Timestamp:
09/26/2015 02:48:47 AM (9 years ago)
Author:
wonderboymusic
Message:

XML-RPC: wp.getComments should be allowed to return approved comments to those without the 'moderate_comments' cap.

Adds (rewrites) unit tests from 4 years ago that we never committed because....

Props wonderboymusic, koke, ericmann, nprasath002.
Fixes #17981.

File:
1 edited

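--- a/trunk/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/src/wp-includes/class-wp-xmlrpc-server.php
@@ -3156,15 +3156,18 @@
         $comment_id = (int) $args[3];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
         do_action( 'xmlrpc_call', 'wp.getComment' );
 
-        if ( ! $comment = get_comment($comment_id) )
+        if ( ! $comment = get_comment( $comment_id ) ) {
             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
+        }
+
+        if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
+        }
 
         return $this->_prepare_comment( $comment );
@@ -3204,17 +3207,18 @@
         $struct   = isset( $args[3] ) ? $args[3] : array();
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 401, __( 'Sorry, you cannot edit comments.' ) );
+        if ( ! $user = $this->login($username, $password ) )
+            return $this->error;
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
         do_action( 'xmlrpc_call', 'wp.getComments' );
 
-        if ( isset($struct['status']) )
+        if ( isset( $struct['status'] ) )
             $status = $struct['status'];
         else
             $status = '';
+
+        if ( ! current_user_can( 'moderate_comments' ) && 'approve' !== $status ) {
+            return new IXR_Error( 401, __( 'Invalid comment status.' ) );
+        }
 
         $post_id = '';
@@ -3261,5 +3265,5 @@
      * @return bool|IXR_Error {@link wp_delete_comment()}
      */
-    public function wp_deleteComment($args) {
+    public function wp_deleteComment( $args ) {
         $this->escape($args);
 
@@ -3268,15 +3272,15 @@
         $comment_ID = (int) $args[3];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
-
-        if ( ! get_comment($comment_ID) )
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        if ( ! get_comment( $comment_ID ) ) {
             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
-
-        if ( !current_user_can( 'edit_comment', $comment_ID ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+        }
+
+        if ( !current_user_can( 'edit_comment', $comment_ID ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3335,15 +3339,15 @@
         $content_struct = $args[4];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
-
-        if ( ! get_comment($comment_ID) )
+        if ( !$user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        if ( ! get_comment( $comment_ID ) ) {
             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
-
-        if ( !current_user_can( 'edit_comment', $comment_ID ) )
-            return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+        }
+
+        if ( ! current_user_can( 'edit_comment', $comment_ID ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3537,5 +3541,5 @@
      * @return array|IXR_Error
      */
-    public function wp_getCommentStatusList($args) {
+    public function wp_getCommentStatusList( $args ) {
         $this->escape( $args );
 
@@ -3543,9 +3547,11 @@
         $password = $args[2];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'moderate_comments' ) )
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        if ( ! current_user_can( 'publish_posts' ) ) {
             return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3577,9 +3583,16 @@
         $post_id    = (int) $args[3];
 
-        if ( !$user = $this->login($username, $password) )
-            return $this->error;
-
-        if ( !current_user_can( 'edit_posts' ) )
-            return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) );
+        if ( ! $user = $this->login( $username, $password ) ) {
+            return $this->error;
+        }
+
+        $post = get_post( $post_id, ARRAY_A );
+        if ( empty( $post['ID'] ) ) {
+            return new IXR_Error( 404, __( 'Invalid post ID.' ) );
+        }
+
+        if ( ! current_user_can( 'edit_post', $post_id ) ) {
+            return new IXR_Error( 403, __( 'You are not allowed access to details of this post.' ) );
+        }
 
         /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
@@ -3587,4 +3600,5 @@
 
         $count = wp_count_comments( $post_id );
+
         return array(
             'approved' => $count->approved,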
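Review bot: The new gate in the wp.getComments hunk (new lines 3220-3222) lets any authenticated account, not only moderators, list approved comments site-wide, and the rest of wp_getComments (outside the hunk) presumably still hands each result to `_prepare_comment`; if that struct carries fields the public site does not show, such as the commenter's email or IP address, the relaxed capability check turns them into a disclosure to low-privilege users. Consider either limiting non-moderators to posts they can edit (`current_user_can( 'edit_post', $post_id )`, mirroring the check this commit adds to wp.getCommentCount) or omitting those fields when the caller lacks `moderate_comments`, and add a test that a subscriber's wp.getComments response contains no non-public commenter data. Separately, the login check at new lines 3209-3210 is the only one in this changeset left without braces and keeps the unbalanced `login($username, $password )` spacing; `if ( ! $user = $this->login( $username, $password ) ) {` / `return $this->error;` / `}` would match the other hunks.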