From 5b9e7c07ba65cbbd4e31e8d3a8285f16b7ffe7c1 Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Mon, 23 Apr 2012 21:54:30 +0000
Subject: [PATCH] Check the publish_post cap when publishing an already existing post. Props nprasath002 Fixes #20474
git-svn-id: https://develop.svn.wordpress.org/trunk@20568 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/class-wp-xmlrpc-server.php | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php
index be7b4f5b54..b7783ff817 100644
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -785,13 +785,23 @@ class wp_xmlrpc_server extends IXR_Server {
 case 'pending':
 break;
 case 'private':
- if ( ! current_user_can( $post_type->cap->publish_posts ) )
- return new IXR_Error( 401, __( 'Sorry, you are not allowed to create private posts in this post type' ));
+ if ( $update ) {
+ if ( ! current_user_can( $post_type->cap->publish_post, $post_data[ 'ID' ] ) )
+ return new IXR_Error( 401, __( 'Sorry, you are not allowed to set this post as private.' ) );
+ } else {
+ if ( ! current_user_can( $post_type->cap->publish_posts ) )
+ return new IXR_Error( 401, __( 'Sorry, you are not allowed to create private posts in this post type' ));
+ }
 break;
 case 'publish':
 case 'future':
- if ( ! current_user_can( $post_type->cap->publish_posts ) )
- return new IXR_Error( 401, __( 'Sorry, you are not allowed to publish posts in this post type' ));
+ if ( $update ) {
+ if ( ! current_user_can( $post_type->cap->publish_post, $post_data[ 'ID' ] ) )
+ return new IXR_Error( 401, __( 'Sorry, you are not allowed to publish this post.' ) );
+ } else {
+ if ( ! current_user_can( $post_type->cap->publish_posts ) )
+ return new IXR_Error( 401, __( 'Sorry, you are not allowed to publish posts in this post type' ));
+ }
 break;
 default:
 $post_data['post_status'] = 'draft';
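Review bot: In both update branches (`private` and `publish`/`future`) the capability name is read from `$post_type->cap->publish_post`, and as far as I know the post type capability object carries the primitive `publish_posts` plus the `edit_post`/`read_post`/`delete_post` meta caps but no `publish_post` property. If that holds, the lookup evaluates to null and the outcome depends on how `current_user_can()` treats an empty capability rather than on the per-post check the commit intends; this should be confirmed against the cap object definition, which is outside this hunk. Passing the meta capability by name keeps the check well-defined: `if ( ! current_user_can( 'publish_post', $post_data['ID'] ) )`. `$update` and `$post_data['ID']` are set earlier in the enclosing method, which starts and ends outside the hunk, so it is also worth confirming that the ID has been validated as an existing post of this type before it reaches the capability check.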