Make WordPress Core

Opened 5 years ago

Closed 4 years ago

#25805 closed defect (bug) (wontfix)

Permission for wp.getPost in XML-RPC API

Reported by: Michenux Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.4
Component: XML-RPC Keywords:
Focuses: Cc:



In the XML-RPC API, the wp.getPost needs the "edit post" permission. Why ? I think it's wrong because wp.getPost doesnot edit anything. It's just for reading posts.

Change History (6)

#1 @SergeyBiryukov
5 years ago

Originally introduced in [6503] for wp.getPage, blogger.getPost, and metaWeblog.getPost. [19848] for wp.getPost. Modified in [21137] and [24593].

I guess the reason is that these functions return the post for editing rather than viewing. Otherwise anyone would be able to see post_password or any other raw field value of any post.

#2 @Michenux
5 years ago

I use xml-rpc from an Android application. I don't want that my android application uses a wordpress user with read/write access. I need only reading. It would be a security issue if i had to use a user with write access.

#3 @markoheijnen
5 years ago

I guess for an application that isn't user depended I would use a JSON feed and most just use something like https://github.com/WP-API/WP-API/

At least for iOS I don't want to use an XML-RPC and I'm pretty sure the same counts for Android.

#4 @Michenux
5 years ago

I didnot know that you could add a json feed on wordpress. It's great. JSON is a much better solution for mobile application.

I will try, thanks for your support (fast and great answers).

#5 @SergeyBiryukov
5 years ago

  • Version changed from 3.7.1 to 3.4

Version number indicates the earliest applicable version, which is 3.4 here.

#6 @markoheijnen
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Closing it due that this has been a behaviour for a long time. When https://github.com/WP-API/WP-API/ gets included, this will be things that will be looked at.

Note: See TracTickets for help on using tickets.