[wp-trac] Re: [WordPress Trac] #8672: XML RPC method bug in 2.7 in wp_newComment()
WordPress Trac
wp-trac at lists.automattic.com
Fri Dec 19 03:25:33 GMT 2008
#8672: XML RPC method bug in 2.7 in wp_newComment()
------------------------------+---------------------------------------------
Reporter: screamingtoaster | Owner: josephscott
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.7.1
Component: XML-RPC | Version: 2.7
Severity: critical | Resolution:
Keywords: |
------------------------------+---------------------------------------------
Comment (by screamingtoaster):
Replying to [comment:1 josephscott]:
Hi Joseph
Thanks for looking into this so quickly. My comments are below.
> 1- I can't replicate this problem, I've confirmed that for an invalid
> username/password code does execute to the !$allow_anon check. While an
> error is stored in $this->error at the time of the user check failing, it
> isn't used until further into the code. If you can provide detailed steps
> on how to reproduce the reported problem I'd be happy to help track it
> down.
>
I would be glad to give you a copy of my database that contains the data
I'm testing against. Please let me know if you want this and I will upload
this. Here's a step by step guide for me to encounter this problem:
1. I create a new admin user (uid:admin, with role:admin)
2. I create a new regular user (uid:user, with role:contributor)
3. I create a new comment by calling wp.newComment and pass the uid:user
as the user, and ask it to create a comment for a post that has comments
open. This then results in an error "org.apache.xmlrpc.XmlRpcException:
You are not allowed to moderate comments on this blog."
4. I can call the same wp.newComment method as uid:admin, and it works; I
can then edit the comment and make the author uid:user.
My question is, I can post a comment as uid:user using the WordPress user
interface, but via XMLRPC there seems to be an issue with role
capabilities that exceed Contributor. So how are anonymous comments
possible? If I don't provide a userid/password to log in with, I get
another error: "org.apache.xmlrpc.XmlRpcException: Bad login/pass
combination."
So how can I create a comment anonymously with just an author name, email,
and url? This code doesn't seem to support this?
> 2- I don't think we talked about addressing the case where a valid user
> is trying to leave a comment as someone else. Just before the code block
> you quoted you'll see a check for $logged_in. If $logged_in is true then
> we always use their account info to populate the author details. If it's
> false then we populate the comment author details with the values
> provided, if they were provided at all.
For this part of the issue, as I've shown for part 1, an anonymous user or
non-admin user can't post comments, so the parts of the code that look for
author{name, email, and url} aren't even checked. Even if they were
checked, the if/then statements querying the struct are incorrect. The
existence of "author" is used to determine whether "author_email",
"author_url" should be used.
Please let me know if you need any more information from me. I'm using
Java and Apache XMLRPC to get to WordPress. I'm creating a BlackBerry app,
as well as a GWT-based app to allow editing WordPress blogs.
Thanks,
Nazmul
[mailto:screamingtoaster at gmail.com]
--
Ticket URL: <http://trac.wordpress.org/ticket/8672#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
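
The struct check described in the comment above, sketched as an added example that is not part of the original message and is not WordPress source: one function gates every author field on the "author" key as reported, the other checks each key on its own. All function names and the sample struct are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not WordPress source. All function names are hypothetical.

const EMPTY_AUTHOR = [
    'comment_author'       => '',
    'comment_author_email' => '',
    'comment_author_url'   => '',
];

// Pattern as reported in the ticket: all three fields hinge on 'author'.
// If only 'author' is sent, the two reads below hit keys that do not exist.
function fields_gated_on_author(array $struct): array {
    $c = EMPTY_AUTHOR;
    if (isset($struct['author']))
        $c['comment_author'] = $struct['author'];
    if (isset($struct['author']))            // tests the wrong key
        $c['comment_author_email'] = $struct['author_email'];
    if (isset($struct['author']))            // tests the wrong key
        $c['comment_author_url'] = $struct['author_url'];
    return $c;
}

// Per-key check: a field is copied only if that field was supplied as a string.
function fields_checked_per_key(array $struct): array {
    $c = EMPTY_AUTHOR;
    $map = [
        'author'       => 'comment_author',
        'author_email' => 'comment_author_email',
        'author_url'   => 'comment_author_url',
    ];
    foreach ($map as $in => $out) {
        if (isset($struct[$in]) && is_string($struct[$in])) {
            $c[$out] = $struct[$in];
        }
    }
    return $c;
}

// Logged-in callers always get their own account details; the struct is ignored.
function comment_author(bool $logged_in, array $account, array $struct, callable $from_struct): array {
    return $logged_in ? $account : $from_struct($struct);
}

// Constructed sample input: an anonymous caller who sends email and URL but no name.
$struct = ['author_email' => 'visitor@example.org', 'author_url' => 'http://example.org/'];
foreach (['fields_gated_on_author', 'fields_checked_per_key'] as $fn) {
    echo $fn, ': ', json_encode(comment_author(false, [], $struct, $fn)), "\n";
}
```

Run with the `php` command-line interpreter; the two output lines show which fields survive under each check for the same anonymous struct.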