[wp-trac] [WordPress Trac] #24916: XML-RPC "wp_author_id" ignored when changing author to self

WordPress Trac noreply at wordpress.org
Tue Mar 24 17:09:27 UTC 2015


#24916: XML-RPC "wp_author_id" ignored when changing author to self
-------------------------------------------------+-------------------------
 Reporter:  redsweater                           |       Owner:  johnbillion
     Type:  defect (bug)                         |      Status:  reviewing
 Priority:  normal                               |   Milestone:  4.2
Component:  XML-RPC                              |     Version:  3.8
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch 2nd-opinion                |     Focuses:
  reporter-feedback                              |
-------------------------------------------------+-------------------------

Comment (by redsweater):

 Replying to [comment:13 johnbillion]:
 > This change makes sense, but I'm struggling to understand why the two
 > `edit_others_*` permissions checks are in place here. AFAICT they are
 > redundant due to the `if ( ! current_user_can( 'edit_post', $post_ID ) )`
 > check near the beginning of `wp_xmlrpc_server::mw_editPost()`.
 >
 > Thoughts?

 In my original patch I just took it for granted that code was correct (and
 the intent of this bug and patch is to avoid reaching that code in the
 case the current user is simply supplying their own author ID for their
 own post).

 I assume that although it has been confirmed the user can edit the post,
 that doesn't necessarily give them the right to change the authorship on
 the post to e.g. another author. Consider a scenario where the post is
 currently in the current user's name, and they want to change the
 authorship to another person. In that case it makes sense that a higher
 level of permission than just "edit_post" should be required to proceed.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24916#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
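
The scenario in the comment above, as an added example that is not part of the original message and is not WordPress core code: a simplified model in which passing the per-post edit check does not by itself permit assigning the post to another user. The role table and the helpers `has_cap`, `can_edit_post` and `resolve_author` are assumptions made for illustration.

```php
<?php
// Simplified model of the two checks discussed in the ticket. Not WordPress
// code: the role table and every helper name here are assumptions.
const ROLE_CAPS = [
    'author' => ['edit_posts', 'edit_published_posts'],
    'editor' => ['edit_posts', 'edit_published_posts', 'edit_others_posts'],
];

function has_cap(array $user, string $cap): bool {
    return in_array($cap, ROLE_CAPS[$user['role']] ?? [], true);
}

// Per-post check: editing someone else's post needs edit_others_posts.
function can_edit_post(array $user, array $post): bool {
    $needed = ($post['author'] === $user['id']) ? 'edit_posts' : 'edit_others_posts';
    return has_cap($user, $needed);
}

// Returns the author ID to store, or an error string if the request is refused.
function resolve_author(array $user, array $post, ?int $requested_author) {
    if (!can_edit_post($user, $post)) {
        return 'denied: cannot edit this post';
    }
    if ($requested_author === null) {
        return $post['author']; // no author change requested
    }
    // Supplying your own ID needs nothing beyond the edit check above;
    // naming anyone else needs the broader capability.
    if ($requested_author !== $user['id'] && !has_cap($user, 'edit_others_posts')) {
        return 'denied: cannot assign the post to another user';
    }
    return $requested_author;
}

// Constructed sample data.
$author = ['id' => 2, 'role' => 'author'];
$editor = ['id' => 3, 'role' => 'editor'];
$own    = ['id' => 10, 'author' => 2];
$other  = ['id' => 11, 'author' => 5];

var_dump(resolve_author($author, $own, 2));   // own ID supplied for own post
var_dump(resolve_author($author, $own, 5));   // own post handed to another user
var_dump(resolve_author($author, $other, 2)); // someone else's post
var_dump(resolve_author($editor, $other, 3)); // editor takes over a post
```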

