

Timestamp:
04/02/2015 03:48:41 PM (9 years ago)
Author:
johnbillion
Message:

Correctly set the post author in wp_xmlrpc_server::mw_editPost() when the current user is not the author of the post.

Props redsweater, markoheijnen, DrewAPicture
Fixes #24916

File:
1 edited

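--- a/trunk/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/src/wp-includes/class-wp-xmlrpc-server.php
@@ -4757,18 +4757,24 @@
 
         // Only set the post_author if one is set.
-        if ( isset($content_struct['wp_author_id']) && ($user->ID != $content_struct['wp_author_id']) ) {
-            switch ( $post_type ) {
-                case 'post':
-                    if ( !current_user_can('edit_others_posts') )
-                        return new IXR_Error( 401, __( 'You are not allowed to change the post author as this user.' ) );
-                    break;
-                case 'page':
-                    if ( !current_user_can('edit_others_pages') )
-                        return new IXR_Error( 401, __( 'You are not allowed to change the page author as this user.' ) );
-                    break;
-                default:
-                    return new IXR_Error( 401, __( 'Invalid post type' ) );
+        if ( isset( $content_struct['wp_author_id'] ) ) {
+            // Check permissions if attempting to switch author to or from another user.
+            if ( $user->ID != $content_struct['wp_author_id'] || $user->ID != $post_author ) {
+                switch ( $post_type ) {
+                    case 'post':
+                        if ( ! current_user_can( 'edit_others_posts' ) ) {
+                            return new IXR_Error( 401, __( 'You are not allowed to change the post author as this user.' ) );
+                        }
+                        break;
+                    case 'page':
+                        if ( ! current_user_can( 'edit_others_pages' ) ) {
+                            return new IXR_Error( 401, __( 'You are not allowed to change the page author as this user.' ) );
+                        }
+                        break;
+                    default:
+                        return new IXR_Error( 401, __( 'Invalid post type' ) );
+                        break;
+                }
+                $post_author = $content_struct['wp_author_id'];
             }
-            $post_author = $content_struct['wp_author_id'];
         }
 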
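Review bot: The gate on line 4761 compares `$user->ID` against the untrusted XML-RPC value `$content_struct['wp_author_id']` with loose `!=`, and that raw value is then assigned to `$post_author` on line 4777 without being normalised to an integer. Under PHP's loose comparison a non-integer payload that merely starts with the caller's own ID (e.g. `"1abc"` for user 1) would compare equal, skip the `edit_others_*` check, and propagate an unsanitised author value downstream; what the rest of mw_editPost does with it is outside the hunk. Casting once up front and comparing strictly closes that: `$author_id = (int) $content_struct['wp_author_id'];` then `if ( $author_id !== (int) $user->ID || (int) $post_author !== (int) $user->ID ) {` and `$post_author = $author_id;`. The new code also does not confirm that the requested ID is an existing user; if that is not enforced where `$post_author` is consumed, a `get_userdata()` check here would be the natural place. The `break;` after the `return` in the `default` arm is unreachable and can be dropped.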