Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#20336 closed defect (bug) (fixed)

XMLRPC several methods for check for capability before it exists

Reported by: markoheijnen
Owned by: nacin
Milestone: 3.4
Priority: normal
Severity: normal
Version:
Component: XML-RPC
Keywords: has-patch commit
Focuses:
Cc:


When you check for the capability to edit a post, the check also applies to non-existent posts.
So if a post ID doesn't exist, it will also say you are not allowed to edit the post.

So I guess wp_get_single_post should be before current_user_can, so the right error message can be applied. Also, the check on post_date for "no such post" is weird.

Attachments (1)

20336.diff (3.1 KB) - added by nacin 4 years ago.

Change History (7)

#1 @markoheijnen
4 years ago

Added unit test cases for the method mw_getPost [UT599]

#2 @markoheijnen
4 years ago

  • Summary changed from XMLRPC mw_getPost never shows the post doesn't exists to XMLRPC several methods for check for capability before it exists

#3 @markoheijnen
4 years ago

wp_getPage does the same: [UT601]

#4 @maxcutler
4 years ago

  • Milestone changed from Awaiting Review to 3.4

#5 @nacin
4 years ago

  • Keywords has-patch commit added

20336.diff is the result of reviewing every meta cap in class-wp-xmlrpc-server.php. Could use a second look.

#6 @nacin
4 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [20637]:

Check for the existence of a post before calling current_user_can() with a meta cap on that object. fixes #20336.
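
The ordering problem described in the ticket and in [20637], as an added example that is not WordPress code and not part of 20336.diff. The helper functions, sample posts, status codes and messages are constructed stand-ins for wp_get_single_post() and current_user_can().

```php
<?php
// Constructed sample data: post ID => author (hypothetical, not WordPress data).
const DEMO_POSTS = [1 => 'alice', 2 => 'bob'];

// Stand-in for a lookup such as wp_get_single_post(): null when the ID is unknown.
function demo_get_post(int $id): ?array {
    return isset(DEMO_POSTS[$id]) ? ['ID' => $id, 'author' => DEMO_POSTS[$id]] : null;
}

// Stand-in for current_user_can('edit_post', $id). A meta cap is resolved
// against the object, so a missing object can only resolve to "deny".
function demo_user_can_edit(string $user, int $id): bool {
    $post = demo_get_post($id);
    return $post !== null && $post['author'] === $user;
}

// Order reported in the ticket: capability check first.
function get_post_cap_first(string $user, int $id): array {
    if (!demo_user_can_edit($user, $id)) {
        return ['code' => 401, 'msg' => 'not allowed to edit this post'];
    }
    $post = demo_get_post($id);
    if ($post === null) { // unreachable: a missing post already failed above
        return ['code' => 404, 'msg' => 'no such post'];
    }
    return ['code' => 200, 'post' => $post];
}

// Order after the fix: existence check first, then the meta cap.
function get_post_exists_first(string $user, int $id): array {
    $post = demo_get_post($id);
    if ($post === null) {
        return ['code' => 404, 'msg' => 'no such post'];
    }
    if (!demo_user_can_edit($user, $id)) {
        return ['code' => 401, 'msg' => 'not allowed to edit this post'];
    }
    return ['code' => 200, 'post' => $post];
}

// alice requests her own post, bob's post, and an ID that does not exist.
foreach ([1, 2, 999] as $id) {
    printf("post %d: cap-first=%d exists-first=%d\n", $id,
        get_post_cap_first('alice', $id)['code'],
        get_post_exists_first('alice', $id)['code']);
}
```

Only the missing ID differs between the two orderings: capability-first reports a permission error for it, existence-first reports that the post does not exist.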
