Upstream/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2025-01-21 15:51:26 +01:00
Code Issues Projects Releases Wiki Activity

XML-RPC: wp.getComments should be allowed to return approved comments to those without the 'moderate_comments' cap.

Browse Source 
Adds (rewrites) unit tests from 4 years ago that we never committed because....

Props wonderboymusic, koke, ericmann, nprasath002.
Fixes #17981.

Built from https://develop.svn.wordpress.org/trunk@34570


git-svn-id: http://core.svn.wordpress.org/trunk@34534 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Scott Taylor 2015-09-26 02:49:27 +00:00
parent fa90b77ba4
commit a0ccd4eae8
2 changed files with 46 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
wp-includes/class-wp-xmlrpc-server.php
View File

@ -3155,17 +3155,20 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$comment_id = (int) $args[3]; $comment_id = (int) $args[3];
if ( !$user = $this->login($username, $password) ) if ( ! $user = $this->login( $username, $password ) ) {
return $this->error; return $this->error;
}
if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getComment' ); do_action( 'xmlrpc_call', 'wp.getComment' );
if ( ! $comment = get_comment($comment_id) ) if ( ! $comment = get_comment( $comment_id ) ) {
return new IXR_Error( 404, __( 'Invalid comment ID.' ) ); return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
}
if ( ! current_user_can( 'edit_comment', $comment_id ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
}
return $this->_prepare_comment( $comment ); return $this->_prepare_comment( $comment );
} }
@ -3206,9 +3209,6 @@ class wp_xmlrpc_server extends IXR_Server {
if ( ! $user = $this->login($username, $password ) ) if ( ! $user = $this->login($username, $password ) )
return $this->error; return $this->error;
if ( !current_user_can( 'moderate_comments' ) )
return new IXR_Error( 401, __( 'Sorry, you cannot edit comments.' ) );
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getComments' ); do_action( 'xmlrpc_call', 'wp.getComments' );
@ -3217,6 +3217,10 @@ class wp_xmlrpc_server extends IXR_Server {
else else
$status = ''; $status = '';
if ( ! current_user_can( 'moderate_comments' ) && 'approve' !== $status ) {
return new IXR_Error( 401, __( 'Invalid comment status.' ) );
}
$post_id = ''; $post_id = '';
if ( isset($struct['post_id']) ) if ( isset($struct['post_id']) )
$post_id = absint($struct['post_id']); $post_id = absint($struct['post_id']);
@ -3267,17 +3271,17 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$comment_ID = (int) $args[3]; $comment_ID = (int) $args[3];
if ( !$user = $this->login($username, $password) ) if ( ! $user = $this->login( $username, $password ) ) {
return $this->error; return $this->error;
}
if ( !current_user_can( 'moderate_comments' ) ) if ( ! get_comment( $comment_ID ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
if ( ! get_comment($comment_ID) )
return new IXR_Error( 404, __( 'Invalid comment ID.' ) ); return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
}
if ( !current_user_can( 'edit_comment', $comment_ID ) ) if ( !current_user_can( 'edit_comment', $comment_ID ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) ); return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.deleteComment' ); do_action( 'xmlrpc_call', 'wp.deleteComment' );
@ -3334,17 +3338,17 @@ class wp_xmlrpc_server extends IXR_Server {
$comment_ID = (int) $args[3]; $comment_ID = (int) $args[3];
$content_struct = $args[4]; $content_struct = $args[4];
if ( !$user = $this->login($username, $password) ) if ( !$user = $this->login( $username, $password ) ) {
return $this->error; return $this->error;
}
if ( !current_user_can( 'moderate_comments' ) ) if ( ! get_comment( $comment_ID ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
if ( ! get_comment($comment_ID) )
return new IXR_Error( 404, __( 'Invalid comment ID.' ) ); return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
}
if ( !current_user_can( 'edit_comment', $comment_ID ) ) if ( ! current_user_can( 'edit_comment', $comment_ID ) ) {
return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) ); return new IXR_Error( 403, __( 'You are not allowed to moderate or edit this comment.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.editComment' ); do_action( 'xmlrpc_call', 'wp.editComment' );
@ -3542,11 +3546,13 @@ class wp_xmlrpc_server extends IXR_Server {
$username = $args[1]; $username = $args[1];
$password = $args[2]; $password = $args[2];
if ( !$user = $this->login($username, $password) ) if ( ! $user = $this->login( $username, $password ) ) {
return $this->error; return $this->error;
}
if ( !current_user_can( 'moderate_comments' ) ) if ( ! current_user_can( 'publish_posts' ) ) {
return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) ); return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getCommentStatusList' ); do_action( 'xmlrpc_call', 'wp.getCommentStatusList' );
@ -3576,16 +3582,24 @@ class wp_xmlrpc_server extends IXR_Server {
$password = $args[2]; $password = $args[2];
$post_id = (int) $args[3]; $post_id = (int) $args[3];
if ( !$user = $this->login($username, $password) ) if ( ! $user = $this->login( $username, $password ) ) {
return $this->error; return $this->error;
}
if ( !current_user_can( 'edit_posts' ) ) $post = get_post( $post_id, ARRAY_A );
return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) ); if ( empty( $post['ID'] ) ) {
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
}
if ( ! current_user_can( 'edit_post', $post_id ) ) {
return new IXR_Error( 403, __( 'You are not allowed access to details of this post.' ) );
}
/** This action is documented in wp-includes/class-wp-xmlrpc-server.php */ /** This action is documented in wp-includes/class-wp-xmlrpc-server.php */
do_action( 'xmlrpc_call', 'wp.getCommentCount' ); do_action( 'xmlrpc_call', 'wp.getCommentCount' );
$count = wp_count_comments( $post_id ); $count = wp_count_comments( $post_id );
return array( return array(
'approved' => $count->approved, 'approved' => $count->approved,
'awaiting_moderation' => $count->moderated, 'awaiting_moderation' => $count->moderated,

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.4-alpha-34569'; $wp_version = '4.4-alpha-34570';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.