Improve API usage in wp-app.php for post operations and attachment de…
…letion. Proper cap checks. Unregister put_file and delete_file as core itself doesn't provide for file replacement. for 3.4.

git-svn-id: https://develop.svn.wordpress.org/branches/3.4@21745 602fd350-edb4-49c9-b593-d223f7449a82
nacin committed Sep 4, 2012
1 parent 5997cc4 commit 88988d1
Showing 1 changed file with 21 additions and 20 deletions.
41 changes: 21 additions & 20 deletions wp-includes/class-wp-atom-server.php
Expand Up @@ -167,9 +167,7 @@ function __construct() {
array('GET' => 'get_attachment',
'POST' => 'create_attachment'),
'@/attachment/file/(\d+)$@' =>
array('GET' => 'get_file',
'PUT' => 'put_file',
'DELETE' => 'delete_file'),
array('GET' => 'get_file'),
'@/attachment/(\d+)$@' =>
array('GET' => 'get_attachment',
'PUT' => 'put_attachment',
Expand Down Expand Up @@ -315,6 +313,12 @@ function create_post() {

$entry = array_pop($parser->feed->entries);

$publish = ! ( isset( $entry->draft ) && 'yes' == trim( $entry->draft ) );
$cap = ($publish) ? 'publish_posts' : 'edit_posts';

if ( !current_user_can($cap) )
$this->auth_required(__('Sorry, you do not have the right to edit/publish new posts.'));

$catnames = array();
if ( !empty( $entry->categories ) ) {
foreach ( $entry->categories as $cat ) {
Expand All @@ -331,13 +335,6 @@ function create_post() {
array_push($post_category, $cat->term_id);
}

$publish = ! ( isset( $entry->draft ) && 'yes' == trim( $entry->draft ) );

$cap = ($publish) ? 'publish_posts' : 'edit_posts';

if ( !current_user_can($cap) )
$this->auth_required(__('Sorry, you do not have the right to edit/publish new posts.'));

$blog_ID = get_current_blog_id();
$post_status = ($publish) ? 'publish' : 'draft';
$post_author = (int) $user_ID;
Expand Down Expand Up @@ -398,7 +395,7 @@ function create_post() {
function get_post($postID) {
global $entry;

if ( !current_user_can( 'edit_post', $postID ) )
if ( ! get_post( $postID ) || ! current_user_can( 'edit_post', $postID ) )
$this->auth_required( __( 'Sorry, you do not have the right to access this post.' ) );

$this->set_current_entry($postID);
Expand Down Expand Up @@ -429,10 +426,14 @@ function put_post($postID) {
global $entry;
$this->set_current_entry($postID);

if ( !current_user_can('edit_post', $entry['ID']) )
if ( !current_user_can('edit_post', $postID) )
$this->auth_required(__('Sorry, you do not have the right to edit this post.'));

$publish = ! ( isset($parsed->draft) && 'yes' == trim($parsed->draft) );

if ( $publish && ! current_user_can( 'publish_posts' ) )
$this->auth_required( __( 'Sorry, you do not have the right to publish this post.' ) );

$post_status = ($publish) ? 'publish' : 'draft';

extract($entry);
Expand Down Expand Up @@ -473,7 +474,7 @@ function delete_post($postID) {
global $entry;
$this->set_current_entry($postID);

if ( !current_user_can('edit_post', $postID) )
if ( !current_user_can('delete_post', $postID) )
$this->auth_required(__('Sorry, you do not have the right to delete this post.'));

if ( $entry['post_type'] == 'attachment' ) {
Expand Down Expand Up @@ -504,6 +505,9 @@ function get_attachment($postID = null) {
if ( !isset($postID) ) {
$this->get_attachments();
} else {
if ( ! current_user_can( 'edit_post', $postID ) )
$this->auth_required( __( 'Sorry, you do not have the right to edit this post.' ) );

$this->set_current_entry($postID);
$output = $this->get_entry($postID, 'attachment');
$this->output($output);
Expand Down Expand Up @@ -589,7 +593,7 @@ function put_attachment($postID) {
global $entry;
$this->set_current_entry($postID);

if ( !current_user_can('edit_post', $entry['ID']) )
if ( !current_user_can('edit_post', $entry['ID']) || 'attachment' != $entry['post_type'] )
$this->auth_required(__('Sorry, you do not have the right to edit this post.'));

extract($entry);
Expand Down Expand Up @@ -624,7 +628,7 @@ function delete_attachment($postID) {
global $entry;
$this->set_current_entry($postID);

if ( !current_user_can('edit_post', $postID) )
if ( !current_user_can('delete_post', $postID) )
$this->auth_required(__('Sorry, you do not have the right to delete this post.'));

$location = get_post_meta($entry['ID'], '_wp_attached_file', true);
Expand All @@ -633,11 +637,8 @@ function delete_attachment($postID) {
if ( !isset($location) || 'attachment' != $entry['post_type'] || empty($filetype['ext']) )
$this->internal_error(__('Error occurred while accessing post metadata for file location.'));

// delete file
@unlink($location);

// delete attachment
$result = wp_delete_post($postID);
$result = wp_delete_attachment($postID);

if ( !$result )
$this->internal_error(__('For some strange yet very annoying reason, this post could not be deleted.'));
Expand Down Expand Up @@ -970,7 +971,7 @@ function get_feed($page = 1, $post_type = 'post') {

$count = get_option('posts_per_rss');

wp('posts_per_page=' . $count . '&offset=' . ($count * ($page-1)) . '&orderby=modified&post_status=any');
wp('posts_per_page=' . $count . '&offset=' . ($count * ($page-1)) . '&orderby=modified&perm=readable');

$post = $GLOBALS['post'];
$posts = $GLOBALS['posts'];
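Review bot: The new `wp(...)` query line replaces `post_status=any` with `perm=readable` only, and if WP_Query applies `perm` solely to an explicit `post_status` list (which is how its status branch appears to work), the feed now falls back to the default public-status set, so an author's own drafts and pending posts no longer appear in the AtomPub edit collection. Dropping `any` is the right move for the disclosure it allowed — any authenticated user could list every other user's drafts and private posts — but the behaviour change for the legitimate case deserves to be recorded. I would add a comment above the call, e.g. `// Was post_status=any, which listed every user's drafts and private posts; perm=readable confines private statuses to what the caller may read, and unpublished posts are deliberately not listed.` If drafts are meant to stay visible, spell out the statuses and pair them with `perm=editable` so only the caller's own unpublished posts are returned, and confirm the exact semantics against WP_Query before changing it. get_feed's body continues beyond the hunk.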
