
Improve the capabilities checking in the XMLRPC code.

git-svn-id: http://svn.automattic.com/wordpress/branches/3.0@16803 1a063a9b-81f0-0310-95a4-ce76da25c4cd
westi
westi committed Dec 8, 2010
1 parent 3f5c34b commit cc420fb1bc85a74cb05255971447cf30bb2fb58a
Showing with 53 additions and 20 deletions.
  1. +1 −1 readme.html
  2. +1 −1 wp-admin/includes/update-core.php
  3. +1 −1 wp-includes/version.php
  4. +50 −17 xmlrpc.php
@@ -8,7 +8,7 @@
<body>
<h1 id="logo">
<a href="http://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" width="250" height="68" /></a>
- <br /> Version 3.0.2
+ <br /> Version 3.0.3
</h1>
<p style="text-align: center">Semantic Personal Publishing Platform</p>
@@ -274,7 +274,7 @@ function update_core($from, $to) {
$mysql_version = $wpdb->db_version();
$required_php_version = '4.3';
$required_mysql_version = '4.1.2';
- $wp_version = '3.0.2';
+ $wp_version = '3.0.3';
$php_compat = version_compare( $php_version, $required_php_version, '>=' );
$mysql_compat = version_compare( $mysql_version, $required_mysql_version, '>=' ) || file_exists( WP_CONTENT_DIR . '/db.php' );
@@ -8,7 +8,7 @@
*
* @global string $wp_version
*/
-$wp_version = '3.0.2';
+$wp_version = '3.0.3';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
@@ -1156,9 +1156,12 @@ function wp_deleteComment($args) {
do_action('xmlrpc_call', 'wp.deleteComment');
- if ( ! get_comment($comment_ID) )
+ if ( !$comment = get_comment( $comment_ID ) )
return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
+ if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
+ return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+
return wp_delete_comment($comment_ID);
}
@@ -1184,11 +1187,14 @@ function wp_editComment($args) {
if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
+
+ if ( !$comment = get_comment( $comment_ID ) )
+ return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
- do_action('xmlrpc_call', 'wp.editComment');
+ if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
+ return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
- if ( ! get_comment($comment_ID) )
- return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
+ do_action('xmlrpc_call', 'wp.editComment');
if ( isset($content_struct['status']) ) {
$statuses = get_comment_statuses();
@@ -1417,7 +1423,7 @@ function wp_getPageStatusList( $args ) {
if ( !$user = $this->login($username, $password) )
return $this->error;
- if ( !current_user_can( 'edit_posts' ) )
+ if ( !current_user_can( 'edit_pages' ) )
return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) );
do_action('xmlrpc_call', 'wp.getPageStatusList');
@@ -1957,7 +1963,7 @@ function blogger_deletePost($args) {
if ( !$actual_post || $actual_post['post_type'] != 'post' )
return new IXR_Error(404, __('Sorry, no such post.'));
- if ( !current_user_can('edit_post', $post_ID) )
+ if ( !current_user_can('delete_post', $post_ID) )
return new IXR_Error(401, __('Sorry, you do not have the right to delete this post.'));
$result = wp_delete_post($post_ID);
@@ -1987,30 +1993,42 @@ function mw_newPost($args) {
$username = $args[1];
$password = $args[2];
$content_struct = $args[3];
- $publish = $args[4];
+ $publish = isset( $args[4] ) ? $args[4] : 0;
if ( !$user = $this->login($username, $password) )
return $this->error;
do_action('xmlrpc_call', 'metaWeblog.newPost');
-
- $cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
- $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
- $post_type = 'post';
+
$page_template = '';
if ( !empty( $content_struct['post_type'] ) ) {
if ( $content_struct['post_type'] == 'page' ) {
- $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
+ if ( $publish || 'publish' == $content_struct['page_status'])
+ $cap = 'publish_pages';
+ else
+ $cap = 'edit_pages';
$error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
$post_type = 'page';
if ( !empty( $content_struct['wp_page_template'] ) )
$page_template = $content_struct['wp_page_template'];
} elseif ( $content_struct['post_type'] == 'post' ) {
- // This is the default, no changes needed
+ if ( $publish || 'publish' == $content_struct['post_status'])
+ $cap = 'publish_posts';
+ else
+ $cap = 'edit_posts';
+ $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+ $post_type = 'post';
} else {
// No other post_type values are allowed here
return new IXR_Error( 401, __( 'Invalid post type.' ) );
}
+ } else {
+ if ( $publish || 'publish' == $content_struct['post_status'])
+ $cap = 'publish_posts';
+ else
+ $cap = 'edit_posts';
+ $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+ $post_type = 'post';
}
if ( !current_user_can( $cap ) )
@@ -2275,17 +2293,32 @@ function mw_editPost($args) {
$page_template = '';
if ( !empty( $content_struct['post_type'] ) ) {
if ( $content_struct['post_type'] == 'page' ) {
- $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
+ if ( $publish || 'publish' == $content_struct['page_status'] )
+ $cap = 'publish_pages';
+ else
+ $cap = 'edit_pages';
$error_message = __( 'Sorry, you are not allowed to publish pages on this site.' );
$post_type = 'page';
if ( !empty( $content_struct['wp_page_template'] ) )
$page_template = $content_struct['wp_page_template'];
} elseif ( $content_struct['post_type'] == 'post' ) {
- // This is the default, no changes needed
+ if ( $publish || 'publish' == $content_struct['post_status'] )
+ $cap = 'publish_posts';
+ else
+ $cap = 'edit_posts';
+ $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+ $post_type = 'post';
} else {
// No other post_type values are allowed here
return new IXR_Error( 401, __( 'Invalid post type.' ) );
}
+ } else {
+ if ( $publish || 'publish' == $content_struct['post_status'] )
+ $cap = 'publish_posts';
+ else
+ $cap = 'edit_posts';
+ $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
+ $post_type = 'post';
}
if ( !current_user_can( $cap ) )
@@ -3101,7 +3134,7 @@ function mt_publishPost($args) {
do_action('xmlrpc_call', 'mt.publishPost');
- if ( !current_user_can('edit_post', $post_ID) )
+ if ( !current_user_can('publish_posts') || !current_user_can('edit_post', $post_ID) )
return new IXR_Error(401, __('Sorry, you cannot edit this post.'));
$postdata = wp_get_single_post($post_ID,ARRAY_A);
@@ -3339,4 +3372,4 @@ function pingback_extensions_getPingbacks($args) {
$wp_xmlrpc_server = new wp_xmlrpc_server();
$wp_xmlrpc_server->serve_request();
-?>
+?>
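Review bot: The new capability selection in mw_newPost and mw_editPost reads `$content_struct['page_status']` / `$content_struct['post_status']` without first checking that the key exists (the `if ( $publish || 'publish' == ... )` line in each of the three branches of both functions), so a client that omits the status field triggers an undefined-index notice on every call; guard it as `if ( $publish || ( isset( $content_struct['post_status'] ) && 'publish' == $content_struct['post_status'] ) )` and likewise for `page_status`. The same cap/error_message/post_type block is now copied three times per function, so a small private helper taking the post type and the requested status would keep mw_newPost and mw_editPost from drifting apart again. Note also that only a literal 'publish' status escalates the required capability to publish_posts/publish_pages; if any other non-draft status accepted further down (for example 'private') is meant to require the same right, this check does not cover it, which is worth confirming against the status handling below the hunk. Both functions start and end outside the hunk.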
