WordPress.org

Make WordPress Core

Changeset 20632


Ignore:
Timestamp:
04/28/2012 06:48:10 PM (9 years ago)
Author:
nacin
Message:

Clean up the XML-RPC 3.4 methods with regards to consistency and future compatibility.

  • Limit returned taxonomy and post type objects to a specific type-cast whitelist of fields.
  • Add $filter and $fields to wp.getTaxonomies to match the functionality of wp.getPostTypes.
  • Prevent the post type from being chnaged in _insert_post().
  • Don't check post_type_supports() in _insert_post().
  • Align handling of sticky posts with those of core.
  • Force tags and categories to go through terms and terms_names, rather than tags_input and post_category.

fixes #20566. props nacin, maxcutler.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/class-wp-xmlrpc-server.php

    r20608 r20632  
    496496     * @access protected
    497497     *
    498      * @param array|object $taxonomy The unprepared taxonomy data
     498     * @param object $taxonomy The unprepared taxonomy data
    499499     * @return array The prepared taxonomy data
    500500     */
    501     protected function _prepare_taxonomy( $taxonomy ) {
    502         $_taxonomy = (array) $taxonomy;
    503 
    504         unset( $_taxonomy['update_count_callback'] );
    505 
    506         return apply_filters( 'xmlrpc_prepare_taxonomy', $_taxonomy, $taxonomy );
     501    protected function _prepare_taxonomy( $taxonomy, $fields ) {
     502        $_taxonomy = array(
     503            'name' => $taxonmy->name,
     504            'label' => $taxonomy->label,
     505            'hierarchical' => (bool) $taxonomy->hierarchical,
     506            'public' => (bool) $taxonomy->public,
     507            'show_ui' => (bool) $taxonomy->show_ui,
     508            '_builtin' => (bool) $taxnomy->_builtin,
     509        );
     510
     511        if ( in_array( 'labels', $fields ) )
     512            $_taxonomy['labels'] = (array) $taxonomy->labels;
     513
     514        if ( in_array( 'capabilities', $fields ) )
     515            $_taxonomy['cap'] = (array) $post_type->cap;
     516
     517        if ( in_array( 'object_types', $fields ) )
     518            $_taxonomy['taxonomies'] = array_unique( (array) $taxonomy->object_type );
     519
     520        return apply_filters( 'xmlrpc_prepare_taxonomy', $_taxonomy, $taxonomy, $fields );
    507521    }
    508522
     
