diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php
index a18dbe7fa1..0ee850b95c 100644
--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@@ -1538,10 +1538,12 @@ function wp_ajax_inline_save() {
 $data['parent_id'] = $data['post_parent'];
 
 // Status.
- if ( isset($data['keep_private']) && 'private' == $data['keep_private'] )
+ if ( isset( $data['keep_private'] ) && 'private' == $data['keep_private'] ) {
+ $data['visibility'] = 'private';
 $data['post_status'] = 'private';
- else
+ } else {
 $data['post_status'] = $data['_status'];
+ }
 
 if ( empty($data['comment_status']) )
 $data['comment_status'] = 'closed';
diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php
index 89bf512930..d726143cfd 100644
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
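Review bot: The rebraced condition still uses the loose comparison `'private' == $data['keep_private']`; since `$data` here is presumably request input, a strict `'private' === $data['keep_private']` states the intent and avoids PHP's loose-comparison juggling. The `else` branch also still reads `$data['_status']` with no `isset()` guard, so a request lacking that field produces a notice and assigns null to `post_status`; a guard in the style of the `comment_status` check two lines below would make the missing-field case explicit. wp_ajax_inline_save begins and ends outside this hunk.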
@@ -1149,6 +1149,56 @@ class wp_xmlrpc_server extends IXR_Server {
 return $count > 1;
 }
 
+ private function _validate_boolean( $var ) {
+ if ( is_bool( $var ) ) {
+ return $var;
+ }
+
+ if ( is_string( $var ) && 'false' === strtolower( $var ) ) {
+ return false;
+ }
+
+ return (bool) $var;
+ }
+
+ /**
+ * Encapsulate the logic for sticking a post
+ * and determining if the user has permission to do so
+ *
+ * @since 4.3.0
+ * @access private
+ *
+ * @param array $post_data
+ * @param bool $update
+ * @return void|IXR_Error
+ */
+ private function _toggle_sticky( $post_data, $update = false ) {
+ $post_type = get_post_type_object( $post_data['post_type'] );
+
+ // Private and password-protected posts cannot be stickied.
+ if ( 'private' === $post_data['post_status'] || ! empty( $post_data['post_password'] ) ) {
+ // Error if the client tried to stick the post, otherwise, silently unstick.
+ if ( ! empty( $post_data['sticky'] ) ) {
+ return new IXR_Error( 401, __( 'Sorry, you cannot stick a private post.' ) );
+ }
+
+ if ( $update ) {
+ unstick_post( $post_data['ID'] );
+ }
+ } elseif ( isset( $post_data['sticky'] ) ) {
+ if ( ! current_user_can( $post_type->cap->edit_others_posts ) ) {
+ return new IXR_Error( 401, __( 'Sorry, you are not allowed to stick this post.' ) );
+ }
+
+ $sticky = $this->_validate_boolean( $post_data['sticky'] );
+ if ( $sticky ) {
+ stick_post( $post_data['ID'] );
+ } else {
+ unstick_post( $post_data['ID'] );
+ }
+ }
+ }
+
 /**
 * Helper method for wp_newPost and wp_editPost, containing shared logic.
 *
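Review bot: The private/password branch of `_toggle_sticky` decides "client tried to stick" with `! empty( $post_data['sticky'] )`, i.e. plain PHP truthiness, while the other branch normalises the same field through the new `_validate_boolean()`; a client sending the string `'false'` for a private post is therefore rejected with the 401 "cannot stick a private post" instead of being silently unstuck as the comment promises. Routing both branches through the helper fixes the inconsistency: `if ( isset( $post_data['sticky'] ) && $this->_validate_boolean( $post_data['sticky'] ) ) {`. `_validate_boolean` also has no docblock, unlike its sibling; a short one should state that only the string `'false'` (case-insensitive) is special-cased and everything else follows PHP's `(bool)` cast, so `'0'` and `''` are false but `'no'` is true. Separately, `get_post_type_object()` returns null for an unknown type, and the capability check would then dereference `$post_type->cap` on null; an explicit guard before `current_user_can()` would make that failure visible rather than degrading the check.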
@@ -1241,20 +1291,9 @@ class wp_xmlrpc_server extends IXR_Server {
 $post_ID = $post_data['ID'];
 
 if ( $post_data['post_type'] == 'post' ) {
- // Private and password-protected posts cannot be stickied.
- if ( $post_data['post_status'] == 'private' || ! empty( $post_data['post_password'] ) ) {
- // Error if the client tried to stick the post, otherwise, silently unstick.
- if ( ! empty( $post_data['sticky'] ) )
- return new IXR_Error( 401, __( 'Sorry, you cannot stick a private post.' ) );
- if ( $update )
- unstick_post( $post_ID );
- } elseif ( isset( $post_data['sticky'] ) ) {
- if ( ! current_user_can( $post_type->cap->edit_others_posts ) )
- return new IXR_Error( 401, __( 'Sorry, you are not allowed to stick this post.' ) );
- if ( $post_data['sticky'] )
- stick_post( $post_ID );
- else
- unstick_post( $post_ID );
+ $error = $this->_toggle_sticky( $post_data, $update );
+ if ( $error ) {
+ return $error;
 }
 }
 
@@ -4583,10 +4622,12 @@ class wp_xmlrpc_server extends IXR_Server {
 
 // Only posts can be sticky
 if ( $post_type == 'post' && isset( $content_struct['sticky'] ) ) {
- if ( $content_struct['sticky'] == true )
- stick_post( $post_ID );
- elseif ( $content_struct['sticky'] == false )
- unstick_post( $post_ID );
+ $data = $postdata;
+ $data['sticky'] = $content_struct['sticky'];
+ $error = $this->_toggle_sticky( $data );
+ if ( $error ) {
+ return $error;
+ }
 }
 
 if ( isset($content_struct['custom_fields']) )
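Review bot: `if ( $error )` relies on the truthiness of the returned object to detect failure; given `_toggle_sticky` is documented as returning `void|IXR_Error`, `if ( $error instanceof IXR_Error ) {` names the contract the caller depends on and reads the same way as the surrounding error handling. The removed lines compared `$post_data['post_status'] == 'private'` loosely while the helper now uses `===`, which is an improvement worth keeping in mind if the caller is ever expected to pass non-string statuses. The enclosing helper (the shared wp_newPost/wp_editPost logic) starts and ends outside this hunk, so whether `$post_ID` is still used afterwards cannot be seen here.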
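Review bot: `_toggle_sticky` reads `$post_data['ID']`, `['post_type']`, `['post_status']` and `['post_password']`, and this hunk hands it a copy of `$postdata`, which is built outside the hunk; if that array does not carry `ID`, `stick_post()` and `unstick_post()` receive null, and if it lacks `post_status` or `post_password` the private/password guard is evaluated against a notice-producing null and passes. Setting the key the helper needs explicitly, `$data['ID'] = $post_ID;` next to `$data['sticky'] = ...`, would make the call independent of how `$postdata` happens to be assembled. The removed lines called `stick_post( $post_ID )`, which suggests the post already exists at this point; if so, the new 401 from the `edit_others_posts` check leaves the post created while the client is told the call failed, and the capability check would be better placed before the insert.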
@@ -4872,11 +4913,12 @@ class wp_xmlrpc_server extends IXR_Server {
 
 $tags_input = isset( $content_struct['mt_keywords'] ) ? $content_struct['mt_keywords'] : null;
 
- if ( ('publish' == $post_status) ) {
- if ( ( 'page' == $post_type ) && !current_user_can('publish_pages') )
- return new IXR_Error(401, __('Sorry, you do not have the right to publish this page.'));
- else if ( !current_user_can('publish_posts') )
- return new IXR_Error(401, __('Sorry, you do not have the right to publish this post.'));
+ if ( 'publish' == $post_status || 'private' == $post_status ) {
+ if ( 'page' == $post_type && ! current_user_can( 'publish_pages' ) ) {
+ return new IXR_Error( 401, __( 'Sorry, you do not have the right to publish this page.' ) );
+ } elseif ( ! current_user_can( 'publish_posts' ) ) {
+ return new IXR_Error( 401, __( 'Sorry, you do not have the right to publish this post.' ) );
+ }
 }
 
 if ( $post_more )
@@ -4916,10 +4958,13 @@ class wp_xmlrpc_server extends IXR_Server {
 
 // Only posts can be sticky
 if ( $post_type == 'post' && isset( $content_struct['sticky'] ) ) {
- if ( $content_struct['sticky'] == true )
- stick_post( $post_ID );
- elseif ( $content_struct['sticky'] == false )
- unstick_post( $post_ID );
+ $data = $newpost;
+ $data['sticky'] = $content_struct['sticky'];
+ $data['post_type'] = 'post';
+ $error = $this->_toggle_sticky( $data, true );
+ if ( $error ) {
+ return $error;
+ }
 }
 
 if ( isset($content_struct['custom_fields']) )
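Review bot: The rewritten condition keeps loose `==` comparisons (`'publish' == $post_status`, `'page' == $post_type`) while the helper added at line 1149 in this same commit uses `===` for the equivalent status check; `'publish' === $post_status || 'private' === $post_status` would bring the two into line, and `$post_status` originates in client-supplied XML-RPC data where strictness is cheap insurance. With `'private'` now covered by the branch, the two error strings still say "publish", so a client rejected for requesting a private post receives a message that does not describe what it asked for; a wording that covers both cases, or a separate message for the private case, would help API consumers. The enclosing method starts and ends outside this hunk, so where `$post_status` is assigned cannot be checked here.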
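Review bot: The private/password guard inside `_toggle_sticky` evaluates `$post_data['post_status']` and `$post_data['post_password']`, and here both come from `$newpost`, which is assembled outside this hunk; the commit had to add `post_type` by hand, which suggests `$newpost` is not a full post record, and if it is also missing either of those keys the guard sees null (with a notice) and a private or password-protected post can still be stuck. Worth confirming which keys `$newpost` carries, or building `$data` from the stored post record for this call so the guard always sees the real status and password rather than whatever subset the update happened to include. The same three-line setup is repeated at the hunk around line 4583; a small private builder for the `_toggle_sticky` argument would keep the two call sites from drifting.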