From e690aa50adea4adfa6beffda8c68825d3989f06f Mon Sep 17 00:00:00 2001
From: Scott Taylor
Date: Sun, 19 Jul 2015 18:08:55 +0000
Subject: [PATCH] Ensure that private posts cannot be made sticky via Quick Edit.
DRY the logic for stickies in `wp_xmlrpc_server` by introducing `->_toggle_sticky()`.
Props wonderboymusic, obenland, chriscct7. Fixes #20662.
git-svn-id: https://develop.svn.wordpress.org/trunk@33325 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/ajax-actions.php | 6 +-
 src/wp-includes/class-wp-xmlrpc-server.php | 71 +++++++++++++++-------
 2 files changed, 53 insertions(+), 24 deletions(-)
diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index df90b97a45..b5bcd32d7d 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -1567,10 +1567,12 @@ function wp_ajax_inline_save() {
 $data['parent_id'] = $data['post_parent'];
 // Status.
- if ( isset($data['keep_private']) && 'private' == $data['keep_private'] )
+ if ( isset( $data['keep_private'] ) && 'private' == $data['keep_private'] ) {
+ $data['visibility'] = 'private';
 $data['post_status'] = 'private';
- else
+ } else {
 $data['post_status'] = $data['_status'];
+ }
 if ( empty($data['comment_status']) )
 $data['comment_status'] = 'closed';
diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php
index 0573b71490..38b084dbc5 100644
--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
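Review bot: The new `$data['visibility'] = 'private';` line signals only the private case, while the `_toggle_sticky()` helper introduced in the same commit also refuses to stick password-protected posts; Quick Edit's own password field gets no matching signal in this hunk. If the downstream sticky check keys off `visibility` (presumably so, since that is the only field this hunk adds), a Quick Edit that sets a password and sticky together is not covered by this fix, which is worth confirming against the code that consumes `visibility`. Since the condition line is being rewritten anyway, `'private' == $data['keep_private']` could become `'private' === $data['keep_private']`. wp_ajax_inline_save continues outside the hunk.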
@@ -1192,6 +1192,40 @@ class wp_xmlrpc_server extends IXR_Server {
 return $count > 1;
 }
+ /**
+ * @since 4.3.0
+ *
+ * @param array $post_data
+ * @param bool $update
+ * @return void|IXR_Error
+ */
+ private function _toggle_sticky( $post_data, $update = false ) {
+ $post_type = get_post_type_object( $post_data['post_type'] );
+
+ // Private and password-protected posts cannot be stickied.
+ if ( 'private' === $post_data['post_status'] || ! empty( $post_data['post_password'] ) ) {
+ // Error if the client tried to stick the post, otherwise, silently unstick.
+ if ( ! empty( $post_data['sticky'] ) ) {
+ return new IXR_Error( 401, __( 'Sorry, you cannot stick a private post.' ) );
+ }
+
+ if ( $update ) {
+ unstick_post( $post_data['ID'] );
+ }
+ } elseif ( isset( $post_data['sticky'] ) ) {
+ if ( ! current_user_can( $post_type->cap->edit_others_posts ) ) {
+ return new IXR_Error( 401, __( 'Sorry, you are not allowed to stick this post.' ) );
+ }
+
+ $sticky = wp_validate_boolean( $post_data['sticky'] );
+ if ( $sticky ) {
+ stick_post( $post_data['ID'] );
+ } else {
+ unstick_post( $post_data['ID'] );
+ }
+ }
+ }
+
 /**
 * Helper method for wp_newPost() and wp_editPost(), containing shared logic.
 *
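Review bot: The two branches of `_toggle_sticky()` read `$post_data['sticky']` differently: the private/password branch tests `! empty()`, so a client sending the string `'false'` for a private post gets the 401 "cannot stick a private post" error, whereas the same value on a public post goes through `wp_validate_boolean()` and unsticks. Normalising once at the top, `$sticky = isset( $post_data['sticky'] ) ? wp_validate_boolean( $post_data['sticky'] ) : null;`, and testing `$sticky` in both branches would make the paths agree. The helper also indexes `post_type`, `post_status`, `post_password` and `ID` without `isset()`, and the docblock has no description; a line such as `Sticks or unsticks a post after checking its visibility and the caller's edit_others_posts capability.` plus a note that `$post_data` must carry those four keys would help the mw_newPost/mw_editPost callers, whose `$postdata`/`$newpost` arrays are assembled outside this diff.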
@@ -1287,20 +1321,9 @@ class wp_xmlrpc_server extends IXR_Server {
 $post_ID = $post_data['ID'];
 if ( $post_data['post_type'] == 'post' ) {
- // Private and password-protected posts cannot be stickied.
- if ( $post_data['post_status'] == 'private' || ! empty( $post_data['post_password'] ) ) {
- // Error if the client tried to stick the post, otherwise, silently unstick.
- if ( ! empty( $post_data['sticky'] ) )
- return new IXR_Error( 401, __( 'Sorry, you cannot stick a private post.' ) );
- if ( $update )
- unstick_post( $post_ID );
- } elseif ( isset( $post_data['sticky'] ) ) {
- if ( ! current_user_can( $post_type->cap->edit_others_posts ) )
- return new IXR_Error( 401, __( 'Sorry, you are not allowed to stick this post.' ) );
- if ( $post_data['sticky'] )
- stick_post( $post_ID );
- else
- unstick_post( $post_ID );
+ $error = $this->_toggle_sticky( $post_data, $update );
+ if ( $error ) {
+ return $error;
 }
 }
@@ -4902,10 +4925,12 @@ class wp_xmlrpc_server extends IXR_Server {
 // Only posts can be sticky
 if ( $post_type == 'post' && isset( $content_struct['sticky'] ) ) {
- if ( $content_struct['sticky'] == true )
- stick_post( $post_ID );
- elseif ( $content_struct['sticky'] == false )
- unstick_post( $post_ID );
+ $data = $postdata;
+ $data['sticky'] = $content_struct['sticky'];
+ $error = $this->_toggle_sticky( $data );
+ if ( $error ) {
+ return $error;
+ }
 }
 if ( isset($content_struct['custom_fields']) )
@@ -5250,10 +5275,12 @@ class wp_xmlrpc_server extends IXR_Server {
 // Only posts can be sticky
 if ( $post_type == 'post' && isset( $content_struct['sticky'] ) ) {
- if ( $content_struct['sticky'] == true )
- stick_post( $post_ID );
- elseif ( $content_struct['sticky'] == false )
- unstick_post( $post_ID );
+ $data = $newpost;
+ $data['sticky'] = $content_struct['sticky'];
+ $error = $this->_toggle_sticky( $data, true );
+ if ( $error ) {
+ return $error;
+ }
 }
 if ( isset($content_struct['custom_fields']) )
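Review bot: In the mw_newPost hunk at @@ -4902 the new `return $error;` after `$this->_toggle_sticky( $data )` fires only once the post has already been saved (the removed code reached `stick_post( $post_ID )` here, so an inserted id exists by this point), so a caller without `edit_others_posts`, or one trying to stick a private post, now receives a 401 for a post that was nevertheless created and may retry and duplicate it; the mw_editPost hunk at @@ -5250 has the same shape for a post that was already updated. Running the permission and private/password checks before the insert, or returning the id alongside the error, would keep the response consistent with what was persisted. The helper also sticks `$post_data['ID']` rather than `$post_ID`, so `$postdata['ID']` and `$newpost['ID']` must already hold the saved post's id where those arrays are built, which is outside this diff.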