From 0bffacac50c39c8a5bc07012ce87f366d65c6255 Mon Sep 17 00:00:00 2001 From: ryan Date: Mon, 23 Apr 2012 21:54:30 +0000 Subject: [PATCH] Check the publish_post cap when publishing an already existing post. Props nprasath002 Fixes #20474 git-svn-id: http://svn.automattic.com/wordpress/trunk@20568 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/class-wp-xmlrpc-server.php | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php index be7b4f5b54..b7783ff817 100644 --- a/wp-includes/class-wp-xmlrpc-server.php +++ b/wp-includes/class-wp-xmlrpc-server.php @@ -785,13 +785,23 @@ class wp_xmlrpc_server extends IXR_Server { case 'pending': break; case 'private': - if ( ! current_user_can( $post_type->cap->publish_posts ) ) - return new IXR_Error( 401, __( 'Sorry, you are not allowed to create private posts in this post type' )); + if ( $update ) { + if ( ! current_user_can( $post_type->cap->publish_post, $post_data[ 'ID' ] ) ) + return new IXR_Error( 401, __( 'Sorry, you are not allowed to set this post as private.' ) ); + } else { + if ( ! current_user_can( $post_type->cap->publish_posts ) ) + return new IXR_Error( 401, __( 'Sorry, you are not allowed to create private posts in this post type' )); + } break; case 'publish': case 'future': - if ( ! current_user_can( $post_type->cap->publish_posts ) ) - return new IXR_Error( 401, __( 'Sorry, you are not allowed to publish posts in this post type' )); + if ( $update ) { + if ( ! current_user_can( $post_type->cap->publish_post, $post_data[ 'ID' ] ) ) + return new IXR_Error( 401, __( 'Sorry, you are not allowed to publish this post.' ) ); + } else { + if ( ! current_user_can( $post_type->cap->publish_posts ) ) + return new IXR_Error( 401, __( 'Sorry, you are not allowed to publish posts in this post type' )); + } break; default: $post_data['post_status'] = 'draft';