From 87b8d6d5588817927d456abf0f502df6110a326f Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Wed, 21 Mar 2007 22:15:20 +0000
Subject: [PATCH] Check for publish caps when editing via xmlrpc.
git-svn-id: https://develop.svn.wordpress.org/trunk@5074 602fd350-edb4-49c9-b593-d223f7449a82
---
 xmlrpc.php | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/xmlrpc.php b/xmlrpc.php
index 58d8806be2..9126a8cfea 100644
--- a/xmlrpc.php
+++ b/xmlrpc.php
@@ -846,6 +846,9 @@ class wp_xmlrpc_server extends IXR_Server {
 extract($actual_post);
+ if ( ('publish' == $post_status) && !current_user_can('publish_posts') )
+ return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.');
+
 $post_title = xmlrpc_getposttitle($content);
 $post_category = xmlrpc_getpostcategory($content);
 $post_content = xmlrpc_removepostdata($content);
@@ -1072,12 +1075,6 @@ class wp_xmlrpc_server extends IXR_Server {
 }
 set_current_user(0, $user_login);
- if ( !current_user_can('edit_post', $post_ID) )
- return new IXR_Error(401, 'Sorry, you can not edit this post.');
-
- $postdata = wp_get_single_post($post_ID, ARRAY_A);
- extract($postdata);
- $this->escape($postdata);
 // The post_type defaults to post, but could also be page.
 $post_type = "post";
@@ -1088,6 +1085,14 @@ class wp_xmlrpc_server extends IXR_Server {
 $post_type = "page";
 }
+ // Edit page caps are checked in editPage. Just check post here.
+ if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )
+ return new IXR_Error(401, 'Sorry, you can not edit this post.');
+
+ $postdata = wp_get_single_post($post_ID, ARRAY_A);
+ extract($postdata);
+ $this->escape($postdata);
+
 // Let WordPress manage slug if none was provided.
 $post_name = "";
 if(!empty($content_struct["wp_slug"])) {
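Review bot: The new `publish_posts` check in the hunk at 846 reads `$post_status` immediately after `extract($actual_post)`, so if `$actual_post` is the stored post row the condition tests whether the post is already published rather than whether this edit is promoting it to 'publish'; the enclosing method starts outside the hunk, so where `$post_status` comes from cannot be confirmed here. If the caller's publish flag is what should gate the capability, derive it explicitly after the extract, e.g. `$post_status = $publish ? 'publish' : 'draft';` as the hunk at 1164 already does, and test that value. Reading `$actual_post['post_status']` directly in the condition instead of relying on `extract()` would also make visible at the call site which value is being checked.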
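Review bot: In the hunk at 1085 the `edit_post` check is skipped whenever `$post_type` is "page", but `$post_type` is assigned in the lines between this hunk and the previous one, which are not visible; if it is taken from the request (`$content_struct`) rather than from the stored post, a caller who names the type "page" reaches `wp_get_single_post`, `extract` and `$this->escape` with no capability check in this method, relying only on the comment's promise that editPage checks. Gating on a caller-supplied type is fragile; either check the page capability here as well, `if ( ( 'page' == $post_type ) && !current_user_can('edit_pages') ) return new IXR_Error(401, 'Sorry, you can not edit this page.');`, or fetch `$postdata` before the check and decide on its stored `post_type` column. The hunk at 1075 removes the previously unconditional form of this check, so the two hunks together are the change to reason about; the enclosing method continues outside both.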
@@ -1159,6 +1164,13 @@ class wp_xmlrpc_server extends IXR_Server {
 $post_more = $content_struct['mt_text_more'];
 $post_status = $publish ? 'publish' : 'draft';
+ if ( ('publish' == $post_status) ) {
+ if ( ( 'page' == $post_type ) && !current_user_can('publish_pages') )
+ return new IXR_Error(401, 'Sorry, you do not have the right to publish this page.');
+ else if ( !current_user_can('publish_posts') )
+ return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.');
+ }
+
 if ($post_more) {
 $post_content = $post_content . "\n\n" . $post_more;
 }
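Review bot: The `else if` on the `publish_posts` line rejects a page author who holds `publish_pages` but not `publish_posts`: for a page whose author has `publish_pages` the first condition is false, so control falls into the second branch and the post capability is demanded as well. Select the capability by type before testing it, e.g. `$publish_cap = ( 'page' == $post_type ) ? 'publish_pages' : 'publish_posts';` followed by `if ( !current_user_can($publish_cap) )` and `return new IXR_Error(401, "Sorry, you do not have the right to publish this $post_type.");`, so each type is checked against exactly one capability. The enclosing method continues outside the hunk.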