* WordPress Post Administration API.
* @subpackage Administration
* Renames `$_POST` data from form names to DB post columns.
* Manipulates `$_POST` directly.
* @param bool $update Whether the post already exists.
* @param array|null $post_data Optional. The array of post data to process.
* Defaults to the `$_POST` superglobal.
* @return array|WP_Error Array of post data on success, WP_Error on failure.
function _wp_translate_postdata( $update = false, $post_data = null ) {
if ( empty( $post_data ) ) {
$post_data['ID'] = (int) $post_data['post_ID'];
$ptype = get_post_type_object( $post_data['post_type'] );
if ( $update && ! current_user_can( 'edit_post', $post_data['ID'] ) ) {
if ( 'page' === $post_data['post_type'] ) {
return new WP_Error( 'edit_others_pages', __( 'Sorry, you are not allowed to edit pages as this user.' ) );
return new WP_Error( 'edit_others_posts', __( 'Sorry, you are not allowed to edit posts as this user.' ) );
} elseif ( ! $update && ! current_user_can( $ptype->cap->create_posts ) ) {
if ( 'page' === $post_data['post_type'] ) {
return new WP_Error( 'edit_others_pages', __( 'Sorry, you are not allowed to create pages as this user.' ) );
return new WP_Error( 'edit_others_posts', __( 'Sorry, you are not allowed to create posts as this user.' ) );
if ( isset( $post_data['content'] ) ) {
$post_data['post_content'] = $post_data['content'];
if ( isset( $post_data['excerpt'] ) ) {
$post_data['post_excerpt'] = $post_data['excerpt'];
if ( isset( $post_data['parent_id'] ) ) {
$post_data['post_parent'] = (int) $post_data['parent_id'];
if ( isset( $post_data['trackback_url'] ) ) {
$post_data['to_ping'] = $post_data['trackback_url'];
$post_data['user_ID'] = get_current_user_id();
if ( ! empty( $post_data['post_author_override'] ) ) {
$post_data['post_author'] = (int) $post_data['post_author_override'];
if ( ! empty( $post_data['post_author'] ) ) {
$post_data['post_author'] = (int) $post_data['post_author'];
$post_data['post_author'] = (int) $post_data['user_ID'];
if ( isset( $post_data['user_ID'] ) && ( $post_data['post_author'] !== $post_data['user_ID'] )
&& ! current_user_can( $ptype->cap->edit_others_posts ) ) {
if ( 'page' === $post_data['post_type'] ) {
return new WP_Error( 'edit_others_pages', __( 'Sorry, you are not allowed to edit pages as this user.' ) );
return new WP_Error( 'edit_others_posts', __( 'Sorry, you are not allowed to edit posts as this user.' ) );
if ( 'page' === $post_data['post_type'] ) {
return new WP_Error( 'edit_others_pages', __( 'Sorry, you are not allowed to create pages as this user.' ) );
return new WP_Error( 'edit_others_posts', __( 'Sorry, you are not allowed to create posts as this user.' ) );
if ( ! empty( $post_data['post_status'] ) ) {
$post_data['post_status'] = sanitize_key( $post_data['post_status'] );
// No longer an auto-draft.
if ( 'auto-draft' === $post_data['post_status'] ) {
$post_data['post_status'] = 'draft';
if ( ! get_post_status_object( $post_data['post_status'] ) ) {
unset( $post_data['post_status'] );
// What to do based on which button they pressed.
