Cookies override user specified in XML-RPC post data

[skeltoac]

Working on #2241, I tested XMLRPC using Performancing/Firefox. I set up the XMLRPC client to use a login with Author caps (no unfiltered_html). My posts showed under the correct author. My HTML was unfiltered when I posted, but it should have been filtered. My browser was still logged in as admin (unfiltered_html) and Performancing was sending those cookies with the XMLRPC requests. Result: post saved under correct user but assuming caps due to cookie.

Wordpress should not authenticate with cookies when handling an XMLRPC request. i also sent a message to the Performancing dev (Jed Brown) but we should fix the core as well.

I'm working on the patch.

no-cookies.diff defines a contant before anything else is done by xmlrpc.php, and checks that constant before using the cookies to log the user in. There is much more to be done.

How does XMLRPC authenticate if its not through cookies? IMO this is a performancing bug, or you shouldn't be trying to run two users off one browser (so it would be invalid).

Removing bg|has-patch as your patch doesn't fix the problem in its entirety, as you've stated.

Sorry David :-) This one's done.

Hehe, that was my mistake :P I accidentally added bg|has-patch, not you.

Probably too much new code here for 2.0.1. Discuss.

I think this needs to be fixed, even if it is a non-trivial amount of code. This bug has been reported many, many times. Let's commit and test the hell out of it.

(In [3430]) Make the xmlrpc user the current user. fixes #2273

Leftover error_log() call.

I tested this with Performancing, using metaweblog API and Blogger API, while the browser was logged in as admin. It honored the user's caps regardless of the cookies. Other clients should be tested as well.

Probably too much new code here for 2.0.1. Discuss.

Woah. I totally didn't post that last comment.

(In [3431]) Remove debug cruft. fixes #2273

Milestone 2.0.1 deleted