[wp-trac] [WordPress Trac] #38293: A connected user can delete a protected post meta
WordPress Trac
noreply at wordpress.org
Mon Oct 31 19:29:10 UTC 2016
#38293: A connected user can delete a protected post meta
---------------------------------------------+-----------------------------
Reporter: ajoah | Owner: johnbillion
Type: defect (bug) | Status: closed
Priority: normal | Milestone: 4.7
Component: Posts, Post Types | Version: 3.3
Severity: normal | Resolution: fixed
Keywords: has-patch has-unit-tests commit | Focuses: administration
---------------------------------------------+-----------------------------
Changes (by johnbillion):
* status: reviewing => closed
* resolution: => fixed
Comment:
In [changeset:"39062"]:
{{{
#!CommitTicketReference repository="" revision="39062"
Posts, Post Types: Prevent users from being able to delete a protected
meta field from a post.
Previously a user could remove a protected meta field by using their
browser developer tools to alter the form field properties in the Custom
Fields meta box, given that they know the ID of the protected meta field.
This change prevents this by preventing any change to a protected meta
field, including changing its key.
Props ajoah, johnbillion, peterwilsoncc
Fixes #38293
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38293#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list