Check XML-RPC cap before running the query. props maxcutler. see #20991 for trunk.
git-svn-id: http://core.svn.wordpress.org/trunk@21137 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
69112517ed
commit
1270e4cef6
@ -1337,7 +1337,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
|
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
|
||||||
|
|
||||||
$post_type = get_post_type_object( $post['post_type'] );
|
$post_type = get_post_type_object( $post['post_type'] );
|
||||||
if ( ! current_user_can( $post_type->cap->edit_posts, $post_id ) )
|
if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) )
|
||||||
return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
|
return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
|
||||||
|
|
||||||
return $this->_prepare_post( $post, $fields );
|
return $this->_prepare_post( $post, $fields );
|
||||||
|
@ -1394,13 +1394,15 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
$post_type = get_post_type_object( $filter['post_type'] );
|
$post_type = get_post_type_object( $filter['post_type'] );
|
||||||
if ( ! ( (bool) $post_type ) )
|
if ( ! ( (bool) $post_type ) )
|
||||||
return new IXR_Error( 403, __( 'The post type specified is not valid' ) );
|
return new IXR_Error( 403, __( 'The post type specified is not valid' ) );
|
||||||
|
} else {
|
||||||
if ( ! current_user_can( $post_type->cap->edit_posts ) )
|
$post_type = get_post_type_object( 'post' );
|
||||||
return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit posts in this post type' ));
|
|
||||||
|
|
||||||
$query['post_type'] = $filter['post_type'];
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( ! current_user_can( $post_type->cap->edit_posts ) )
|
||||||
|
return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit posts in this post type' ));
|
||||||
|
|
||||||
|
$query['post_type'] = $post_type->name;
|
||||||
|
|
||||||
if ( isset( $filter['post_status'] ) )
|
if ( isset( $filter['post_status'] ) )
|
||||||
$query['post_status'] = $filter['post_status'];
|
$query['post_status'] = $filter['post_status'];
|
||||||
|
|
||||||
|
@ -1427,7 +1429,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
|
|
||||||
foreach ( $posts_list as $post ) {
|
foreach ( $posts_list as $post ) {
|
||||||
$post_type = get_post_type_object( $post['post_type'] );
|
$post_type = get_post_type_object( $post['post_type'] );
|
||||||
if ( ! current_user_can( $post_type->cap->edit_posts, $post['ID'] ) )
|
if ( ! current_user_can( $post_type->cap->edit_post, $post['ID'] ) )
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
$struct[] = $this->_prepare_post( $post, $fields );
|
$struct[] = $this->_prepare_post( $post, $fields );
|
||||||
|
|
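Review bot: The re-added error line in the second hunk, `return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit posts in this post type' ));`, omits the space before the closing parenthesis that every other call in these hunks uses, so it should read `...post type' ) );` to match the file's spacing. On the logic, the type-level `edit_posts` check now runs once before the query, while the per-post `edit_post` check in the third hunk still silently `continue`s, so a caller can receive fewer posts than the query matched without any error being reported; a short comment on that `continue`, such as `// Posts the user cannot edit are dropped from the result rather than reported as an error.`, would make the contract explicit to readers of the new code. The enclosing method begins before the second hunk and ends after the third, so the rest of its handling of the filter is not visible here.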