From a370785fbc8615a6744134549e1ffddab0f94d32 Mon Sep 17 00:00:00 2001 From: ryan Date: Sat, 22 Mar 2008 08:15:48 +0000 Subject: [PATCH] Fix custom field add/update/delete. Props mdawaffe. fixes #6343 git-svn-id: http://svn.automattic.com/wordpress/trunk@7468 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/admin-ajax.php | 6 +++--- wp-admin/includes/template.php | 17 ++++++++++----- wp-admin/js/post.js | 10 ++++++++- wp-includes/js/autosave.js | 39 ++++++++++++++++++---------------- wp-includes/js/wp-lists.js | 4 ++-- wp-includes/script-loader.php | 6 +++--- 6 files changed, 50 insertions(+), 32 deletions(-) diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php index 74835b3df..b3c7ce2c6 100644 --- a/wp-admin/admin-ajax.php +++ b/wp-admin/admin-ajax.php @@ -94,7 +94,7 @@ case 'delete-link' : else die('0'); break; case 'delete-meta' : - check_ajax_referer( 'change_meta' ); + check_ajax_referer( "delete-meta_$id" ); if ( !$meta = get_post_meta_by_id( $id ) ) die('0'); if ( !current_user_can( 'edit_post', $meta->post_id ) ) @@ -368,10 +368,10 @@ case 'add-comment' : $x->send(); break; case 'add-meta' : - check_ajax_referer( 'change_meta' ); + check_ajax_referer( 'add-meta' ); $c = 0; $pid = (int) $_POST['post_id']; - if ( isset($_POST['addmeta']) ) { + if ( isset($_POST['metakeyselect']) ) { if ( !current_user_can( 'edit_post', $pid ) ) die('-1'); if ( '#NONE#' == $_POST['metakeyselect'] && empty($_POST['metakeyinput']) ) diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php index aaf341588..c1ff2e6da 100644 --- a/wp-admin/includes/template.php +++ b/wp-admin/includes/template.php @@ -745,6 +745,10 @@ function list_meta( $meta ) { } function _list_meta_row( $entry, &$count ) { + static $update_nonce = false; + if ( !$update_nonce ) + $update_nonce = wp_create_nonce( 'add-meta' ); + $r = ''; ++ $count; if ( $count % 2 ) 
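Review bot: In the `delete-meta` case the nonce action is now built from `$id`, whose assignment is outside this hunk, so the check only matches the token minted in `_list_meta_row()` if `$id` is normalised the same way as the `(int)`-cast `meta_id` used there. A comment above the call would keep the two sides in step: `// Action must match wp_create_nonce( 'delete-meta_' . $entry['meta_id'] ) in _list_meta_row().` The per-entry nonce proves only that the request came from a page rendered for this user, so the `current_user_can( 'edit_post', $meta->post_id )` check that follows has to stay as the authorisation gate. The case body continues past the end of the hunk.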
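Review bot: The `add-meta` case now verifies a single action, `add-meta`, that is not tied to any post or meta id, and `_list_meta_row()` mints the same action for existing rows, so the nonce says nothing about which post the caller may modify. The add branch visible here keeps `current_user_can( 'edit_post', $pid )`. The branch taken when `metakeyselect` is absent lies outside the hunk and presumably needs an equivalent check against the post that owns the meta entry, which is worth confirming. I would record this at the top of the case: `// Nonce is shared by add and update and is not post-specific; each branch must check edit_post itself.`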
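Review bot: `$update_nonce` in `_list_meta_row()` is created for the action `add-meta`, so the name suggests a separate update action that the handler in admin-ajax.php does not have. Either rename it or add a comment, e.g. `// Same action as the add form; the 'add-meta' AJAX case handles both add and update.` Caching it in a `static` is reasonable because the value does not depend on `$entry`. Where the token is written into the row markup is not visible in this hunk, and the function body continues into the next one.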
@@ -768,12 +772,16 @@ function _list_meta_row( $entry, &$count ) { $entry['meta_key'] = attribute_escape($entry['meta_key']); $entry['meta_value'] = attribute_escape($entry['meta_value']); $entry['meta_id'] = (int) $entry['meta_id']; + + $delete_nonce = wp_create_nonce( 'delete-meta_' . $entry['meta_id'] ); + $r .= "\n\t"; $r .= "\n\t\t"; $r .= "\n\t\t"; - $r .= "\n\t\t
"; + $r .= "\n\t\t
"; $r .= "\n\t\t"; + $r .= "class='delete:the-list:meta-{$entry['meta_id']}::_ajax_nonce=$delete_nonce deletemeta' tabindex='6' value='".attribute_escape(__( 'Delete' ))."' />"; + $r .= wp_nonce_field( 'change-meta', '_ajax_nonce', false, false ); $r .= "\n\t"; return $r; } @@ -815,10 +823,9 @@ function meta_form() { - - - + + 0 ) { - if ( postID == parseInt(jQuery('#post_ID').val()) ) { return; } // no need to do this more than once - jQuery('#post_ID').attr({name: "post_ID"}); - jQuery('#post_ID').val(postID); - // We need new nonces - jQuery.post(autosaveL10n.requestFile, { - action: "autosave-generate-nonces", - post_ID: postID, - autosavenonce: jQuery('#autosavenonce').val(), - post_type: jQuery('#post_type').val() - }, function(html) { - jQuery('#_wpnonce').val(html); - }); - jQuery('#hiddenaction').val('editpost'); - } + autosave_update_post_ID( postID ); + } +} + +function autosave_update_post_ID( postID ) { + if ( !isNaN(postID) && postID > 0 ) { + if ( postID == parseInt(jQuery('#post_ID').val()) ) { return; } // no need to do this more than once + jQuery('#post_ID').attr({name: "post_ID"}); + jQuery('#post_ID').val(postID); + // We need new nonces + jQuery.post(autosaveL10n.requestFile, { + action: "autosave-generate-nonces", + post_ID: postID, + autosavenonce: jQuery('#autosavenonce').val(), + post_type: jQuery('#post_type').val() + }, function(html) { + jQuery('#_wpnonce').val(html); + }); + jQuery('#hiddenaction').val('editpost'); } } @@ -173,7 +176,7 @@ var autosave = function() { if(parseInt(post_data["post_ID"]) < 1) { post_data["temp_ID"] = post_data["post_ID"]; - var successCallback = autosave_update_post_ID; // new post + var successCallback = autosave_saved_new;; // new post } else { var successCallback = autosave_saved; // pre-existing post } diff --git a/wp-includes/js/wp-lists.js b/wp-includes/js/wp-lists.js index f1eed16db..e1ef51571 100644 --- a/wp-includes/js/wp-lists.js +++ b/wp-includes/js/wp-lists.js 
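Review bot: The added `$r .= wp_nonce_field( 'change-meta', '_ajax_nonce', false, false );` emits a token for an action that nothing in this patch verifies. admin-ajax.php now checks `delete-meta_$id` and `add-meta`, and the checks it removed were spelled `change_meta` with an underscore. Unless a handler outside the patch verifies `change-meta`, the field is dead markup. Because it is appended once per row, the form also carries several hidden inputs all named `_ajax_nonce`, which makes it unclear which value a submit sends. I would drop the line, or add a comment naming the handler that consumes it. Part of this hunk's markup did not survive on the page, so the placement of `$update_nonce` and `$delete_nonce` in the row cannot be fully confirmed from here.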
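Review bot: `var successCallback = autosave_saved_new;; // new post` carries a doubled semicolon; it parses as an empty statement but should read `var successCallback = autosave_saved_new; // new post`. The definition of `autosave_saved_new` only partly survives on this page, so confirm it still hands the new id to `autosave_update_post_ID( postID )`. In the earlier hunk of this file, the extracted `autosave_update_post_ID` calls `parseInt(jQuery('#post_ID').val())` without a radix, and `parseInt(jQuery('#post_ID').val(), 10)` would make the comparison with `postID` independent of how the field value is formatted.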
@@ -154,7 +154,7 @@ var wpList = { s.success = function(r) { var res = wpAjax.parseAjaxResponse(r, s.response, s.element); if ( !res || res.errors ) { - element.stop().css( 'backgroundColor', '#FF3333' ).show().queue( function() { list.wpList.recolor(); $(this).dequeue(); } ); + element.stop().stop().css( 'backgroundColor', '#FF3333' ).show().queue( function() { list.wpList.recolor(); $(this).dequeue(); } ); return false; } if ( $.isFunction(s.delAfter) ) { @@ -217,7 +217,7 @@ var wpList = { s.success = function(r) { var res = wpAjax.parseAjaxResponse(r, s.response, s.element); if ( !res || res.errors ) { - element.stop().css( 'backgroundColor', '#FF3333' )[isClass?'removeClass':'addClass'](s.dimClass).show().queue( function() { list.wpList.recolor(); $(this).dequeue(); } ); + element.stop().stop().css( 'backgroundColor', '#FF3333' )[isClass?'removeClass':'addClass'](s.dimClass).show().queue( function() { list.wpList.recolor(); $(this).dequeue(); } ); return false; } if ( $.isFunction(s.dimAfter) ) { diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php index 6732a1000..139518c89 100644 --- a/wp-includes/script-loader.php +++ b/wp-includes/script-loader.php @@ -47,7 +47,7 @@ class WP_Scripts { 'broken' => __('An unidentified error has occurred.') ) ); - $this->add( 'autosave', '/wp-includes/js/autosave.js', array('schedule', 'wp-ajax-response'), '20080317' ); + $this->add( 'autosave', '/wp-includes/js/autosave.js', array('schedule', 'wp-ajax-response'), '20080322' ); $this->add( 'wp-ajax', '/wp-includes/js/wp-ajax.js', array('prototype'), '20070306'); $this->localize( 'wp-ajax', 'WPAjaxL10n', array( 
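Review bot: Both error branches now call `element.stop().stop()`, here in the delete handler and again in the hunk at `@@ -217,7 +217,7 @@`, and nothing explains why a single `stop()` is not enough. If the second call is meant to halt an animation that the first one lets start from the queue, say so in a comment, e.g. `// second stop(): halt the queued animation that the first stop() lets begin`. If that is the intent, clearing the queue explicitly may read better, though I have not checked which jQuery version this file targets. Both `s.success` callbacks start and end outside their hunks.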
@@ -57,7 +57,7 @@ class WP_Scripts { 'whoaText' => __("Slow down, I'm still sending your data!") ) ); - $this->add( 'wp-lists', '/wp-includes/js/wp-lists.js', array('wp-ajax-response'), '20080312' ); + $this->add( 'wp-lists', '/wp-includes/js/wp-lists.js', array('wp-ajax-response'), '20080322' ); $this->localize( 'wp-lists', 'wpListL10n', array( 'url' => get_option( 'siteurl' ) . '/wp-admin/admin-ajax.php' ) ); @@ -144,7 +144,7 @@ class WP_Scripts { 'save' => __('Save'), 'cancel' => __('Cancel'), ) ); - $this->add( 'post', '/wp-admin/js/post.js', array('suggest', 'jquery-ui-tabs', 'wp-lists', 'postbox', 'slug'), '20080318' ); + $this->add( 'post', '/wp-admin/js/post.js', array('suggest', 'jquery-ui-tabs', 'wp-lists', 'postbox', 'slug'), '20080322' ); $this->localize( 'post', 'postL10n', array( 'tagsUsed' => __('Tags used on this post:'), 'add' => attribute_escape(__('Add')),