XML-RPC "wp_author_id" ignored when changing author to self
Reported by: redsweater
Owned by: markoheijnen
When using the MetaWeblog mw_editPost method to change the author of an existing post from another user to the logged in user, the "wp_author_id" field is not read from the content_struct because of a logic error in mw_editPost().
The logic error is in this line:
if ( isset($content_struct['wp_author_id']) && ($user->ID != $content_struct['wp_author_id']) )
Here it is assumed that if the supplied author ID is the same as the logged in user, then the supplied ID does not need to be read. However, this is not true when the post being edited is in fact not currently in the logged in user's authorship.
The attached patch fixes the problem and also clarifies the permissions test so that it will reject any effort to change the author ID either to another user's ID or from another user's ID, unless the logged in user has permission to edit others' posts.
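The behaviour described in this ticket, modelled as a stand-alone added example (not WordPress core code and not the attached patch). The function names, the `$can_edit_others` flag and the sample user IDs are hypothetical, and the flawed version assumes the post keeps its existing author when the field is not read.

```php
<?php
// Added illustration only: function names and sample IDs are hypothetical.

// Models the condition quoted in the ticket: wp_author_id is only read
// when it differs from the logged-in user's ID.
function resolve_author_flawed(array $content_struct, int $user_id, int $current_author, bool $can_edit_others): int
{
    $author = $current_author; // assumption: existing author is kept by default
    if (isset($content_struct['wp_author_id']) && ($user_id != $content_struct['wp_author_id'])) {
        if (!$can_edit_others) {
            throw new RuntimeException('not allowed to change the post author');
        }
        $author = (int) $content_struct['wp_author_id'];
    }
    return $author;
}

// Compares the requested author with the post's current author instead.
// Any real change is either to or from another user's ID, so every change
// requires the edit-others permission.
function resolve_author_fixed(array $content_struct, int $user_id, int $current_author, bool $can_edit_others): int
{
    if (!isset($content_struct['wp_author_id'])) {
        return $current_author;
    }
    $requested = (int) $content_struct['wp_author_id'];
    if ($requested !== $current_author && !$can_edit_others) {
        throw new RuntimeException('not allowed to change the post author');
    }
    return $requested;
}

// Constructed scenario: user 2 edits a post owned by user 5 and asks to become its author.
$struct = ['wp_author_id' => 2];

// With permission: the flawed check silently ignores the field, the fixed one applies it.
echo 'flawed, privileged:   ', resolve_author_flawed($struct, 2, 5, true), PHP_EOL;
echo 'fixed,  privileged:   ', resolve_author_fixed($struct, 2, 5, true), PHP_EOL;

// Without permission: the flawed check never reaches the permission test,
// the fixed one rejects the request explicitly.
echo 'flawed, unprivileged: ', resolve_author_flawed($struct, 2, 5, false), PHP_EOL;
try {
    resolve_author_fixed($struct, 2, 5, false);
} catch (RuntimeException $e) {
    echo 'fixed,  unprivileged: rejected (', $e->getMessage(), ')', PHP_EOL;
}
```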