Commit

Ensure unauthorized users don't read post meta
artemiomorales committed Jan 26, 2024
1 parent 06a3930 commit f53121d
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions src/wp-includes/block-bindings/sources/post-meta.php
Expand Up @@ -14,6 +14,13 @@ function post_meta_source_callback( $source_attrs ) {
$post_id = get_the_ID();
}

// If a post isn't public, we need to prevent
// unauthorized users from accessing the post meta.
$post = get_post($post_id);

Check failure on line 19 in src/wp-includes/block-bindings/sources/post-meta.php

GitHub Actions / PHP coding standards

Expected 1 spaces after opening parenthesis; 0 found

Check failure on line 19 in src/wp-includes/block-bindings/sources/post-meta.php

GitHub Actions / PHP coding standards

Expected 1 spaces before closing parenthesis; 0 found
if ( ( $post && $post->post_status != 'publish' && ! current_user_can( 'read_post', $post_id ) ) || post_password_required( $post_id ) ) {

Check failure on line 20 in src/wp-includes/block-bindings/sources/post-meta.php

GitHub Actions / PHP coding standards

Use Yoda Condition checks, you must.
return null;
}

return get_post_meta( $post_id, $source_attrs['value'], true );
}
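
Review bot: The new `if` condition only applies the status and capability test when `$post` is truthy, so when `get_post()` returns null for a bad `$post_id` the first clause is skipped and execution can still reach `get_post_meta()`. Consider returning null early when `$post` is falsy so the guard fails closed. On the same line, `$post->post_status != 'publish'` is a loose, non-Yoda comparison, which the coding standards check flags; `'publish' !== $post->post_status` satisfies it and avoids type juggling, and `get_post($post_id)` needs the spaces inside the parentheses. The guard decides who may read the post, but the final `get_post_meta( $post_id, $source_attrs['value'], true )` still returns whatever key `$source_attrs['value']` names with no check on the key itself. If protected keys are not meant to be bindable, a key check such as `is_protected_meta()` belongs before that return.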
