
Changeset 21745


Timestamp:
09/04/2012 08:58:32 PM (9 years ago)
Author:
nacin
Message:

Improve API usage in wp-app.php for post operations and attachment deletion. Proper cap checks. Unregister put_file and delete_file, as core itself doesn't provide for file replacement. For 3.4.

File:
1 edited

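--- a/branches/3.4/wp-includes/class-wp-atom-server.php
+++ b/branches/3.4/wp-includes/class-wp-atom-server.php
@@ -168,7 +168,5 @@
                         'POST' => 'create_attachment'),
             '@/attachment/file/(\d+)$@' =>
-                array('GET' => 'get_file',
-                        'PUT' => 'put_file',
-                        'DELETE' => 'delete_file'),
+                array('GET' => 'get_file'),
             '@/attachment/(\d+)$@' =>
                 array('GET' => 'get_attachment',
@@ -316,4 +314,10 @@
         $entry = array_pop($parser->feed->entries);
 
+        $publish = ! ( isset( $entry->draft ) && 'yes' == trim( $entry->draft ) );
+        $cap = ($publish) ? 'publish_posts' : 'edit_posts';
+
+        if ( !current_user_can($cap) )
+            $this->auth_required(__('Sorry, you do not have the right to edit/publish new posts.'));
+
         $catnames = array();
         if ( !empty( $entry->categories ) ) {
@@ -331,11 +335,4 @@
                 array_push($post_category, $cat->term_id);
         }
-
-        $publish = ! ( isset( $entry->draft ) && 'yes' == trim( $entry->draft ) );
-
-        $cap = ($publish) ? 'publish_posts' : 'edit_posts';
-
-        if ( !current_user_can($cap) )
-            $this->auth_required(__('Sorry, you do not have the right to edit/publish new posts.'));
 
         $blog_ID = get_current_blog_id();
@@ -399,5 +396,5 @@
         global $entry;
 
-        if ( !current_user_can( 'edit_post', $postID ) )
+        if ( ! get_post( $postID ) || ! current_user_can( 'edit_post', $postID ) )
             $this->auth_required( __( 'Sorry, you do not have the right to access this post.' ) );
 
@@ -430,8 +427,12 @@
         $this->set_current_entry($postID);
 
-        if ( !current_user_can('edit_post', $entry['ID']) )
+        if ( !current_user_can('edit_post', $postID) )
             $this->auth_required(__('Sorry, you do not have the right to edit this post.'));
 
         $publish = ! ( isset($parsed->draft) && 'yes' == trim($parsed->draft) );
+
+        if ( $publish && ! current_user_can( 'publish_posts' ) )
+            $this->auth_required( __( 'Sorry, you do not have the right to publish this post.' ) );
+
         $post_status = ($publish) ? 'publish' : 'draft';
 
@@ -474,5 +475,5 @@
         $this->set_current_entry($postID);
 
-        if ( !current_user_can('edit_post', $postID) )
+        if ( !current_user_can('delete_post', $postID) )
             $this->auth_required(__('Sorry, you do not have the right to delete this post.'));
 
@@ -505,4 +506,7 @@
             $this->get_attachments();
         } else {
+            if ( ! current_user_can( 'edit_post', $postID ) )
+                $this->auth_required( __( 'Sorry, you do not have the right to edit this post.' ) );
+
             $this->set_current_entry($postID);
             $output = $this->get_entry($postID, 'attachment');
@@ -590,5 +594,5 @@
         $this->set_current_entry($postID);
 
-        if ( !current_user_can('edit_post', $entry['ID']) )
+        if ( !current_user_can('edit_post', $entry['ID']) || 'attachment' != $entry['post_type'] )
             $this->auth_required(__('Sorry, you do not have the right to edit this post.'));
 
@@ -625,5 +629,5 @@
         $this->set_current_entry($postID);
 
-        if ( !current_user_can('edit_post', $postID) )
+        if ( !current_user_can('delete_post', $postID) )
             $this->auth_required(__('Sorry, you do not have the right to delete this post.'));
 
@@ -634,9 +638,6 @@
             $this->internal_error(__('Error occurred while accessing post metadata for file location.'));
 
-        // delete file
-        @unlink($location);
-
         // delete attachment
-        $result = wp_delete_post($postID);
+        $result = wp_delete_attachment($postID);
 
         if ( !$result )
@@ -971,5 +972,5 @@
         $count = get_option('posts_per_rss');
 
-        wp('posts_per_page=' . $count . '&offset=' . ($count * ($page-1)) . '&orderby=modified&post_status=any');
+        wp('posts_per_page=' . $count . '&offset=' . ($count * ($page-1)) . '&orderby=modified&perm=readable');
 
         $post = $GLOBALS['post'];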
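Review bot: The new condition at line 398 reports a missing post with the same "do not have the right to access this post" message as a genuine permission failure, and the attachment-type test folded into the condition at line 596 does the same for an entry that exists but is not an attachment. If the merged check is deliberate, so that a caller cannot distinguish existing IDs from missing ones by the response, record that intent on the line 398 condition with `// A missing post is answered like a forbidden one so the response does not reveal which IDs exist.` and the same comment at line 596; otherwise split the existence/type test from the capability test so the message matches the cause. In the hunk at 634–642, once `@unlink($location)` is gone the file-location lookup guarded by the `internal_error` at 638 looks unused, since `wp_delete_attachment()` takes over file removal; if nothing else reads it, the lookup and its error path can go as well. The enclosing methods of all three hunks start and end outside the hunks.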