[wp-trac] [WordPress Trac] #22320: getRecentPosts API succeeds with empty response for unauthorized user

WordPress Trac noreply at wordpress.org
Tue Oct 30 17:23:43 UTC 2012


#22320: getRecentPosts API succeeds with empty response for unauthorized user
-----------------------------+--------------------------
 Reporter:  redsweater       |       Type:  defect (bug)
   Status:  new              |   Priority:  normal
Milestone:  Awaiting Review  |  Component:  XML-RPC
  Version:  trunk            |   Severity:  normal
 Keywords:  has-patch        |
-----------------------------+--------------------------
 In a multi-user configuration where a user is authenticated for another
 blog on the same WordPress installation, a getRecentPosts call to the API
 endpoint for a blog they are NOT a member of returns an empty list instead
 of failing with an error.

 I am attaching a patch that brings the behavior of mw_getRecentPosts and
 blogger_getRecentPosts in line with other "get" API call variants such as
 wp_getPosts and wp_getPages that establish precedent for rejecting access
 to the list of posts if the user doesn't have an "edit" capability for the
 assets in question.

 This is mostly a usability issue in scenarios where a user has configured
 a client with a correct user name and password, but pointed to the wrong
 blog. This is most likely to happen on a large multi-user site such as
 WordPress.com where it would be easy for a user to type a wrong
 "whatever.wordpress.com" URL and have it correspond to an actual blog on
 the site for which they don't have permission. In this case the current
 behavior of returning an empty list just leaves the user mystified. With
 my patch the client app will receive an appropriate unauthorized error
 that will notify the user they don't have privileges for the blog being
 connected to.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/22320>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
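
Illustrative PHP, added here as an example; it is neither the reporter's attached patch nor WordPress core code. It contrasts a per-post capability filter that silently yields an empty array with the up-front `edit_posts` check and `IXR_Error` fault that `wp_getPosts` and `wp_getPages` use, the precedent the ticket points to. The class and method names, the use of `$this->login()`/`$this->escape()`, and the simplified post structs are assumptions.

```php
<?php
// Added illustrative code, not the ticket's patch or WordPress core. Assumes the
// wp_xmlrpc_server conventions (login(), escape(), IXR_Error); method bodies are simplified.
class Example_XMLRPC_Server extends wp_xmlrpc_server {

    // Before: each post the caller cannot edit is skipped, so an authenticated user
    // who is not a member of this blog receives array() with a "success" response.
    public function mw_getRecentPosts_before( $args ) {
        $this->escape( $args );
        $num = isset( $args[3] ) ? absint( $args[3] ) : 10;

        if ( ! $user = $this->login( $args[1], $args[2] ) ) {
            return $this->error; // wrong credentials still fail loudly
        }

        $struct = array();
        foreach ( wp_get_recent_posts( array( 'numberposts' => $num ) ) as $entry ) {
            if ( ! current_user_can( 'edit_post', $entry['ID'] ) ) {
                continue; // non-member: every post skipped, caller gets an empty list
            }
            $struct[] = array( 'postid' => $entry['ID'], 'title' => $entry['post_title'] );
        }
        return $struct;
    }

    // After: reject the request up front, as wp_getPosts / wp_getPages do. A client
    // pointed at the wrong blog now receives a 401 fault it can show to the user.
    public function mw_getRecentPosts_after( $args ) {
        $this->escape( $args );
        $num = isset( $args[3] ) ? absint( $args[3] ) : 10;

        if ( ! $user = $this->login( $args[1], $args[2] ) ) {
            return $this->error;
        }
        if ( ! current_user_can( 'edit_posts' ) ) {
            return new IXR_Error( 401, __( 'Sorry, you cannot edit posts on this site.' ) );
        }

        $struct = array();
        foreach ( wp_get_recent_posts( array( 'numberposts' => $num ) ) as $entry ) {
            if ( ! current_user_can( 'edit_post', $entry['ID'] ) ) {
                continue; // per-post check still applies, e.g. another author's draft
            }
            $struct[] = array( 'postid' => $entry['ID'], 'title' => $entry['post_title'] );
        }
        return $struct;
    }
}
```

The blog-level check runs against the blog whose XML-RPC endpoint was called, which is exactly the wrong-blog case the ticket describes; the per-post check is kept so role-based limits within the correct blog behave as before.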