From f2ea13fd3bf0062e924fcba8d171fe5986443701 Mon Sep 17 00:00:00 2001
From: ryan <ryan@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Wed, 26 Dec 2007 19:50:26 +0000
Subject: [PATCH] Limit post_password exposure.  Props josephscott for the
 patch and xknown for the find. fixes #5535 for 2.4

git-svn-id: http://svn.automattic.com/wordpress/trunk@6496 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 xmlrpc.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/xmlrpc.php b/xmlrpc.php
index 731f98be41..b30b8cc153 100644
--- a/xmlrpc.php
+++ b/xmlrpc.php
@@ -1535,7 +1535,15 @@ class wp_xmlrpc_server extends IXR_Server {
 			return $this->error;
 		}
 
+		$this_user = set_current_user( 0, $user_login );
+
 		foreach ($posts_list as $entry) {
+			if ( 
+				!empty( $entry['post_password'] ) 
+				&& !current_user_can( 'edit_post', $entry['ID'] )
+			) {
+				unset( $entry['post_password'] );
+			}
 
 			$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']);
 			$post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);