WordPress.org

Make WordPress Core

#22320 closed defect (bug) (fixed)

getRecentPosts API succeeds with empty response for unauthorized user

Reported by: redsweater Owned by: westi
Milestone: 3.6 Priority: normal
Severity: normal Version: 2.0
Component: XML-RPC Keywords: has-patch commit 3.6-early westi-likes
Focuses: Cc:

Description

In a multi-user configuration where a user is authenticated for another blog on the same WordPress installation, a getRecentPosts call to the API endpoint for a blog they are NOT a member of returns an empty list instead of failing with an error.

I am attaching a patch that brings the behavior of mw_getRecentPosts and blogger_getRecentPosts in line with other "get" API call variants such as wp_getPosts and wp_getPages that establish precedent for rejecting access to the list of posts if the user doesn't have an "edit" capability for the assets in question.

This is mostly a usability issue in scenarios where a user has configured a client with a correct user name and password, but pointed to the wrong blog. This is most likely to happen on a large multi-user site such as WordPress.com where it would be easy for a user to type a wrong "whatever.wordpress.com" URL and have it correspond to an actual blog on the site for which they don't have permission. In this case the current behavior of returning an empty list just leaves the user mystified. With my patch the client app will receive an appropriate unauthorized error that will notify the user they don't have privileges for the blog being connected to.

Attachments (2)

GetRecentPostPrivilegesFix.patch (913 bytes) - added by redsweater 18 months ago.
Patch the XMLRPC server to reject attempts to request recent posts list from a blog they don't belong to.
NewGetRecentPostsTest.patch (640 bytes) - added by redsweater 18 months ago.
New unit test confirming the fixed behavior for the getRecentPosts call.

Download all attachments as: .zip

Change History (13)

redsweater18 months ago

Patch the XMLRPC server to reject attempts to request recent posts list from a blog they don't belong to.

redsweater18 months ago

New unit test confirming the fixed behavior for the getRecentPosts call.

comment:2 markoheijnen18 months ago

  • Milestone changed from Awaiting Review to 3.5

comment:3 markoheijnen18 months ago

  • Keywords commit added

That behavior is the same as we would have for others. Can be committed.

comment:4 nacin18 months ago

  • Owner set to westi
  • Status changed from new to assigned

comment:5 follow-up: nacin18 months ago

  • Keywords punt added

This is a bit late for an API change, no?

comment:6 markoheijnen18 months ago

Is it that big of an API change? I don't really mind since in my opinion those methods are deprecated

comment:7 in reply to: ↑ 5 westi18 months ago

  • Keywords 3.6-early westi-likes added
  • Milestone changed from 3.5 to Future Release

Replying to nacin:

This is a bit late for an API change, no?

Yeah, I think this should wait for 3.6.

comment:8 SergeyBiryukov18 months ago

  • Keywords punt removed

comment:9 SergeyBiryukov18 months ago

  • Version changed from trunk to 2.0

comment:10 SergeyBiryukov16 months ago

  • Milestone changed from Future Release to 3.6

comment:11 nacin14 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 23636:

XML-RPC: Return an error for getRecentPosts (mw and blogger) if the user does not have edit_posts.

props redsweater.
fixes #22320.

Note: See TracTickets for help on using tickets.