Block Bindings: Don't show protected fields that are bound to blocks and post meta #6197

Closed
SantosGuillamot wants to merge 23 commits into WordPress:trunk from SantosGuillamot:fix/only-show-non-protected-fields-in-post-meta-binding
Conversation

@SantosGuillamot SantosGuillamot commented Feb 28, 2024

As discussed in the Gutenberg plugin, this pull request adds two safety checks to ensure block bindings don't leak private post meta:

  • Check if the meta field is protected.
  • Check if the meta field is available through the REST API.

It seems safer to add these limitations to ensure no unwanted data is leaked. And it can be explored later how to loosen these restrictions.

To do that, this pull request:

Testing Instructions

Test it doesn't show the protected value when show_in_rest is false

  1. Register a custom field with show_in_rest set to false:
register_meta(
	'post',
	'protected',
	array(
		'show_in_rest'   => false,
		'single'         => true,
		'type'           => 'string',
		'default'        => 'Protected value',
	)
);
  2. Add a paragraph block in a page pointing to the protected block:
<!-- wp:paragraph {"metadata":{"bindings":{"content":{"source":"core/post-meta","args":{"key":"protected"}}}}} -->
<p>Text</p>
<!-- /wp:paragraph -->
  3. Save the page, go to the front end and check it doesn't show the protected value.

Test protected custom field

  1. Change the register source to show_in_rest true but protect it. It can be done by adding a _ at the beginning of the key or by using a filter like this one:
function protect_meta( $protected, $meta_key, $meta_type ) {
	return true;
}
add_filter( 'is_protected_meta', 'protect_meta', 10, 3 );
  2. Check that the paragraph bound to the protected field doesn't show the protected value in the frontend.

Trac ticket: https://core.trac.wordpress.org/ticket/60651


This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.
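The two gates described in the PR, written out as an added example (not the PR's diff or WordPress core's code): a value is only handed to a bound block when the key is not protected and is registered with show_in_rest. It assumes a loaded WordPress environment; the function name and the three sample meta keys are constructed for illustration.

```php
<?php
// Added example, not the PR's code. Assumes WordPress is loaded.

/**
 * Return a post meta value only when the key is safe to expose through a block binding.
 * Returns null (so the block keeps its fallback content) when either gate fails.
 */
function example_bound_post_meta_value( $meta_key, $post_id, $post_type ) {
	// Gate 1: protected keys are never exposed. This covers keys with a leading
	// underscore and anything the is_protected_meta filter marks as protected.
	if ( is_protected_meta( $meta_key, 'post' ) ) {
		return null;
	}

	// Gate 2: the key must be registered with show_in_rest, either for all post
	// types (empty subtype) or for this post type (post-type entry wins on conflict).
	$registered = array_merge(
		get_registered_meta_keys( 'post', '' ),
		get_registered_meta_keys( 'post', $post_type )
	);
	if ( empty( $registered[ $meta_key ]['show_in_rest'] ) ) {
		return null;
	}

	// Both gates passed: the value is already reachable through the REST API,
	// so exposing it in block content reveals nothing new.
	return get_post_meta( $post_id, $meta_key, true );
}

// Constructed fixtures, one key per outcome (sample keys, not from the PR).
add_action( 'init', function () {
	// Passes both gates.
	register_meta( 'post', 'example_public', array(
		'show_in_rest' => true, 'single' => true, 'type' => 'string', 'default' => 'Public value',
	) );
	// Fails gate 2: not exposed in REST.
	register_meta( 'post', 'example_hidden', array(
		'show_in_rest' => false, 'single' => true, 'type' => 'string', 'default' => 'Hidden value',
	) );
	// Fails gate 1: leading underscore makes is_protected_meta() return true.
	register_meta( 'post', '_example_secret', array(
		'show_in_rest' => true, 'single' => true, 'type' => 'string', 'default' => 'Secret value',
	) );
} );
```

With these fixtures, only example_public yields a value; the other two return null regardless of what is stored, which mirrors the two testing scenarios above.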
