chnovo7 / wordpress-custom-content-type-manager

Automatically exported from code.google.com/p/wordpress-custom-content-type-manager

Request: Custom field metaboxes to display conditionally, based on simple PHP input #511

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The new metaboxes organisation of custom fields is a great addition.

I'd like to see the option to input some custom PHP (with a boolean return) to 
switch on/off the metabox's visibility. E.g. if I have a metabox I want to 
display only for pages using the page-about.php template, I could stick in the 
code:

    basename( get_page_template() ) == "page-about.php"

This should then only display the metabox for about pages.

That would rock. I'll have a look at implementing this myself, and if I can 
work it out, I'll post a patch to this request.

Original issue reported on code.google.com by a...@perchten.co.uk on 15 Aug 2013 at 12:07

GoogleCodeExporter commented 8 years ago
Yup, not too hard. Although it's completely and utterly ridiculously insecure 
as it will just run whatever PHP you give it. Might want to have a special 
option to turn it on or off I guess. Anyhoo, patch attached. Needs to be run 
from the wp-content root directory.

Any problems feel free to yell.

Original comment by a...@perchten.co.uk on 15 Aug 2013 at 12:42


GoogleCodeExporter commented 8 years ago

Original comment by ever...@fireproofsocks.com on 15 Aug 2013 at 12:57

GoogleCodeExporter commented 8 years ago
Committed revision 761382.  Will go out in 0.9.7.7

Original comment by ever...@fireproofsocks.com on 23 Aug 2013 at 6:07

GoogleCodeExporter commented 8 years ago
In the field, upon submission, the quotes are transformed into their alt-code.

e.g. return basename( get_page_template() ) == "page-about.php"

from return basename( get_page_template() ) == "page-about.php"

Original comment by nathanie...@gmail.com on 19 Jan 2014 at 9:10

GoogleCodeExporter commented 8 years ago
See duplicate Issue #542.

Original comment by ever...@fireproofsocks.com on 13 Feb 2014 at 6:08

GoogleCodeExporter commented 8 years ago
Issue 542 has been merged into this issue.

Original comment by ever...@fireproofsocks.com on 13 Feb 2014 at 6:08

GoogleCodeExporter commented 8 years ago
Part of the problem was that I was using the CCTM::get_value() function to 
retrieve that value for storage: it gets a value out of an array, but it also 
runs esc_html, which causes problems in this case.

So inside of includes/CCTM_Metabox.php line 100 or so becomes this:

    $data['visibility_control'] = (isset($posted_data['visibility_control'])) ? $posted_data['visibility_control'] : '';

Second problem was that fields were not being properly associated with 
metaboxes -- StandardizedCustomFields::_get_custom_fields() sometimes returned 
an empty array even though the metabox id was correct.  Resaving the fields 
after doing drag-and-drop in the "Manage Custom Fields" page restored the 
value; that may have just been some bad data on my end.

Finally, inside of StandardizedCustomFields.php line 112, I changed the line to 
this:

                    if ( eval($m['visibility_control'].';') !== true ) {

Forcing the command to end with a semi-colon prevented certain php errors, and 
removing the html entity conversion made this work as expected.

Committed revision 857415.

Original comment by ever...@fireproofsocks.com on 13 Feb 2014 at 7:01

GoogleCodeExporter commented 8 years ago
There are security vulnerabilities introduced when evaluating code here.  The 
solution must be a bit more restrictive, e.g. allow ONLY a list of template 
file names, not arbitrary PHP code to be executed.

Original comment by ever...@fireproofsocks.com on 5 May 2015 at 9:43

GoogleCodeExporter commented 8 years ago
Had to change this re security.  Now accepts only page template basenames as of 
0.9.8

Original comment by ever...@fireproofsocks.com on 11 May 2015 at 4:57
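
The restriction described in the last two comments (compare against a list of page template basenames instead of evaluating stored PHP), as an added example that is not CCTM's own code. The function names, the comma-separated storage format and the sample path are assumptions made for illustration.

```php
<?php
// Added example, not CCTM code. Function names and the comma-separated
// storage format are hypothetical.

/**
 * Parse a stored visibility setting into a list of template basenames.
 * Anything that is not a plain "name.php" filename is dropped, so the
 * stored value can never carry code or a path.
 */
function example_parse_template_allowlist(string $stored): array
{
    $names = [];
    foreach (explode(',', $stored) as $item) {
        $item = trim($item);
        // Letters, digits, underscore, dot and hyphen only, ending in .php; no slashes.
        if (preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]*\.php\z/', $item) === 1) {
            $names[] = $item;
        }
    }
    return array_values(array_unique($names));
}

/**
 * Decide whether a metabox is shown. The stored value is only ever
 * compared as data; it is never passed to eval().
 */
function example_metabox_visible(string $stored, string $current_template_path): bool
{
    if (trim($stored) === '') {
        return true; // Assumption: an empty setting means "no restriction".
    }
    // A non-empty setting with no valid entries hides the metabox (fails closed).
    $allowed = example_parse_template_allowlist($stored);
    return in_array(basename($current_template_path), $allowed, true);
}

// Constructed sample path. In WordPress it would come from get_page_template().
$template = '/var/www/wp-content/themes/example/page-about.php';

var_dump(example_metabox_visible('page-about.php, page-contact.php', $template));
var_dump(example_metabox_visible('page-contact.php', $template));
// A value that eval() would have executed is now only a rejected string.
var_dump(example_parse_template_allowlist('phpinfo(); return true'));
var_dump(example_metabox_visible('phpinfo(); return true', $template));
```

Because the setting is treated as data, the esc_html quoting problem reported earlier in the thread also stops mattering: no quotes are needed in the stored value.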