Check XML-RPC cap before running the query. props maxcutler. see #20991 for trunk.

git-svn-id: http://core.svn.wordpress.org/trunk@21137 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
nacin 2012-06-26 19:04:10 +00:00
parent 69112517ed
commit 1270e4cef6
1 changed files with 9 additions and 7 deletions

View File

@ -1337,7 +1337,7 @@ class wp_xmlrpc_server extends IXR_Server {
return new IXR_Error( 404, __( 'Invalid post ID.' ) ); return new IXR_Error( 404, __( 'Invalid post ID.' ) );
$post_type = get_post_type_object( $post['post_type'] ); $post_type = get_post_type_object( $post['post_type'] );
if ( ! current_user_can( $post_type->cap->edit_posts, $post_id ) ) if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) )
return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) ); return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
return $this->_prepare_post( $post, $fields ); return $this->_prepare_post( $post, $fields );
@ -1394,12 +1394,14 @@ class wp_xmlrpc_server extends IXR_Server {
$post_type = get_post_type_object( $filter['post_type'] ); $post_type = get_post_type_object( $filter['post_type'] );
if ( ! ( (bool) $post_type ) ) if ( ! ( (bool) $post_type ) )
return new IXR_Error( 403, __( 'The post type specified is not valid' ) ); return new IXR_Error( 403, __( 'The post type specified is not valid' ) );
} else {
$post_type = get_post_type_object( 'post' );
}
if ( ! current_user_can( $post_type->cap->edit_posts ) ) if ( ! current_user_can( $post_type->cap->edit_posts ) )
return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit posts in this post type' )); return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit posts in this post type' ));
$query['post_type'] = $filter['post_type']; $query['post_type'] = $post_type->name;
}
if ( isset( $filter['post_status'] ) ) if ( isset( $filter['post_status'] ) )
$query['post_status'] = $filter['post_status']; $query['post_status'] = $filter['post_status'];
@ -1427,7 +1429,7 @@ class wp_xmlrpc_server extends IXR_Server {
foreach ( $posts_list as $post ) { foreach ( $posts_list as $post ) {
$post_type = get_post_type_object( $post['post_type'] ); $post_type = get_post_type_object( $post['post_type'] );
if ( ! current_user_can( $post_type->cap->edit_posts, $post['ID'] ) ) if ( ! current_user_can( $post_type->cap->edit_post, $post['ID'] ) )
continue; continue;
$struct[] = $this->_prepare_post( $post, $fields ); $struct[] = $this->_prepare_post( $post, $fields );