

Changeset 19867


Timestamp:
02/08/12 15:40:26 (3 years ago)
Author:
ryan
Message:

Simplify cap checking. Props nprasath002. see #18429

File:
1 edited

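--- a/trunk/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/wp-includes/class-wp-xmlrpc-server.php
@@ -622,6 +622,15 @@
             return new IXR_Error( 403, __( 'Invalid post type' ) );
 
-        if ( ! current_user_can( $post_type->cap->edit_posts ) )
-            return new IXR_Error( 401, __( 'Sorry, you are not allowed to post on this site.' ) );
+        $update = false;
+        if ( ! empty( $post_data[ 'ID' ] ) )
+            $update = true;
+
+        if ( $update ) {
+            if ( ! current_user_can( $post_type->cap->edit_post, $post_data[ 'ID' ] ) )
+                return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) );
+        } else {
+            if ( ! current_user_can( $post_type->cap->edit_posts ) )
+                return new IXR_Error( 401, __( 'Sorry, you are not allowed to post on this site.' ) );
+        }
 
         switch ( $post_data['post_status'] ) {
@@ -646,5 +655,4 @@
             return new IXR_Error( 401, __( 'Sorry, you are not allowed to create password protected posts in this post type' ) );
 
-
         $post_data['post_author'] = absint( $post_data['post_author'] );
         if ( ! empty( $post_data['post_author'] ) && $post_data['post_author'] != $user->ID ) {
@@ -656,6 +664,5 @@
             if ( ! $author )
                 return new IXR_Error( 404, __( 'Invalid author ID.' ) );
-        }
-        else {
+        } else {
             $post_data['post_author'] = $user->ID;
         }
@@ -3136,45 +3143,19 @@
         $publish     = $args[4];
 
-        if ( !$user = $this->login($username, $password) )
+        if ( ! $user = $this->login($username, $password) )
             return $this->error;
 
         do_action('xmlrpc_call', 'metaWeblog.editPost');
 
-        $cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
-        $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
-        $post_type = 'post';
-        $page_template = '';
-        if ( !empty( $content_struct['post_type'] ) ) {
-            if ( $content_struct['post_type'] == 'page' ) {
-                if ( $publish || 'publish' == $content_struct['page_status'] )
-                    $cap  = 'publish_pages';
-                else
-                    $cap = 'edit_pages';
-                $error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
-                $post_type = 'page';
-                if ( !empty( $content_struct['wp_page_template'] ) )
-                    $page_template = $content_struct['wp_page_template'];
-            } elseif ( $content_struct['post_type'] == 'post' ) {
-                if ( $publish || 'publish' == $content_struct['post_status'] )
-                    $cap  = 'publish_posts';
-                else
-                    $cap = 'edit_posts';
-                $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
-                $post_type = 'post';
-            } else {
-                // No other post_type values are allowed here
-                return new IXR_Error( 401, __( 'Invalid post type.' ) );
-            }
-        } else {
-            if ( $publish || 'publish' == $content_struct['post_status'] )
-                $cap  = 'publish_posts';
-            else
-                $cap = 'edit_posts';
-            $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
-            $post_type = 'post';
-        }
-
-        if ( !current_user_can( $cap ) )
-            return new IXR_Error( 401, $error_message );
+        $postdata = wp_get_single_post( $post_ID, ARRAY_A );
+
+        // If there is no post data for the give post id, stop
+        // now and return an error. Other wise a new post will be
+        // created (which was the old behavior).
+        if ( ! $postdata || empty( $postdata[ 'ID' ] ) )
+            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+
+        if ( ! current_user_can( 'edit_post', $post_ID ) )
+            return new IXR_Error( 401, __( 'Sorry, you do not have the right to edit this post.' ) );
 
         // Check for a valid post format if one was given
@@ -3185,12 +3166,4 @@
             }
         }
-
-        $postdata = wp_get_single_post($post_ID, ARRAY_A);
-
-        // If there is no post data for the give post id, stop
-        // now and return an error. Other wise a new post will be
-        // created (which was the old behavior).
-        if ( empty($postdata["ID"]) )
-            return(new IXR_Error(404, __('Invalid post ID.')));
 
         $this->escape($postdata);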
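Review bot: The new capability check in mw_editPost (new lines 3158-3159) requires only `edit_post` on `$post_ID`, while the replaced block also demanded `publish_posts` or `publish_pages` whenever `$publish` was set or the incoming status was `publish`; nothing on the new side re-imposes that, so unless a later check outside this hunk does, a user allowed to edit but not publish could move a post to `publish` through this endpoint. mw_editPost continues past the hunk, so if the publish check is not already further down I would add after the `edit_post` check `if ( ( $publish || 'publish' == $content_struct['post_status'] ) && ! current_user_can( 'page' == $postdata['post_type'] ? 'publish_pages' : 'publish_posts' ) )` / `return new IXR_Error( 401, __( 'Sorry, you are not allowed to publish posts on this site.' ) );`. In the first hunk, `$post_data[ 'ID' ]` is handed to `current_user_can( $post_type->cap->edit_post, ... )` as soon as it is non-empty, before it has been confirmed to reference an existing post whose type is `$post_type`; if the update that follows (not visible here) relies on that match, a `get_post()` lookup with a post_type comparison before the cap check would close the gap.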