    653667     * @access protected
    654668     *
    655      * @param array|object $post_type The unprepared post type data
     669     * @param object $post_type Post type object
    656670     * @param array $fields The subset of post fields to return
    657671     * @return array The prepared post type data
    658672     */
    659     protected function _prepare_post_type( $post_type, $fields ) {
    660         $post_type = (array) $post_type;
    661 
     673    public function _prepare_post_type( $post_type, $fields ) {
    662674        $_post_type = array(
    663             'name' => $post_type['name'],
    664             'label' => $post_type['label'],
    665             'description' => $post_type['description'],
    666             'hierarchical' => $post_type['hierarchical'],
    667             'public' => $post_type['public'],
    668             '_builtin' => $post_type['_builtin'],
    669             'supports' => get_all_post_type_supports( $post_type['name'] )
     675            'name' => $post_type->name,
     676            'label' => $post_type->label,
     677            'hierarchical' => (bool) $post_type->hierarchical,
     678            'public' => (bool) $post_type->public,
     679            'show_ui' => (bool) $post_type->show_ui,
     680            '_builtin' => (bool) $post_type->_builtin,
     681            'has_archive' => (bool) $post_type->has_archive,
     682            'supports' => get_all_post_type_supports( $post_type->name ),
    670683        );
    671684
    672685        if ( in_array( 'labels', $fields ) ) {
    673             $_post_type['labels'] = (array) $post_type['labels'];
     686            $_post_type['labels'] = (array) $post_type->labels;
    674687        }
    675688
    676689        if ( in_array( 'capabilities', $fields ) ) {
    677             $_post_type['cap'] = (array) $post_type['cap'];
    678             $_post_type['capability_type'] = $post_type['capability_type'];
    679             $_post_type['map_meta_cap'] = $post_type['map_meta_cap'];
    680         }
    681 
    682         if ( in_array( 'admin', $fields ) ) {
    683             $_post_type['publicly_queryable'] = $post_type['publicly_queryable'];
    684             $_post_type['exclude_from_search'] = $post_type['exclude_from_search'];
    685             $_post_type['_edit_link'] = $post_type['_edit_link'];
    686             $_post_type['rewrite'] = $post_type['rewrite'];
    687             $_post_type['has_archive'] = $post_type['has_archive'];
    688             $_post_type['query_var'] = $post_type['query_var'];
     690            $_post_type['cap'] = (array) $post_type->cap;
     691            $_post_type['map_meta_cap'] = (bool) $post_type->map_meta_cap;
    689692        }
    690693
    691694        if ( in_array( 'menu', $fields ) ) {
    692             $_post_type['show_ui'] = $post_type['show_ui'];
    693             $_post_type['menu_position'] = $post_type['menu_position'];
    694             $_post_type['menu_icon'] = $post_type['menu_icon'];
    695             $_post_type['show_in_nav_menus'] = $post_type['show_in_nav_menus'];
    696             $_post_type['show_in_menu'] = $post_type['show_in_menu'];
    697             $_post_type['show_in_admin_bar'] = $post_type['show_in_admin_bar'];
    698         }
    699 
    700         if ( in_array( 'taxonomies', $fields ) ) {
    701             $_post_type['taxonomies'] = get_object_taxonomies( $_post_type['name'] );
    702         }
     695            $_post_type['menu_position'] = (int) $post_type->menu_position;
     696            $_post_type['menu_icon'] = $post_type->menu_icon;
     697            $_post_type['show_in_menu'] = (bool) $post_type->show_in_menu;
     698        }
     699
     700        if ( in_array( 'taxonomies', $fields ) )
     701            $_post_type['taxonomies'] = get_object_taxonomies( $_post_type->name, 'names' );
    703702
    704703        return apply_filters( 'xmlrpc_prepare_post_type', $_post_type, $post_type );
     
    737736    /**
    738737     * Create a new post for any registered post type.
     738     *
     739     * @since 3.4.0
    739740     *
    740741     * @uses wp_insert_post()
     
    785786    /*
    786787     * Helper method for filtering out elements from an array.
    787      */
    788     function _is_greater_than_one( $count ){
     788     *
     789     * @since 3.4.0
     790     */
     791    function _is_greater_than_one( $count ) {
    789792        return $count > 1;
    790793    }
     
    792795    /*
    793796     * Helper method for wp_newPost and wp_editPost, containing shared logic.
    794      */
    795     function _insert_post( $user, $content_struct ) {
     797     *
     798     * @since 3.4.0
     799     */
     800    protected function _insert_post( $user, $content_struct ) {
    796801        $defaults = array( 'post_status' => 'draft', 'post_type' => 'post', 'post_author' => 0,
    797             'post_password' => '', 'post_excerpt' => '', 'post_content' => '', 'post_title' => '', 'sticky' => 0 );
     802            'post_password' => '', 'post_excerpt' => '', 'post_content' => '', 'post_title' => '' );
    798803
    799804        $post_data = wp_parse_args( $content_struct, $defaults );
    800805
    801806        $post_type = get_post_type_object( $post_data['post_type'] );
    802         if ( ! ( (bool) $post_type ) )
     807        if ( ! $post_type )
    803808            return new IXR_Error( 403, __( 'Invalid post type' ) );
    804809
    805         $update = false;
    806         if ( ! empty( $post_data[ 'ID' ] ) )
    807             $update = true;
     810        $update = ! empty( $post_data['ID'] );
    808811
    809812        if ( $update ) {
    810             if ( ! current_user_can( $post_type->cap->edit_post, $post_data[ 'ID' ] ) )
     813            if ( ! current_user_can( $post_type->cap->edit_post, $post_data['ID'] ) )
    811814                return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) );
     815            if ( $post_data['post_type'] != get_post_type( $post_data['ID'] ) )
     816                return new IXR_Error( 401, __( 'The post type may not be changed.' ) );
    812817        } else {
    813818            if ( ! current_user_can( $post_type->cap->edit_posts ) )
     
