Ticket #5313: xmlrpc.php.2.diff

File xmlrpc.php.2.diff, 3.2 kB (added by josephscott, 9 months ago)
Make sure cap checks happen

xmlrpc.php

old	new
1128	1128	if (!$this->login_pass_ok($user_login, $user_pass)) {
1129	1129	return $this->error;
1130	1130	}
	1131	$user = set_current_user(0, $user_login);
1131	1132
1132	1133	do_action('xmlrpc_call', 'metaWeblog.newPost');
1133	1134
1134		$cap = ($publish) ? 'publish_posts' : 'edit_posts';
1135		$user = set_current_user(0, $user_login);
1136		if ( !current_user_can($cap) )
1137		return new IXR_Error(401, __('Sorry, you are not allowed to post on this blog.'));
	1135	$cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
	1136	$error_message = __( 'Sorry, you are not allowed to publish posts on this blog.' );
	1137	$post_type = 'post';
	1138	if( !empty( $content_struct['post_type'] ) ) {
	1139	if( $content_struct['post_type'] == 'page' ) {
	1140	$cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
	1141	$error_message = __( 'Sorry, you are not allowed to publish pages on this blog.' );
	1142	$post_type = 'page';
	1143	}
	1144	elseif( $content_type['post_type'] == 'post' ) {
	1145	// This is the default, no changes needed
	1146	}
	1147	else {
	1148	// No other post_type values are allowed here
	1149	return new IXR_Error( 401, __( 'Invalid post type.' ) );
	1150	}
	1151	}
1138	1152
1139		// The post_type defaults to post, but could also be page.
1140		$post_type = "post";
1141		if(
1142		!empty($content_struct["post_type"])
1143		&& ($content_struct["post_type"] == "page")
1144		) {
1145		$post_type = "page";
	1153	if( !current_user_can( $cap ) ) {
	1154	return new IXR_Error( 401, $error_message );
1146	1155	}
1147	1156
1148	1157	// Let WordPress generate the post_name (slug) unless
…	…
1368	1377	if (!$this->login_pass_ok($user_login, $user_pass)) {
1369	1378	return $this->error;
1370	1379	}
	1380	$user = set_current_user(0, $user_login);
1371	1381
1372	1382	do_action('xmlrpc_call', 'metaWeblog.editPost');
1373	1383
1374		$user = set_current_user(0, $user_login);
1375
1376		// The post_type defaults to post, but could also be page.
1377		$post_type = "post";
1378		if(
1379		!empty($content_struct["post_type"])
1380		&& ($content_struct["post_type"] == "page")
1381		) {
1382		if( !current_user_can( 'edit_page', $post_ID ) ) {
1383		return(new IXR_Error(401, __("Sorry, you do not have the right to edit this page.")));
	1384	$cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
	1385	$error_message = __( 'Sorry, you are not allowed to publish posts on this blog.' );
	1386	$post_type = 'post';
	1387	if( !empty( $content_struct['post_type'] ) ) {
	1388	if( $content_struct['post_type'] == 'page' ) {
	1389	$cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
	1390	$error_message = __( 'Sorry, you are not allowed to publish pages on this blog.' );
	1391	$post_type = 'page';
1384	1392	}
	1393	elseif( $content_type['post_type'] == 'post' ) {
	1394	// This is the default, no changes needed
	1395	}
	1396	else {
	1397	// No other post_type values are allowed here
	1398	return new IXR_Error( 401, __( 'Invalid post type.' ) );
	1399	}
	1400	}
1385	1401
1386		$post_type = "page";
	1402	if( !current_user_can( $cap ) ) {
	1403	return new IXR_Error( 401, $error_message );
1387	1404	}
1388	1405
1389		~~if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )~~
1390		~~return new IXR_Error(401, __('Sorry, you can not edit this post.'));~~
1391
1392	1406	$postdata = wp_get_single_post($post_ID, ARRAY_A);
1393	1407
1394	1408	// If there is no post data for the give post id, stop

Download in other formats:

Original Format