[wp-trac] [WordPress Trac] #24916: XML-RPC "wp_author_id" ignored when changing author to self
WordPress Trac
noreply at wordpress.org
Tue Mar 24 17:09:27 UTC 2015
#24916: XML-RPC "wp_author_id" ignored when changing author to self
-------------------------------------------------+-------------------------
 Reporter: redsweater                            | Owner: johnbillion
 Type: defect (bug)                              | Status: reviewing
 Priority: normal                                | Milestone: 4.2
 Component: XML-RPC                              | Version: 3.8
 Severity: normal                                | Resolution:
 Keywords: has-patch 2nd-opinion                 | Focuses:
  reporter-feedback                              |
-------------------------------------------------+-------------------------
Comment (by redsweater):

Replying to [comment:13 johnbillion]:
> This change makes sense, but I'm struggling to understand why the two
> `edit_others_*` permissions checks are in place here. AFAICT they are
> redundant due to the `if ( ! current_user_can( 'edit_post', $post_ID ) )`
> check near the beginning of `wp_xmlrpc_server::mw_editPost()`.
>
> Thoughts?

In my original patch I just took it for granted that code was correct (and
the intent of this bug and patch is to avoid reaching that code in the
case the current user is simply supplying their own author ID for their
own post).

I assume that although it has been confirmed the user can edit the post,
that doesn't necessarily give them the right to change the authorship on
the post to e.g. another author. Consider a scenario where the post is
currently in the current user's name, and they want to change the
authorship to another person. In that case it makes sense that a higher
level of permission than just "edit_post" should be required to proceed.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24916#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
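
The distinction drawn in the comment above (being allowed to edit a post versus being allowed to reassign its authorship), as an added sketch that is not part of the original message and is not WordPress core code. The helper `author_change_allowed()` and the injected `$has_cap` callable are hypothetical; treating a move of authorship away from another user the same as a move to another user is an assumption of this sketch.

```php
<?php
// Added illustration; hypothetical helper, not WordPress core code.
// $has_cap stands in for a capability lookup such as current_user_can();
// it is injected so the sketch runs without WordPress loaded.

function author_change_allowed(
    int $current_user_id,
    array $post,
    ?int $requested_author_id,
    callable $has_cap
): bool {
    // Object-level check: may this user edit this post at all?
    if (!$has_cap('edit_post', $post['ID'])) {
        return false;
    }

    // No author supplied: authorship is untouched, nothing more to check.
    if ($requested_author_id === null) {
        return true;
    }

    // The user names themselves on a post they already own. This is not a
    // reassignment, so the elevated check must not be reached.
    if ($requested_author_id === $current_user_id
        && $post['post_author'] === $current_user_id) {
        return true;
    }

    // Authorship moves to or from another user (assumption: both directions
    // need the elevated capability for the post type).
    $cap = $post['post_type'] === 'page' ? 'edit_others_pages' : 'edit_others_posts';
    return $has_cap($cap);
}

// Constructed sample: user 7 is an author-level account that owns post 42.
$caps    = ['edit_post' => true, 'edit_others_posts' => false];
$has_cap = fn(string $cap, ...$args): bool => $caps[$cap] ?? false;
$post    = ['ID' => 42, 'post_type' => 'post', 'post_author' => 7];

var_dump(author_change_allowed(7, $post, 7, $has_cap));    // own ID on own post
var_dump(author_change_allowed(7, $post, 9, $has_cap));    // reassign to user 9
var_dump(author_change_allowed(7, $post, null, $has_cap)); // author not supplied
```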