    821826            case 'private':
    822827                if ( ! current_user_can( $post_type->cap->publish_posts ) )
    823                     return new IXR_Error( 401, __( 'Sorry, you are not allowed to create private posts in this post type' ));
     828                    return new IXR_Error( 401, __( 'Sorry, you are not allowed to create private posts in this post type' ) );
    824829                break;
    825830            case 'publish':
    826831            case 'future':
    827832                if ( ! current_user_can( $post_type->cap->publish_posts ) )
    828                     return new IXR_Error( 401, __( 'Sorry, you are not allowed to publish posts in this post type' ));
     833                    return new IXR_Error( 401, __( 'Sorry, you are not allowed to publish posts in this post type' ) );
    829834                break;
    830835            default:
     
    849854        }
    850855
    851         if ( isset( $post_data['comment_status'] ) ) {
    852             if ( ! post_type_supports( $post_data['post_type'], 'comments' ) || ( $post_data['comment_status'] != 'open' && $post_data['comment_status'] != 'closed' ) ) {
    853                 unset( $post_data['comment_status'] );
    854             }
    855         }
    856 
    857         if ( isset( $post_data['ping_status'] ) ) {
    858             if ( ! post_type_supports( $post_data['post_type'], 'trackbacks' ) || ( $post_data['ping_status'] != 'open' && $post_data['ping_status'] != 'closed' ) ) {
    859                 unset( $post_data['ping_status'] );
    860             }
    861         }
     856        if ( isset( $post_data['comment_status'] ) && $post_data['comment_status'] != 'open' && $post_data['comment_status'] != 'closed' )
     857            unset( $post_data['comment_status'] );
     858
     859        if ( isset( $post_data['ping_status'] ) && $post_data['ping_status'] != 'open' && $post_data['ping_status'] != 'closed' )
     860            unset( $post_data['ping_status'] );
    862861
    863862        // Do some timestamp voodoo
    864863        if ( ! empty( $post_data['post_date_gmt'] ) ) {
    865864            // We know this is supposed to be GMT, so we're going to slap that Z on there by force
    866             $dateCreated = str_replace( 'Z', '', $post_data['post_date_gmt']->getIso() ) . 'Z';
     865            $dateCreated = rtrim( $post_data['post_date_gmt']->getIso(), 'Z' ) . 'Z';
    867866        } elseif ( ! empty( $post_data['post_date'] ) ) {
    868867            $dateCreated = $post_data['post_date']->getIso();
     
