

Timestamp:
12/08/2010 05:50:05 PM (13 years ago)
Author:
westi
Message:

Improve the capabilities checking in the XMLRPC code.

File:
1 edited

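--- a/branches/3.0/xmlrpc.php
+++ b/branches/3.0/xmlrpc.php
@@ -1157,6 +1157,9 @@
         do_action('xmlrpc_call', 'wp.deleteComment');
 
-        if ( ! get_comment($comment_ID) )
+        if ( !$comment = get_comment( $comment_ID ) )
             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
+
+        if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
+            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
 
         return wp_delete_comment($comment_ID);
@@ -1185,9 +1188,12 @@
         if ( !current_user_can( 'moderate_comments' ) )
             return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+
+        if ( !$comment = get_comment( $comment_ID ) )
+            return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
+
+        if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
+            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
 
         do_action('xmlrpc_call', 'wp.editComment');
-
-        if ( ! get_comment($comment_ID) )
-            return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
 
         if ( isset($content_struct['status']) ) {
@@ -1418,5 +1424,5 @@
             return $this->error;
 
-        if ( !current_user_can( 'edit_posts' ) )
+        if ( !current_user_can( 'edit_pages' ) )
             return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) );
 
@@ -1958,5 +1964,5 @@
             return new IXR_Error(404, __('Sorry, no such post.'));
 
-        if ( !current_user_can('edit_post', $post_ID) )
+        if ( !current_user_can('delete_post', $post_ID) )
             return new IXR_Error(401, __('Sorry, you do not have the right to delete this post.'));
 
@@ -1988,5 +1994,5 @@
         $password   = $args[2];
         $content_struct = $args[3];
-        $publish     = $args[4];
+        $publish     = isset( $args[4] ) ? $args[4] : 0;
 
         if ( !$user = $this->login($username, $password) )
@@ -1994,12 +2000,12 @@
 
         do_action('xmlrpc_call', 'metaWeblog.newPost');
-
-        $cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
-        $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
-        $post_type = 'post';
+
         $page_template = '';
         if ( !empty( $content_struct['post_type'] ) ) {
             if ( $content_struct['post_type'] == 'page' ) {
-                $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
+                if ( $publish || 'publish' == $content_struct['page_status'])
+                    $cap  = 'publish_pages';
+                else
+                    $cap = 'edit_pages';
                 $error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
                 $post_type = 'page';
@@ -2007,9 +2013,21 @@
                     $page_template = $content_struct['wp_page_template'];
             } elseif ( $content_struct['post_type'] == 'post' ) {
-                // This is the default, no changes needed
+                if ( $publish || 'publish' == $content_struct['post_status'])
+                    $cap  = 'publish_posts';
+                else
+                    $cap = 'edit_posts';
+                $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+                $post_type = 'post';
             } else {
                 // No other post_type values are allowed here
                 return new IXR_Error( 401, __( 'Invalid post type.' ) );
             }
+        } else {
+            if ( $publish || 'publish' == $content_struct['post_status'])
+                $cap  = 'publish_posts';
+            else
+                $cap = 'edit_posts';
+            $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+            $post_type = 'post';
         }
 
@@ -2276,5 +2294,8 @@
         if ( !empty( $content_struct['post_type'] ) ) {
             if ( $content_struct['post_type'] == 'page' ) {
-                $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
+                if ( $publish || 'publish' == $content_struct['page_status'] )
+                    $cap  = 'publish_pages';
+                else
+                    $cap = 'edit_pages';
                 $error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
                 $post_type = 'page';
@@ -2282,9 +2303,21 @@
                     $page_template = $content_struct['wp_page_template'];
             } elseif ( $content_struct['post_type'] == 'post' ) {
-                // This is the default, no changes needed
+                if ( $publish || 'publish' == $content_struct['post_status'] )
+                    $cap  = 'publish_posts';
+                else
+                    $cap = 'edit_posts';
+                $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+                $post_type = 'post';
             } else {
                 // No other post_type values are allowed here
                 return new IXR_Error( 401, __( 'Invalid post type.' ) );
             }
+        } else {
+            if ( $publish || 'publish' == $content_struct['post_status'] )
+                $cap  = 'publish_posts';
+            else
+                $cap = 'edit_posts';
+            $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+            $post_type = 'post';
         }
 
@@ -3102,5 +3135,5 @@
         do_action('xmlrpc_call', 'mt.publishPost');
 
-        if ( !current_user_can('edit_post', $post_ID) )
+        if ( !current_user_can('publish_posts') || !current_user_can('edit_post', $post_ID) )
             return new IXR_Error(401, __('Sorry, you cannot edit this post.'));
 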
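Review bot: In metaWeblog.newPost the new capability selection (new lines 2006–2031) reads `$content_struct['post_status']` and `$content_struct['page_status']` without an `isset()` guard, so a request that omits the key emits an undefined-index notice on the very line that decides the capability; read it once, `$post_status = isset( $content_struct['post_status'] ) ? $content_struct['post_status'] : '';`, and compare `$publish || 'publish' == $post_status`. The same five-line block is then repeated three times in this function (page, post, default) and three more times in metaWeblog.editPost (new lines 2296–2321), and the `elseif ( 'post' )` and `else` branches are byte-identical, so setting the post defaults once before `if ( !empty( $content_struct['post_type'] ) )` and overriding only in the page branch would leave a single copy of the gate to audit. Only the literal status `'publish'` escalates to the publish capability; whether other statuses that make a post visible are rejected further down is outside these hunks and worth confirming. Both enclosing functions start and end outside the hunks.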