Post meta: Update meta keys to be private (#1090)

* Post meta: Update meta keys to be private

WordPress convention states that meta keys prefixed with an underscore are
considered private and hidden from the custom fields UI. Since our meta keys
are for internal plugin use only, they should follow this convention.

This change helps prevent accidental modification of ActivityPub meta data
through WordPress's custom fields interface while maintaining the expected
pattern for plugin developers.

See: https://developer.wordpress.org/plugins/metadata/managing-post-metadata/#hidden-custom-fields

* Add changelog

* Fix phpcs

* Don't make activitypub_content_visibility private

* Add missing bits

* Also remove content_warning

Needs to be editable in editor

* update phpcs

CHANGELOG.md

@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 * Added a filter to make custom comment types manageable in WP.com Calypso
 
+### Changed
+
+* Hide ActivityPub post meta keys from the custom Fields UI
+
 ### Fixed
 
 * Undefined array key warnings in various places

includes/class-activitypub.php

@@ -339,7 +339,7 @@ public static function get_avatar_url( $comment ) {
 	public static function trash_post( $post_id ) {
 		\add_post_meta(
 			$post_id,
-			'activitypub_canonical_url',
+			'_activitypub_canonical_url',
 			\get_permalink( $post_id ),
 			true
 		);
@@ -351,7 +351,7 @@ public static function trash_post( $post_id ) {
 	 * @param string $post_id The Post ID.
 	 */
 	public static function untrash_post( $post_id ) {
-		\delete_post_meta( $post_id, 'activitypub_canonical_url' );
+		\delete_post_meta( $post_id, '_activitypub_canonical_url' );
 	}
 
 	/**
@@ -482,7 +482,7 @@ private static function register_post_types() {
 
 		\register_post_meta(
 			Followers::POST_TYPE,
-			'activitypub_inbox',
+			'_activitypub_inbox',
 			array(
 				'type'              => 'string',
 				'single'            => true,
@@ -492,7 +492,7 @@ private static function register_post_types() {
 
 		\register_post_meta(
 			Followers::POST_TYPE,
-			'activitypub_errors',
+			'_activitypub_errors',
 			array(
 				'type'              => 'string',
 				'single'            => false,
@@ -508,7 +508,7 @@ private static function register_post_types() {
 
 		\register_post_meta(
 			Followers::POST_TYPE,
-			'activitypub_user_id',
+			'_activitypub_user_id',
 			array(
 				'type'              => 'string',
 				'single'            => false,
@@ -520,7 +520,7 @@ private static function register_post_types() {
 
 		\register_post_meta(
 			Followers::POST_TYPE,
-			'activitypub_actor_json',
+			'_activitypub_actor_json',
 			array(
 				'type'              => 'string',
 				'single'            => true,

includes/class-migration.php

@@ -161,6 +161,9 @@ public static function maybe_migrate() {
 		if ( \version_compare( $version_from_db, '4.5.0', '<' ) ) {
 			\wp_schedule_single_event( \time() + MINUTE_IN_SECONDS, 'activitypub_update_comment_counts' );
 		}
+		if ( \version_compare( $version_from_db, '4.6.0', '<' ) ) {
+			self::migrate_to_4_6_0();
+		}
 
 		/**
 		 * Fires when the system has to be migrated.
@@ -387,6 +390,26 @@ public static function migrate_to_4_1_0() {
 		);
 	}
 
+	/**
+	 * Updates post meta keys to be prefixed with an underscore.
+	 */
+	public static function migrate_to_4_6_0() {
+		global $wpdb;
+
+		$meta_keys = array(
+			'activitypub_actor_json',
+			'activitypub_canonical_url',
+			'activitypub_errors',
+			'activitypub_inbox',
+			'activitypub_user_id',
+		);
+
+		foreach ( $meta_keys as $meta_key ) {
+			// phpcs:ignore WordPress.DB
+			$wpdb->update( $wpdb->postmeta, array( 'meta_key' => '_' . $meta_key ), array( 'meta_key' => $meta_key ) );
+		}
+	}
+
 	/**
 	 * Update comment counts for posts in batches.
 	 *

includes/collection/class-actors.php

@@ -100,7 +100,7 @@ public static function get_by_username( $username ) {
 				'meta_query'  => array(
 					'relation' => 'OR',
 					array(
-						'key'     => 'activitypub_user_identifier',
+						'key'     => '_activitypub_user_identifier',
 						'value'   => $username,
 						'compare' => 'LIKE',
 					),

includes/collection/class-followers.php

@@ -52,11 +52,11 @@ public static function add_follower( $user_id, $actor ) {
 			return $id;
 		}
 