    874873        }
    875874
    876         if ( ! isset( $post_data['ID'] ) ) {
     875        if ( ! isset( $post_data['ID'] ) )
    877876            $post_data['ID'] = get_default_post_to_edit( $post_data['post_type'], true )->ID;
    878         }
    879877        $post_ID = $post_data['ID'];
    880878
    881         $sticky = $post_data['sticky'] ? true : false;
    882 
    883         if ( $post_data['post_type'] == 'post' && $sticky == true ) {
    884             if ( ! current_user_can( $post_type->cap->edit_others_posts ) )
    885                 return new IXR_Error( 401, __( 'Sorry, you are not allowed to stick this post.' ) );
    886 
    887             if ( $post_data['post_status'] != 'publish' )
    888                 return new IXR_Error( 401, __( 'Only published posts can be made sticky.' ) );
    889 
    890             stick_post( $post_ID );
    891         }
    892 
    893         if ( isset ( $post_data['post_thumbnail'] ) ) {
     879        if ( $post_data['post_type'] == 'post' ) {
     880            // Private and password-protected posts cannot be stickied.
     881            if ( $post_data['status'] == 'private' || ! empty( $post_data['post_password'] ) ) {
     882                // Error if the client tried to stick the post, otherwise, silently unstick.
     883                if ( ! empty( $post_data['sticky'] ) )
     884                    return new IXR_Error( 401, __( 'Sorry, you cannot stick a private post.' ) );
     885                if ( $update )
     886                    unstick_post( $post_ID );
     887            } elseif ( isset( $post_data['sticky'] ) )  {
     888                if ( ! current_user_can( $post_type->cap->edit_others_posts ) )
     889                    return new IXR_Error( 401, __( 'Sorry, you are not allowed to stick this post.' ) );
     890                if ( $post_data['sticky'] )
     891                    stick_post( $post_ID );
     892                else
     893                    unstick_post( $post_ID );
     894            }
     895        }
     896
     897        if ( isset( $post_data['post_thumbnail'] ) ) {
    894898            // empty value deletes, non-empty value adds/updates
    895             if ( empty( $post_data['post_thumbnail'] ) ) {
     899            if ( ! $post_data['post_thumbnail'] )
    896900                delete_post_thumbnail( $post_ID );
    897             }
    898             else {
    899                 if ( set_post_thumbnail( $post_ID, $post_data['post_thumbnail'] ) === false )
     901            elseif ( ! set_post_thumbnail( $post_ID, $post_data['post_thumbnail'] ) )
    900902                    return new IXR_Error( 404, __( 'Invalid attachment ID.' ) );
    901             }
    902903            unset( $content_struct['post_thumbnail'] );
    903904        }
    904905
    905         if ( isset ( $post_data['custom_fields'] ) && post_type_supports( $post_data['post_type'], 'custom-fields' ) ) {
     906        if ( isset( $post_data['custom_fields'] ) )
    906907            $this->set_custom_fields( $post_ID, $post_data['custom_fields'] );
    907         }
    908908
    909909        if ( isset( $post_data['terms'] ) || isset( $post_data['terms_names'] ) ) {
     
    988988
    989989            $post_data['tax_input'] = $terms;
    990             unset( $post_data['terms'] );
    991             unset( $post_data['terms_names'] );
     990            unset( $post_data['terms'], $post_data['terms_names'] );
    992991        } else {
    993992            // do not allow direct submission of 'tax_input', clients must use 'terms' and/or 'terms_names'
    994             unset( $post_data['tax_input'] );
     993            unset( $post_data['tax_input'], $post_data['post_category'], $post_data['tags_input'] );
    995994        }
    996995
     
    10241023    /**
    10251024     * Edit a post for any registered post type.
     1025     *
     1026     * @since 3.4.0
    10261027     *
    10271028     * The $content_struct parameter only needs to contain fields that
     
    10401041        $this->escape( $args );
    10411042
    1042         $blog_id        = (int) $args[0]; // we will support this in the near future
     1043        $blog_id        = (int) $args[0];
    10431044        $username       = $args[1];
    10441045        $password       = $args[2];
     
    10511052        do_action( 'xmlrpc_call', 'wp.editPost' );
    10521053
    1053         // User Capabilities are checked in _insert_post.
    1054 
    10551054        $post = get_post( $post_id, ARRAY_A );
    10561055
    1057         if ( empty( $post["ID"] ) )
     1056        if ( empty( $post['ID'] ) )
    10581057            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
    10591058
     
    10801079    /**
    10811080     * Delete a post for any registered post type.
     1081     *
     1082     * @since 3.4.0
    10821083     *
    10831084     * @uses wp_delete_post()
     
    11201121    /**
    11211122     * Retrieve a post.
     1123     *
     1124     * @since 3.4.0
    11221125     *
    11231126     * The optional $fields parameter specifies what fields will be included
     
    11801183        $post = wp_get_single_post( $post_id, ARRAY_A );
    11811184
    1182         if ( empty( $post["ID"] ) )
     1185        if ( empty( $post['ID'] ) )
    11831186            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
    11841187
     
    11921195    /**
    11931196     * Retrieve posts.
     1197     *
     1198     * @since 3.4.0
    11941199     *
    11951200     * The optional $filter parameter modifies the query used to retrieve posts.
     
