From 0a1b37428386510d4cdaa429cc43906fddf9aabf Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Thu, 7 Mar 2013 06:52:37 +0000
Subject: [PATCH] XML-RPC: Return an error for getRecentPosts (mw and blogger) if the user does not have edit_posts. props redsweater. fixes #22320.
git-svn-id: https://develop.svn.wordpress.org/trunk@23636 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/class-wp-xmlrpc-server.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php
index e17a3b58d7..6f4e6cf901 100644
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -3784,6 +3784,9 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( !$user = $this->login($username, $password) )
 return $this->error;
 
+ if ( ! current_user_can( 'edit_posts' ) )
+ return new IXR_Error( 401, __( 'Sorry, you cannot edit posts on this site.' ) );
+
 do_action('xmlrpc_call', 'blogger.getRecentPosts');
 
 $posts_list = wp_get_recent_posts( $query );
@@ -4757,6 +4760,9 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( !$user = $this->login($username, $password) )
 return $this->error;
 
+ if ( ! current_user_can( 'edit_posts' ) )
+ return new IXR_Error( 401, __( 'Sorry, you cannot edit posts on this site.' ) );
+
 do_action('xmlrpc_call', 'metaWeblog.getRecentPosts');
 
 $posts_list = wp_get_recent_posts( $query );
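Review bot: The new `current_user_can( 'edit_posts' )` check returns before `do_action('xmlrpc_call', 'blogger.getRecentPosts')`, so a call rejected for a missing capability never reaches code hooked on `xmlrpc_call`. If that action is used to log or throttle XML-RPC use, requests from authenticated accounts that lack the capability stay invisible to it. The `metaWeblog.getRecentPosts` hunk has the same ordering. If the ordering is deliberate, a comment such as `// Capability check runs before the xmlrpc_call action; denied calls are not reported to it.` above each check would record that. The check also reads the global current user rather than the `$user` returned by `login()`, which presumably sets it (not visible here); both enclosing methods start and end outside the hunks.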