Some xmlrpc cap checks from josephscott.
git-svn-id: http://svn.automattic.com/wordpress/branches/2.3@6504 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
a12c5d8bde
commit
abb6a65d21
207
xmlrpc.php
207
xmlrpc.php
|
@ -187,6 +187,12 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return($this->error);
|
return($this->error);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_current_user( 0, $username );
|
||||||
|
if( !current_user_can( 'edit_page', $page_id ) )
|
||||||
|
return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) );
|
||||||
|
|
||||||
|
do_action('xmlrpc_call', 'wp.getPage');
|
||||||
|
|
||||||
// Lookup page info.
|
// Lookup page info.
|
||||||
$page = get_page($page_id);
|
$page = get_page($page_id);
|
||||||
|
|
||||||
|
@ -268,6 +274,12 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return($this->error);
|
return($this->error);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_current_user( 0, $username );
|
||||||
|
if( !current_user_can( 'edit_pages' ) )
|
||||||
|
return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
|
||||||
|
|
||||||
|
do_action('xmlrpc_call', 'wp.getPages');
|
||||||
|
|
||||||
// Lookup info on pages.
|
// Lookup info on pages.
|
||||||
$pages = get_pages();
|
$pages = get_pages();
|
||||||
$num_pages = count($pages);
|
$num_pages = count($pages);
|
||||||
|
@ -426,6 +438,12 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return($this->error);
|
return($this->error);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_current_user( 0, $username );
|
||||||
|
if( !current_user_can( 'edit_pages' ) )
|
||||||
|
return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
|
||||||
|
|
||||||
|
do_action('xmlrpc_call', 'wp.getPageList');
|
||||||
|
|
||||||
// Get list of pages ids and titles
|
// Get list of pages ids and titles
|
||||||
$page_list = $wpdb->get_results("
|
$page_list = $wpdb->get_results("
|
||||||
SELECT ID page_id,
|
SELECT ID page_id,
|
||||||
|
@ -459,7 +477,6 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
* wp_getAuthors
|
* wp_getAuthors
|
||||||
*/
|
*/
|
||||||
function wp_getAuthors($args) {
|
function wp_getAuthors($args) {
|
||||||
global $wpdb;
|
|
||||||
|
|
||||||
$this->escape($args);
|
$this->escape($args);
|
||||||
|
|
||||||
|
@ -509,7 +526,7 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
// Set the user context and make sure they are
|
// Set the user context and make sure they are
|
||||||
// allowed to add a category.
|
// allowed to add a category.
|
||||||
set_current_user(0, $username);
|
set_current_user(0, $username);
|
||||||
if(!current_user_can("manage_categories", $page_id)) {
|
if(!current_user_can("manage_categories")) {
|
||||||
return(new IXR_Error(401, __("Sorry, you do not have the right to add a category.")));
|
return(new IXR_Error(401, __("Sorry, you do not have the right to add a category.")));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -563,6 +580,12 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return($this->error);
|
return($this->error);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_current_user(0, $username);
|
||||||
|
if( !current_user_can( 'edit_posts' ) )
|
||||||
|
return new IXR_Error( 401, __( 'Sorry, you must be able to publish to this blog in order to view categories.' ) );
|
||||||
|
|
||||||
|
do_action('xmlrpc_call', 'wp.suggestCategories');
|
||||||
|
|
||||||
$args = array('get' => 'all', 'number' => $max_results, 'name__like' => $category);
|
$args = array('get' => 'all', 'number' => $max_results, 'name__like' => $category);
|
||||||
$category_suggestions = get_categories($args);
|
$category_suggestions = get_categories($args);
|
||||||
|
|
||||||
|
@ -613,13 +636,18 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_current_user( 0, $user_login );
|
||||||
|
if( !current_user_can( 'edit_posts' ) )
|
||||||
|
return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) );
|
||||||
|
|
||||||
|
do_action('xmlrpc_call', 'blogger.getUserInfo');
|
||||||
|
|
||||||
$user_data = get_userdatabylogin($user_login);
|
$user_data = get_userdatabylogin($user_login);
|
||||||
|
|
||||||
$struct = array(
|
$struct = array(
|
||||||
'nickname' => $user_data->nickname,
|
'nickname' => $user_data->nickname,
|
||||||
'userid' => $user_data->ID,
|
'userid' => $user_data->ID,
|
||||||
'url' => $user_data->user_url,
|
'url' => $user_data->user_url,
|
||||||
'email' => $user_data->user_email,
|
|
||||||
'lastname' => $user_data->last_name,
|
'lastname' => $user_data->last_name,
|
||||||
'firstname' => $user_data->first_name
|
'firstname' => $user_data->first_name
|
||||||
);
|
);
|
||||||
|
@ -641,7 +669,12 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
|
||||||
$user_data = get_userdatabylogin($user_login);
|
set_current_user( 0, $user_login );
|
||||||
|
if( !current_user_can( 'edit_post', $post_ID ) )
|
||||||
|
return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
|
||||||
|
|
||||||
|
do_action('xmlrpc_call', 'blogger.getPost');
|
||||||
|
|
||||||
$post_data = wp_get_single_post($post_ID, ARRAY_A);
|
$post_data = wp_get_single_post($post_ID, ARRAY_A);
|
||||||
|
|
||||||
$categories = implode(',', wp_get_post_categories($post_ID));
|
$categories = implode(',', wp_get_post_categories($post_ID));
|
||||||
|
@ -679,12 +712,16 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
|
|
||||||
$posts_list = wp_get_recent_posts($num_posts);
|
$posts_list = wp_get_recent_posts($num_posts);
|
||||||
|
|
||||||
|
set_current_user( 0, $user_login );
|
||||||
|
|
||||||
if (!$posts_list) {
|
if (!$posts_list) {
|
||||||
$this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.'));
|
$this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.'));
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach ($posts_list as $entry) {
|
foreach ($posts_list as $entry) {
|
||||||
|
if( !current_user_can( 'edit_post', $entry['ID'] ) )
|
||||||
|
continue;
|
||||||
|
|
||||||
$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
|
$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
|
||||||
$categories = implode(',', wp_get_post_categories($entry['ID']));
|
$categories = implode(',', wp_get_post_categories($entry['ID']));
|
||||||
|
@ -1344,78 +1381,83 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
/* metaweblog.getPost ...returns a post */
|
/* metaweblog.getPost ...returns a post */
|
||||||
function mw_getPost($args) {
|
function mw_getPost($args) {
|
||||||
|
|
||||||
global $wpdb;
|
global $wpdb;
|
||||||
|
|
||||||
$this->escape($args);
|
$this->escape($args);
|
||||||
|
|
||||||
$post_ID = (int) $args[0];
|
$post_ID = (int) $args[0];
|
||||||
$user_login = $args[1];
|
$user_login = $args[1];
|
||||||
$user_pass = $args[2];
|
$user_pass = $args[2];
|
||||||
|
|
||||||
if (!$this->login_pass_ok($user_login, $user_pass)) {
|
if (!$this->login_pass_ok($user_login, $user_pass)) {
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
|
||||||
|
|
||||||
$postdata = wp_get_single_post($post_ID, ARRAY_A);
|
|
||||||
|
|
||||||
if ($postdata['post_date'] != '') {
|
|
||||||
|
|
||||||
$post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']);
|
|
||||||
$post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']);
|
|
||||||
|
|
||||||
$categories = array();
|
|
||||||
$catids = wp_get_post_categories($post_ID);
|
|
||||||
foreach($catids as $catid) {
|
|
||||||
$categories[] = get_cat_name($catid);
|
|
||||||
}
|
|
||||||
|
|
||||||
$tagnames = array();
|
|
||||||
$tags = wp_get_post_tags( $post_ID );
|
|
||||||
if ( !empty( $tags ) ) {
|
|
||||||
foreach ( $tags as $tag ) {
|
|
||||||
$tagnames[] = $tag->name;
|
|
||||||
}
|
|
||||||
$tagnames = implode( ', ', $tagnames );
|
|
||||||
} else {
|
|
||||||
$tagnames = '';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$post = get_extended($postdata['post_content']);
|
set_current_user( 0, $user_login );
|
||||||
$link = post_permalink($postdata['ID']);
|
if( !current_user_can( 'edit_post', $post_ID ) )
|
||||||
|
return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
|
||||||
|
|
||||||
// Get the author info.
|
do_action('xmlrpc_call', 'metaWeblog.getPost');
|
||||||
$author = get_userdata($postdata['post_author']);
|
|
||||||
|
|
||||||
$allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0;
|
$postdata = wp_get_single_post($post_ID, ARRAY_A);
|
||||||
$allow_pings = ('open' == $postdata['ping_status']) ? 1 : 0;
|
|
||||||
|
|
||||||
$resp = array(
|
if ($postdata['post_date'] != '') {
|
||||||
'dateCreated' => new IXR_Date($post_date),
|
$post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']);
|
||||||
'userid' => $postdata['post_author'],
|
$post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']);
|
||||||
'postid' => $postdata['ID'],
|
|
||||||
'description' => $post['main'],
|
|
||||||
'title' => $postdata['post_title'],
|
|
||||||
'link' => $link,
|
|
||||||
'permaLink' => $link,
|
|
||||||
// commented out because no other tool seems to use this
|
|
||||||
// 'content' => $entry['post_content'],
|
|
||||||
'categories' => $categories,
|
|
||||||
'mt_excerpt' => $postdata['post_excerpt'],
|
|
||||||
'mt_text_more' => $post['extended'],
|
|
||||||
'mt_allow_comments' => $allow_comments,
|
|
||||||
'mt_allow_pings' => $allow_pings,
|
|
||||||
'mt_keywords' => $tagnames,
|
|
||||||
'wp_slug' => $postdata['post_name'],
|
|
||||||
'wp_password' => $postdata['post_password'],
|
|
||||||
'wp_author_id' => $author->ID,
|
|
||||||
'wp_author_display_name' => $author->display_name,
|
|
||||||
'date_created_gmt' => new IXR_Date($post_date_gmt)
|
|
||||||
);
|
|
||||||
|
|
||||||
return $resp;
|
$categories = array();
|
||||||
} else {
|
$catids = wp_get_post_categories($post_ID);
|
||||||
return new IXR_Error(404, __('Sorry, no such post.'));
|
foreach($catids as $catid) {
|
||||||
}
|
$categories[] = get_cat_name($catid);
|
||||||
|
}
|
||||||
|
|
||||||
|
$tagnames = array();
|
||||||
|
$tags = wp_get_post_tags( $post_ID );
|
||||||
|
if ( !empty( $tags ) ) {
|
||||||
|
foreach ( $tags as $tag ) {
|
||||||
|
$tagnames[] = $tag->name;
|
||||||
|
}
|
||||||
|
$tagnames = implode( ', ', $tagnames );
|
||||||
|
} else {
|
||||||
|
$tagnames = '';
|
||||||
|
}
|
||||||
|
|
||||||
|
$post = get_extended($postdata['post_content']);
|
||||||
|
$link = post_permalink($postdata['ID']);
|
||||||
|
|
||||||
|
// Get the author info.
|
||||||
|
$author = get_userdata($postdata['post_author']);
|
||||||
|
|
||||||
|
$allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0;
|
||||||
|
$allow_pings = ('open' == $postdata['ping_status']) ? 1 : 0;
|
||||||
|
|
||||||
|
$resp = array(
|
||||||
|
'dateCreated' => new IXR_Date($post_date),
|
||||||
|
'userid' => $postdata['post_author'],
|
||||||
|
'postid' => $postdata['ID'],
|
||||||
|
'description' => $post['main'],
|
||||||
|
'title' => $postdata['post_title'],
|
||||||
|
'link' => $link,
|
||||||
|
'permaLink' => $link,
|
||||||
|
// commented out because no other tool seems to use this
|
||||||
|
// 'content' => $entry['post_content'],
|
||||||
|
'categories' => $categories,
|
||||||
|
'mt_excerpt' => $postdata['post_excerpt'],
|
||||||
|
'mt_text_more' => $post['extended'],
|
||||||
|
'mt_allow_comments' => $allow_comments,
|
||||||
|
'mt_allow_pings' => $allow_pings,
|
||||||
|
'mt_keywords' => $tagnames,
|
||||||
|
'wp_slug' => $postdata['post_name'],
|
||||||
|
'wp_password' => $postdata['post_password'],
|
||||||
|
'wp_author_id' => $author->ID,
|
||||||
|
'wp_author_display_name' => $author->display_name,
|
||||||
|
'date_created_gmt' => new IXR_Date($post_date_gmt)
|
||||||
|
);
|
||||||
|
|
||||||
|
return $resp;
|
||||||
|
} else {
|
||||||
|
return new IXR_Error(404, __('Sorry, no such post.'));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -1440,15 +1482,11 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
|
||||||
$this_user = set_current_user( 0, $user_login );
|
set_current_user( 0, $user_login );
|
||||||
|
|
||||||
foreach ($posts_list as $entry) {
|
foreach ($posts_list as $entry) {
|
||||||
if (
|
if( !current_user_can( 'edit_post', $entry['ID'] ) )
|
||||||
!empty( $entry['post_password'] )
|
continue;
|
||||||
&& !current_user_can( 'edit_post', $entry['ID'] )
|
|
||||||
) {
|
|
||||||
unset( $entry['post_password'] );
|
|
||||||
}
|
|
||||||
|
|
||||||
$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
|
$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
|
||||||
$post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);
|
$post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);
|
||||||
|
@ -1528,6 +1566,12 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_current_user( 0, $user_login );
|
||||||
|
if( !current_user_can( 'edit_posts' ) )
|
||||||
|
return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
|
||||||
|
|
||||||
|
do_action('xmlrpc_call', 'metaWeblog.getCategories');
|
||||||
|
|
||||||
$categories_struct = array();
|
$categories_struct = array();
|
||||||
|
|
||||||
if ( $cats = get_categories('get=all') ) {
|
if ( $cats = get_categories('get=all') ) {
|
||||||
|
@ -1647,7 +1691,11 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_current_user( 0, $user_login );
|
||||||
|
|
||||||
foreach ($posts_list as $entry) {
|
foreach ($posts_list as $entry) {
|
||||||
|
if( !current_user_can( 'edit_post', $entry['ID'] ) )
|
||||||
|
continue;
|
||||||
|
|
||||||
$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
|
$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
|
||||||
$post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);
|
$post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);
|
||||||
|
@ -1686,9 +1734,14 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_current_user( 0, $user_login );
|
||||||
|
if( !current_user_can( 'edit_posts' ) )
|
||||||
|
return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
|
||||||
|
|
||||||
|
do_action('xmlrpc_call', 'mt.getCategoryList');
|
||||||
|
|
||||||
$categories_struct = array();
|
$categories_struct = array();
|
||||||
|
|
||||||
// FIXME: can we avoid using direct SQL there?
|
|
||||||
if ( $cats = get_categories('hide_empty=0&hierarchical=0') ) {
|
if ( $cats = get_categories('hide_empty=0&hierarchical=0') ) {
|
||||||
foreach ($cats as $cat) {
|
foreach ($cats as $cat) {
|
||||||
$struct['categoryId'] = $cat->term_id;
|
$struct['categoryId'] = $cat->term_id;
|
||||||
|
@ -1715,6 +1768,12 @@ class wp_xmlrpc_server extends IXR_Server {
|
||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_current_user( 0, $user_login );
|
||||||
|
if( !current_user_can( 'edit_post', $post_ID ) )
|
||||||
|
return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
|
||||||
|
|
||||||
|
do_action('xmlrpc_call', 'mt.getPostCategories');
|
||||||
|
|
||||||
$categories = array();
|
$categories = array();
|
||||||
$catids = wp_get_post_categories(intval($post_ID));
|
$catids = wp_get_post_categories(intval($post_ID));
|
||||||
// first listed category will be the primary category
|
// first listed category will be the primary category
|
||||||
|
|
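Review bot: wp.getPages (hunk @ -268) and wp.getPageList (hunk @ -426) gate the listing on the blanket `edit_pages` capability and then hand back `get_pages()` / the raw `SELECT ID page_id, ...` result unfiltered, whereas wp.getPage in the first hunk requires `edit_page` on the specific page; if those queries return pages the caller could not fetch individually (presumably other authors' drafts or private pages — confirm against get_pages() and the SQL), the list endpoints disclose exactly what the single-page endpoint now refuses. The blogger/metaWeblog/mt getRecentPosts hunks in this same commit already handle this per entry with `if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue;`, so the page listings should apply the same per-page filter before `$num_pages = count($pages);` (sketched below for wp.getPages; the loop that builds the response runs past the hunk, and the `$page->ID` access assumes get_pages() returns post objects as get_page() does elsewhere in the file). Separately, wp.suggestCategories checks `edit_posts` but its error text says "you must be able to publish to this blog", unlike the matching metaWeblog.getCategories and mt.getCategoryList messages; use `__( 'Sorry, you must be able to edit posts on this blog in order to view categories.' )` there too so the message matches the check. Every method touched here starts and ends outside its hunk.
```php
		// … unchanged: login_pass_ok, set_current_user, edit_pages check, xmlrpc_call action …
		// Lookup info on pages.
		$pages = get_pages();

		// Keep only pages the caller may edit, mirroring the per-entry
		// filter the getRecentPosts methods apply; otherwise a user with
		// edit_pages could list pages wp.getPage would refuse to return.
		$editable_pages = array();
		foreach ( (array) $pages as $page ) {
			if ( current_user_can( 'edit_page', $page->ID ) )
				$editable_pages[] = $page;
		}
		$pages = $editable_pages;
		$num_pages = count($pages);
		// … unchanged: response construction …
```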