if ( isset( $post_data['saveasdraft'] ) && '' !== $post_data['saveasdraft'] ) {
$post_data['post_status'] = 'draft';
if ( isset( $post_data['saveasprivate'] ) && '' !== $post_data['saveasprivate'] ) {
$post_data['post_status'] = 'private';
if ( isset( $post_data['publish'] ) && ( '' !== $post_data['publish'] )
&& ( ! isset( $post_data['post_status'] ) || 'private' !== $post_data['post_status'] )
$post_data['post_status'] = 'publish';
if ( isset( $post_data['advanced'] ) && '' !== $post_data['advanced'] ) {
$post_data['post_status'] = 'draft';
if ( isset( $post_data['pending'] ) && '' !== $post_data['pending'] ) {
$post_data['post_status'] = 'pending';
if ( isset( $post_data['ID'] ) ) {
$post_id = $post_data['ID'];
$previous_status = $post_id ? get_post_field( 'post_status', $post_id ) : false;
if ( isset( $post_data['post_status'] ) && 'private' === $post_data['post_status'] && ! current_user_can( $ptype->cap->publish_posts ) ) {
$post_data['post_status'] = $previous_status ? $previous_status : 'pending';
$published_statuses = array( 'publish', 'future' );
* Posts 'submitted for approval' are submitted to $_POST the same as if they were being published.
* Change status from 'publish' to 'pending' if user lacks permissions to publish or to resave published posts.
if ( isset( $post_data['post_status'] )
&& ( in_array( $post_data['post_status'], $published_statuses, true )
&& ! current_user_can( $ptype->cap->publish_posts ) )
if ( ! in_array( $previous_status, $published_statuses, true ) || ! current_user_can( 'edit_post', $post_id ) ) {
$post_data['post_status'] = 'pending';
if ( ! isset( $post_data['post_status'] ) ) {
$post_data['post_status'] = 'auto-draft' === $previous_status ? 'draft' : $previous_status;
if ( isset( $post_data['post_password'] ) && ! current_user_can( $ptype->cap->publish_posts ) ) {
unset( $post_data['post_password'] );
if ( ! isset( $post_data['comment_status'] ) ) {
$post_data['comment_status'] = 'closed';
if ( ! isset( $post_data['ping_status'] ) ) {
$post_data['ping_status'] = 'closed';
foreach ( array( 'aa', 'mm', 'jj', 'hh', 'mn' ) as $timeunit ) {
if ( ! empty( $post_data[ 'hidden_' . $timeunit ] ) && $post_data[ 'hidden_' . $timeunit ] !== $post_data[ $timeunit ] ) {
$post_data['edit_date'] = '1';
if ( ! empty( $post_data['edit_date'] ) ) {
$aa = ( $aa <= 0 ) ? gmdate( 'Y' ) : $aa;
$mm = ( $mm <= 0 ) ? gmdate( 'n' ) : $mm;
$jj = ( $jj > 31 ) ? 31 : $jj;
$jj = ( $jj <= 0 ) ? gmdate( 'j' ) : $jj;
$hh = ( $hh > 23 ) ? $hh - 24 : $hh;
$mn = ( $mn > 59 ) ? $mn - 60 : $mn;
$ss = ( $ss > 59 ) ? $ss - 60 : $ss;
$post_data['post_date'] = sprintf( '%04d-%02d-%02d %02d:%02d:%02d', $aa, $mm, $jj, $hh, $mn, $ss );
$valid_date = wp_checkdate( $mm, $jj, $aa, $post_data['post_date'] );
return new WP_Error( 'invalid_date', __( 'Invalid date.' ) );
* Only assign a post date if the user has explicitly set a new value.
$previous_date = $post_id ? get_post_field( 'post_date', $post_id ) : false;
if ( $previous_date && $previous_date !== $post_data['post_date'] ) {
$post_data['edit_date'] = true;
$post_data['post_date_gmt'] = get_gmt_from_date( $post_data['post_date'] );
$post_data['edit_date'] = false;
unset( $post_data['post_date'] );
unset( $post_data['post_date_gmt'] );
if ( isset( $post_data['post_category'] ) ) {
$category_object = get_taxonomy( 'category' );
if ( ! current_user_can( $category_object->cap->assign_terms ) ) {
unset( $post_data['post_category'] );
* Returns only allowed post data fields.
* @param array|WP_Error|null $post_data The array of post data to process, or an error object.
* Defaults to the `$_POST` superglobal.
