Some xmlrpc cap checks from josephscott.

git-svn-id: http://svn.automattic.com/wordpress/branches/2.3@6504 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2007-12-27 22:30:18 +00:00
parent a12c5d8bde
commit abb6a65d21
1 changed files with 133 additions and 74 deletions


@ -187,6 +187,12 @@ class wp_xmlrpc_server extends IXR_Server {
return($this->error); return($this->error);
} }
set_current_user( 0, $username );
if( !current_user_can( 'edit_page', $page_id ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) );
do_action('xmlrpc_call', 'wp.getPage');
// Lookup page info. // Lookup page info.
$page = get_page($page_id); $page = get_page($page_id);
@ -268,6 +274,12 @@ class wp_xmlrpc_server extends IXR_Server {
return($this->error); return($this->error);
} }
set_current_user( 0, $username );
if( !current_user_can( 'edit_pages' ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
do_action('xmlrpc_call', 'wp.getPages');
// Lookup info on pages. // Lookup info on pages.
$pages = get_pages(); $pages = get_pages();
$num_pages = count($pages); $num_pages = count($pages);
@ -426,6 +438,12 @@ class wp_xmlrpc_server extends IXR_Server {
return($this->error); return($this->error);
} }
set_current_user( 0, $username );
if( !current_user_can( 'edit_pages' ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
do_action('xmlrpc_call', 'wp.getPageList');
// Get list of pages ids and titles // Get list of pages ids and titles
$page_list = $wpdb->get_results(" $page_list = $wpdb->get_results("
SELECT ID page_id, SELECT ID page_id,
@ -459,7 +477,6 @@ class wp_xmlrpc_server extends IXR_Server {
* wp_getAuthors * wp_getAuthors
*/ */
function wp_getAuthors($args) { function wp_getAuthors($args) {
global $wpdb;
$this->escape($args); $this->escape($args);
@ -509,7 +526,7 @@ class wp_xmlrpc_server extends IXR_Server {
// Set the user context and make sure they are // Set the user context and make sure they are
// allowed to add a category. // allowed to add a category.
set_current_user(0, $username); set_current_user(0, $username);
if(!current_user_can("manage_categories", $page_id)) { if(!current_user_can("manage_categories")) {
return(new IXR_Error(401, __("Sorry, you do not have the right to add a category."))); return(new IXR_Error(401, __("Sorry, you do not have the right to add a category.")));
} }
@ -563,6 +580,12 @@ class wp_xmlrpc_server extends IXR_Server {
return($this->error); return($this->error);
} }
set_current_user(0, $username);
if( !current_user_can( 'edit_posts' ) )
return new IXR_Error( 401, __( 'Sorry, you must be able to publish to this blog in order to view categories.' ) );
do_action('xmlrpc_call', 'wp.suggestCategories');
$args = array('get' => 'all', 'number' => $max_results, 'name__like' => $category); $args = array('get' => 'all', 'number' => $max_results, 'name__like' => $category);
$category_suggestions = get_categories($args); $category_suggestions = get_categories($args);
@ -613,13 +636,18 @@ class wp_xmlrpc_server extends IXR_Server {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
if( !current_user_can( 'edit_posts' ) )
return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) );
do_action('xmlrpc_call', 'blogger.getUserInfo');
$user_data = get_userdatabylogin($user_login); $user_data = get_userdatabylogin($user_login);
$struct = array( $struct = array(
'nickname' => $user_data->nickname, 'nickname' => $user_data->nickname,
'userid' => $user_data->ID, 'userid' => $user_data->ID,
'url' => $user_data->user_url, 'url' => $user_data->user_url,
'email' => $user_data->user_email,
'lastname' => $user_data->last_name, 'lastname' => $user_data->last_name,
'firstname' => $user_data->first_name 'firstname' => $user_data->first_name
); );
@ -641,7 +669,12 @@ class wp_xmlrpc_server extends IXR_Server {
return $this->error; return $this->error;
} }
$user_data = get_userdatabylogin($user_login); set_current_user( 0, $user_login );
if( !current_user_can( 'edit_post', $post_ID ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
do_action('xmlrpc_call', 'blogger.getPost');
$post_data = wp_get_single_post($post_ID, ARRAY_A); $post_data = wp_get_single_post($post_ID, ARRAY_A);
$categories = implode(',', wp_get_post_categories($post_ID)); $categories = implode(',', wp_get_post_categories($post_ID));
@ -679,12 +712,16 @@ class wp_xmlrpc_server extends IXR_Server {
$posts_list = wp_get_recent_posts($num_posts); $posts_list = wp_get_recent_posts($num_posts);
set_current_user( 0, $user_login );
if (!$posts_list) { if (!$posts_list) {
$this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.')); $this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.'));
return $this->error; return $this->error;
} }
foreach ($posts_list as $entry) { foreach ($posts_list as $entry) {
if( !current_user_can( 'edit_post', $entry['ID'] ) )
continue;
$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
$categories = implode(',', wp_get_post_categories($entry['ID'])); $categories = implode(',', wp_get_post_categories($entry['ID']));
@ -1344,78 +1381,83 @@ class wp_xmlrpc_server extends IXR_Server {
/* metaweblog.getPost ...returns a post */ /* metaweblog.getPost ...returns a post */
function mw_getPost($args) { function mw_getPost($args) {
global $wpdb; global $wpdb;
$this->escape($args); $this->escape($args);
$post_ID = (int) $args[0]; $post_ID = (int) $args[0];
$user_login = $args[1]; $user_login = $args[1];
$user_pass = $args[2]; $user_pass = $args[2];
if (!$this->login_pass_ok($user_login, $user_pass)) { if (!$this->login_pass_ok($user_login, $user_pass)) {
return $this->error; return $this->error;
}
$postdata = wp_get_single_post($post_ID, ARRAY_A);
if ($postdata['post_date'] != '') {
$post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']);
$post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']);
$categories = array();
$catids = wp_get_post_categories($post_ID);
foreach($catids as $catid) {
$categories[] = get_cat_name($catid);
}
$tagnames = array();
$tags = wp_get_post_tags( $post_ID );
if ( !empty( $tags ) ) {
foreach ( $tags as $tag ) {
$tagnames[] = $tag->name;
}
$tagnames = implode( ', ', $tagnames );
} else {
$tagnames = '';
} }
$post = get_extended($postdata['post_content']); set_current_user( 0, $user_login );
$link = post_permalink($postdata['ID']); if( !current_user_can( 'edit_post', $post_ID ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
// Get the author info. do_action('xmlrpc_call', 'metaWeblog.getPost');
$author = get_userdata($postdata['post_author']);
$allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0; $postdata = wp_get_single_post($post_ID, ARRAY_A);
$allow_pings = ('open' == $postdata['ping_status']) ? 1 : 0;
$resp = array( if ($postdata['post_date'] != '') {
'dateCreated' => new IXR_Date($post_date), $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']);
'userid' => $postdata['post_author'], $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']);
'postid' => $postdata['ID'],
'description' => $post['main'],
'title' => $postdata['post_title'],
'link' => $link,
'permaLink' => $link,
// commented out because no other tool seems to use this
// 'content' => $entry['post_content'],
'categories' => $categories,
'mt_excerpt' => $postdata['post_excerpt'],
'mt_text_more' => $post['extended'],
'mt_allow_comments' => $allow_comments,
'mt_allow_pings' => $allow_pings,
'mt_keywords' => $tagnames,
'wp_slug' => $postdata['post_name'],
'wp_password' => $postdata['post_password'],
'wp_author_id' => $author->ID,
'wp_author_display_name' => $author->display_name,
'date_created_gmt' => new IXR_Date($post_date_gmt)
);
return $resp; $categories = array();
} else { $catids = wp_get_post_categories($post_ID);
return new IXR_Error(404, __('Sorry, no such post.')); foreach($catids as $catid) {
} $categories[] = get_cat_name($catid);
}
$tagnames = array();
$tags = wp_get_post_tags( $post_ID );
if ( !empty( $tags ) ) {
foreach ( $tags as $tag ) {
$tagnames[] = $tag->name;
}
$tagnames = implode( ', ', $tagnames );
} else {
$tagnames = '';
}
$post = get_extended($postdata['post_content']);
$link = post_permalink($postdata['ID']);
// Get the author info.
$author = get_userdata($postdata['post_author']);
$allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0;
$allow_pings = ('open' == $postdata['ping_status']) ? 1 : 0;
$resp = array(
'dateCreated' => new IXR_Date($post_date),
'userid' => $postdata['post_author'],
'postid' => $postdata['ID'],
'description' => $post['main'],
'title' => $postdata['post_title'],
'link' => $link,
'permaLink' => $link,
// commented out because no other tool seems to use this
// 'content' => $entry['post_content'],
'categories' => $categories,
'mt_excerpt' => $postdata['post_excerpt'],
'mt_text_more' => $post['extended'],
'mt_allow_comments' => $allow_comments,
'mt_allow_pings' => $allow_pings,
'mt_keywords' => $tagnames,
'wp_slug' => $postdata['post_name'],
'wp_password' => $postdata['post_password'],
'wp_author_id' => $author->ID,
'wp_author_display_name' => $author->display_name,
'date_created_gmt' => new IXR_Date($post_date_gmt)
);
return $resp;
} else {
return new IXR_Error(404, __('Sorry, no such post.'));
}
} }
@ -1440,15 +1482,11 @@ class wp_xmlrpc_server extends IXR_Server {
return $this->error; return $this->error;
} }
$this_user = set_current_user( 0, $user_login ); set_current_user( 0, $user_login );
foreach ($posts_list as $entry) { foreach ($posts_list as $entry) {
if ( if( !current_user_can( 'edit_post', $entry['ID'] ) )
!empty( $entry['post_password'] ) continue;
&& !current_user_can( 'edit_post', $entry['ID'] )
) {
unset( $entry['post_password'] );
}
$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
$post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']); $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);
@ -1528,6 +1566,12 @@ class wp_xmlrpc_server extends IXR_Server {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
if( !current_user_can( 'edit_posts' ) )
return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
do_action('xmlrpc_call', 'metaWeblog.getCategories');
$categories_struct = array(); $categories_struct = array();
if ( $cats = get_categories('get=all') ) { if ( $cats = get_categories('get=all') ) {
@ -1647,7 +1691,11 @@ class wp_xmlrpc_server extends IXR_Server {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
foreach ($posts_list as $entry) { foreach ($posts_list as $entry) {
if( !current_user_can( 'edit_post', $entry['ID'] ) )
continue;
$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
$post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']); $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);
@ -1686,9 +1734,14 @@ class wp_xmlrpc_server extends IXR_Server {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
if( !current_user_can( 'edit_posts' ) )
return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
do_action('xmlrpc_call', 'mt.getCategoryList');
$categories_struct = array(); $categories_struct = array();
// FIXME: can we avoid using direct SQL there?
if ( $cats = get_categories('hide_empty=0&hierarchical=0') ) { if ( $cats = get_categories('hide_empty=0&hierarchical=0') ) {
foreach ($cats as $cat) { foreach ($cats as $cat) {
$struct['categoryId'] = $cat->term_id; $struct['categoryId'] = $cat->term_id;
@ -1715,6 +1768,12 @@ class wp_xmlrpc_server extends IXR_Server {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
if( !current_user_can( 'edit_post', $post_ID ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
do_action('xmlrpc_call', 'mt.getPostCategories');
$categories = array(); $categories = array();
$catids = wp_get_post_categories(intval($post_ID)); $catids = wp_get_post_categories(intval($post_ID));
// first listed category will be the primary category // first listed category will be the primary category
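Review bot: The new capability guards are written as unbraced one-line `if( !current_user_can(...) ) return new IXR_Error(...);` statements, while the surrounding methods in the same hunks brace their early returns (`if (!$this->login_pass_ok(...)) { return $this->error; }` in the metaWeblog.getPost hunk, and the braced `manage_categories` check in the wp.newCategory hunk); the same unbraced form recurs in the wp.getPage, wp.getPages, wp.getPageList, wp.suggestCategories, blogger.getUserInfo, blogger.getPost, metaWeblog.getCategories, mt.getCategoryList and mt.getPostCategories hunks. Bracing them, e.g. `if ( !current_user_can( 'edit_post', $post_ID ) ) { return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) ); }`, keeps the style consistent and also corrects "can not" to "cannot" in the new user-facing messages. The set_current_user / capability check / do_action sequence is now duplicated in every method; it looks like a candidate for a small private helper, though whether that fits the class cannot be judged from these hunks alone. In the metaWeblog.getPost hunk the `edit_post` check runs before `wp_get_single_post`, so a nonexistent `$post_ID` presumably yields a 401 rather than the 404 below — worth confirming that is the intended precedence. The enclosing methods start before and end after each hunk shown.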