Changeset 21745


Timestamp:
09/04/12 20:58:32 (20 months ago)
Author:
nacin
Message:

Improve API usage in wp-app.php for post operations and attachment deletion. Proper cap checks. Unregister put_file and delete_file, as core itself does not provide for file replacement. For 3.4.

File:
1 edited

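--- a/branches/3.4/wp-includes/class-wp-atom-server.php
+++ b/branches/3.4/wp-includes/class-wp-atom-server.php
@@ -168,7 +168,5 @@
 						'POST' => 'create_attachment'),
 			'@/attachment/file/(\d+)$@' =>
-				array('GET' => 'get_file',
-						'PUT' => 'put_file',
-						'DELETE' => 'delete_file'),
+				array('GET' => 'get_file'),
 			'@/attachment/(\d+)$@' =>
 				array('GET' => 'get_attachment',
@@ -316,4 +314,10 @@
 		$entry = array_pop($parser->feed->entries);
 
+		$publish = ! ( isset( $entry->draft ) && 'yes' == trim( $entry->draft ) );
+		$cap = ($publish) ? 'publish_posts' : 'edit_posts';
+
+		if ( !current_user_can($cap) )
+			$this->auth_required(__('Sorry, you do not have the right to edit/publish new posts.'));
+
 		$catnames = array();
 		if ( !empty( $entry->categories ) ) {
@@ -331,11 +335,4 @@
 				array_push($post_category, $cat->term_id);
 		}
-
-		$publish = ! ( isset( $entry->draft ) && 'yes' == trim( $entry->draft ) );
-
-		$cap = ($publish) ? 'publish_posts' : 'edit_posts';
-
-		if ( !current_user_can($cap) )
-			$this->auth_required(__('Sorry, you do not have the right to edit/publish new posts.'));
 
 		$blog_ID = get_current_blog_id();
@@ -399,5 +396,5 @@
 		global $entry;
 
-		if ( !current_user_can( 'edit_post', $postID ) )
+		if ( ! get_post( $postID ) || ! current_user_can( 'edit_post', $postID ) )
 			$this->auth_required( __( 'Sorry, you do not have the right to access this post.' ) );
 
@@ -430,8 +427,12 @@
 		$this->set_current_entry($postID);
 
-		if ( !current_user_can('edit_post', $entry['ID']) )
+		if ( !current_user_can('edit_post', $postID) )
 			$this->auth_required(__('Sorry, you do not have the right to edit this post.'));
 
 		$publish = ! ( isset($parsed->draft) && 'yes' == trim($parsed->draft) );
+
+		if ( $publish && ! current_user_can( 'publish_posts' ) )
+			$this->auth_required( __( 'Sorry, you do not have the right to publish this post.' ) );
+
 		$post_status = ($publish) ? 'publish' : 'draft';
 
@@ -474,5 +475,5 @@
 		$this->set_current_entry($postID);
 
-		if ( !current_user_can('edit_post', $postID) )
+		if ( !current_user_can('delete_post', $postID) )
 			$this->auth_required(__('Sorry, you do not have the right to delete this post.'));
 
@@ -505,4 +506,7 @@
 			$this->get_attachments();
 		} else {
+			if ( ! current_user_can( 'edit_post', $postID ) )
+				$this->auth_required( __( 'Sorry, you do not have the right to edit this post.' ) );
+
 			$this->set_current_entry($postID);
 			$output = $this->get_entry($postID, 'attachment');
@@ -590,5 +594,5 @@
 		$this->set_current_entry($postID);
 
-		if ( !current_user_can('edit_post', $entry['ID']) )
+		if ( !current_user_can('edit_post', $entry['ID']) || 'attachment' != $entry['post_type'] )
 			$this->auth_required(__('Sorry, you do not have the right to edit this post.'));
 
@@ -625,5 +629,5 @@
 		$this->set_current_entry($postID);
 
-		if ( !current_user_can('edit_post', $postID) )
+		if ( !current_user_can('delete_post', $postID) )
 			$this->auth_required(__('Sorry, you do not have the right to delete this post.'));
 
@@ -634,9 +638,6 @@
 			$this->internal_error(__('Error occurred while accessing post metadata for file location.'));
 
-		// delete file
-		@unlink($location);
-
 		// delete attachment
-		$result = wp_delete_post($postID);
+		$result = wp_delete_attachment($postID);
 
 		if ( !$result )
@@ -971,5 +972,5 @@
 		$count = get_option('posts_per_rss');
 
-		wp('posts_per_page=' . $count . '&offset=' . ($count * ($page-1)) . '&orderby=modified&post_status=any');
+		wp('posts_per_page=' . $count . '&offset=' . ($count * ($page-1)) . '&orderby=modified&perm=readable');
 
 		$post = $GLOBALS['post'];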
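Review bot: In the attachment-deletion hunk, the `internal_error(__('Error occurred while accessing post metadata for file location.'))` at old line 634 is kept although the only consumer of `$location` visible here, `@unlink($location)`, is removed in the same hunk, so the file-location lookup that precedes it now serves only to abort the request when that metadata is missing — a case `wp_delete_attachment()` handles on its own. If the preceding condition also enforces the attachment post type, keep that part and drop only the dependency on `$location`; otherwise the method can go from the `delete_post` cap check straight to `$result = wp_delete_attachment($postID);`. The start of that method, where `$location` is read, is outside the hunk, so confirm it has no other use there. On the last hunk, `perm=readable` appears to be consulted by WP_Query only when an explicit `post_status` is also supplied, so the practical effect of this line is a fall-back to the default status set (published, plus private posts gated by authorship or `read_private_posts`), which drops every draft from the collection feed including the caller's own. A one-line comment stating that intent, e.g. `// No post_status given: default query lists published posts plus private posts the user may read; drafts are not listed.`, would save the next reader from re-deriving it.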