Index: xmlrpc.php =================================================================== --- xmlrpc.php (revision 10382) +++ xmlrpc.php (working copy) @@ -238,6 +238,8 @@ * @param string $user_login User's username. * @param string $user_pass User's password. * @return bool Whether authentication passed. + * @deprecated use wp_xmlrpc_server::login + * @see wp_xmlrpc_server::login */ function login_pass_ok($user_login, $user_pass) { if ( !get_option( 'enable_xmlrpc' ) ) { @@ -253,6 +255,32 @@ } /** + * Log user in. + * + * @since 2.8 + * + * @param string $username User's username. + * @param string $password User's password. + * @return mixed WP_User object if authentication passed, false otherwise + */ + function login($username, $password) { + if ( !get_option( 'enable_xmlrpc' ) ) { + $this->error = new IXR_Error( 405, sprintf( __( 'XML-RPC services are disabled on this blog. An admin user can enable them at %s'), admin_url('options-writing.php') ) ); + return false; + } + + $user = wp_authenticate($username, $password); + + if (is_wp_error($user)) { + $this->error = new IXR_Error(403, __('Bad login/pass combination.')); + return false; + } + + set_current_user( $user->ID ); + return $user; + } + + /** * Sanitize string or array of strings for database. * * @since 1.5.2 @@ -417,13 +445,12 @@ $username = $args[0]; $password = $args[1]; - if( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } do_action( 'xmlrpc_call', 'wp.getUsersBlogs' ); - $user = set_current_user( 0, $username ); - $blogs = (array) get_blogs_of_user( $user->ID ); $struct = array( ); @@ -466,11 +493,10 @@ $username = $args[2]; $password = $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_page', $page_id ) ) return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) ); @@ -564,11 +590,10 @@ $password = $args[2]; $num_pages = (int) $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_pages' ) ) return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); @@ -616,15 +641,13 @@ $page = $args[3]; $publish = $args[4]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.newPage'); - // Set the user context and check if they are allowed - // to add new pages. - $user = set_current_user(0, $username); + // Make sure the user is allowed to add new pages. if(!current_user_can("publish_pages")) { return(new IXR_Error(401, __("Sorry, you can not add new pages."))); } @@ -652,8 +675,8 @@ $password = $args[2]; $page_id = (int) $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.deletePage'); @@ -668,8 +691,7 @@ return(new IXR_Error(404, __("Sorry, no such page."))); } - // Set the user context and make sure they can delete pages. - set_current_user(0, $username); + // Make sure the user can delete pages. if(!current_user_can("delete_page", $page_id)) { return(new IXR_Error(401, __("Sorry, you do not have the right to delete this page."))); } @@ -700,8 +722,8 @@ $content = $args[4]; $publish = $args[5]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.editPage'); @@ -715,8 +737,7 @@ return(new IXR_Error(404, __("Sorry, no such page."))); } - // Set the user context and make sure they are allowed to edit pages. - set_current_user(0, $username); + // Make sure the user is allowed to edit pages. if(!current_user_can("edit_page", $page_id)) { return(new IXR_Error(401, __("Sorry, you do not have the right to edit this page."))); } @@ -754,11 +775,10 @@ $username = $args[1]; $password = $args[2]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_pages' ) ) return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); @@ -808,11 +828,10 @@ $username = $args[1]; $password = $args[2]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } - set_current_user(0, $username); if(!current_user_can("edit_posts")) { return(new IXR_Error(401, __("Sorry, you can not edit posts on this blog."))); } @@ -846,11 +865,10 @@ $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view tags.' ) ); } @@ -891,15 +909,13 @@ $password = $args[2]; $category = $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.newCategory'); - // Set the user context and make sure they are - // allowed to add a category. - set_current_user(0, $username); + // Make sure the user is allowed to add a category. if(!current_user_can("manage_categories")) { return(new IXR_Error(401, __("Sorry, you do not have the right to add a category."))); } @@ -951,13 +967,12 @@ $password = $args[2]; $category_id = (int) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'wp.deleteCategory'); - set_current_user(0, $username); if( !current_user_can("manage_categories") ) { return new IXR_Error( 401, __( "Sorry, you do not have the right to delete a category." ) ); } @@ -982,11 +997,10 @@ $category = $args[3]; $max_results = (int) $args[4]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; } - set_current_user(0, $username); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts to this blog in order to view categories.' ) ); @@ -1020,10 +1034,10 @@ $password = $args[2]; $comment_id = (int) $args[3]; - if ( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); @@ -1083,10 +1097,10 @@ $password = $args[2]; $struct = $args[3]; - if ( !