Opened 5 years ago

Closed 4 years ago

#10806 closed defect (bug) (fixed)

XMLRPC references level_8 capability

Reported by: dd32
Owned by: josephscott
Milestone: 3.0
Priority: normal
Severity: normal
Version: 2.9
Component: XML-RPC
Keywords: has-patch
Focuses: multisite
Cc:

Description

The WPMU part of the wp_getUsersBlogs() XMLRPC method refers directly to the 'level_8' capability. The usage of user levels has been deprecated for a while.

I'm not entirely sure how this applies to MU, so I am not providing a patch.

Affected line: http://core.trac.wordpress.org/browser/trunk/xmlrpc.php#L472

s/level_10/administrator/ would appear to me to be the best solution, but I'm not sure if that role is used by MU. Possibly checking a capability, such as manage_options, would be better?

And before someone mentions this should be on the WPMU trac: this is WPMU-specific code in WP.

Attachments (1)

10806.diff (392 bytes) - added by nacin 4 years ago.

Change History (8)

comment:1 dd32 4 years ago

  • Keywords multisite added
  • Milestone changed from Future Release to 3.0

comment:2 nacin 4 years ago

  • Keywords has-patch added; needs-patch removed

s/level_8/manage_options/ seems accurate here, that's generally the defining capability of an administrator.

nacin 4 years ago

comment:3 dd32 4 years ago

> s/level_8/manage_options/ seems accurate here, that's generally the defining capability of an administrator.

I'm wondering who should be able to access the users of a blog, though: just the superadmin, the owner of a blog, etc.

comment:4 nacin 4 years ago

Oh, wait, yea: "Retrieve the blogs of the user."

That's is_super_admin() territory.

comment:5 nacin 4 years ago

> I'm wondering who should be able to access the users of a blog, though: just the superadmin, the owner of a blog, etc.

The function is to retrieve the blogs that the current user belongs to. The isAdmin flag is a way to indicate whether the user can administrate the blog. Of course, it being a single flag that needs to be compatible, we can't get into capabilities.

We associate manage_options closest to the persona of administrator so we should go with that.

comment:6 dd32 4 years ago

Sounds sane enough to me, and reflects how the function currently operates.

comment:7 dd32 4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12969]) Do not use deprecated user levels in XMLRPC (s/level_8/manage_options/). Props nacin. Fixes #10806