WordPress.org

Make WordPress Core

#25805 closed defect (bug) (wontfix)

Permission for wp.getPost in XML-RPC API

Reported by: Michenux
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.4
Component: XML-RPC
Keywords:
Focuses:
Cc:

Description

Hi,

In the XML-RPC API, wp.getPost needs the "edit post" permission. Why?
I think it's wrong because wp.getPost does not edit anything. It's just
for reading posts.

Change History (6)

comment:1 @SergeyBiryukov 20 months ago

Originally introduced in [6503] for wp.getPage, blogger.getPost, and metaWeblog.getPost. [19848] for wp.getPost. Modified in [21137] and [24593].

I guess the reason is that these functions return the post for editing rather than viewing. Otherwise anyone would be able to see post_password or any other raw field value of any post.

comment:2 @Michenux 20 months ago

I use XML-RPC from an Android application. I don't want my Android application
to use a WordPress user with read/write access. I need only reading. It would be a
security issue if I had to use a user with write access.

comment:3 @markoheijnen 20 months ago

I guess for an application that isn't user-dependent I would use a JSON feed and most just use something like https://github.com/WP-API/WP-API/

At least for iOS I don't want to use an XML-RPC and I'm pretty sure the same counts for Android.

comment:4 @Michenux 20 months ago

I did not know that you could add a JSON feed on WordPress.
It's great. JSON is a much better solution for mobile applications.

I will try, thanks for your support (fast and great answers).

comment:5 @SergeyBiryukov 20 months ago

  • Version changed from 3.7.1 to 3.4

Version number indicates the earliest applicable version, which is 3.4 here.

comment:6 @markoheijnen 10 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Closing it because this has been the behaviour for a long time. When https://github.com/WP-API/WP-API/ gets included, this will be one of the things that will be looked at.
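
The concern in comment:1 (raw fields such as post_password reaching callers who only read) and the need in comment:2 (an account without write access) can both be met by a separate XML-RPC method that returns an allow-list of fields for published posts only. This is an added example, not code from WordPress core or from anyone on this ticket; the plugin, the method name `example.getPublishedPost` and the function name are hypothetical.

```php
<?php
/**
 * Plugin Name: Read-only XML-RPC post view (hypothetical example)
 */

// Register a custom method beside the core ones; the method name is an assumption.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    $methods['example.getPublishedPost'] = 'example_xmlrpc_get_published_post';
    return $methods;
} );

/**
 * Expected params: [ username, password, post_id ].
 */
function example_xmlrpc_get_published_post( $args ) {
    global $wp_xmlrpc_server;

    if ( ! is_array( $args ) || count( $args ) < 3 ) {
        return new IXR_Error( 400, 'Expected username, password and post ID.' );
    }
    list( $username, $password, $post_id ) = $args;

    // Any valid account may call this, including a Subscriber:
    // no edit capability is required because no edit-context data is returned.
    $user = $wp_xmlrpc_server->login( $username, $password );
    if ( ! $user ) {
        return $wp_xmlrpc_server->error;
    }

    $post = get_post( (int) $post_id );

    // One identical answer for missing, non-post, unpublished and
    // password-protected entries, so the method cannot be used to probe for them.
    if ( ! $post
        || 'post' !== $post->post_type
        || 'publish' !== $post->post_status
        || '' !== $post->post_password ) {
        return new IXR_Error( 404, 'Invalid post ID.' );
    }

    // Allow-list of view-context fields; post_password and every other
    // raw column of the post row are never copied into the response.
    return array(
        'post_id'       => (string) $post->ID,
        'post_title'    => get_the_title( $post ),
        'post_date_gmt' => $post->post_date_gmt,
        'link'          => get_permalink( $post ),
        'post_content'  => apply_filters( 'the_content', $post->post_content ),
    );
}
```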
