Use user returned from auth for XML-RPC logins. Props wnorris. fixes #8941

git-svn-id: http://svn.automattic.com/wordpress/trunk@10456 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2009-01-29 00:25:24 +00:00
parent f02590c921
commit 9ef3298a6f


@ -238,6 +238,8 @@ class wp_xmlrpc_server extends IXR_Server {
* @param string $user_login User's username. * @param string $user_login User's username.
* @param string $user_pass User's password. * @param string $user_pass User's password.
* @return bool Whether authentication passed. * @return bool Whether authentication passed.
* @deprecated use wp_xmlrpc_server::login
* @see wp_xmlrpc_server::login
*/ */
function login_pass_ok($user_login, $user_pass) { function login_pass_ok($user_login, $user_pass) {
if ( !get_option( 'enable_xmlrpc' ) ) { if ( !get_option( 'enable_xmlrpc' ) ) {
@ -252,6 +254,32 @@ class wp_xmlrpc_server extends IXR_Server {
return true; return true;
} }
/**
* Log user in.
*
* @since 2.8
*
* @param string $username User's username.
* @param string $password User's password.
* @return mixed WP_User object if authentication passed, false otherwise
*/
function login($username, $password) {
if ( !get_option( 'enable_xmlrpc' ) ) {
$this->error = new IXR_Error( 405, sprintf( __( 'XML-RPC services are disabled on this blog. An admin user can enable them at %s'), admin_url('options-writing.php') ) );
return false;
}
$user = wp_authenticate($username, $password);
if (is_wp_error($user)) {
$this->error = new IXR_Error(403, __('Bad login/pass combination.'));
return false;
}
set_current_user( $user->ID );
return $user;
}
/** /**
* Sanitize string or array of strings for database. * Sanitize string or array of strings for database.
* *
@ -417,13 +445,12 @@ class wp_xmlrpc_server extends IXR_Server {
$username = $args[0]; $username = $args[0];
$password = $args[1]; $password = $args[1];
if( !$this->login_pass_ok( $username, $password ) ) if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
}
do_action( 'xmlrpc_call', 'wp.getUsersBlogs' ); do_action( 'xmlrpc_call', 'wp.getUsersBlogs' );
$user = set_current_user( 0, $username );
$blogs = (array) get_blogs_of_user( $user->ID ); $blogs = (array) get_blogs_of_user( $user->ID );
$struct = array( ); $struct = array( );
@ -466,11 +493,10 @@ class wp_xmlrpc_server extends IXR_Server {
$username = $args[2]; $username = $args[2];
$password = $args[3]; $password = $args[3];
if(!$this->login_pass_ok($username, $password)) { if ( !$user = $this->login($username, $password) ) {
return($this->error); return $this->error;
} }
set_current_user( 0, $username );
if( !current_user_can( 'edit_page', $page_id ) ) if( !current_user_can( 'edit_page', $page_id ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) ); return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) );
@ -564,11 +590,10 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$num_pages = (int) $args[3]; $num_pages = (int) $args[3];
if(!$this->login_pass_ok($username, $password)) { if ( !$user = $this->login($username, $password) ) {
return($this->error); return $this->error;
} }
set_current_user( 0, $username );
if( !current_user_can( 'edit_pages' ) ) if( !current_user_can( 'edit_pages' ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
@ -616,15 +641,13 @@ class wp_xmlrpc_server extends IXR_Server {
$page = $args[3]; $page = $args[3];
$publish = $args[4]; $publish = $args[4];
if(!$this->login_pass_ok($username, $password)) { if ( !$user = $this->login($username, $password) ) {
return($this->error); return $this->error;
} }
do_action('xmlrpc_call', 'wp.newPage'); do_action('xmlrpc_call', 'wp.newPage');
// Set the user context and check if they are allowed // Make sure the user is allowed to add new pages.
// to add new pages.
$user = set_current_user(0, $username);
if(!current_user_can("publish_pages")) { if(!current_user_can("publish_pages")) {
return(new IXR_Error(401, __("Sorry, you can not add new pages."))); return(new IXR_Error(401, __("Sorry, you can not add new pages.")));
} }
@ -652,8 +675,8 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$page_id = (int) $args[3]; $page_id = (int) $args[3];
if(!$this->login_pass_ok($username, $password)) { if ( !$user = $this->login($username, $password) ) {
return($this->error); return $this->error;
} }
do_action('xmlrpc_call', 'wp.deletePage'); do_action('xmlrpc_call', 'wp.deletePage');
@ -668,8 +691,7 @@ class wp_xmlrpc_server extends IXR_Server {
return(new IXR_Error(404, __("Sorry, no such page."))); return(new IXR_Error(404, __("Sorry, no such page.")));
} }
// Set the user context and make sure they can delete pages. // Make sure the user can delete pages.
set_current_user(0, $username);
if(!current_user_can("delete_page", $page_id)) { if(!current_user_can("delete_page", $page_id)) {
return(new IXR_Error(401, __("Sorry, you do not have the right to delete this page."))); return(new IXR_Error(401, __("Sorry, you do not have the right to delete this page.")));
} }
@ -700,8 +722,8 @@ class wp_xmlrpc_server extends IXR_Server {
$content = $args[4]; $content = $args[4];
$publish = $args[5]; $publish = $args[5];
if(!$this->login_pass_ok($username, $password)) { if ( !$user = $this->login($username, $password) ) {
return($this->error); return $this->error;
} }
do_action('xmlrpc_call', 'wp.editPage'); do_action('xmlrpc_call', 'wp.editPage');
@ -715,8 +737,7 @@ class wp_xmlrpc_server extends IXR_Server {
return(new IXR_Error(404, __("Sorry, no such page."))); return(new IXR_Error(404, __("Sorry, no such page.")));
} }
// Set the user context and make sure they are allowed to edit pages. // Make sure the user is allowed to edit pages.
set_current_user(0, $username);
if(!current_user_can("edit_page", $page_id)) { if(!current_user_can("edit_page", $page_id)) {
return(new IXR_Error(401, __("Sorry, you do not have the right to edit this page."))); return(new IXR_Error(401, __("Sorry, you do not have the right to edit this page.")));
} }
@ -754,11 +775,10 @@ class wp_xmlrpc_server extends IXR_Server {
$username = $args[1]; $username = $args[1];
$password = $args[2]; $password = $args[2];
if(!$this->login_pass_ok($username, $password)) { if ( !$user = $this->login($username, $password) ) {
return($this->error); return $this->error;
} }
set_current_user( 0, $username );
if( !current_user_can( 'edit_pages' ) ) if( !current_user_can( 'edit_pages' ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) );
@ -808,11 +828,10 @@ class wp_xmlrpc_server extends IXR_Server {
$username = $args[1]; $username = $args[1];
$password = $args[2]; $password = $args[2];
if(!$this->login_pass_ok($username, $password)) { if ( !$user = $this->login($username, $password) ) {
return($this->error); return $this->error;
} }
set_current_user(0, $username);
if(!current_user_can("edit_posts")) { if(!current_user_can("edit_posts")) {
return(new IXR_Error(401, __("Sorry, you can not edit posts on this blog."))); return(new IXR_Error(401, __("Sorry, you can not edit posts on this blog.")));
} }
@ -846,11 +865,10 @@ class wp_xmlrpc_server extends IXR_Server {
$username = $args[1]; $username = $args[1];
$password = $args[2]; $password = $args[2];
if( !$this->login_pass_ok( $username, $password ) ) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
set_current_user( 0, $username );
if( !current_user_can( 'edit_posts' ) ) { if( !current_user_can( 'edit_posts' ) ) {
return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view tags.' ) ); return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view tags.' ) );
} }
@ -891,15 +909,13 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$category = $args[3]; $category = $args[3];
if(!$this->login_pass_ok($username, $password)) { if ( !$user = $this->login($username, $password) ) {
return($this->error); return $this->error;
} }
do_action('xmlrpc_call', 'wp.newCategory'); do_action('xmlrpc_call', 'wp.newCategory');
// Set the user context and make sure they are // Make sure the user is allowed to add a category.
// allowed to add a category.
set_current_user(0, $username);
if(!current_user_can("manage_categories")) { if(!current_user_can("manage_categories")) {
return(new IXR_Error(401, __("Sorry, you do not have the right to add a category."))); return(new IXR_Error(401, __("Sorry, you do not have the right to add a category.")));
} }
@ -951,13 +967,12 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$category_id = (int) $args[3]; $category_id = (int) $args[3];
if( !$this->login_pass_ok( $username, $password ) ) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
do_action('xmlrpc_call', 'wp.deleteCategory'); do_action('xmlrpc_call', 'wp.deleteCategory');
set_current_user(0, $username);
if( !current_user_can("manage_categories") ) { if( !current_user_can("manage_categories") ) {
return new IXR_Error( 401, __( "Sorry, you do not have the right to delete a category." ) ); return new IXR_Error( 401, __( "Sorry, you do not have the right to delete a category." ) );
} }
@ -982,11 +997,10 @@ class wp_xmlrpc_server extends IXR_Server {
$category = $args[3]; $category = $args[3];
$max_results = (int) $args[4]; $max_results = (int) $args[4];
if(!$this->login_pass_ok($username, $password)) { if ( !$user = $this->login($username, $password) ) {
return($this->error); return $this->error;
} }
set_current_user(0, $username);
if( !current_user_can( 'edit_posts' ) ) if( !current_user_can( 'edit_posts' ) )
return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts to this blog in order to view categories.' ) ); return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts to this blog in order to view categories.' ) );
@ -1020,10 +1034,10 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$comment_id = (int) $args[3]; $comment_id = (int) $args[3];
if ( !$this->login_pass_ok( $username, $password ) ) if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
}
set_current_user( 0, $username );
if ( !current_user_can( 'moderate_comments' ) ) if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) );
@ -1083,10 +1097,10 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$struct = $args[3]; $struct = $args[3];
if ( !$this->login_pass_ok($username, $password) ) if ( !$user = $this->login($username, $password) ) {
return($this->error); return $this->error;
}
set_current_user( 0, $username );
if ( !current_user_can( 'moderate_comments' ) ) if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit comments.' ) ); return new IXR_Error( 401, __( 'Sorry, you can not edit comments.' ) );
@ -1143,10 +1157,10 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$comment_ID = (int) $args[3]; $comment_ID = (int) $args[3];
if ( !$this->login_pass_ok( $username, $password ) ) if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
}
set_current_user( 0, $username );
if ( !current_user_can( 'moderate_comments' ) ) if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) );
@ -1175,10 +1189,10 @@ class wp_xmlrpc_server extends IXR_Server {
$comment_ID = (int) $args[3]; $comment_ID = (int) $args[3];
$content_struct = $args[4]; $content_struct = $args[4];
if ( !$this->login_pass_ok( $username, $password ) ) if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
}
set_current_user( 0, $username );
if ( !current_user_can( 'moderate_comments' ) ) if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) );
@ -1249,7 +1263,9 @@ class wp_xmlrpc_server extends IXR_Server {
$allow_anon = apply_filters('xmlrpc_allow_anonymous_comments', false); $allow_anon = apply_filters('xmlrpc_allow_anonymous_comments', false);
if ( !$this->login_pass_ok( $username, $password ) ) { $user = $this->login($username, $password);
if ( !$user ) {
$logged_in = false; $logged_in = false;
if ( $allow_anon && get_option('comment_registration') ) if ( $allow_anon && get_option('comment_registration') )
return new IXR_Error( 403, __( 'You must be registered to comment' ) ); return new IXR_Error( 403, __( 'You must be registered to comment' ) );
@ -1257,7 +1273,6 @@ class wp_xmlrpc_server extends IXR_Server {
return $this->error; return $this->error;
} else { } else {
$logged_in = true; $logged_in = true;
set_current_user( 0, $username );
} }
if ( is_numeric($post) ) if ( is_numeric($post) )
@ -1274,7 +1289,6 @@ class wp_xmlrpc_server extends IXR_Server {
$comment['comment_post_ID'] = $post_id; $comment['comment_post_ID'] = $post_id;
if ( $logged_in ) { if ( $logged_in ) {
$user = wp_get_current_user();
$comment['comment_author'] = $wpdb->escape( $user->display_name ); $comment['comment_author'] = $wpdb->escape( $user->display_name );
$comment['comment_author_email'] = $wpdb->escape( $user->user_email ); $comment['comment_author_email'] = $wpdb->escape( $user->user_email );
$comment['comment_author_url'] = $wpdb->escape( $user->user_url ); $comment['comment_author_url'] = $wpdb->escape( $user->user_url );
@ -1326,10 +1340,10 @@ class wp_xmlrpc_server extends IXR_Server {
$username = $args[1]; $username = $args[1];
$password = $args[2]; $password = $args[2];
if ( !$this->login_pass_ok( $username, $password ) ) if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
}
set_current_user( 0, $username );
if ( !current_user_can( 'moderate_comments' ) ) if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) );
@ -1354,11 +1368,10 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$post_id = (int) $args[3]; $post_id = (int) $args[3];
if( !$this->login_pass_ok( $username, $password ) ) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
set_current_user( 0, $username );
if( !current_user_can( 'edit_posts' ) ) { if( !current_user_can( 'edit_posts' ) ) {
return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) ); return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) );
} }
@ -1389,11 +1402,10 @@ class wp_xmlrpc_server extends IXR_Server {
$username = $args[1]; $username = $args[1];
$password = $args[2]; $password = $args[2];
if( !$this->login_pass_ok( $username, $password ) ) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
set_current_user( 0, $username );
if( !current_user_can( 'edit_posts' ) ) { if( !current_user_can( 'edit_posts' ) ) {
return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) );
} }
@ -1418,11 +1430,10 @@ class wp_xmlrpc_server extends IXR_Server {
$username = $args[1]; $username = $args[1];
$password = $args[2]; $password = $args[2];
if( !$this->login_pass_ok( $username, $password ) ) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
set_current_user( 0, $username );
if( !current_user_can( 'edit_posts' ) ) { if( !current_user_can( 'edit_posts' ) ) {
return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) );
} }
@ -1447,11 +1458,10 @@ class wp_xmlrpc_server extends IXR_Server {
$username = $args[1]; $username = $args[1];
$password = $args[2]; $password = $args[2];
if( !$this->login_pass_ok( $username, $password ) ) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
set_current_user( 0, $username );
if( !current_user_can( 'edit_pages' ) ) { if( !current_user_can( 'edit_pages' ) ) {
return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) );
} }
@ -1478,10 +1488,9 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$options = (array) $args[3]; $options = (array) $args[3];
if( !$this->login_pass_ok( $username, $password ) ) if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
}
$user = set_current_user( 0, $username );
// If no specific options where asked for, return all of them // If no specific options where asked for, return all of them
if (count( $options ) == 0 ) { if (count( $options ) == 0 ) {
@ -1533,10 +1542,10 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$options = (array) $args[3]; $options = (array) $args[3];
if( !$this->login_pass_ok( $username, $password ) ) if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
}
$user = set_current_user( 0, $username );
if( !current_user_can( 'manage_options' ) ) if( !current_user_can( 'manage_options' ) )
return new IXR_Error( 403, __( 'You are not allowed to update options.' ) ); return new IXR_Error( 403, __( 'You are not allowed to update options.' ) );
@ -1576,16 +1585,15 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
do_action('xmlrpc_call', 'blogger.getUsersBlogs'); do_action('xmlrpc_call', 'blogger.getUsersBlogs');
set_current_user(0, $user_login);
$is_admin = current_user_can('manage_options'); $is_admin = current_user_can('manage_options');
$struct = array( $struct = array(
@ -1613,27 +1621,24 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
if( !current_user_can( 'edit_posts' ) ) if( !current_user_can( 'edit_posts' ) )
return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) ); return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) );
do_action('xmlrpc_call', 'blogger.getUserInfo'); do_action('xmlrpc_call', 'blogger.getUserInfo');
$user_data = get_userdatabylogin($user_login);
$struct = array( $struct = array(
'nickname' => $user_data->nickname, 'nickname' => $user->nickname,
'userid' => $user_data->ID, 'userid' => $user->ID,
'url' => $user_data->user_url, 'url' => $user->user_url,
'lastname' => $user_data->last_name, 'lastname' => $user->last_name,
'firstname' => $user_data->first_name 'firstname' => $user->first_name
); );
return $struct; return $struct;
@ -1652,14 +1657,13 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$post_ID = (int) $args[1]; $post_ID = (int) $args[1];
$user_login = $args[2]; $username = $args[2];
$user_pass = $args[3]; $password = $args[3];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
if( !current_user_can( 'edit_post', $post_ID ) ) if( !current_user_can( 'edit_post', $post_ID ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
@ -1696,11 +1700,11 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$blog_ID = (int) $args[1]; /* though we don't use it yet */ $blog_ID = (int) $args[1]; /* though we don't use it yet */
$user_login = $args[2]; $username = $args[2];
$user_pass = $args[3]; $password = $args[3];
$num_posts = $args[4]; $num_posts = $args[4];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
@ -1708,8 +1712,6 @@ class wp_xmlrpc_server extends IXR_Server {
$posts_list = wp_get_recent_posts($num_posts); $posts_list = wp_get_recent_posts($num_posts);
set_current_user( 0, $user_login );
if (!$posts_list) { if (!$posts_list) {
$this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.')); $this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.'));
return $this->error; return $this->error;
@ -1756,17 +1758,16 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$blog_ID = (int) $args[1]; $blog_ID = (int) $args[1];
$user_login = $args[2]; $username = $args[2];
$user_pass = $args[3]; $password = $args[3];
$template = $args[4]; /* could be 'main' or 'archiveIndex', but we don't use it */ $template = $args[4]; /* could be 'main' or 'archiveIndex', but we don't use it */
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
do_action('xmlrpc_call', 'blogger.getTemplate'); do_action('xmlrpc_call', 'blogger.getTemplate');
set_current_user(0, $user_login);
if ( !current_user_can('edit_themes') ) { if ( !current_user_can('edit_themes') ) {
return new IXR_Error(401, __('Sorry, this user can not edit the template.')); return new IXR_Error(401, __('Sorry, this user can not edit the template.'));
} }
@ -1798,18 +1799,17 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$blog_ID = (int) $args[1]; $blog_ID = (int) $args[1];
$user_login = $args[2]; $username = $args[2];
$user_pass = $args[3]; $password = $args[3];
$content = $args[4]; $content = $args[4];
$template = $args[5]; /* could be 'main' or 'archiveIndex', but we don't use it */ $template = $args[5]; /* could be 'main' or 'archiveIndex', but we don't use it */
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
do_action('xmlrpc_call', 'blogger.setTemplate'); do_action('xmlrpc_call', 'blogger.setTemplate');
set_current_user(0, $user_login);
if ( !current_user_can('edit_themes') ) { if ( !current_user_can('edit_themes') ) {
return new IXR_Error(401, __('Sorry, this user can not edit the template.')); return new IXR_Error(401, __('Sorry, this user can not edit the template.'));
} }
@ -1841,19 +1841,18 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$blog_ID = (int) $args[1]; /* though we don't use it yet */ $blog_ID = (int) $args[1]; /* though we don't use it yet */
$user_login = $args[2]; $username = $args[2];
$user_pass = $args[3]; $password = $args[3];
$content = $args[4]; $content = $args[4];
$publish = $args[5]; $publish = $args[5];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
do_action('xmlrpc_call', 'blogger.newPost'); do_action('xmlrpc_call', 'blogger.newPost');
$cap = ($publish) ? 'publish_posts' : 'edit_posts'; $cap = ($publish) ? 'publish_posts' : 'edit_posts';
$user = set_current_user(0, $user_login);
if ( !current_user_can($cap) ) if ( !current_user_can($cap) )
return new IXR_Error(401, __('Sorry, you are not allowed to post on this blog.')); return new IXR_Error(401, __('Sorry, you are not allowed to post on this blog.'));
@ -1897,12 +1896,12 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$post_ID = (int) $args[1]; $post_ID = (int) $args[1];
$user_login = $args[2]; $username = $args[2];
$user_pass = $args[3]; $password = $args[3];
$content = $args[4]; $content = $args[4];
$publish = $args[5]; $publish = $args[5];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
@ -1916,7 +1915,6 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($actual_post); $this->escape($actual_post);
set_current_user(0, $user_login);
if ( !current_user_can('edit_post', $post_ID) ) if ( !current_user_can('edit_post', $post_ID) )
return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.')); return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.'));
@ -1953,11 +1951,11 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$post_ID = (int) $args[1]; $post_ID = (int) $args[1];
$user_login = $args[2]; $username = $args[2];
$user_pass = $args[3]; $password = $args[3];
$publish = $args[4]; $publish = $args[4];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
@ -1969,7 +1967,6 @@ class wp_xmlrpc_server extends IXR_Server {
return new IXR_Error(404, __('Sorry, no such post.')); return new IXR_Error(404, __('Sorry, no such post.'));
} }
set_current_user(0, $user_login);
if ( !current_user_can('edit_post', $post_ID) ) if ( !current_user_can('edit_post', $post_ID) )
return new IXR_Error(401, __('Sorry, you do not have the right to delete this post.')); return new IXR_Error(401, __('Sorry, you do not have the right to delete this post.'));
@ -1998,15 +1995,14 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$blog_ID = (int) $args[0]; // we will support this in the near future $blog_ID = (int) $args[0]; // we will support this in the near future
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
$content_struct = $args[3]; $content_struct = $args[3];
$publish = $args[4]; $publish = $args[4];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
$user = set_current_user(0, $user_login);
do_action('xmlrpc_call', 'metaWeblog.newPost'); do_action('xmlrpc_call', 'metaWeblog.newPost');
@ -2296,15 +2292,14 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$post_ID = (int) $args[0]; $post_ID = (int) $args[0];
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
$content_struct = $args[3]; $content_struct = $args[3];
$publish = $args[4]; $publish = $args[4];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
$user = set_current_user(0, $user_login);
do_action('xmlrpc_call', 'metaWeblog.editPost'); do_action('xmlrpc_call', 'metaWeblog.editPost');
@ -2561,14 +2556,13 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$post_ID = (int) $args[0]; $post_ID = (int) $args[0];
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
if( !current_user_can( 'edit_post', $post_ID ) ) if( !current_user_can( 'edit_post', $post_ID ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
@ -2673,11 +2667,11 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$blog_ID = (int) $args[0]; $blog_ID = (int) $args[0];
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
$num_posts = (int) $args[3]; $num_posts = (int) $args[3];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
@ -2689,8 +2683,6 @@ class wp_xmlrpc_server extends IXR_Server {
return array( ); return array( );
} }
set_current_user( 0, $user_login );
foreach ($posts_list as $entry) { foreach ($posts_list as $entry) {
if( !current_user_can( 'edit_post', $entry['ID'] ) ) if( !current_user_can( 'edit_post', $entry['ID'] ) )
continue; continue;
@ -2777,14 +2769,13 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$blog_ID = (int) $args[0]; $blog_ID = (int) $args[0];
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
if( !current_user_can( 'edit_posts' ) ) if( !current_user_can( 'edit_posts' ) )
return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
@ -2825,8 +2816,8 @@ class wp_xmlrpc_server extends IXR_Server {
global $wpdb; global $wpdb;
$blog_ID = (int) $args[0]; $blog_ID = (int) $args[0];
$user_login = $wpdb->escape($args[1]); $username = $wpdb->escape($args[1]);
$user_pass = $wpdb->escape($args[2]); $password = $wpdb->escape($args[2]);
$data = $args[3]; $data = $args[3];
$name = sanitize_file_name( $data['name'] ); $name = sanitize_file_name( $data['name'] );
@ -2835,12 +2826,12 @@ class wp_xmlrpc_server extends IXR_Server {
logIO('O', '(MW) Received '.strlen($bits).' bytes'); logIO('O', '(MW) Received '.strlen($bits).' bytes');
if ( !$this->login_pass_ok($user_login, $user_pass) ) if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
}
do_action('xmlrpc_call', 'metaWeblog.newMediaObject'); do_action('xmlrpc_call', 'metaWeblog.newMediaObject');
set_current_user(0, $user_login);
if ( !current_user_can('upload_files') ) { if ( !current_user_can('upload_files') ) {
logIO('O', '(MW) User does not have upload_files capability'); logIO('O', '(MW) User does not have upload_files capability');
$this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.')); $this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.'));
@ -2910,11 +2901,11 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$blog_ID = (int) $args[0]; $blog_ID = (int) $args[0];
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
$num_posts = (int) $args[3]; $num_posts = (int) $args[3];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
@ -2927,8 +2918,6 @@ class wp_xmlrpc_server extends IXR_Server {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
foreach ($posts_list as $entry) { foreach ($posts_list as $entry) {
if( !current_user_can( 'edit_post', $entry['ID'] ) ) if( !current_user_can( 'edit_post', $entry['ID'] ) )
continue; continue;
@ -2967,14 +2956,13 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$blog_ID = (int) $args[0]; $blog_ID = (int) $args[0];
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
if( !current_user_can( 'edit_posts' ) ) if( !current_user_can( 'edit_posts' ) )
return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );
@ -3007,14 +2995,13 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$post_ID = (int) $args[0]; $post_ID = (int) $args[0];
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
set_current_user( 0, $user_login );
if( !current_user_can( 'edit_post', $post_ID ) ) if( !current_user_can( 'edit_post', $post_ID ) )
return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
@ -3049,17 +3036,16 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$post_ID = (int) $args[0]; $post_ID = (int) $args[0];
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
$categories = $args[3]; $categories = $args[3];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
do_action('xmlrpc_call', 'mt.setPostCategories'); do_action('xmlrpc_call', 'mt.setPostCategories');
set_current_user(0, $user_login);
if ( !current_user_can('edit_post', $post_ID) ) if ( !current_user_can('edit_post', $post_ID) )
return new IXR_Error(401, __('Sorry, you can not edit this post.')); return new IXR_Error(401, __('Sorry, you can not edit this post.'));
@ -3161,16 +3147,15 @@ class wp_xmlrpc_server extends IXR_Server {
$this->escape($args); $this->escape($args);
$post_ID = (int) $args[0]; $post_ID = (int) $args[0];
$user_login = $args[1]; $username = $args[1];
$user_pass = $args[2]; $password = $args[2];
if (!$this->login_pass_ok($user_login, $user_pass)) { if ( !$user = $this->login($username, $password) ) {
return $this->error; return $this->error;
} }
do_action('xmlrpc_call', 'mt.publishPost'); do_action('xmlrpc_call', 'mt.publishPost');
set_current_user(0, $user_login);
if ( !current_user_can('edit_post', $post_ID) ) if ( !current_user_can('edit_post', $post_ID) )
return new IXR_Error(401, __('Sorry, you can not edit this post.')); return new IXR_Error(401, __('Sorry, you can not edit this post.'));
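Review bot: The new `login()` method switches the global current user as a side effect (`set_current_user( $user->ID )`), and every caller in the later hunks now drops its own `set_current_user()` call and relies on that for its `current_user_can()` checks, yet the docblock only describes the return value; add a line such as `* On success the authenticated user is also made the current user, so callers may use current_user_can() directly.` The `if ( !$user = $this->login($username, $password) ) {` form repeated at each call site is correct because `!` applies to the assignment result, but it reads like a typo; the two-step `$user = $this->login($username, $password); if ( !$user ) {` already used in wp.newComment is clearer and would make the call sites consistent. Separately, metaWeblog.newMediaObject still feeds `$wpdb->escape()`'d credentials into `login()` (and the other methods run `$this->escape($args)` before reading the username and password), so a password containing a quote or backslash is apparently altered before `wp_authenticate()` sees it — worth confirming whether the authentication path undoes that escaping, since otherwise such accounts cannot authenticate over XML-RPC.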