getRecentPosts API succeeds with empty response for unauthorized user
|Reported by:||redsweater||Owned by:||westi|
|Component:||XML-RPC||Keywords:||has-patch commit 3.6-early westi-likes|
In a multi-user configuration where a user is authenticated for another blog on the same WordPress installation, a getRecentPosts call to the API endpoint for a blog they are NOT a member of returns an empty list instead of failing with an error.
I am attaching a patch that brings the behavior of mw_getRecentPosts and blogger_getRecentPosts in line with other "get" API call variants such as wp_getPosts and wp_getPages that establish precedent for rejecting access to the list of posts if the user doesn't have an "edit" capability for the assets in question.
This is mostly a usability issue in scenarios where a user has configured a client with a correct user name and password, but pointed to the wrong blog. This is most likely to happen on a large multi-user site such as WordPress.com where it would be easy for a user to type a wrong "whatever.wordpress.com" URL and have it correspond to an actual blog on the site for which they don't have permission. In this case the current behavior of returning an empty list just leaves the user mystified. With my patch the client app will receive an appropriate unauthorized error that will notify the user they don't have privileges for the blog being connected to.
Change History (13)
- Keywords 3.6-early westi-likes added
- Milestone changed from 3.5 to Future Release