Fix broken access control (#1590)
* BREAKING CHANGE: fix broken access control

* refactor: hard-code secured fields
tanftw authored Jun 26, 2024
1 parent 2d492a7 commit db1e61a
Showing 2 changed files with 15 additions and 13 deletions.
2 changes: 2 additions & 0 deletions inc/fields/post.php
Expand Up @@ -108,6 +108,8 @@ public static function query( $meta, array $field ): array {
'mb_field_id' => $field['id'],
] );

$args['perm'] = 'readable';

$meta = wp_parse_id_list( (array) $meta );

// Query only selected items.
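Review bot: `$args['perm'] = 'readable'` only gates posts whose status is `private`; WP_Query still returns `draft`, `pending` or `future` posts whenever `query_args['post_status']` names them, so if `query_args` can reach this method from a request (as the `filter_post( 'field', ... )` path in user.php suggests for that field type), non-public statuses remain readable to users who cannot edit them. Consider also pinning `post_status` for callers without the relevant capability, e.g. `if ( ! current_user_can( 'edit_posts' ) ) { $args['post_status'] = 'publish'; }`, or intersecting the requested statuses with `get_post_stati( [ 'public' => true ] )`. A short comment on the new line would record why it is set after `wp_parse_args()`: `// Set after wp_parse_args() so query_args cannot lift the readability check.` The body of `query()` starts and ends outside this hunk.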
26 changes: 13 additions & 13 deletions inc/fields/user.php
Expand Up @@ -17,7 +17,7 @@ public static function ajax_get_users() {
$request = rwmb_request();

$field = $request->filter_post( 'field', FILTER_DEFAULT, FILTER_FORCE_ARRAY );

// Required for 'choice_label' filter. See self::filter().
$field['clone'] = false;
$field['_original_id'] = $field['id'];
Expand Down Expand Up @@ -96,22 +96,22 @@ public static function normalize( $field ) {

public static function query( $meta, array $field ): array {
$display_field = $field['display_field'];

$args = wp_parse_args( $field['query_args'], [
'orderby' => $display_field,
'order' => 'asc',
'fields' => [
'ID',
'user_login',
'user_pass',
'user_nicename',
'user_email',
'user_url',
'user_registered',
'user_status',
'display_name',
],
] );

$args['fields'] = [
'ID',
'user_login',
'user_nicename',
'user_url',
'user_registered',
'user_status',
'display_name',
];

$meta = wp_parse_id_list( (array) $meta );

// Query only selected items.
Expand All @@ -132,7 +132,7 @@ public static function query( $meta, array $field ): array {
$users = get_users( $args );
$options = [];
foreach ( $users as $user ) {
$label = $user->$display_field ? $user->$display_field : __( '(No title)', 'meta-box' );
$label = $user->$display_field ?? __( '(No title)', 'meta-box' );
$label = self::filter( 'choice_label', $label, $field, $user );

$options[ $user->ID ] = [
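Review bot: The `??` on the replacement line in the third hunk changes the fallback semantics: `?:` also substituted `(No title)` for an empty string, while `??` only covers null/undefined, so a user whose `$display_field` column is `''` now gets an empty label instead of the placeholder. `$label = ( $user->$display_field ?? null ) ?: __( '(No title)', 'meta-box' );` keeps the old behaviour while still avoiding the undefined-property warning for a `display_field` that is not among the hard-coded `fields`. Since `display_field` and `query_args` still arrive via `filter_post( 'field', ... )` in the first hunk, it would be more robust to validate `$display_field` against the same list the new `$args['fields']` hard-codes, and to allow-list which `query_args` keys a request may override rather than pinning only `fields`. `query()`'s body extends beyond the second and third hunks.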
