[wp-trac] [WordPress Trac] #18786: meta_form() should place some restrictions on meta keys
WordPress Trac
wp-trac at lists.automattic.com
Mon Sep 26 22:37:58 UTC 2011
#18786: meta_form() should place some restrictions on meta keys
----------------------------+-----------------------------
  Reporter:  nacin          |      Owner:
      Type:  enhancement    |     Status:  new
  Priority:  normal         |  Milestone:  Awaiting Review
 Component:  Administration |    Version:
  Severity:  normal         |   Keywords:  2nd-opinion
----------------------------+-----------------------------
meta_form() echoes out all meta keys into a dropdown for the custom fields
box, unless they start with an underscore (as bound by the query).

We should consider is_protected_meta( $key, 'post' ) and/or
current_user_can( 'add_post_meta', $post->ID, $key ). This isn't a
security thing, just an opportunity to hide some things from the user they
don't need to see.

On the other hand, it's definitely a number of extra calculations.
is_protected_meta() is light as long as there's no filter on things (and
if there is, we probably want to know). current_user_can() might be a bit
more weight than necessary here.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/18786>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software