Make WordPress Core

Opened 21 months ago

Last modified 17 months ago

#21386 new enhancement

XML-RPC needs a user permission method

Reported by: markoheijnen
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: XML-RPC
Keywords: mobile
Focuses:
Cc:


At this moment, when calling an XML-RPC method you will receive an error when the user can't do that method.

It would be better if there is a way an app can retrieve the user permissions and act on that without the need to call the method.

Change History (13)

comment:1 daniloercoli 21 months ago

  • Cc ercoli@… added

comment:2 markoheijnen 21 months ago

As an add-on to this, we should have a way that wp.getPostTypes only returns post types a user can add/edit.

comment:3 maxcutler 21 months ago

  • Cc maxcutler added

See #18428 for XML-RPC user management methods. It has wp.getUser and wp.getUsers methods that return capabilities. Is there more that you think is needed?

comment:4 markoheijnen 21 months ago

That almost solves the problem. I do think we should have an option in wp.getPostTypes so it only returns the post types the user can add.
So some of the capability issues will be solved by the XML-RPC server instead of in the app.

comment:5 daniloercoli 21 months ago

  • Cc ercoli@… removed

comment:6 daniloercoli 21 months ago

  • Cc ercoli@… added

comment:7 nacin 19 months ago

  • Keywords punt added
  • Type changed from defect (bug) to enhancement

This is an enhancement.

#18428 will not end up returning capabilities.

I don't know the best way to solve this. No action here, either. Punt?

comment:8 koke 19 months ago

  • Cc koke added
  • Keywords mobile added

comment:9 markoheijnen 19 months ago

  • Keywords punt removed
  • Milestone changed from 3.5 to Future Release

comment:10 danielbachhuber 18 months ago

  • Cc danielbachhuber added

comment:11 koke 17 months ago

For now, our use case for this would be http://ios.trac.wordpress.org/ticket/1475

If the user can't publish posts but can save them (contributor?), the UI shouldn't say "Publish".

What's the reason behind wp.getUser not returning capabilities? Would adding wp.hasCap(blogId, username, password, cap) make sense if we don't want to return the full list?

comment:12 markoheijnen 17 months ago

You can read #18428. Probably something to do with security. From my point of view it doesn't matter that much but you should ask Nacin about this.

comment:13 nacin 17 months ago

Fairly little to do with security. Rather, returning a raw array of capabilities and roles doesn't help when it comes to actually processing capability. No filters are run, nor would map_meta_cap() get a chance to do its magic. Raw role names could go a long way for basic sanity checks, which is why those almost made it in.
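
Added example, not part of the ticket thread and not WordPress core code: a plugin-side sketch of the per-capability check discussed in comments 11 and 13, evaluated through user_can() so that map_meta_cap() and capability filters run. The method name example.hasCap and the function example_xmlrpc_has_cap are hypothetical; the xmlrpc_methods filter, wp_xmlrpc_server::login(), wp_xmlrpc_server::escape() and user_can() are existing core APIs. It assumes a single site, so blog_id is accepted but unused.

```php
<?php
/*
 * Plugin Name: Example XML-RPC capability check
 * Added illustration; "example.hasCap" and the function name are hypothetical.
 */

// Register the hypothetical method through the core 'xmlrpc_methods' filter.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	$methods['example.hasCap'] = 'example_xmlrpc_has_cap';
	return $methods;
} );

/**
 * Arguments: blog_id, username, password, capability, [object_id].
 * Returns true or false for the authenticated caller only.
 */
function example_xmlrpc_has_cap( $args ) {
	global $wp_xmlrpc_server;

	if ( ! is_array( $args ) || count( $args ) < 4 ) {
		return new IXR_Error( 400, 'Insufficient arguments passed to this XML-RPC method.' );
	}
	$wp_xmlrpc_server->escape( $args );

	// Authenticate first; callers can only ask about their own account.
	$user = $wp_xmlrpc_server->login( $args[1], $args[2] );
	if ( ! $user ) {
		return $wp_xmlrpc_server->error;
	}

	$cap       = sanitize_key( $args[3] );
	$object_id = isset( $args[4] ) ? absint( $args[4] ) : 0;

	// Meta capabilities (edit_post, delete_post, ...) are only meaningful
	// with an object ID, so the ID is passed through when supplied.
	// user_can() goes through WP_User::has_cap(), which calls map_meta_cap()
	// and applies the 'user_has_cap' filter, so plugin-adjusted rules are
	// honoured, unlike a comparison against a raw capability array.
	if ( $object_id ) {
		return user_can( $user, $cap, $object_id );
	}
	return user_can( $user, $cap );
}
```

The boolean is a hint for the client UI (for example, whether to label a button "Publish"); the capability check inside each XML-RPC method remains the enforcement point.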
