From 799ac189511c93b953a02606d52ca0ec8841d7b5 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Thu, 7 Mar 2013 06:52:37 +0000
Subject: [PATCH] XML-RPC: Return an error for getRecentPosts (mw and blogger) if the user does not have edit_posts. props redsweater. fixes #22320.
git-svn-id: http://core.svn.wordpress.org/trunk@23636 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-xmlrpc-server.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php
index e17a3b58d7..6f4e6cf901 100644
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -3784,6 +3784,9 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( !$user = $this->login($username, $password) )
 return $this->error;
 
+ if ( ! current_user_can( 'edit_posts' ) )
+ return new IXR_Error( 401, __( 'Sorry, you cannot edit posts on this site.' ) );
+
 do_action('xmlrpc_call', 'blogger.getRecentPosts');
 
 $posts_list = wp_get_recent_posts( $query );
@@ -4757,6 +4760,9 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( !$user = $this->login($username, $password) )
 return $this->error;
 
+ if ( ! current_user_can( 'edit_posts' ) )
+ return new IXR_Error( 401, __( 'Sorry, you cannot edit posts on this site.' ) );
+
 do_action('xmlrpc_call', 'metaWeblog.getRecentPosts');
 
 $posts_list = wp_get_recent_posts( $query );
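Review bot: The new `edit_posts` gate, added identically in both hunks (blogger.getRecentPosts first, metaWeblog.getRecentPosts second), is a site-wide capability, so by itself it does not decide which of the entries returned by `wp_get_recent_posts( $query )` this caller may read. Both methods continue outside the hunks, so it is worth confirming that the loop over `$posts_list` skips entries the caller cannot edit, with something like `if ( ! current_user_can( 'edit_post', $entry['ID'] ) ) continue;`. Without that, a low-privilege account that holds `edit_posts` could presumably receive other authors' drafts or private posts. The early return also sits before `do_action('xmlrpc_call', ...)`, so anything hooked there for logging or rate limiting never sees the denied call. If that ordering is deliberate, a comment such as `// Deny before xmlrpc_call fires: callers without edit_posts get an error, not an empty list.` would record it.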