Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#24280 new defect (bug)

Privilege check in mt_publishPost

Reported by: fgauthier
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.0.3
Component: XML-RPC
Keywords:
Focuses:
Cc:


The mt_publishPost function requires both the publish_posts and edit_post privileges to publish a post.

Elsewhere, the publish_posts privilege is sufficient to publish a post.

Change History (4)

comment:1 @markoheijnen 2 years ago

If I look at _insert_post(), which is used in the main XML-RPC methods, you will see both checks there too.

Guess you mean that with "elsewhere"? Or do you mean somewhere else in core?

comment:2 @fgauthier 2 years ago

In fact, I meant functions like blogger_newPost($args) and mw_newPost($args) that do not check the edit_post privilege when the status of the new post is set to 'publish'.

In this context, it seemed strange to require the edit_post privilege to publish a post.

comment:3 @markoheijnen 2 years ago

wp.* methods are leading to me. So I'd rather fix blogger_newPost and mw_newPost if needed.

comment:4 @SergeyBiryukov 2 years ago

  • Version changed from trunk to 3.0.3

Introduced in [16802].