-		$post_meta = get_post_meta( $id, 'activitypub_user_id', false );
+		$post_meta = get_post_meta( $id, '_activitypub_user_id', false );
 
 		// phpcs:ignore WordPress.PHP.StrictInArray.MissingTrueStrict
 		if ( is_array( $post_meta ) && ! in_array( $user_id, $post_meta ) ) {
-			add_post_meta( $id, 'activitypub_user_id', $user_id );
+			add_post_meta( $id, '_activitypub_user_id', $user_id );
 			wp_cache_delete( sprintf( self::CACHE_KEY_INBOXES, $user_id ), 'activitypub' );
 		}
 
@@ -89,7 +89,7 @@ public static function remove_follower( $user_id, $actor ) {
 		 */
 		do_action( 'activitypub_followers_pre_remove_follower', $follower, $user_id, $actor );
 
-		return delete_post_meta( $follower->get__id(), 'activitypub_user_id', $user_id );
+		return delete_post_meta( $follower->get__id(), '_activitypub_user_id', $user_id );
 	}
 
 	/**
@@ -106,7 +106,7 @@ public static function get_follower( $user_id, $actor ) {
 		// phpcs:ignore WordPress.DB.DirectDatabaseQuery
 		$post_id = $wpdb->get_var(
 			$wpdb->prepare(
-				"SELECT DISTINCT p.ID FROM $wpdb->posts p INNER JOIN $wpdb->postmeta pm ON p.ID = pm.post_id WHERE p.post_type = %s AND pm.meta_key = 'activitypub_user_id' AND pm.meta_value = %d AND p.guid = %s",
+				"SELECT DISTINCT p.ID FROM $wpdb->posts p INNER JOIN $wpdb->postmeta pm ON p.ID = pm.post_id WHERE p.post_type = %s AND pm.meta_key = '_activitypub_user_id' AND pm.meta_value = %d AND p.guid = %s",
 				array(
 					esc_sql( self::POST_TYPE ),
 					esc_sql( $user_id ),
@@ -188,7 +188,7 @@ public static function get_followers_with_count( $user_id, $number = -1, $page =
 			// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query
 			'meta_query'     => array(
 				array(
-					'key'   => 'activitypub_user_id',
+					'key'   => '_activitypub_user_id',
 					'value' => $user_id,
 				),
 			),
@@ -219,11 +219,11 @@ public static function get_all_followers() {
 			'meta_query' => array(
 				'relation' => 'AND',
 				array(
-					'key'     => 'activitypub_inbox',
+					'key'     => '_activitypub_inbox',
 					'compare' => 'EXISTS',
 				),
 				array(
-					'key'     => 'activitypub_actor_json',
+					'key'     => '_activitypub_actor_json',
 					'compare' => 'EXISTS',
 				),
 			),
@@ -247,15 +247,15 @@ public static function count_followers( $user_id ) {
 				'meta_query' => array(
 					'relation' => 'AND',
 					array(
-						'key'   => 'activitypub_user_id',
+						'key'   => '_activitypub_user_id',
 						'value' => $user_id,
 					),
 					array(
-						'key'     => 'activitypub_inbox',
+						'key'     => '_activitypub_inbox',
 						'compare' => 'EXISTS',
 					),
 					array(
-						'key'     => 'activitypub_actor_json',
+						'key'     => '_activitypub_actor_json',
 						'compare' => 'EXISTS',
 					),
 				),
@@ -290,15 +290,15 @@ public static function get_inboxes( $user_id ) {
 				'meta_query' => array(
 					'relation' => 'AND',
 					array(
-						'key'     => 'activitypub_inbox',
+						'key'     => '_activitypub_inbox',
 						'compare' => 'EXISTS',
 					),
 					array(
-						'key'   => 'activitypub_user_id',
+						'key'   => '_activitypub_user_id',
 						'value' => $user_id,
 					),
 					array(
-						'key'     => 'activitypub_inbox',
+						'key'     => '_activitypub_inbox',
 						'value'   => '',
 						'compare' => '!=',
 					),
@@ -318,7 +318,7 @@ public static function get_inboxes( $user_id ) {
 			$wpdb->prepare(
 				"SELECT DISTINCT meta_value FROM {$wpdb->postmeta}
 				WHERE post_id IN (" . implode( ', ', array_fill( 0, count( $posts ), '%d' ) ) . ")
-				AND meta_key = 'activitypub_inbox'
+				AND meta_key = '_activitypub_inbox'
 				AND meta_value IS NOT NULL",
 				$posts
 			)
@@ -378,24 +378,24 @@ public static function get_faulty_followers( $number = 20 ) {
 			'meta_query'     => array(
 				'relation' => 'OR',
 				array(
-					'key'     => 'activitypub_errors',
+					'key'     => '_activitypub_errors',
 					'compare' => 'EXISTS',
 				),
 				array(
-					'key'     => 'activitypub_inbox',
+					'key'     => '_activitypub_inbox',
 					'compare' => 'NOT EXISTS',
 				),
 				array(
-					'key'     => 'activitypub_actor_json',
+					'key'     => '_activitypub_actor_json',
 					'compare' => 'NOT EXISTS',
 				),
 				array(
-					'key'     => 'activitypub_inbox',
+					'key'     => '_activitypub_inbox',
 					'value'   => '',
 					'compare' => '=',
 				),
 				array(
-					'key'     => 'activitypub_actor_json',
+					'key'     => '_activitypub_actor_json',
 					'value'   => '',
 					'compare' => '=',
 				),
@@ -437,7 +437,7 @@ public static function add_error( $post_id, $error ) {
 
