WordPress.org

Make WordPress Core

Changeset 19867


Ignore:
Timestamp:
02/08/2012 03:40:26 PM (6 years ago)
Author:
ryan
Message:

Simplify cap checking. Props nprasath002. see #18429

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/class-wp-xmlrpc-server.php

    r19864 r19867  
    622622            return new IXR_Error( 403, __( 'Invalid post type' ) );
    623623
    624         if ( ! current_user_can( $post_type->cap->edit_posts ) )
    625             return new IXR_Error( 401, __( 'Sorry, you are not allowed to post on this site.' ) );
     624        $update = false;
     625        if ( ! empty( $post_data[ 'ID' ] ) )
     626            $update = true;
     627
     628        if ( $update ) {
     629            if ( ! current_user_can( $post_type->cap->edit_post, $post_data[ 'ID' ] ) )
     630                return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) );
     631        } else {
     632            if ( ! current_user_can( $post_type->cap->edit_posts ) )
     633                return new IXR_Error( 401, __( 'Sorry, you are not allowed to post on this site.' ) );
     634        }
    626635
    627636        switch ( $post_data['post_status'] ) {
     
    646655            return new IXR_Error( 401, __( 'Sorry, you are not allowed to create password protected posts in this post type' ) );
    647656
    648 
    649657        $post_data['post_author'] = absint( $post_data['post_author'] );
    650658        if ( ! empty( $post_data['post_author'] ) && $post_data['post_author'] != $user->ID ) {
     
    656664            if ( ! $author )
    657665                return new IXR_Error( 404, __( 'Invalid author ID.' ) );
    658         }
    659         else {
     666        } else {
    660667            $post_data['post_author'] = $user->ID;
    661668        }
     
    31363143        $publish     = $args[4];
    31373144
    3138         if ( !$user = $this->login($username, $password) )
     3145        if ( ! $user = $this->login($username, $password) )
    31393146            return $this->error;
    31403147
    31413148        do_action('xmlrpc_call', 'metaWeblog.editPost');
    31423149
    3143         $cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
    3144         $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
    3145         $post_type = 'post';
    3146         $page_template = '';
    3147         if ( !empty( $content_struct['post_type'] ) ) {
    3148             if ( $content_struct['post_type'] == 'page' ) {
    3149                 if ( $publish || 'publish' == $content_struct['page_status'] )
    3150                     $cap  = 'publish_pages';
    3151                 else
    3152                     $cap = 'edit_pages';
    3153                 $error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
    3154                 $post_type = 'page';
    3155                 if ( !empty( $content_struct['wp_page_template'] ) )
    3156                     $page_template = $content_struct['wp_page_template'];
    3157             } elseif ( $content_struct['post_type'] == 'post' ) {
    3158                 if ( $publish || 'publish' == $content_struct['post_status'] )
    3159                     $cap  = 'publish_posts';
    3160                 else
    3161                     $cap = 'edit_posts';
    3162                 $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
    3163                 $post_type = 'post';
    3164             } else {
    3165                 // No other post_type values are allowed here
    3166                 return new IXR_Error( 401, __( 'Invalid post type.' ) );
    3167             }
    3168         } else {
    3169             if ( $publish || 'publish' == $content_struct['post_status'] )
    3170                 $cap  = 'publish_posts';
    3171             else
    3172                 $cap = 'edit_posts';
    3173             $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
    3174             $post_type = 'post';
    3175         }
    3176 
    3177         if ( !current_user_can( $cap ) )
    3178             return new IXR_Error( 401, $error_message );
     3150        $postdata = wp_get_single_post( $post_ID, ARRAY_A );
     3151
     3152        // If there is no post data for the give post id, stop
     3153        // now and return an error. Other wise a new post will be
     3154        // created (which was the old behavior).
     3155        if ( ! $postdata || empty( $postdata[ 'ID' ] ) )
     3156            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
     3157
     3158        if ( ! current_user_can( 'edit_post', $post_ID ) )
     3159            return new IXR_Error( 401, __( 'Sorry, you do not have the right to edit this post.' ) );
    31793160
    31803161        // Check for a valid post format if one was given
     
    31853166            }
    31863167        }
    3187 
    3188         $postdata = wp_get_single_post($post_ID, ARRAY_A);
    3189 
    3190         // If there is no post data for the give post id, stop
    3191         // now and return an error. Other wise a new post will be
    3192         // created (which was the old behavior).
    3193         if ( empty($postdata["ID"]) )
    3194             return(new IXR_Error(404, __('Invalid post ID.')));
    31953168
    31963169        $this->escape($postdata);
Note: See TracChangeset for help on using the changeset viewer.