    12101215     *  - array   $filter optional
    12111216     *  - array   $fields optional
    1212      * @return array cntains a collection of posts.
     1217     * @return array contains a collection of posts.
    12131218     */
    12141219    function wp_getPosts( $args ) {
     
    12801285    /**
    12811286     * Create a new term.
     1287     *
     1288     * @since 3.4.0
    12821289     *
    12831290     * @uses wp_insert_term()
     
    13611368    /**
    13621369     * Edit a term.
     1370     *
     1371     * @since 3.4.0
    13631372     *
    13641373     * @uses wp_update_term()
     
    14561465     * Delete a term.
    14571466     *
     1467     * @since 3.4.0
     1468     *
    14581469     * @uses wp_delete_term()
    14591470     * @param array $args Method parameters. Contains:
     
    15081519    /**
    15091520     * Retrieve a term.
     1521     *
     1522     * @since 3.4.0
    15101523     *
    15111524     * @uses get_term()
     
    15631576     * Retrieve all terms for a taxonomy.
    15641577     *
     1578     * @since 3.4.0
     1579     *
    15651580     * The optional $filter parameter modifies the query used to retrieve terms.
    15661581     * Accepted keys are 'number', 'offset', 'orderby', 'order', 'hide_empty', and 'search'.
     
    16371652     * Retrieve a taxonomy.
    16381653     *
     1654     * @since 3.4.0
     1655     *
    16391656     * @uses get_taxonomy()
    16401657     * @param array $args Method parameters. Contains:
     
    16531670        $taxonomy       = $args[3];
    16541671
     1672        if ( isset( $args[4] ) )
     1673            $fields = $args[4];
     1674        else
     1675            $fields = apply_filters( 'xmlrpc_default_taxonomy_fields', array( 'labels', 'capabilities', 'object_types' ), 'wp.getTaxonomy' );
     1676
    16551677        if ( ! $user = $this->login( $username, $password ) )
    16561678            return $this->error;
     
    16661688            return new IXR_Error( 401, __( 'You are not allowed to assign terms in this taxonomy.' ) );
    16671689
    1668         return $this->_prepare_taxonomy( $taxonomy );
     1690        return $this->_prepare_taxonomy( $taxonomy, $fields );
    16691691    }
    16701692
    16711693    /**
    16721694     * Retrieve all taxonomies.
     1695     *
     1696     * @since 3.4.0
    16731697     *
    16741698     * @uses get_taxonomies()
     
    16851709        $username           = $args[1];
    16861710        $password           = $args[2];
     1711        $filter             = isset( $args[3] ) ? $args[3] : array( 'public' => true );
     1712
     1713        if ( isset( $args[4] ) )
     1714            $fields = $args[4];
     1715        else
     1716            $fields = apply_filters( 'xmlrpc_default_taxonomy_fields', array( 'labels', 'capabilities', 'object_types' ), 'wp.getTaxonomies' );
    16871717
    16881718        if ( ! $user = $this->login( $username, $password ) )
     
    16911721        do_action( 'xmlrpc_call', 'wp.getTaxonomies' );
    16921722
    1693         $taxonomies = get_taxonomies( array(), 'objects' );
     1723        $taxonomies = get_taxonomies( $filter, 'objects' );
    16941724
    16951725        // holds all the taxonomy data
     
    17011731                continue;
    17021732
    1703             $struct[] = $this->_prepare_taxonomy( $taxonomy );
     1733            $struct[] = $this->_prepare_taxonomy( $taxonomy, $fields );
    17041734        }
    17051735
     
    20642094     * Get list of all tags
    20652095     *
    2066      * @since 2.7
     2096     * @since 2.7.0
    20672097     *
    20682098     * @param array $args Method parameters.
     
