Correctly set the post author in `wp_xmlrpc_server::mw_editPost()` when the current user is not the author of the post.

Props redsweater, markoheijnen, DrewAPicture
Fixes #24916


git-svn-id: https://develop.svn.wordpress.org/trunk@31983 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/class-wp-xmlrpc-server.php

@@ -4756,20 +4756,26 @@ class wp_xmlrpc_server extends IXR_Server {
 		$post_author = $postdata['post_author'];
 
 		// Only set the post_author if one is set.
-		if ( isset($content_struct['wp_author_id']) && ($user->ID != $content_struct['wp_author_id']) ) {
-			switch ( $post_type ) {
-				case 'post':
-					if ( !current_user_can('edit_others_posts') )
-						return new IXR_Error( 401, __( 'You are not allowed to change the post author as this user.' ) );
-					break;
-				case 'page':
-					if ( !current_user_can('edit_others_pages') )
-						return new IXR_Error( 401, __( 'You are not allowed to change the page author as this user.' ) );
-					break;
-				default:
-					return new IXR_Error( 401, __( 'Invalid post type' ) );
+		if ( isset( $content_struct['wp_author_id'] ) ) {
+			// Check permissions if attempting to switch author to or from another user.
+			if ( $user->ID != $content_struct['wp_author_id'] || $user->ID != $post_author ) {
+				switch ( $post_type ) {
+					case 'post':
+						if ( ! current_user_can( 'edit_others_posts' ) ) {
+							return new IXR_Error( 401, __( 'You are not allowed to change the post author as this user.' ) );
+						}
+						break;
+					case 'page':
+						if ( ! current_user_can( 'edit_others_pages' ) ) {
+							return new IXR_Error( 401, __( 'You are not allowed to change the page author as this user.' ) );
+						}
+						break;
+					default:
+						return new IXR_Error( 401, __( 'Invalid post type' ) );
+						break;
+				}
+				$post_author = $content_struct['wp_author_id'];
 			}
-			$post_author = $content_struct['wp_author_id'];
 		}
 
 		if ( isset($content_struct['mt_allow_comments']) ) {

tests/phpunit/tests/xmlrpc/mw/editPost.php

@@ -95,6 +95,25 @@ class Tests_XMLRPC_mw_editPost extends WP_XMLRPC_UnitTestCase {
 		$this->assertEquals( $contributor_id, $out->post_author );
 	}
 
+	/**
+	 * @ticket 24916
+	 */
+	function test_capable_reassign_author_to_self() {
+		$contributor_id = $this->make_user_by_role( 'contributor' );
+		$editor_id = $this->make_user_by_role( 'editor' );
+
+		$post = array( 'post_title' => 'Post test', 'post_author' => $contributor_id );
+		$post_id = wp_insert_post( $post );
+
+		$post2 = array( 'wp_author_id' => $editor_id );
+		$result = $this->myxmlrpcserver->mw_editPost( array( $post_id, 'editor', 'editor', $post2 ) );
+		$this->assertNotInstanceOf( 'IXR_Error', $result );
+		$this->assertTrue($result);
+
+		$out = get_post( $post_id );
+		$this->assertEquals( $editor_id, $out->post_author );
+	}
+	
 	function test_post_thumbnail() {
 		add_theme_support( 'post-thumbnails' );
 

tests/phpunit/tests/xmlrpc/wp/editPost.php

@@ -95,6 +95,25 @@ class Tests_XMLRPC_wp_editPost extends WP_XMLRPC_UnitTestCase {
 		$this->assertEquals( $contributor_id, $out->post_author );
 	}
 
+	/**
+	 * @ticket 24916
+	 */
+	function test_capable_reassign_author_to_self() {
+		$contributor_id = $this->make_user_by_role( 'contributor' );
+		$editor_id = $this->make_user_by_role( 'editor' );
+
+		$post = array( 'post_title' => 'Post test', 'post_author' => $contributor_id );
+		$post_id = wp_insert_post( $post );
+
+		$post2 = array( 'post_author' => $editor_id );
+		$result = $this->myxmlrpcserver->wp_editPost( array( 1, 'editor', 'editor', $post_id, $post2 ) );
+		$this->assertNotInstanceOf( 'IXR_Error', $result );
+		$this->assertTrue($result);
+
+		$out = get_post( $post_id );
+		$this->assertEquals( $editor_id, $out->post_author );
+	}
+	
 	function test_post_thumbnail() {
 		add_theme_support( 'post-thumbnails' );