
Changeset 6503


Timestamp:
12/27/2007 10:14:27 PM (16 years ago)
Author:
ryan
Message:

Some xmlrpc cap checks from josephscott.

File:
1 edited

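--- a/trunk/xmlrpc.php
+++ b/trunk/xmlrpc.php
@@ -231,4 +231,8 @@
             return($this->error);
         }
+
+        set_current_user( 0, $username );
+        if( !current_user_can( 'edit_page', $page_id ) )
+            return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) );
 
         do_action('xmlrpc_call', 'wp.getPage');
@@ -316,4 +320,8 @@
         }
 
+        set_current_user( 0, $username );
+        if( !current_user_can( 'edit_pages' ) )
+            return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
+
         do_action('xmlrpc_call', 'wp.getPages');
 
@@ -482,4 +490,8 @@
         }
 
+        set_current_user( 0, $username );
+        if( !current_user_can( 'edit_pages' ) )
+            return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
+
         do_action('xmlrpc_call', 'wp.getPageList');
 
@@ -647,4 +659,8 @@
         }
 
+        set_current_user(0, $username);
+        if( !current_user_can( 'edit_posts' ) )
+            return new IXR_Error( 401, __( 'Sorry, you must be able to publish to this blog in order to view categories.' ) );
+
         do_action('xmlrpc_call', 'wp.suggestCategories');
 
@@ -707,4 +723,8 @@
         }
 
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_posts' ) )
+            return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) );
+
         do_action('xmlrpc_call', 'blogger.getUserInfo');
 
@@ -715,5 +735,4 @@
             'userid'    => $user_data->ID,
             'url'       => $user_data->user_url,
-            'email'     => $user_data->user_email,
             'lastname'  => $user_data->last_name,
             'firstname' => $user_data->first_name
@@ -736,4 +755,8 @@
             return $this->error;
         }
+
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_post', $post_ID ) )
+            return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
 
         do_action('xmlrpc_call', 'blogger.getPost');
@@ -776,4 +799,6 @@
         $posts_list = wp_get_recent_posts($num_posts);
 
+        set_current_user( 0, $user_login );
+
         if (!$posts_list) {
             $this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.'));
@@ -782,4 +807,6 @@
 
         foreach ($posts_list as $entry) {
+            if( !current_user_can( 'edit_post', $entry['ID'] ) )
+                continue;
 
             $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
@@ -1462,4 +1489,8 @@
             return $this->error;
         }
+
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_post', $post_ID ) )
+            return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
 
         do_action('xmlrpc_call', 'metaWeblog.getPost');
@@ -1550,13 +1581,9 @@
         }
 
-        $this_user = set_current_user( 0, $user_login );
+        set_current_user( 0, $user_login );
 
         foreach ($posts_list as $entry) {
-            if (
-                !empty( $entry['post_password'] )
-                && !current_user_can( 'edit_post', $entry['ID'] )
-            ) {
-                unset( $entry['post_password'] );
-            }
+            if( !current_user_can( 'edit_post', $entry['ID'] ) )
+                continue;
 
             $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
@@ -1638,4 +1665,8 @@
         }
 
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_posts' ) )
+            return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
+
         do_action('xmlrpc_call', 'metaWeblog.getCategories');
 
@@ -1761,5 +1792,9 @@
         }
 
+        set_current_user( 0, $user_login );
+
         foreach ($posts_list as $entry) {
+            if( !current_user_can( 'edit_post', $entry['ID'] ) )
+                continue;
 
             $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
@@ -1798,9 +1833,12 @@
         }
 
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_posts' ) )
+            return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
+
         do_action('xmlrpc_call', 'mt.getCategoryList');
 
         $categories_struct = array();
 
-        // FIXME: can we avoid using direct SQL there?
         if ( $cats = get_categories('hide_empty=0&hierarchical=0') ) {
             foreach ($cats as $cat) {
@@ -1828,4 +1866,8 @@
             return $this->error;
         }
+
+        set_current_user( 0, $user_login );
+        if( !current_user_can( 'edit_post', $post_ID ) )
+            return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
 
         do_action('xmlrpc_call', 'mt.getPostCategories');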
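Review bot: The `edit_pages` check added before `do_action('xmlrpc_call', 'wp.getPages');` (and the identical one before `wp.getPageList`) is a blanket capability, while the post-listing hunks in this same changeset additionally filter each returned item with the per-object meta cap (`if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue;`). The loops that build the page lists lie outside the hunks, so whether they return page content is not visible here; if they do, a user who holds `edit_pages` but not `edit_others_pages` could still read other authors' unpublished pages, and a per-page `edit_page` check with the same `continue` pattern in those loops would match the `current_user_can( 'edit_page', $page_id )` test used by wp.getPage. Separately, the wp.suggestCategories message `'Sorry, you must be able to publish to this blog in order to view categories.'` does not describe the `edit_posts` capability actually tested; the metaWeblog.getCategories and mt.getCategoryList hunks use `'Sorry, you must be able to edit posts on this blog in order to view categories.'` for the same check, and that string fits here too. Every enclosing method starts and ends outside its hunk.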