$this->login_pass_ok($username, $password) ) - return($this->error); + if ( !$user = $this->login($username, $password) ) { + return $this->error; + } - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 401, __( 'Sorry, you can not edit comments.' ) ); @@ -1143,10 +1157,10 @@ $password = $args[2]; $comment_ID = (int) $args[3]; - if ( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); @@ -1175,10 +1189,10 @@ $comment_ID = (int) $args[3]; $content_struct = $args[4]; - if ( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); @@ -1249,7 +1263,9 @@ $allow_anon = apply_filters('xmlrpc_allow_anonymous_comments', false); - if ( !$this->login_pass_ok( $username, $password ) ) { + $user = $this->login($username, $password); + + if ( !$user ) { $logged_in = false; if ( $allow_anon && get_option('comment_registration') ) return new IXR_Error( 403, __( 'You must be registered to comment' ) ); @@ -1257,7 +1273,6 @@ return $this->error; } else { $logged_in = true; - set_current_user( 0, $username ); } if ( is_numeric($post) ) @@ -1274,7 +1289,6 @@ $comment['comment_post_ID'] = $post_id; if ( $logged_in ) { - $user = wp_get_current_user(); $comment['comment_author'] = $wpdb->escape( $user->display_name ); $comment['comment_author_email'] = $wpdb->escape( $user->user_email ); $comment['comment_author_url'] = $wpdb->escape( $user->user_url ); @@ -1326,10 +1340,10 @@ $username = $args[1]; $password = $args[2]; - if ( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); @@ -1354,11 +1368,10 @@ $password = $args[2]; $post_id = (int) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) ); } @@ -1389,11 +1402,10 @@ $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } @@ -1418,11 +1430,10 @@ $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } @@ -1447,11 +1458,10 @@ $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_pages' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } @@ -1478,11 +1488,10 @@ $password = $args[2]; $options = (array) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } - $user = set_current_user( 0, $username ); - // If no specific options where asked for, return all of them if (count( $options ) == 0 ) { $options = array_keys($this->blog_options); @@ -1533,10 +1542,10 @@ $password = $args[2]; $options = (array) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } - $user = set_current_user( 0, $username ); if( !current_user_can( 'manage_options' ) ) return new IXR_Error( 403, __( 'You are not allowed to update options.' ) ); @@ -1576,16 +1585,15 @@ $this->escape($args); - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.getUsersBlogs'); - set_current_user(0, $user_login); $is_admin = current_user_can('manage_options'); $struct = array( @@ -1613,27 +1621,24 @@ $this->escape($args); - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) ); do_action('xmlrpc_call', 'blogger.getUserInfo'); - $user_data = get_userdatabylogin($user_login); - $struct = array( - 'nickname' => $user_data->nickname, - 'userid' => $user_data->ID, - 'url' => $user_data->user_url, - 'lastname' => $user_data->last_name, - 'firstname' => $user_data->first_name + 'nickname' => $user->nickname, + 'userid' => $user->ID, + 'url' => $user->user_url, + 'lastname' => $user->last_name, + 'firstname' => $user->first_name ); return $struct; @@ -1652,14 +1657,13 @@ $this->escape($args); $post_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_post', $post_ID ) ) return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); @@ -1696,11 +1700,11 @@ $this->escape($args); $blog_ID = (int) $args[1]; /* though we don't use it yet */ - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $num_posts = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } @@ -1708,8 +1712,6 @@ $posts_list = wp_get_recent_posts($num_posts); - set_current_user( 0, $user_login ); - if (!