Changeset 6714 for trunk/xmlrpc.php

Timestamp:

02/04/2008 06:35:05 PM (17 years ago)

Author:

ryan

Message:

More cap checks from josephscott. see #5313

File:

• trunk/xmlrpc.php (modified) (2 diffs)

trunk/xmlrpc.php

@@ -1129 +1129 @@
             return $this->error;
         }
+        $user = set_current_user(0, $user_login);
 
         do_action('xmlrpc_call', 'metaWeblog.newPost');
 
-        $cap = ($publish) ? 'publish_posts' : 'edit_posts';
-        $user = set_current_user(0, $user_login);
-        if ( !current_user_can($cap) )
-            return new IXR_Error(401, __('Sorry, you are not allowed to post on this blog.'));
-
-        // The post_type defaults to post, but could also be page.
-        $post_type = "post";
-        if(
-            !empty($content_struct["post_type"])
-            && ($content_struct["post_type"] == "page")
-        ) {
-            $post_type = "page";
+        $cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
+        $error_message = __( 'Sorry, you are not allowed to publish posts on this blog.' );
+        $post_type = 'post';
+        if( !empty( $content_struct['post_type'] ) ) {
+            if( $content_struct['post_type'] == 'page' ) {
+                $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
+                $error_message = __( 'Sorry, you are not allowed to publish pages on this blog.' );
+                $post_type = 'page';
+            }
+            elseif( $content_type['post_type'] == 'post' ) {
+                // This is the default, no changes needed
+            }
+            else {
+                // No other post_type values are allowed here
+                return new IXR_Error( 401, __( 'Invalid post type.' ) );
+            }
+        }
+
+        if( !current_user_can( $cap ) ) {
+            return new IXR_Error( 401, $error_message );
         }
 
@@ -1369 +1378 @@
             return $this->error;
         }
+        $user = set_current_user(0, $user_login);
 
         do_action('xmlrpc_call', 'metaWeblog.editPost');
 
-        $user = set_current_user(0, $user_login);
-
-        // The post_type defaults to post, but could also be page.
-        $post_type = "post";
-        if(
-            !empty($content_struct["post_type"])
-            && ($content_struct["post_type"] == "page")
-        ) {
-            if( !current_user_can( 'edit_page', $post_ID ) ) {
-                return(new IXR_Error(401, __("Sorry, you do not have the right to edit this page.")));
-            }
-
-            $post_type = "page";
-        }
-
-        if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )
-            return new IXR_Error(401, __('Sorry, you can not edit this post.'));
+        $cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
+        $error_message = __( 'Sorry, you are not allowed to publish posts on this blog.' );
+        $post_type = 'post';
+        if( !empty( $content_struct['post_type'] ) ) {
+            if( $content_struct['post_type'] == 'page' ) {
+                $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
+                $error_message = __( 'Sorry, you are not allowed to publish pages on this blog.' );
+                $post_type = 'page';
+            }
+            elseif( $content_type['post_type'] == 'post' ) {
+                // This is the default, no changes needed
+            }
+            else {
+                // No other post_type values are allowed here
+                return new IXR_Error( 401, __( 'Invalid post type.' ) );
+            }
+        }
+
+        if( !current_user_can( $cap ) ) {
+            return new IXR_Error( 401, $error_message );
+        }
 
         $postdata = wp_get_single_post($post_ID, ARRAY_A);