 		return add_post_meta(
 			$post_id,
-			'activitypub_errors',
+			'_activitypub_errors',
 			$error_message
 		);
 	}

includes/model/class-follower.php

@@ -36,7 +36,7 @@ class Follower extends Actor {
 	 * @return mixed
 	 */
 	public function get_errors() {
-		return get_post_meta( $this->_id, 'activitypub_errors', false );
+		return get_post_meta( $this->_id, '_activitypub_errors', false );
 	}
 
 	/**
@@ -72,7 +72,7 @@ public function get_url() {
 	 * Reset (delete) all errors.
 	 */
 	public function reset_errors() {
-		delete_post_meta( $this->_id, 'activitypub_errors' );
+		delete_post_meta( $this->_id, '_activitypub_errors' );
 	}
 
 	/**
@@ -216,9 +216,9 @@ public function delete() {
 	 * Update the post meta.
 	 */
 	protected function get_post_meta_input() {
-		$meta_input                           = array();
-		$meta_input['activitypub_inbox']      = $this->get_shared_inbox();
-		$meta_input['activitypub_actor_json'] = $this->to_json();
+		$meta_input                            = array();
+		$meta_input['_activitypub_inbox']      = $this->get_shared_inbox();
+		$meta_input['_activitypub_actor_json'] = $this->to_json();
 
 		return $meta_input;
 	}
@@ -334,7 +334,7 @@ public function get_shared_inbox() {
 	 * @return \Activitypub\Activity\Base_Object|WP_Error
 	 */
 	public static function init_from_cpt( $post ) {
-		$actor_json = get_post_meta( $post->ID, 'activitypub_actor_json', true );
+		$actor_json = get_post_meta( $post->ID, '_activitypub_actor_json', true );
 		$object     = self::init_from_json( $actor_json );
 		$object->set__id( $post->ID );
 		$object->set_id( $post->guid );

includes/transformer/class-post.php

@@ -152,7 +152,7 @@ public function get_url() {
 
 		switch ( \get_post_status( $post ) ) {
 			case 'trash':
-				$permalink = \get_post_meta( $post->ID, 'activitypub_canonical_url', true );
+				$permalink = \get_post_meta( $post->ID, '_activitypub_canonical_url', true );
 				break;
 			case 'draft':
 				// Get_sample_permalink is in wp-admin, not always loaded.

integration/class-jetpack.php

@@ -35,9 +35,9 @@ public static function add_sync_meta( $allow_list ) {
 			return $allow_list;
 		}
 		$activitypub_meta_keys = array(
-			'activitypub_user_id',
-			'activitypub_inbox',
-			'activitypub_actor_json',
+			'_activitypub_user_id',
+			'_activitypub_inbox',
+			'_activitypub_actor_json',
 		);
 		return \array_merge( $allow_list, $activitypub_meta_keys );
 	}

readme.txt

@@ -135,6 +135,7 @@ For reasons of data protection, it is not possible to see the followers of other
 = Unreleased =
 
 * Added: A filter to make custom comment types manageable in WP.com Calypso
+* Changed: Hide ActivityPub post meta keys from the custom Fields UI
 * Fixed: Undefined array key warnings in various places
 
 = 4.6.0 =