From 56d04b7f006dbdbbd259b36b3303449773974010 Mon Sep 17 00:00:00 2001
From: Tetrakern <26898880+Tetrakern@users.noreply.github.com>
Date: Tue, 6 Feb 2024 12:14:08 +0100
Subject: [PATCH] Update INSTALLATION.md

---
 INSTALLATION.md | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/INSTALLATION.md b/INSTALLATION.md
index 609af5ff..b277cc98 100644
--- a/INSTALLATION.md
+++ b/INSTALLATION.md
@@ -1131,11 +1131,12 @@ You can then append missing meta fields with value `0` under **Fictioneer > Tool
  * Filters sticky stories to the top and accounts for missing meta fields
  *
  * @since 5.7.3
+ * @since 5.9.4 - Check orderby by components, extend allow list.
  *
  * @param array    $clauses   An associative array of WP_Query SQL clauses.
  * @param WP_Query $wp_query  The WP_Query instance.
  *
- * @return string The updated SQL clauses.
+ * @return string The updated or unchanged SQL clauses.
  */
 
 function fictioneer_clause_sticky_stories( $clauses, $wp_query ) {
@@ -1144,12 +1145,14 @@ function fictioneer_clause_sticky_stories( $clauses, $wp_query ) {
   // Setup
   $vars = $wp_query->query_vars;
   $allowed_queries = ['stories_list', 'latest_stories', 'latest_stories_compact', 'author_stories'];
-  $allowed_orderby = ['', 'date', 'modified', 'title', 'meta_value', 'meta_value date', 'meta_value modified', 'meta_value title'];
+  $allowed_orderby = ['', 'date', 'modified', 'title', 'meta_value', 'name', 'ID', 'post__in'];
+  $given_orderby = $vars['orderby'] ?? [''];
+  $given_orderby = is_array( $given_orderby ) ? $given_orderby : explode( ' ', $vars['orderby'] );
 
-  // Return if wrong query
+  // Return if query is not allowed
   if (
     ! in_array( $vars['fictioneer_query_name'] ?? 0, $allowed_queries ) ||
-    ! in_array( $vars['orderby'] ?? '', $allowed_orderby )
+    ! empty( array_diff( $given_orderby, $allowed_orderby ) )
   ) {
     return $clauses;
   }