Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#5534 closed defect (bug) (fixed)

Limit XML-RPC method wp.getAuthors to only return user_id, user_login and display_name & add capability check (edit_posts)

Reported by: josephscott
Owned by:
Milestone: 2.5
Priority: normal
Severity: normal
Version: 2.3.2
Component: XML-RPC
Keywords: has-patch
Focuses:
Cc:

Description

The wp.getAuthors method just returns all of the data provided by get_users_of_blog(); we should limit it to just specific useful information. In this case, that means information that is needed and helpful for setting the post author: user_id, user_login and display_name.

Also add a capability check: at a minimum, the user should be able to edit posts. If you can't even do that, then there really isn't any reason to expose the list of authors on a blog.
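
The two changes requested above, sketched as a standalone PHP example added here for illustration. It is not the attached xmlrpc.php.diff and not WordPress core code. The helper name build_authors_response, the error shape and code, and the extra columns in the sample rows are assumptions.

```php
<?php
// Added illustration; not the attached xmlrpc.php.diff and not WordPress core code.

// Fields a client needs to set a post author, per the ticket description.
const AUTHOR_FIELDS = ['user_id', 'user_login', 'display_name'];

/**
 * Hypothetical helper: build the wp.getAuthors response.
 *
 * @param array $caller_caps Capabilities of the authenticated caller, e.g. ['edit_posts' => true].
 * @param array $rows        Raw user rows, standing in for get_users_of_blog() output.
 * @return array Either ['error' => [...]] or ['authors' => [...]].
 */
function build_authors_response(array $caller_caps, array $rows): array
{
    // Authorization first: a caller who cannot edit posts gets no author list at all.
    if (empty($caller_caps['edit_posts'])) {
        // Error code and message are assumptions for this sketch.
        return ['error' => ['code' => 401, 'message' => 'Caller lacks edit_posts.']];
    }

    $authors = [];
    foreach ($rows as $row) {
        $row = (array) $row; // accept objects or arrays
        // Allowlist: copy only the named fields, so columns added to the
        // underlying query later are never exposed by accident.
        $entry = [];
        foreach (AUTHOR_FIELDS as $field) {
            $entry[$field] = $row[$field] ?? '';
        }
        $authors[] = $entry;
    }
    return ['authors' => $authors];
}

// Constructed sample rows; the extra columns are assumptions for illustration.
$rows = [
    ['user_id' => 1, 'user_login' => 'admin', 'display_name' => 'Site Admin',
     'user_email' => 'admin@example.test', 'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
    ['user_id' => 7, 'user_login' => 'jdoe', 'display_name' => 'J. Doe',
     'user_email' => 'jdoe@example.test', 'meta_value' => 'a:1:{s:6:"author";b:1;}'],
];

// Caller without edit_posts: rejected before any user row is touched.
var_dump(build_authors_response(['read' => true], $rows));
// Caller with edit_posts: receives only the three allowlisted fields per user.
var_dump(build_authors_response(['read' => true, 'edit_posts' => true], $rows));
```

Copying named fields out, rather than unsetting unwanted ones, keeps the response fixed even if the underlying user query later gains columns.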

Attachments (1)

xmlrpc.php.diff (723 bytes) - added by josephscott 12 years ago.

Change History (4)

#1 @josephscott
12 years ago

  • Milestone changed from 2.5 to 2.4
  • Version changed from 2.4 to 2.3.2

#2 @ryan
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [6498]) Limit what getAuthors exposes. Props josephscott for the patch and xknown for the find. fixes #5534 for 2.4

#3 @ryan
12 years ago

(In [6499]) Limit what getAuthors exposes. Props josephscott for the patch and xknown for the find. fixes #5534 for 2.3