From fcc970a1cf82bc90ad83c8e609691f86c7038135 Mon Sep 17 00:00:00 2001
From: desrosj
Date: Thu, 29 Oct 2020 17:44:07 +0000
Subject: [PATCH] XML-RPC: Improve error messages for unprivileged users.

Add specific permission checks to avoid ambiguous failure messages.

Props zieladam, peterwilsoncc, xknown, whyisjake.
Built from https://develop.svn.wordpress.org/trunk@49380

git-svn-id: http://core.svn.wordpress.org/trunk@49139 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-xmlrpc-server.php | 15 +++++++++++++++
 wp-includes/version.php | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/wp-includes/class-wp-xmlrpc-server.php b/wp-includes/class-wp-xmlrpc-server.php
index ae6bdd0cb6..53566cbeff 100644
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -3876,6 +3876,21 @@ class wp_xmlrpc_server extends IXR_Server {
 return new IXR_Error( 403, __( 'Sorry, comments are closed for this item.' ) );
 }

+ if (
+ 'publish' === get_post_status( $post_id ) &&
+ ! current_user_can( 'edit_post', $post_id ) &&
+ post_password_required( $post_id )
+ ) {
+ return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+ }
+
+ if (
+ 'private' === get_post_status( $post_id ) &&
+ ! current_user_can( 'read_post', $post_id )
+ ) {
+ return new IXR_Error( 403, __( 'Sorry, you are not allowed to comment on this post.' ) );
+ }
+
 $comment = array(
 'comment_post_ID' => $post_id,
 'comment_content' => trim( $content_struct['content'] ),
diff --git a/wp-includes/version.php b/wp-includes/version.php
index f4784a78ab..36f3a29030 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.6-beta2-49371';
+$wp_version = '5.6-beta2-49380';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
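Review bot: The two guards added before `$comment = array(` only stop `'publish'` posts that require a password and `'private'` posts, so a post in any other non-public status (draft, pending, future, trash, or a custom status) passes both of them. The enclosing method starts and ends outside the hunk, so please confirm that an earlier check already rejects those statuses; if none does, a deny-by-default shape would be safer than listing statuses one at a time. `get_post_status( $post_id )` is also evaluated twice; reading it once with `$post_status = get_post_status( $post_id );` keeps both conditions on the same value and makes the access decision easier to audit. Neither guard states its intent, so I would add a comment such as `// Protected and private posts: only users who may edit (protected) or read (private) the post can comment over XML-RPC.` That comment could also note that `post_password_required()` relies on the post-password cookie, which an XML-RPC client normally does not send, so in practice the first guard limits comments on protected posts to users with `edit_post`.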