Make WordPress Core

Opened 12 years ago

Closed 12 years ago

#20991 closed defect (bug) (fixed)

wp.getPosts doesn't always check cap

Reported by: maxcutler
Owned by: nacin
Milestone: 3.4.1
Priority: normal
Severity: normal
Version: 3.4
Component: XML-RPC
Keywords: has-patch commit
Focuses:
Cc:


The cap check against 'edit_posts' in the XML-RPC wp.getPosts method does not fire immediately when querying against the 'post' post type. For other post types ('page', 'attachment', or CPTs), the cap check will fire early and short-circuit the method execution with an error.

The cap is checked properly before outputting each post, so at worst a non-capable user will get an empty array as output. However, by that point the query will have run.
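
The check ordering described above, as an added example in PHP that is neither WordPress core code nor the attached patch. It is a simplified model: every function name is hypothetical, and it assumes the early check was tied to an explicitly supplied post type, which the ticket does not state.

```php
<?php
// Simplified model of the check ordering in this ticket. Every function here is
// hypothetical; none of it is WordPress core code or the attached patch.
$queries_run = 0; // counts how often the (stand-in) database query executes

function edit_cap_for(string $type): ?string {
    // Constructed map: post type => capability needed to edit posts of that type.
    return ['post' => 'edit_posts', 'page' => 'edit_pages'][$type] ?? null;
}

function run_query(string $type): array {
    global $queries_run;
    $queries_run++;
    return [['type' => $type, 'title' => 'Constructed sample post']];
}

function visible_posts(array $posts, array $caps): array {
    // Per-post check at output time: this is why the caller only sees [].
    return array_values(array_filter($posts,
        fn($p) => in_array(edit_cap_for($p['type']), $caps, true)));
}

// Before: the early check runs only when the caller names a post type (assumed).
function get_posts_before(array $filter, array $caps) {
    $type = 'post';
    if (isset($filter['post_type'])) {
        $cap = edit_cap_for($filter['post_type']);
        if ($cap === null) return 'error: invalid post type';
        if (!in_array($cap, $caps, true)) return 'error: not allowed';
        $type = $filter['post_type'];
    }
    return visible_posts(run_query($type), $caps);
}

// After: resolve the default first, so every path is checked before the query.
function get_posts_after(array $filter, array $caps) {
    $type = $filter['post_type'] ?? 'post';
    $cap = edit_cap_for($type);
    if ($cap === null) return 'error: invalid post type';
    if (!in_array($cap, $caps, true)) return 'error: not allowed';
    return visible_posts(run_query($type), $caps);
}

$subscriber = ['read']; // constructed user without edit_posts
foreach (['get_posts_before', 'get_posts_after'] as $fn) {
    $queries_run = 0;
    $result = $fn([], $subscriber);
    printf("%s: result=%s, queries run=%d\n", $fn, json_encode($result), $queries_run);
}
```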

Attachments (1)

20991.patch (1.1 KB) - added by maxcutler 12 years ago.


Change History (6)

#1 @maxcutler
12 years ago

Unit test in [UT738].

#2 @nacin
12 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 3.5

#3 @nacin
12 years ago

  • Milestone changed from 3.5 to 3.4.1

#4 @nacin
12 years ago

In [21137]:

Check XML-RPC cap before running the query. props maxcutler. see #20991 for trunk.

#5 @nacin
12 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [21138]:

Check XML-RPC cap before running the query. props maxcutler. fixes #20991 for 3.4.
