[wp-trac] [WordPress Trac] #39699: Filter to check XML-RPC data before any DB insertion

WordPress Trac noreply at wordpress.org
Thu Jan 26 11:03:09 UTC 2017 

#39699: Filter to check XML-RPC data before any DB insertion
-------------------------------+-----------------------------
 Reporter:  enrico.sorcinelli  |      Owner:
     Type:  enhancement        |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  XML-RPC            |    Version:  trunk
 Severity:  normal             |   Keywords:
  Focuses:                     |
-------------------------------+-----------------------------
 After searching into XML-RPC server class code, I realized that it seems
 that there isn't way to check XML-RPC input data before starting to
 insert/update any rows to database nor to return an `IXR` custom error
 message.
 For example for new post, in order to check custom fields, a possible
 workaround is to use `wp_insert_post_empty_content` filter, but we are
 unable to customize the error message. Moreover at this point some DB rows
 are inserted, so inside the filter above we have to call `wp_delete_post`
 manually in order to clean DB (taking care to check `auto-draft` post
 status).
 In the case of editing post, things get a bit more complicated, so we
 could use transactions with the help of `xmlrpc_call`/`wp_insert_post`
 actions.

 So, the patch aims to add a new filter named `xmlrpc_before_insert_post`
 that allows to do this check in a more robust manner (for `wp.newPost` and
 `wp.editPost` XML-RCP methods).

 Typical usage:

 {{{#!php
 <?php

 if ( defined( 'XMLRPC_REQUEST' ) ) {
    add_filter( 'xmlrpc_before_insert_post',
 'my_filter_xmlrpc_before_insert_post', 10, 3 );
 }
 function my_filter_xmlrpc_before_insert_post ( $post_data,
 $content_struct, $user  ) {
    // do checks with $post_data, i.e:
    if ( title_contains_stop_words( $post_data['post_title'] ) )
       return new IXR_Error( 500, 'Post title contains invalid words' );
    return $post_data,
 }
 }}}

 The filter is placed inside `_insert_post` helper function before
 `get_default_post_to_edit()` that isthe first statement that adds a new DB
 row.

 Regards

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39699>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list