Changeset 6504

Timestamp:

12/27/2007 10:30:18 PM (16 years ago)

Author:

ryan

Message:

Some xmlrpc cap checks from josephscott.

File:

• branches/2.3/xmlrpc.php (modified) (17 diffs)

branches/2.3/xmlrpc.php

@@ -187 +187 @@
             return($this->error);
         }
+
+        set_current_user( 0, $username );
+        if( !current_user_can( 'edit_page', $page_id ) )
+            return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) );
+
+        do_action('xmlrpc_call', 'wp.getPage');
 
         // Lookup page info.
@@ -269 +275 @@
         }
 
+        set_current_user( 0, $username );
+        if( !current_user_can( 'edit_pages' ) )
+            return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
+
+        do_action('xmlrpc_call', 'wp.getPages');
+
         // Lookup info on pages.
         $pages = get_pages();
@@ -427 +439 @@
         }
 
+        set_current_user( 0, $username );
+        if( !current_user_can( 'edit_pages' ) )
+            return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
+
+        do_action('xmlrpc_call', 'wp.getPageList');
+
         // Get list of pages ids and titles
         $page_list = $wpdb->get_results("
@@ -460 +478 @@
      */
     function wp_getAuthors($args) {
-        global $wpdb;
 
         $this->escape($args);
@@ -510 +527 @@
         // allowed to add a category.
         set_current_user(0, $username);
-        if(!current_user_can("manage_categories", $page_id)) {
+        if(!current_user_can("manage_categories")) {
             return(new IXR_Error(401, __("Sorry, you do not have the right to add a category.")));
         }
@@ -564 +581 @@
         }
 
+        set_current_user(0, $username);
+        if( !current_user_can( 'edit_posts' ) ) 
+            return new IXR_Error( 401, __( 'Sorry, you must be able to publish to this blog in order to view categories.' ) );
+
+        do_action('xmlrpc_call', 'wp.suggestCategories');
+
         $args = array('get' => 'all', 'number' => $max_results, 'name__like' => $category);
         $category_suggestions = get_categories($args);
@@ -614 +637 @@
         }
 
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_posts' ) ) 
+            return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) );
+
+        do_action('xmlrpc_call', 'blogger.getUserInfo');
+
         $user_data = get_userdatabylogin($user_login);
 
@@ -620 +649 @@
             'userid'    => $user_data->ID,
             'url'       => $user_data->user_url,
-            'email'     => $user_data->user_email,
             'lastname'  => $user_data->last_name,
             'firstname' => $user_data->first_name
@@ -642 +670 @@
         }
 
-        $user_data = get_userdatabylogin($user_login);
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_post', $post_ID ) ) 
+            return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
+
+        do_action('xmlrpc_call', 'blogger.getPost');
+
         $post_data = wp_get_single_post($post_ID, ARRAY_A);
 
@@ -680 +713 @@
         $posts_list = wp_get_recent_posts($num_posts);
 
+        set_current_user( 0, $user_login );
+
         if (!$posts_list) {
             $this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.'));
@@ -686 +721 @@
 
         foreach ($posts_list as $entry) {
+            if( !current_user_can( 'edit_post', $entry['ID'] ) )
+                continue;
 
             $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
@@ -1345 +1382 @@
     function mw_getPost($args) {
 
