More cap checks from josephscott. see #5313
git-svn-id: https://develop.svn.wordpress.org/trunk@6714 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
090e465ffd
commit
7c3373aae6
64
xmlrpc.php
64
xmlrpc.php
@ -1128,21 +1128,30 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||||||
if (!$this->login_pass_ok($user_login, $user_pass)) {
|
if (!$this->login_pass_ok($user_login, $user_pass)) {
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
$user = set_current_user(0, $user_login);
|
||||||
|
|
||||||
do_action('xmlrpc_call', 'metaWeblog.newPost');
|
do_action('xmlrpc_call', 'metaWeblog.newPost');
|
||||||
|
|
||||||
$cap = ($publish) ? 'publish_posts' : 'edit_posts';
|
$cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
|
||||||
$user = set_current_user(0, $user_login);
|
$error_message = __( 'Sorry, you are not allowed to publish posts on this blog.' );
|
||||||
if ( !current_user_can($cap) )
|
$post_type = 'post';
|
||||||
return new IXR_Error(401, __('Sorry, you are not allowed to post on this blog.'));
|
if( !empty( $content_struct['post_type'] ) ) {
|
||||||
|
if( $content_struct['post_type'] == 'page' ) {
|
||||||
|
$cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
|
||||||
|
$error_message = __( 'Sorry, you are not allowed to publish pages on this blog.' );
|
||||||
|
$post_type = 'page';
|
||||||
|
}
|
||||||
|
elseif( $content_type['post_type'] == 'post' ) {
|
||||||
|
// This is the default, no changes needed
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
// No other post_type values are allowed here
|
||||||
|
return new IXR_Error( 401, __( 'Invalid post type.' ) );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// The post_type defaults to post, but could also be page.
|
if( !current_user_can( $cap ) ) {
|
||||||
$post_type = "post";
|
return new IXR_Error( 401, $error_message );
|
||||||
if(
|
|
||||||
!empty($content_struct["post_type"])
|
|
||||||
&& ($content_struct["post_type"] == "page")
|
|
||||||
) {
|
|
||||||
$post_type = "page";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Let WordPress generate the post_name (slug) unless
|
// Let WordPress generate the post_name (slug) unless
|
||||||
@ -1368,27 +1377,32 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||||||
if (!$this->login_pass_ok($user_login, $user_pass)) {
|
if (!$this->login_pass_ok($user_login, $user_pass)) {
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
$user = set_current_user(0, $user_login);
|
||||||
|
|
||||||
do_action('xmlrpc_call', 'metaWeblog.editPost');
|
do_action('xmlrpc_call', 'metaWeblog.editPost');
|
||||||
|
|
||||||
$user = set_current_user(0, $user_login);
|
$cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
|
||||||
|
$error_message = __( 'Sorry, you are not allowed to publish posts on this blog.' );
|
||||||
// The post_type defaults to post, but could also be page.
|
$post_type = 'post';
|
||||||
$post_type = "post";
|
if( !empty( $content_struct['post_type'] ) ) {
|
||||||
if(
|
if( $content_struct['post_type'] == 'page' ) {
|
||||||
!empty($content_struct["post_type"])
|
$cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
|
||||||
&& ($content_struct["post_type"] == "page")
|
$error_message = __( 'Sorry, you are not allowed to publish pages on this blog.' );
|
||||||
) {
|
$post_type = 'page';
|
||||||
if( !current_user_can( 'edit_page', $post_ID ) ) {
|
}
|
||||||
return(new IXR_Error(401, __("Sorry, you do not have the right to edit this page.")));
|
elseif( $content_type['post_type'] == 'post' ) {
|
||||||
|
// This is the default, no changes needed
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
// No other post_type values are allowed here
|
||||||
|
return new IXR_Error( 401, __( 'Invalid post type.' ) );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$post_type = "page";
|
if( !current_user_can( $cap ) ) {
|
||||||
|
return new IXR_Error( 401, $error_message );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )
|
|
||||||
return new IXR_Error(401, __('Sorry, you can not edit this post.'));
|
|
||||||
|
|
||||||
$postdata = wp_get_single_post($post_ID, ARRAY_A);
|
$postdata = wp_get_single_post($post_ID, ARRAY_A);
|
||||||
|
|
||||||
// If there is no post data for the give post id, stop
|
// If there is no post data for the give post id, stop
|
||||||
|
Loading…
Reference in New Issue
Block a user