$posts_list) { $this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.')); return $this->error; @@ -1756,17 +1758,16 @@ $this->escape($args); $blog_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $template = $args[4]; /* could be 'main' or 'archiveIndex', but we don't use it */ - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.getTemplate'); - set_current_user(0, $user_login); if ( !current_user_can('edit_themes') ) { return new IXR_Error(401, __('Sorry, this user can not edit the template.')); } @@ -1798,18 +1799,17 @@ $this->escape($args); $blog_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $content = $args[4]; $template = $args[5]; /* could be 'main' or 'archiveIndex', but we don't use it */ - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.setTemplate'); - set_current_user(0, $user_login); if ( !current_user_can('edit_themes') ) { return new IXR_Error(401, __('Sorry, this user can not edit the template.')); } @@ -1841,19 +1841,18 @@ $this->escape($args); $blog_ID = (int) $args[1]; /* though we don't use it yet */ - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $content = $args[4]; $publish = $args[5]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.newPost'); $cap = ($publish) ? 'publish_posts' : 'edit_posts'; - $user = set_current_user(0, $user_login); if ( !current_user_can($cap) ) return new IXR_Error(401, __('Sorry, you are not allowed to post on this blog.')); @@ -1897,12 +1896,12 @@ $this->escape($args); $post_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $content = $args[4]; $publish = $args[5]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } @@ -1916,7 +1915,6 @@ $this->escape($actual_post); - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.')); @@ -1953,11 +1951,11 @@ $this->escape($args); $post_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; + $username = $args[2]; + $password = $args[3]; $publish = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } @@ -1969,7 +1967,6 @@ return new IXR_Error(404, __('Sorry, no such post.')); } - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) return new IXR_Error(401, __('Sorry, you do not have the right to delete this post.')); @@ -1998,15 +1995,14 @@ $this->escape($args); $blog_ID = (int) $args[0]; // we will support this in the near future - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; $content_struct = $args[3]; $publish = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - $user = set_current_user(0, $user_login); do_action('xmlrpc_call', 'metaWeblog.newPost'); @@ -2278,15 +2274,14 @@ $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; $content_struct = $args[3]; $publish = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - $user = set_current_user(0, $user_login); do_action('xmlrpc_call', 'metaWeblog.editPost'); @@ -2546,14 +2541,13 @@ $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_post', $post_ID ) ) return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); @@ -2658,11 +2652,11 @@ $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; $num_posts = (int) $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } @@ -2674,8 +2668,6 @@ return array( ); } - set_current_user( 0, $user_login ); - foreach ($posts_list as $entry) { if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue; @@ -2762,14 +2754,13 @@ $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); @@ -2810,8 +2801,8 @@ global $wpdb; $blog_ID = (int) $args[0]; - $user_login = $wpdb->escape($args[1]); - $user_pass = $wpdb->escape($args[2]); + $username = $wpdb->escape($args[1]); + $password = $wpdb->escape($args[2]); $data = $args[3]; $name = sanitize_file_name( $data['name'] ); @@ -2820,12 +2811,12 @@ logIO('O', '(MW) Received '.strlen($bits).' bytes'); - if ( !$this->login_pass_ok($user_login, $user_pass) ) + if ( !$user = $this->login($username, $password) ) { return $this->error; + } do_action('xmlrpc_call', 'metaWeblog.newMediaObject'); - set_current_user(0, $user_login); if ( !current_user_can('upload_files') ) { logIO('O', '(MW) User does not have upload_files capability'); $this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.')); @@ -2895,11 +2886,11 @@ $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; $num_posts = (int) $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } @@ -2912,8 +2903,6 @@ return $this->error; } - set_current_user( 0, $user_login ); - foreach ($posts_list as $entry) { if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue; @@ -2952,14 +2941,13 @@ $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); @@ -2992,14 +2980,13 @@ $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_post', $post_ID ) ) return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); @@ -3034,17 +3021,16 @@ $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; $categories = $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'mt.setPostCategories'); - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) return new IXR_Error(401, __('Sorry, you can not edit this post.')); @@ -3146,16 +3132,15 @@ $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $username = $args[1]; + $password = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'mt.publishPost'); - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) return new IXR_Error(401, __('Sorry, you can not edit this post.'));