
Commit ba8e3e8

committed
Make the xmlrpc user the current user. fixes WordPress#2273
git-svn-id: https://develop.svn.wordpress.org/trunk@3430 602fd350-edb4-49c9-b593-d223f7449a82
1 parent 835a8b9 commit ba8e3e8

3 files changed

Lines changed: 65 additions & 27 deletions


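--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -530,9 +530,17 @@ function kses_init_filters() {
 function kses_init() {
 global $current_user;
 
-get_currentuserinfo(); // set $current_user
+remove_filter('pre_comment_author', 'wp_filter_kses');
+remove_filter('pre_comment_content', 'wp_filter_kses');
+remove_filter('content_save_pre', 'wp_filter_post_kses');
+remove_filter('title_save_pre', 'wp_filter_kses');
+
+if (! defined('XMLRPC_REQUEST') )
+get_currentuserinfo();
+
 if (current_user_can('unfiltered_html') == false)
 kses_init_filters();
 }
 add_action('init', 'kses_init');
+add_action('set_current_user', 'kses_init');
 ?>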
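Review bot: The fail-closed property of the new `kses_init` is implicit and deserves a comment: on an XML-RPC request the `init` run skips `get_currentuserinfo()`, so `current_user_can('unfiltered_html')` is evaluated with no user set and the filters are installed; they are only lifted when the `set_current_user` action re-runs this function with the authenticated user. That only holds if `current_user_can` treats an unset `$current_user` as lacking every capability, which is not visible here and should be confirmed. I would add above the `if (! defined('XMLRPC_REQUEST') )` line: `// XML-RPC: no user is known at init, so kses stays on until set_current_user() re-runs this.`. The `== false` comparison on the capability check reads more directly as `if ( !current_user_can('unfiltered_html') )`.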

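--- a/wp-includes/pluggable-functions.php
+++ b/wp-includes/pluggable-functions.php
@@ -3,11 +3,38 @@
 /* These functions can be replaced via plugins. They are loaded after
 plugins are loaded. */
 
+if ( !function_exists('set_current_user') ) :
+function set_current_user($id, $name = '') {
+global $user_login, $userdata, $user_level, $user_ID, $user_email, $user_url, $user_pass_md5, $user_identity, $current_user;
+
+$current_user = '';
+
+$current_user = new WP_User($id, $name);
+
+$userdata = get_userdatabylogin($user_login);
+
+$user_login = $userdata->user_login;
+$user_level = $userdata->user_level;
+$user_ID = $userdata->ID;
+$user_email = $userdata->user_email;
+$user_url = $userdata->user_url;
+$user_pass_md5 = md5($userdata->user_pass);
+$user_identity = $userdata->display_name;
+
+do_action('set_current_user');
+
+return $current_user;
+}
+endif;
+
 
 if ( !function_exists('get_currentuserinfo') ) :
 function get_currentuserinfo() {
 global $user_login, $userdata, $user_level, $user_ID, $user_email, $user_url, $user_pass_md5, $user_identity, $current_user;
 
+if ( defined('XMLRPC_REQUEST') && XMLRPC_REQUEST )
+return false;
+
 if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) ||
 !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) ) {
 $current_user = new WP_User(0);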
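Review bot: In the new `set_current_user`, the lookup `$userdata = get_userdatabylogin($user_login);` reads the global `$user_login` before this function assigns it, so it resolves whatever a previous call left behind (or nothing on a fresh XML-RPC request) rather than the `$id`/`$name` the caller passed; `$name` is only ever handed to the `WP_User` constructor. With a stale or empty login the `$userdata->...` reads that follow will populate `$user_ID`, `$user_level` and the rest from the wrong account or from a non-object, while `$current_user` holds the requested one — the two views of "who is logged in" then disagree, which matters because the kses and capability checks in this commit key off these globals. Look up the user through the object just built, assuming `WP_User` exposes the login as it does `ID` elsewhere in this commit (`$user->ID` in mw_newPost): `$userdata = get_userdatabylogin($current_user->user_login);`, and bail out before the property reads when that lookup fails, e.g. `if ( !$userdata ) return false;`. get_currentuserinfo continues past the hunk, so its handling of the new early `return false` for callers that expect the globals to be populated is not visible here.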

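--- a/xmlrpc.php
+++ b/xmlrpc.php
@@ -1,5 +1,10 @@
 <?php
 
+define('XMLRPC_REQUEST', true);
+
+// Some browser-embedded clients send cookies. We don't want them.
+$_COOKIE = array();
+
 # fix for mozBlog and other cases where '<?xml' isn't on the very first line
 $HTTP_RAW_POST_DATA = trim($HTTP_RAW_POST_DATA);
 
@@ -179,16 +184,16 @@ function blogger_getUsersBlogs($args) {
 return $this->error;
 }
 
-$user = new WP_User(0, $user_login);
-$is_admin = $user->has_cap('level_8');
+set_current_user(0, $user_login);
+$is_admin = current_user_can('level_8');
 
 $struct = array(
 'isAdmin' => $is_admin,
 'url' => get_settings('home') . '/',
 'blogid' => '1',
 'blogName' => get_settings('blogname')
 );
-
+error_log(print_r($struct,1), 3, '/tmp/xmlrpc');
 return array($struct);
 }
 
@@ -317,8 +322,8 @@ function blogger_getTemplate($args) {
 return $this->error;
 }
 
-$user = new WP_User(0, $user_login);
-if ( !$user->has_cap('edit_themes') ) {
+set_current_user(0, $user_login);
+if ( !current_user_can('edit_themes') ) {
 return new IXR_Error(401, 'Sorry, this user can not edit the template.');
 }
 
@@ -352,8 +357,8 @@ function blogger_setTemplate($args) {
 return $this->error;
 }
 
-$user = new WP_User(0, $user_login);
-if ( !$user->has_cap('edit_themes') ) {
+set_current_user(0, $user_login);
+if ( !current_user_can('edit_themes') ) {
 return new IXR_Error(401, 'Sorry, this user can not edit the template.');
 }
 
@@ -390,9 +395,8 @@ function blogger_newPost($args) {
 }
 
 $cap = ($publish) ? 'publish_posts' : 'edit_posts';
-
-$user = new WP_User(0, $user_login);
-if ( !$user->has_cap($cap) )
+$user = set_current_user(0, $user_login);
+if ( !current_user_can($cap) )
 return new IXR_Error(401, 'Sorry, you can not post on this weblog or category.');
 
 $post_status = ($publish) ? 'publish' : 'draft';
@@ -445,8 +449,8 @@ function blogger_editPost($args) {
 
 $this->escape($actual_post);
 
-$user = new WP_User(0, $user_login);
-if ( !$user->has_cap('edit_post', $post_ID) )
+set_current_user(0, $user_login);
+if ( !current_user_can('edit_post', $post_ID) )
 return new IXR_Error(401, 'Sorry, you do not have the right to edit this post.');
 
 extract($actual_post);
@@ -489,8 +493,8 @@ function blogger_deletePost($args) {
 return new IXR_Error(404, 'Sorry, no such post.');
 }
 
-$user = new WP_User(0, $user_login);
-if ( !$user->has_cap('edit_post', $post_ID) )
+set_current_user(0, $user_login);
+if ( !current_user_can('edit_post', $post_ID) )
 return new IXR_Error(401, 'Sorry, you do not have the right to delete this post.');
 
 $result = wp_delete_post($post_ID);
@@ -525,8 +529,8 @@ function mw_newPost($args) {
 return $this->error;
 }
 
-$user = new WP_User(0, $user_login);
-if ( !$user->has_cap('publish_posts') )
+$user = set_current_user(0, $user_login);
+if ( !current_user_can('publish_posts') )
 return new IXR_Error(401, 'Sorry, you can not post on this weblog or category.');
 
 $post_author = $user->ID;
@@ -605,8 +609,8 @@ function mw_editPost($args) {
 return $this->error;
 }
 
-$user = new WP_User(0, $user_login);
-if ( !$user->has_cap('edit_post', $post_ID) )
+set_current_user(0, $user_login);
+if ( !current_user_can('edit_post', $post_ID) )
 return new IXR_Error(401, 'Sorry, you can not edit this post.');
 
 $postdata = wp_get_single_post($post_ID, ARRAY_A);
@@ -844,9 +848,8 @@ function mw_newMediaObject($args) {
 if ( !$this->login_pass_ok($user_login, $user_pass) )
 return $this->error;
 
-$user = new WP_User(0, $user_login);
-
-if ( !$user->has_cap('upload_files') ) {
+set_current_user(0, $user_login);
+if ( !current_user_can('upload_files') ) {
 logIO('O', '(MW) User does not have upload_files capability');
 $this->error = new IXR_Error(401, 'You are not allowed to upload files to this site.');
 return $this->error;
@@ -984,8 +987,8 @@ function mt_setPostCategories($args) {
 return $this->error;
 }
 
-$user = new WP_User(0, $user_login);
-if ( !$user->has_cap('edit_post', $post_ID) )
+set_current_user(0, $user_login);
+if ( !current_user_can('edit_post', $post_ID) )
 return new IXR_Error(401, 'Sorry, you can not edit this post.');
 
 foreach($categories as $cat) {
@@ -1066,8 +1069,8 @@ function mt_publishPost($args) {
 return $this->error;
 }
 
-$user = new WP_User(0, $user_login);
-if ( !$user->has_cap('edit_post', $post_ID) )
+set_current_user(0, $user_login);
+if ( !current_user_can('edit_post', $post_ID) )
 return new IXR_Error(401, 'Sorry, you can not edit this post.');
 
 $postdata = wp_get_single_post($post_ID,ARRAY_A);
@@ -1282,4 +1285,4 @@ function pingback_extensions_getPingbacks($args) {
 
 $wp_xmlrpc_server = new wp_xmlrpc_server();
 
-?>
+?>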
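Review bot: The line `error_log(print_r($struct,1), 3, '/tmp/xmlrpc');` added in the `@@ -179,16 +184,16 @@` hunk of blogger_getUsersBlogs looks like leftover debugging and should not ship: it appends the response of every getUsersBlogs call to a fixed, predictable path in a shared temp directory, unconditionally and on every request. Writing to a well-known name in /tmp is readable by other local users and is the classic spot for symlink tricks, and nothing here guards against it; the existing `logIO(...)` helper seen in mw_newMediaObject is the project's logging path if this output is actually wanted. Drop the line and restore the blank line the hunk removed, `` (blank) before `return array($struct);`. The `$_COOKIE = array();` reset at the top of the file is a good complement to the new `XMLRPC_REQUEST` guard in get_currentuserinfo, since it ensures the per-method `set_current_user(0, $user_login)` calls are the only identity source on this endpoint; a one-line comment tying the two together, `// XMLRPC_REQUEST makes get_currentuserinfo() a no-op; identity comes only from set_current_user() per method.`, would help the next reader. blogger_getUsersBlogs starts before the hunk, so the `login_pass_ok` check that precedes this code is not visible here.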
