Ticket #5534 (closed defect: fixed)

Opened 4 months ago

Last modified 4 months ago

Limit XML-RPC method wp.getAuthors to only return user_id, user_login and display_name & add capability check (edit_posts)

Reported by: josephscott
Assigned to: anonymous
Priority: normal
Milestone: 2.5
Component: XML-RPC
Version: 2.3.2
Severity: normal
Keywords: has-patch
Cc: josephscott

Description

The wp.getAuthors method just returns all of the data provided by get_users_of_blog(); we should limit it to just specific useful information. In this case, information that is needed and helpful for setting the post author: user_id, user_login and display_name.

Also add a capability check; at a minimum, the user should be able to edit posts. If you can't even do that then there really isn't any reason to expose the list of authors on a blog.

Attachments

xmlrpc.php.diff (0.7 kB) - added by josephscott on 12/26/07 18:24:36.
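
The two changes requested in the description, a capability gate followed by a field allowlist, shown as a standalone PHP sketch. This is an added example, not the attached xmlrpc.php.diff and not WordPress core code. The helper name get_authors_limited, the error array shape, and the extra user_email and meta_value columns in the sample rows are assumptions made for illustration.

```php
<?php
// Added illustration; not the attached patch and not WordPress core code.
// Allowlist taken from the ticket description.
const AUTHOR_FIELDS = ['user_id', 'user_login', 'display_name'];

/**
 * Hypothetical helper: return the author list, or an error array when the
 * caller lacks the edit_posts capability.
 *
 * @param array    $rows User rows as objects (stand-in for get_users_of_blog() output).
 * @param callable $can  Capability check (stand-in for current_user_can()).
 */
function get_authors_limited(array $rows, callable $can): array
{
    // Authorize before any user data is read into the response.
    if (!$can('edit_posts')) {
        // Constructed error shape; a real handler would return its own fault type.
        return ['error' => 401, 'message' => 'insufficient capability: edit_posts'];
    }

    $authors = [];
    foreach ($rows as $row) {
        $author = [];
        // Copy only allowlisted fields; columns added to the query later
        // stay out of the response unless they are listed here.
        foreach (AUTHOR_FIELDS as $field) {
            $author[$field] = $row->$field ?? null;
        }
        $authors[] = $author;
    }
    return $authors;
}

// Constructed sample rows; user_email and meta_value are assumed extra columns.
$rows = [
    (object) ['user_id' => 1, 'user_login' => 'admin', 'display_name' => 'Site Admin',
              'user_email' => 'admin@example.com', 'meta_value' => 'constructed-capabilities'],
    (object) ['user_id' => 2, 'user_login' => 'jdoe', 'display_name' => 'J. Doe',
              'user_email' => 'jdoe@example.com', 'meta_value' => 'constructed-capabilities'],
];

// Caller without edit_posts: receives the error and no user data.
var_dump(get_authors_limited($rows, fn($cap) => false));
// Caller with edit_posts: receives only the three allowlisted fields per user.
var_dump(get_authors_limited($rows, fn($cap) => $cap === 'edit_posts'));
```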

Change History

12/26/07 18:24:36 changed by josephscott

  • attachment xmlrpc.php.diff added.

12/26/07 19:42:01 changed by josephscott

  • version changed from 2.4 to 2.3.2.
  • milestone changed from 2.5 to 2.4.

12/26/07 19:54:36 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [6498]) Limit what getAuthors exposes. Props josephscott for the patch and xknown for the find. fixes #5534 for 2.4

12/26/07 19:56:24 changed by ryan

(In [6499]) Limit what getAuthors exposes. Props josephscott for the patch and xknown for the find. fixes #5534 for 2.3