The logic here is incorrect:
// Verify this came from the our screen and with proper authorization, because save_post can be triggered at other times
if ( !isset( $_POST['mrlpt_client_check'] ) && !wp_verify_nonce( $_POST['mrlpt_client_check'], 'mrlpt_submit_client' ) ) {
return;
}
This reads if the $_POST['mrlpt_client_check'] is not set and is invalid – return. You want it to read if $_POST['mrlpt_client_check'] is not set or it is invalid – return.
So when $_POST['mrlpt_client_check'] is not set it then checks
wp_verify_nonce( $_POST['mrlpt_client_check'], 'mrlpt_submit_client' )
which throws an error because the first argument is referencing an key that doesn’t exist. Your use of the nonce is correct:
wp_nonce_field( 'mrlpt_submit_client', 'mrlpt_client_check' );
So if the metabox is not saving you may want to check what is being posted
function save_client_metadata( $client_post_id ) {
// Verify if this is an auto save routine.
if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE )
return;
wp_die(var_dump($_POST));
}
I’m not sure what would cause your mrlpt_client_check nonce to not be posted, but you may want to include what includes/mrlpt-client-form.php contains in your question.
Edit
To check permissions:
function save_client_metadata( $post_id ) {
// Verify if this is an auto save routine.
if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE )
return;
//Check that this post is of type 'post'
if( 'post' != get_post_type( $post->ID ) )
return;
//Check permissions
if ( !current_user_can_for_blog( $blog_id, 'publish-post' ) )
wp_die( 'Insufficient privileges: Sorry, you do not have access to this page.' )
//Check nonce named mrlpt_client_check
if ( !isset( $_POST['mrlpt_client_check'] ) || !wp_verify_nonce( $_POST['mrlpt_client_check'], 'mrlpt_submit_client' ) )
return
//Validate data as necessary
}