* @return array|WP_Error Array of post data on success, WP_Error on failure.
function _wp_get_allowed_postdata( $post_data = null ) {
if ( empty( $post_data ) ) {
if ( is_wp_error( $post_data ) ) {
return array_diff_key( $post_data, array_flip( array( 'meta_input', 'file', 'guid' ) ) );
* Updates an existing post with values provided in `$_POST`.
* If post data is passed as an argument, it is treated as an array of data
* keyed appropriately for turning into a post object.
* If post data is not passed, the `$_POST` global variable is used instead.
* @global wpdb $wpdb WordPress database abstraction object.
* @param array|null $post_data Optional. The array of post data to process.
* Defaults to the `$_POST` superglobal.
function edit_post( $post_data = null ) {
if ( empty( $post_data ) ) {
// Clear out any data in internal vars.
unset( $post_data['filter'] );
$post_id = (int) $post_data['post_ID'];
$post = get_post( $post_id );
$post_data['post_type'] = $post->post_type;
$post_data['post_mime_type'] = $post->post_mime_type;
if ( ! empty( $post_data['post_status'] ) ) {
$post_data['post_status'] = sanitize_key( $post_data['post_status'] );
if ( 'inherit' === $post_data['post_status'] ) {
unset( $post_data['post_status'] );
$ptype = get_post_type_object( $post_data['post_type'] );
if ( ! current_user_can( 'edit_post', $post_id ) ) {
if ( 'page' === $post_data['post_type'] ) {
wp_die( __( 'Sorry, you are not allowed to edit this page.' ) );
wp_die( __( 'Sorry, you are not allowed to edit this post.' ) );
if ( post_type_supports( $ptype->name, 'revisions' ) ) {
$revisions = wp_get_post_revisions(
$revision = current( $revisions );
// Check if the revisions have been upgraded.
if ( $revisions && _wp_get_post_revision_version( $revision ) < 1 ) {
_wp_upgrade_revisions_of_post( $post, wp_get_post_revisions( $post_id ) );
if ( isset( $post_data['visibility'] ) ) {
switch ( $post_data['visibility'] ) {
$post_data['post_password'] = '';
unset( $post_data['sticky'] );
$post_data['post_status'] = 'private';
$post_data['post_password'] = '';
unset( $post_data['sticky'] );
$post_data = _wp_translate_postdata( true, $post_data );
if ( is_wp_error( $post_data ) ) {
wp_die( $post_data->get_error_message() );
$translated = _wp_get_allowed_postdata( $post_data );
if ( isset( $post_data['post_format'] ) ) {
set_post_format( $post_id, $post_data['post_format'] );
$format_meta_urls = array( 'url', 'link_url', 'quote_source_url' );
foreach ( $format_meta_urls as $format_meta_url ) {
$keyed = '_format_' . $format_meta_url;
if ( isset( $post_data[ $keyed ] ) ) {
update_post_meta( $post_id, $keyed, wp_slash( sanitize_url( wp_unslash( $post_data[ $keyed ] ) ) ) );
$format_keys = array( 'quote', 'quote_source_name', 'image', 'gallery', 'audio_embed', 'video_embed' );
foreach ( $format_keys as $key ) {
$keyed = '_format_' . $key;
if ( isset( $post_data[ $keyed ] ) ) {
if ( current_user_can( 'unfiltered_html' ) ) {
update_post_meta( $post_id, $keyed, $post_data[ $keyed ] );
update_post_meta( $post_id, $keyed, wp_filter_post_kses( $post_data[ $keyed ] ) );
if ( 'attachment' === $post_data['post_type'] && preg_match( '#^(audio|video)/#', $post_data['post_mime_type'] ) ) {
$id3data = wp_get_attachment_metadata( $post_id );
if ( ! is_array( $id3data ) ) {
foreach ( wp_get_attachment_id3_keys( $post, 'edit' ) as $key => $label ) {
if ( isset( $post_data[ 'id3_' . $key ] ) ) {
$id3data[ $key ] = sanitize_text_field( wp_unslash( $post_data[ 'id3_' . $key ] ) );
