X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/af50974463450c98503e763a7836a50e260461a9..f5fcdc7994bb67cce809bc4777944ae8b7fad4a4:/wp-includes/class-wp-xmlrpc-server.php
diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php
index 89bf5129..aac66314 100644
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -41,8 +41,6 @@ class wp_xmlrpc_server extends IXR_Server {
  * or replace XMLRPC methods.
  *
  * @since 1.5.0
- *
- * @return wp_xmlrpc_server
  */
 public function __construct() {
 $this->methods = array(
@@ -163,7 +161,10 @@ class wp_xmlrpc_server extends IXR_Server {
  * @return mixed|bool Return value of the callback, false otherwise.
  */
 public function __call( $name, $arguments ) {
- return call_user_func_array( array( $this, $name ), $arguments );
+ if ( '_multisite_getUsersBlogs' === $name ) {
+ return call_user_func_array( array( $this, $name ), $arguments );
+ }
+ return false;
 }
 
 public function serve_request() {
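Review bot: The allowlist added to __call() carries no comment recording why `_multisite_getUsersBlogs` is the only inaccessible method that may still be dispatched, so the next person who needs another internal callback reachable cannot tell whether widening the check is safe. Suggest a line above the if: `// Only the multisite getUsersBlogs shim may be reached through __call(); every other inaccessible method name is refused.` The docblock's existing `@return mixed|bool Return value of the callback, false otherwise.` already covers the new false return, so no further documentation change is needed.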
@@ -1116,13 +1117,13 @@ class wp_xmlrpc_server extends IXR_Server {
 return $this->error;
 
 // convert the date field back to IXR form
- if ( isset( $content_struct['post_date'] ) && ! is_a( $content_struct['post_date'], 'IXR_Date' ) ) {
+ if ( isset( $content_struct['post_date'] ) && ! ( $content_struct['post_date'] instanceof IXR_Date ) ) {
 $content_struct['post_date'] = $this->_convert_date( $content_struct['post_date'] );
 }
 
 // ignore the existing GMT date if it is empty or a non-GMT date was supplied in $content_struct,
 // since _insert_post will ignore the non-GMT date if the GMT date is set
- if ( isset( $content_struct['post_date_gmt'] ) && ! is_a( $content_struct['post_date_gmt'], 'IXR_Date' ) ) {
+ if ( isset( $content_struct['post_date_gmt'] ) && ! ( $content_struct['post_date_gmt'] instanceof IXR_Date ) ) {
 if ( $content_struct['post_date_gmt'] == '0000-00-00 00:00:00' || isset( $content_struct['post_date'] ) ) {
 unset( $content_struct['post_date_gmt'] );
 } else {
@@ -1149,6 +1150,56 @@ class wp_xmlrpc_server extends IXR_Server {
 return $count > 1;
 }
 
+ private function _validate_boolean( $var ) {
+ if ( is_bool( $var ) ) {
+ return $var;
+ }
+
+ if ( is_string( $var ) && 'false' === strtolower( $var ) ) {
+ return false;
+ }
+
+ return (bool) $var;
+ }
+
+ /**
+ * Encapsulate the logic for sticking a post
+ * and determining if the user has permission to do so
+ *
+ * @since 4.3.0
+ * @access private
+ *
+ * @param array $post_data
+ * @param bool $update
+ * @return void|IXR_Error
+ */
+ private function _toggle_sticky( $post_data, $update = false ) {
+ $post_type = get_post_type_object( $post_data['post_type'] );
+
+ // Private and password-protected posts cannot be stickied.
+ if ( 'private' === $post_data['post_status'] || ! empty( $post_data['post_password'] ) ) {
+ // Error if the client tried to stick the post, otherwise, silently unstick.
+ if ( ! empty( $post_data['sticky'] ) ) {
+ return new IXR_Error( 401, __( 'Sorry, you cannot stick a private post.' ) );
+ }
+
+ if ( $update ) {
+ unstick_post( $post_data['ID'] );
+ }
+ } elseif ( isset( $post_data['sticky'] ) ) {
+ if ( ! current_user_can( $post_type->cap->edit_others_posts ) ) {
+ return new IXR_Error( 401, __( 'Sorry, you are not allowed to stick this post.' ) );
+ }
+
+ $sticky = $this->_validate_boolean( $post_data['sticky'] );
+ if ( $sticky ) {
+ stick_post( $post_data['ID'] );
+ } else {
+ unstick_post( $post_data['ID'] );
+ }
+ }
+ }
+
 /**
 * Helper method for wp_newPost and wp_editPost, containing shared logic.
 *
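Review bot: `_validate_boolean()` has no docblock and `_toggle_sticky()`'s `@param array $post_data` does not say which keys it relies on, although the body reads `post_type`, `post_status`, `post_password`, `ID` and optionally `sticky` without isset() guards. Suggest `@param array $post_data Post data; must carry 'ID', 'post_type', 'post_status' and 'post_password', plus 'sticky' when the client sent it.` and a short docblock on `_validate_boolean()` stating that bools pass through unchanged, the case-insensitive string 'false' maps to false, and everything else is cast with (bool). `get_post_type_object()` returns null for an unregistered type and `$post_type->cap->edit_others_posts` would then fault; a guard `if ( ! $post_type ) { return new IXR_Error( 401, __( 'Invalid post type' ) ); }` right after the lookup keeps that an XML-RPC error rather than a PHP fault. Every call site visible on this page passes 'post', so treat the guard as defensive rather than a live bug.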
@@ -1241,20 +1292,9 @@ class wp_xmlrpc_server extends IXR_Server {
 $post_ID = $post_data['ID'];
 
 if ( $post_data['post_type'] == 'post' ) {
- // Private and password-protected posts cannot be stickied.
- if ( $post_data['post_status'] == 'private' || ! empty( $post_data['post_password'] ) ) {
- // Error if the client tried to stick the post, otherwise, silently unstick.
- if ( ! empty( $post_data['sticky'] ) )
- return new IXR_Error( 401, __( 'Sorry, you cannot stick a private post.' ) );
- if ( $update )
- unstick_post( $post_ID );
- } elseif ( isset( $post_data['sticky'] ) ) {
- if ( ! current_user_can( $post_type->cap->edit_others_posts ) )
- return new IXR_Error( 401, __( 'Sorry, you are not allowed to stick this post.' ) );
- if ( $post_data['sticky'] )
- stick_post( $post_ID );
- else
- unstick_post( $post_ID );
+ $error = $this->_toggle_sticky( $post_data, $update );
+ if ( $error ) {
+ return $error;
 }
 }
 
@@ -1519,7 +1559,7 @@ class wp_xmlrpc_server extends IXR_Server {
  *
  * @uses get_post()
  * @param array $args Method parameters. Contains:
- * - int $blog_id (unset)
+ * - int $blog_id (unused)
  * - string $username
  * - string $password
  * - int $post_id
@@ -2545,8 +2585,6 @@ class wp_xmlrpc_server extends IXR_Server {
 // Items not escaped here will be escaped in newPost.
 $username = $this->escape($args[1]);
 $password = $this->escape($args[2]);
- $page = $args[3];
- $publish = $args[4];
 
 if ( !$user = $this->login($username, $password) )
 return $this->error;
@@ -2917,7 +2955,7 @@ class wp_xmlrpc_server extends IXR_Server {
 return $this->error;
 
 if ( !current_user_can( 'edit_posts' ) )
- return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts to this site in order to view categories.' ) );
+ return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this site in order to view categories.' ) );
 
 /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
 do_action( 'xmlrpc_call', 'wp.suggestCategories' );
@@ -3098,7 +3136,7 @@ class wp_xmlrpc_server extends IXR_Server {
  *
  * @since 2.7.0
  *
- * @param array $args. Contains:
+ * @param array $args Contains:
  * - blog_id (unused)
  * - username
  * - password
@@ -3211,10 +3249,11 @@ class wp_xmlrpc_server extends IXR_Server {
 if ( !$user ) {
 $logged_in = false;
 
- if ( $allow_anon && get_option('comment_registration') )
+ if ( $allow_anon && get_option('comment_registration') ) {
 return new IXR_Error( 403, __( 'You must be registered to comment' ) );
- else if ( !$allow_anon )
+ } elseif ( ! $allow_anon ) {
 return $this->error;
+ }
 } else {
 $logged_in = true;
 }
@@ -3634,7 +3673,7 @@ class wp_xmlrpc_server extends IXR_Server {
 
 $formats = get_post_format_strings();
 
- # find out if they want a list of currently supports formats
+ // find out if they want a list of currently supports formats
 if ( isset( $args[3] ) && is_array( $args[3] ) ) {
 if ( $args[3]['show-supported'] ) {
 if ( current_theme_supports( 'post-formats' ) ) {
@@ -4212,7 +4251,6 @@ class wp_xmlrpc_server extends IXR_Server {
 $username = $args[2];
 $password = $args[3];
 $content = $args[4];
- $publish = $args[5];
 
 if ( ! $user = $this->login( $username, $password ) ) {
 return $this->error;
@@ -4278,7 +4316,6 @@ class wp_xmlrpc_server extends IXR_Server {
 $post_ID = (int) $args[1];
 $username = $args[2];
 $password = $args[3];
- $publish = $args[4];
 
 if ( !$user = $this->login($username, $password) )
 return $this->error;
@@ -4448,7 +4485,6 @@ class wp_xmlrpc_server extends IXR_Server {
 break;
 default:
 return new IXR_Error( 401, __( 'Invalid post type' ) );
- break;
 }
 $author = get_userdata( $content_struct['wp_author_id'] );
 if ( ! $author )
@@ -4583,10 +4619,12 @@ class wp_xmlrpc_server extends IXR_Server {
 
 // Only posts can be sticky
 if ( $post_type == 'post' && isset( $content_struct['sticky'] ) ) {
- if ( $content_struct['sticky'] == true )
- stick_post( $post_ID );
- elseif ( $content_struct['sticky'] == false )
- unstick_post( $post_ID );
+ $data = $postdata;
+ $data['sticky'] = $content_struct['sticky'];
+ $error = $this->_toggle_sticky( $data );
+ if ( $error ) {
+ return $error;
+ }
 }
 
 if ( isset($content_struct['custom_fields']) )
@@ -4736,7 +4774,6 @@ class wp_xmlrpc_server extends IXR_Server {
 $menu_order = $postdata['menu_order'];
 
 // Let WordPress manage slug if none was provided.
- $post_name = "";
 $post_name = $postdata['post_name'];
 if ( isset($content_struct['wp_slug']) )
 $post_name = $content_struct['wp_slug'];
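Review bot: `$data` is a plain copy of `$postdata`, whose assembly lies outside the hunk, yet `_toggle_sticky()` dereferences `$post_data['ID']`, `['post_type']`, `['post_status']` and `['post_password']` without isset() and hands the ID straight to stick_post(); if `$postdata` here is the array being prepared for wp_insert_post() rather than a loaded post, confirm it already holds the new post's ID and its post_type, otherwise the helper stickies post 0 or faults on a null post-type object. The later hunk in this commit that calls the same helper from the edit path adds `$data['post_type'] = 'post';` before the call; doing the same here costs one line and removes the dependency on how `$postdata` was built. The enclosing method starts and ends outside the hunk.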
@@ -4760,21 +4797,26 @@ class wp_xmlrpc_server extends IXR_Server {
 $post_author = $postdata['post_author'];
 
 // Only set the post_author if one is set.
- if ( isset($content_struct['wp_author_id']) && ($user->ID != $content_struct['wp_author_id']) ) {
- switch ( $post_type ) {
- case 'post':
- if ( !current_user_can('edit_others_posts') )
- return new IXR_Error( 401, __( 'You are not allowed to change the post author as this user.' ) );
- break;
- case 'page':
- if ( !current_user_can('edit_others_pages') )
- return new IXR_Error( 401, __( 'You are not allowed to change the page author as this user.' ) );
- break;
- default:
- return new IXR_Error( 401, __( 'Invalid post type' ) );
- break;
+ if ( isset( $content_struct['wp_author_id'] ) ) {
+ // Check permissions if attempting to switch author to or from another user.
+ if ( $user->ID != $content_struct['wp_author_id'] || $user->ID != $post_author ) {
+ switch ( $post_type ) {
+ case 'post':
+ if ( ! current_user_can( 'edit_others_posts' ) ) {
+ return new IXR_Error( 401, __( 'You are not allowed to change the post author as this user.' ) );
+ }
+ break;
+ case 'page':
+ if ( ! current_user_can( 'edit_others_pages' ) ) {
+ return new IXR_Error( 401, __( 'You are not allowed to change the page author as this user.' ) );
+ }
+ break;
+ default:
+ return new IXR_Error( 401, __( 'Invalid post type' ) );
+ break;
+ }
+ $post_author = $content_struct['wp_author_id'];
 }
- $post_author = $content_struct['wp_author_id'];
 }
 
 if ( isset($content_struct['mt_allow_comments']) ) {
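Review bot: The rewritten `default:` branch keeps an unreachable `break;` after `return new IXR_Error( 401, __( 'Invalid post type' ) );`, while the hunk at 4448 in this same commit deletes exactly that pattern; drop the `break;` here too for consistency. The value stored afterwards, `$post_author = $content_struct['wp_author_id'];`, is the raw client-supplied field even though the comparison just above already treats it as a user ID; `$post_author = (int) $content_struct['wp_author_id'];` pins the type before it reaches the update path, whose handling of non-integer authors is outside this page. A short comment on the new condition, `// Re-check when the caller is taking over someone else's post, not only when handing it away.`, would make the second half of the || self-explanatory. The enclosing method continues beyond the hunk.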
@@ -4872,11 +4914,12 @@ class wp_xmlrpc_server extends IXR_Server {
 
 $tags_input = isset( $content_struct['mt_keywords'] ) ? $content_struct['mt_keywords'] : null;
 
- if ( ('publish' == $post_status) ) {
- if ( ( 'page' == $post_type ) && !current_user_can('publish_pages') )
- return new IXR_Error(401, __('Sorry, you do not have the right to publish this page.'));
- else if ( !current_user_can('publish_posts') )
- return new IXR_Error(401, __('Sorry, you do not have the right to publish this post.'));
+ if ( 'publish' == $post_status || 'private' == $post_status ) {
+ if ( 'page' == $post_type && ! current_user_can( 'publish_pages' ) ) {
+ return new IXR_Error( 401, __( 'Sorry, you do not have the right to publish this page.' ) );
+ } elseif ( ! current_user_can( 'publish_posts' ) ) {
+ return new IXR_Error( 401, __( 'Sorry, you do not have the right to publish this post.' ) );
+ }
 }
 
 if ( $post_more )
@@ -4916,10 +4959,13 @@ class wp_xmlrpc_server extends IXR_Server {
 
 // Only posts can be sticky
 if ( $post_type == 'post' && isset( $content_struct['sticky'] ) ) {
- if ( $content_struct['sticky'] == true )
- stick_post( $post_ID );
- elseif ( $content_struct['sticky'] == false )
- unstick_post( $post_ID );
+ $data = $newpost;
+ $data['sticky'] = $content_struct['sticky'];
+ $data['post_type'] = 'post';
+ $error = $this->_toggle_sticky( $data, true );
+ if ( $error ) {
+ return $error;
+ }
 }
 
 if ( isset($content_struct['custom_fields']) )
@@ -5683,8 +5729,6 @@ class wp_xmlrpc_server extends IXR_Server {
 $pagelinkedfrom = $args[0];
 $pagelinkedto = $args[1];
 
- $title = '';
-
 $pagelinkedfrom = str_replace('&', '&', $pagelinkedfrom);
 $pagelinkedto = str_replace('&', '&', $pagelinkedto);
 $pagelinkedto = str_replace('&', '&', $pagelinkedto);
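Review bot: The widened status gate now requires publish_posts for 'publish' and 'private' but not for 'future'; the mapping that produces `$post_status` is outside the hunk, so if a scheduled status can reach this point a caller without publish_posts could still schedule a post, and nothing on this page shows the update path re-checking that. A strict membership test is easier to keep complete: `if ( in_array( $post_status, array( 'publish', 'private' ), true ) ) {`, with 'future' added once confirmed to be reachable. A one-line comment such as `// Private posts need the publish capability, so they share the publish gate.` would also explain why a private post is refused with a 'right to publish' message. The enclosing method starts and ends outside the hunk.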