-      global $wpdb;
-
-        $this->escape($args);
-
-      $post_ID     = (int) $args[0];
-      $user_login  = $args[1];
-      $user_pass   = $args[2];
-
-      if (!$this->login_pass_ok($user_login, $user_pass)) {
-        return $this->error;
-      }
-
-      $postdata = wp_get_single_post($post_ID, ARRAY_A);
-
-      if ($postdata['post_date'] != '') {
-
-        $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']);
-        $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']);
-
-        $categories = array();
-        $catids = wp_get_post_categories($post_ID);
-        foreach($catids as $catid) {
-          $categories[] = get_cat_name($catid);
-        }
-
-        $tagnames = array();
-        $tags = wp_get_post_tags( $post_ID );
-        if ( !empty( $tags ) ) {
-            foreach ( $tags as $tag ) {
-                $tagnames[] = $tag->name;
-            }
-            $tagnames = implode( ', ', $tagnames );
+        global $wpdb;
+
+        $this->escape($args);
+
+        $post_ID     = (int) $args[0];
+        $user_login  = $args[1];
+        $user_pass   = $args[2];
+
+        if (!$this->login_pass_ok($user_login, $user_pass)) {
+            return $this->error;
+        }
+
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_post', $post_ID ) )
+            return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
+
+        do_action('xmlrpc_call', 'metaWeblog.getPost');
+
+        $postdata = wp_get_single_post($post_ID, ARRAY_A);
+
+        if ($postdata['post_date'] != '') {
+            $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']);
+            $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']);
+
+            $categories = array();
+            $catids = wp_get_post_categories($post_ID);
+            foreach($catids as $catid) {
+                $categories[] = get_cat_name($catid);
+            }
+
+            $tagnames = array();
+            $tags = wp_get_post_tags( $post_ID );
+            if ( !empty( $tags ) ) {
+                foreach ( $tags as $tag ) {
+                    $tagnames[] = $tag->name;
+                }
+                $tagnames = implode( ', ', $tagnames );
+            } else {
+                $tagnames = '';
+            }
+
+            $post = get_extended($postdata['post_content']);
+            $link = post_permalink($postdata['ID']);
+
+            // Get the author info.
+            $author = get_userdata($postdata['post_author']);
+
+            $allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0;
+            $allow_pings = ('open' == $postdata['ping_status']) ? 1 : 0;
+
+            $resp = array(
+                'dateCreated' => new IXR_Date($post_date),
+                'userid' => $postdata['post_author'],
+                'postid' => $postdata['ID'],
+                'description' => $post['main'],
+                'title' => $postdata['post_title'],
+                'link' => $link,
+                'permaLink' => $link,
+                // commented out because no other tool seems to use this
+                //        'content' => $entry['post_content'],
+                'categories' => $categories,
+                'mt_excerpt' => $postdata['post_excerpt'],
+                'mt_text_more' => $post['extended'],
+                'mt_allow_comments' => $allow_comments,
+                'mt_allow_pings' => $allow_pings,
+                'mt_keywords' => $tagnames,
+                'wp_slug' => $postdata['post_name'],
+                'wp_password' => $postdata['post_password'],
+                'wp_author_id' => $author->ID,
+                'wp_author_display_name'    => $author->display_name,
+                'date_created_gmt' => new IXR_Date($post_date_gmt)
+            );
+
+            return $resp;
         } else {
-            $tagnames = '';
-        }
-
-        $post = get_extended($postdata['post_content']);
-        $link = post_permalink($postdata['ID']);
-
-        // Get the author info.
-        $author = get_userdata($postdata['post_author']);
-
-        $allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0;
-        $allow_pings = ('open' == $postdata['ping_status']) ? 1 : 0;
-
-        $resp = array(
-          'dateCreated' => new IXR_Date($post_date),
-          'userid' => $postdata['post_author'],
-          'postid' => $postdata['ID'],
-          'description' => $post['main'],
-          'title' => $postdata['post_title'],
-          'link' => $link,
-          'permaLink' => $link,
-// commented out because no other tool seems to use this
-//        'content' => $entry['post_content'],
-          'categories' => $categories,
-          'mt_excerpt' => $postdata['post_excerpt'],
-          'mt_text_more' => $post['extended'],
-          'mt_allow_comments' => $allow_comments,
-          'mt_allow_pings' => $allow_pings,
-          'mt_keywords' => $tagnames,
-          'wp_slug' => $postdata['post_name'],
-          'wp_password' => $postdata['post_password'],
-          'wp_author_id' => $author->ID,
-          'wp_author_display_name'  => $author->display_name,
-          'date_created_gmt' => new IXR_Date($post_date_gmt)
-        );
-
-        return $resp;
-      } else {
-        return new IXR_Error(404, __('Sorry, no such post.'));
-      }
+            return new IXR_Error(404, __('Sorry, no such post.'));
+        }
     }
 
@@ -1441 +1483 @@
         }
 
-        $this_user = set_current_user( 0, $user_login );
+        set_current_user( 0, $user_login );
 
         foreach ($posts_list as $entry) {
-            if ( 
-                !empty( $entry['post_password'] ) 
-                && !current_user_can( 'edit_post', $entry['ID'] )
-            ) {
-                unset( $entry['post_password'] );
-            }
+            if( !current_user_can( 'edit_post', $entry['ID'] ) )
+                continue;
 
             $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
@@ -1529 +1567 @@
         }
 
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_posts' ) )
+            return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
+
+        do_action('xmlrpc_call', 'metaWeblog.getCategories');
+
         $categories_struct = array();
 
@@ -1648 +1692 @@
         }
 
+        set_current_user( 0, $user_login );
+
         foreach ($posts_list as $entry) {
+            if( !current_user_can( 'edit_post', $entry['ID'] ) ) 
+                continue;
 
             $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
@@ -1687 +1735 @@
         }
 
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_posts' ) )
+            return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
+
+        do_action('xmlrpc_call', 'mt.getCategoryList');
+
         $categories_struct = array();
 
-        // FIXME: can we avoid using direct SQL there?
         if ( $cats = get_categories('hide_empty=0&hierarchical=0') ) {
             foreach ($cats as $cat) {
@@ -1715 +1768 @@
             return $this->error;
         }
+
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_post', $post_ID ) )
+            return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
+
+        do_action('xmlrpc_call', 'mt.getPostCategories');
 
         $categories = array();