
Changeset 31983


Timestamp:
04/02/2015 03:48:41 PM (10 years ago)
Author:
johnbillion
Message:

Correctly set the post author in wp_xmlrpc_server::mw_editPost() when the current user is not the author of the post.

Props redsweater, markoheijnen, DrewAPicture
Fixes #24916

Location:
trunk
Files:
3 edited

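--- a/trunk/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/src/wp-includes/class-wp-xmlrpc-server.php
@@ -4757,18 +4757,24 @@
 
         // Only set the post_author if one is set.
-        if ( isset($content_struct['wp_author_id']) && ($user->ID != $content_struct['wp_author_id']) ) {
-            switch ( $post_type ) {
-                case 'post':
-                    if ( !current_user_can('edit_others_posts') )
-                        return new IXR_Error( 401, __( 'You are not allowed to change the post author as this user.' ) );
-                    break;
-                case 'page':
-                    if ( !current_user_can('edit_others_pages') )
-                        return new IXR_Error( 401, __( 'You are not allowed to change the page author as this user.' ) );
-                    break;
-                default:
-                    return new IXR_Error( 401, __( 'Invalid post type' ) );
+        if ( isset( $content_struct['wp_author_id'] ) ) {
+            // Check permissions if attempting to switch author to or from another user.
+            if ( $user->ID != $content_struct['wp_author_id'] || $user->ID != $post_author ) {
+                switch ( $post_type ) {
+                    case 'post':
+                        if ( ! current_user_can( 'edit_others_posts' ) ) {
+                            return new IXR_Error( 401, __( 'You are not allowed to change the post author as this user.' ) );
+                        }
+                        break;
+                    case 'page':
+                        if ( ! current_user_can( 'edit_others_pages' ) ) {
+                            return new IXR_Error( 401, __( 'You are not allowed to change the page author as this user.' ) );
+                        }
+                        break;
+                    default:
+                        return new IXR_Error( 401, __( 'Invalid post type' ) );
+                        break;
+                }
+                $post_author = $content_struct['wp_author_id'];
             }
-            $post_author = $content_struct['wp_author_id'];
         }
 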
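Review bot: The comparison at 4761 and the assignment at 4777 use `$content_struct['wp_author_id']` as it arrives from the XML-RPC request, compared loosely with `!=` and stored without normalisation, so a string or non-integer value passes through the capability gate and is written as the author; casting once up front, `$author_id = (int) $content_struct['wp_author_id'];`, and using `$author_id` with `!==` in both the condition and the assignment would make the check and the stored value unambiguous. The hunk also does not confirm that the supplied id belongs to an existing user; if mw_editPost does not do that outside the hunk, the `edit_others_posts`/`edit_others_pages` checks at 4764 and 4769 are the only gate and a non-existent id would be stored. The `break;` at 4775 after `return` is unreachable and can be dropped. `$post_author` is presumably initialised from the existing post before the hunk; the function starts and ends outside it.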
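--- a/trunk/tests/phpunit/tests/xmlrpc/mw/editPost.php
+++ b/trunk/tests/phpunit/tests/xmlrpc/mw/editPost.php
@@ -96,4 +96,23 @@
     }
 
+    /**
+     * @ticket 24916
+     */
+    function test_capable_reassign_author_to_self() {
+        $contributor_id = $this->make_user_by_role( 'contributor' );
+        $editor_id = $this->make_user_by_role( 'editor' );
+
+        $post = array( 'post_title' => 'Post test', 'post_author' => $contributor_id );
+        $post_id = wp_insert_post( $post );
+
+        $post2 = array( 'wp_author_id' => $editor_id );
+        $result = $this->myxmlrpcserver->mw_editPost( array( $post_id, 'editor', 'editor', $post2 ) );
+        $this->assertNotInstanceOf( 'IXR_Error', $result );
+        $this->assertTrue($result);
+
+        $out = get_post( $post_id );
+        $this->assertEquals( $editor_id, $out->post_author );
+    }
+
     function test_post_thumbnail() {
         add_theme_support( 'post-thumbnails' );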
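Review bot: The new test only exercises the path the fix permits (an editor moving a contributor's post to themselves); the other half of the changed condition — the post's own author, lacking `edit_others_posts`, trying to hand the post to someone else — is not covered here, nor by the matching test in trunk/tests/phpunit/tests/xmlrpc/wp/editPost.php. A companion test that logs in as the contributor who owns the post, passes the editor's id as `wp_author_id`, and asserts `$this->assertInstanceOf( 'IXR_Error', $result );` with code 401 would pin that branch, assuming the contributor's own draft passes the earlier edit checks in mw_editPost (outside this hunk). Minor: `$this->assertTrue($result);` at 111 does not follow the spacing used by the surrounding assertions, `$this->assertTrue( $result );`.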
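--- a/trunk/tests/phpunit/tests/xmlrpc/wp/editPost.php
+++ b/trunk/tests/phpunit/tests/xmlrpc/wp/editPost.php
@@ -96,4 +96,23 @@
     }
 
+    /**
+     * @ticket 24916
+     */
+    function test_capable_reassign_author_to_self() {
+        $contributor_id = $this->make_user_by_role( 'contributor' );
+        $editor_id = $this->make_user_by_role( 'editor' );
+
+        $post = array( 'post_title' => 'Post test', 'post_author' => $contributor_id );
+        $post_id = wp_insert_post( $post );
+
+        $post2 = array( 'post_author' => $editor_id );
+        $result = $this->myxmlrpcserver->wp_editPost( array( 1, 'editor', 'editor', $post_id, $post2 ) );
+        $this->assertNotInstanceOf( 'IXR_Error', $result );
+        $this->assertTrue($result);
+
+        $out = get_post( $post_id );
+        $this->assertEquals( $editor_id, $out->post_author );
+    }
+
     function test_post_thumbnail() {
         add_theme_support( 'post-thumbnails' );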