    24702500        // Do some timestamp voodoo
    24712501        if ( !empty( $content_struct['date_created_gmt'] ) ) {
    2472             $dateCreated = str_replace( 'Z', '', $content_struct['date_created_gmt']->getIso() ) . 'Z'; // We know this is supposed to be GMT, so we're going to slap that Z on there by force
     2502            // We know this is supposed to be GMT, so we're going to slap that Z on there by force
     2503            $dateCreated = rtrim( $post_data['post_date_gmt']->getIso(), 'Z' ) . 'Z';
    24732504            $comment_date = get_date_from_gmt(iso8601_to_datetime($dateCreated));
    24742505            $comment_date_gmt = iso8601_to_datetime($dateCreated, 'GMT');
     
    29572988    /**
    29582989     * Retrieves a post type
     2990     *
     2991     * @since 3.4.0
    29592992     *
    29602993     * @uses get_post_type_object()
     
    29843017        $post_type_name = $args[3];
    29853018
    2986         if ( isset( $args[4] ) ) 
    2987             $fields = $args[4]; 
    2988         else 
    2989             $fields = apply_filters( 'xmlrpc_default_posttype_fields', array( 'labels', 'capabilities', 'taxonomies' ), 'wp.getPostType' ); 
     3019        if ( isset( $args[4] ) )
     3020            $fields = $args[4];
     3021        else
     3022            $fields = apply_filters( 'xmlrpc_default_posttype_fields', array( 'labels', 'capabilities', 'taxonomies' ), 'wp.getPostType' );
    29903023
    29913024        if ( !$user = $this->login( $username, $password ) )
     
    30083041     * Retrieves a post types
    30093042     *
    3010      * @access private
     3043     * @since 3.4.0
    30113044     *
    30123045     * @uses get_post_types()
     
    30253058        $username           = $args[1];
    30263059        $password           = $args[2];
    3027         $filter             = isset( $args[3] ) ? $args[3] : array( 'public' => true ); 
    3028 
    3029         if ( isset( $args[4] ) ) 
    3030             $fields = $args[4]; 
    3031         else 
    3032             $fields = apply_filters( 'xmlrpc_default_posttype_fields', array( 'labels', 'capabilities', 'taxonomies' ), 'wp.getPostTypes' ); 
     3060        $filter             = isset( $args[3] ) ? $args[3] : array( 'public' => true );
     3061
     3062        if ( isset( $args[4] ) )
     3063            $fields = $args[4];
     3064        else
     3065            $fields = apply_filters( 'xmlrpc_default_posttype_fields', array( 'labels', 'capabilities', 'taxonomies' ), 'wp.getPostTypes' );
    30333066
    30343067        if ( ! $user = $this->login( $username, $password ) )
     
    35303563        $this->escape($args);
    35313564
    3532         $blog_ID     = (int) $args[0]; // we will support this in the near future
     3565        $blog_ID     = (int) $args[0];
    35333566        $username  = $args[1];
    35343567        $password   = $args[2];
     
    37273760        // Do some timestamp voodoo
    37283761        if ( !empty( $content_struct['date_created_gmt'] ) )
    3729             $dateCreated = str_replace( 'Z', '', $content_struct['date_created_gmt']->getIso() ) . 'Z'; // We know this is supposed to be GMT, so we're going to slap that Z on there by force
     3762            // We know this is supposed to be GMT, so we're going to slap that Z on there by force
     3763            $dateCreated = rtrim( $post_data['post_date_gmt']->getIso(), 'Z' ) . 'Z';
    37303764        elseif ( !empty( $content_struct['dateCreated']) )
    37313765            $dateCreated = $content_struct['dateCreated']->getIso();
     
    40454079        // Do some timestamp voodoo
    40464080        if ( !empty( $content_struct['date_created_gmt'] ) )
    4047             $dateCreated = str_replace( 'Z', '', $content_struct['date_created_gmt']->getIso() ) . 'Z'; // We know this is supposed to be GMT, so we're going to slap that Z on there by force
     4081            // We know this is supposed to be GMT, so we're going to slap that Z on there by force
     4082            $dateCreated = rtrim( $post_data['post_date_gmt']->getIso(), 'Z' ) . 'Z';
    40484083        elseif ( !empty( $content_struct['dateCreated']) )
    40494084            $dateCreated = $content_struct['dateCreated']->getIso();
Note: See TracChangeset for help on using the changeset viewer.