wp_update_attachment_metadata( $post_id, $id3data );
if ( isset( $post_data['meta'] ) && $post_data['meta'] ) {
foreach ( $post_data['meta'] as $key => $value ) {
$meta = get_post_meta_by_id( $key );
if ( (int) $meta->post_id !== $post_id ) {
if ( is_protected_meta( $meta->meta_key, 'post' )
|| ! current_user_can( 'edit_post_meta', $post_id, $meta->meta_key )
if ( is_protected_meta( $value['key'], 'post' )
|| ! current_user_can( 'edit_post_meta', $post_id, $value['key'] )
update_meta( $key, $value['key'], $value['value'] );
if ( isset( $post_data['deletemeta'] ) && $post_data['deletemeta'] ) {
foreach ( $post_data['deletemeta'] as $key => $value ) {
$meta = get_post_meta_by_id( $key );
if ( (int) $meta->post_id !== $post_id ) {
if ( is_protected_meta( $meta->meta_key, 'post' )
|| ! current_user_can( 'delete_post_meta', $post_id, $meta->meta_key )
if ( 'attachment' === $post_data['post_type'] ) {
if ( isset( $post_data['_wp_attachment_image_alt'] ) ) {
$image_alt = wp_unslash( $post_data['_wp_attachment_image_alt'] );
if ( get_post_meta( $post_id, '_wp_attachment_image_alt', true ) !== $image_alt ) {
$image_alt = wp_strip_all_tags( $image_alt, true );
// update_post_meta() expects slashed.
update_post_meta( $post_id, '_wp_attachment_image_alt', wp_slash( $image_alt ) );
$attachment_data = isset( $post_data['attachments'][ $post_id ] ) ? $post_data['attachments'][ $post_id ] : array();
/** This filter is documented in wp-admin/includes/media.php */
$translated = apply_filters( 'attachment_fields_to_save', $translated, $attachment_data );
// Convert taxonomy input to term IDs, to avoid ambiguity.
if ( isset( $post_data['tax_input'] ) ) {
foreach ( (array) $post_data['tax_input'] as $taxonomy => $terms ) {
$tax_object = get_taxonomy( $taxonomy );
if ( $tax_object && isset( $tax_object->meta_box_sanitize_cb ) ) {
$translated['tax_input'][ $taxonomy ] = call_user_func_array( $tax_object->meta_box_sanitize_cb, array( $taxonomy, $terms ) );
update_post_meta( $post_id, '_edit_last', get_current_user_id() );
$success = wp_update_post( $translated );
// If the save failed, see if we can confidence check the main fields and try again.
if ( ! $success && is_callable( array( $wpdb, 'strip_invalid_text_for_column' ) ) ) {
$fields = array( 'post_title', 'post_content', 'post_excerpt' );
foreach ( $fields as $field ) {
if ( isset( $translated[ $field ] ) ) {
$translated[ $field ] = $wpdb->strip_invalid_text_for_column( $wpdb->posts, $field, $translated[ $field ] );
wp_update_post( $translated );
// Now that we have an ID we can fix any attachment anchor hrefs.
_fix_attachment_links( $post_id );
wp_set_post_lock( $post_id );
if ( current_user_can( $ptype->cap->edit_others_posts ) && current_user_can( $ptype->cap->publish_posts ) ) {
if ( ! empty( $post_data['sticky'] ) ) {
unstick_post( $post_id );
* Processes the post data for the bulk editing of posts.
* Updates all bulk edited posts/pages, adding (but not removing) tags and
* categories. Skips pages when they would be their own parent or child.
* @global wpdb $wpdb WordPress database abstraction object.
* @param array|null $post_data Optional. The array of post data to process.
* Defaults to the `$_POST` superglobal.
* An array of updated, skipped, and locked post IDs.
* @type int[] $updated An array of updated post IDs.
* @type int[] $skipped An array of skipped post IDs.
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
