*************** *** 238,243 **** * @param string $user_login User's username. * @param string $user_pass User's password. * @return bool Whether authentication passed. */ function login_pass_ok($user_login, $user_pass) { if ( !get_option( 'enable_xmlrpc' ) ) { --- 238,245 ---- * @param string $user_login User's username. * @param string $user_pass User's password. * @return bool Whether authentication passed. + * @deprecated use wp_xmlrpc_server::login + * @see wp_xmlrpc_server::login */ function login_pass_ok($user_login, $user_pass) { if ( !get_option( 'enable_xmlrpc' ) ) { *************** *** 253,258 **** } /** * Sanitize string or array of strings for database. * * @since 1.5.2 --- 255,286 ---- } /** + * Log user in. + * + * @since 2.8 + * + * @param string $username User's username. + * @param string $password User's password. + * @return mixed WP_User object if authentication passed, false otherwise + */ + function login($username, $password) { + if ( !get_option( 'enable_xmlrpc' ) ) { + $this->error = new IXR_Error( 405, sprintf( __( 'XML-RPC services are disabled on this blog. An admin user can enable them at %s'), admin_url('options-writing.php') ) ); + return false; + } + + $user = wp_authenticate($username, $password); + + if (is_wp_error($user)) { + $this->error = new IXR_Error(403, __('Bad login/pass combination.')); + return false; + } + + set_current_user( $user->ID ); + return $user; + } + + /** * Sanitize string or array of strings for database. * * @since 1.5.2 *************** *** 417,429 **** $username = $args[0]; $password = $args[1]; - if( !$this->login_pass_ok( $username, $password ) ) return $this->error; do_action( 'xmlrpc_call', 'wp.getUsersBlogs' ); - $user = set_current_user( 0, $username ); - $blogs = (array) get_blogs_of_user( $user->ID ); $struct = array( ); --- 445,456 ---- $username = $args[0]; $password = $args[1]; + if ( !$user = $this->login($username, $password) ) { return $this->error; + } do_action( 'xmlrpc_call', 'wp.getUsersBlogs' ); $blogs = (array) get_blogs_of_user( $user->ID ); $struct = array( ); *************** *** 441,447 **** 'url' => get_option( 'home' ) . '/', 'blogid' => $blog_id, 'blogName' => get_option( 'blogname' ), - 'xmlrpc' => get_option( 'home' ) . '/xmlrpc.php' ); restore_current_blog( ); --- 468,474 ---- 'url' => get_option( 'home' ) . '/', 'blogid' => $blog_id, 'blogName' => get_option( 'blogname' ), + 'xmlrpc' => site_url( 'xmlrpc.php' ) ); restore_current_blog( ); *************** *** 466,478 **** $username = $args[2]; $password = $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); } - set_current_user( 0, $username ); if( !current_user_can( 'edit_page', $page_id ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) ); do_action('xmlrpc_call', 'wp.getPage'); --- 493,504 ---- $username = $args[2]; $password = $args[3]; + if ( !$user = $this->login($username, $password) ) { + return $this->error; } if( !current_user_can( 'edit_page', $page_id ) ) + return new IXR_Error( 401, __( 'Sorry, you cannot edit this page.' ) ); do_action('xmlrpc_call', 'wp.getPage'); *************** *** 493,504 **** } // Determine comment and ping settings. - $allow_comments = ("open" == $page->comment_status) ? 1 : 0; - $allow_pings = ("open" == $page->ping_status) ? 1 : 0; // Format page date. - $page_date = mysql2date("Ymd\TH:i:s", $page->post_date); - $page_date_gmt = mysql2date("Ymd\TH:i:s", $page->post_date_gmt); // Pull the categories info together. $categories = array(); --- 519,530 ---- } // Determine comment and ping settings. + $allow_comments = comments_open($page->ID) ? 1 : 0; + $allow_pings = pings_open($page->ID) ? 1 : 0; // Format page date. + $page_date = mysql2date("Ymd\TH:i:s", $page->post_date, false); + $page_date_gmt = mysql2date("Ymd\TH:i:s", $page->post_date_gmt, false); // Pull the categories info together. $categories = array(); *************** *** 564,576 **** $password = $args[2]; $num_pages = (int) $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); } - set_current_user( 0, $username ); if( !current_user_can( 'edit_pages' ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); do_action('xmlrpc_call', 'wp.getPages'); --- 590,601 ---- $password = $args[2]; $num_pages = (int) $args[3]; + if ( !$user = $this->login($username, $password) ) { + return $this->error; } if( !current_user_can( 'edit_pages' ) ) + return new IXR_Error( 401, __( 'Sorry, you cannot edit pages.' ) ); do_action('xmlrpc_call', 'wp.getPages'); *************** *** 579,585 **** $page_limit = $num_pages; } - $pages = get_posts( "post_type=page&post_status=all&numberposts={$page_limit}" ); $num_pages = count($pages); // If we have pages, put together their info. --- 604,610 ---- $page_limit = $num_pages; } + $pages = get_posts( array('post_type' => 'page', 'post_status' => 'all', 'numberposts' => $page_limit) ); $num_pages = count($pages); // If we have pages, put together their info. *************** *** 616,632 **** $page = $args[3]; $publish = $args[4]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); } do_action('xmlrpc_call', 'wp.newPage'); - // Set the user context and check if they are allowed - // to add new pages. - $user = set_current_user(0, $username); if(!current_user_can("publish_pages")) { - return(new IXR_Error(401, __("Sorry, you can not add new pages."))); } // Mark this as content for a page. --- 641,655 ---- $page = $args[3]; $publish = $args[4]; + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.newPage'); + // Make sure the user is allowed to add new pages. if(!current_user_can("publish_pages")) { + return(new IXR_Error(401, __("Sorry, you cannot add new pages."))); } // Mark this as content for a page. *************** *** 652,659 **** $password = $args[2]; $page_id = (int) $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); } do_action('xmlrpc_call', 'wp.deletePage'); --- 675,682 ---- $password = $args[2]; $page_id = (int) $args[3]; + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.deletePage'); *************** *** 668,675 **** return(new IXR_Error(404, __("Sorry, no such page."))); } - // Set the user context and make sure they can delete pages. - set_current_user(0, $username); if(!current_user_can("delete_page", $page_id)) { return(new IXR_Error(401, __("Sorry, you do not have the right to delete this page."))); } --- 691,697 ---- return(new IXR_Error(404, __("Sorry, no such page."))); } + // Make sure the user can delete pages. if(!current_user_can("delete_page", $page_id)) { return(new IXR_Error(401, __("Sorry, you do not have the right to delete this page."))); } *************** *** 700,707 **** $content = $args[4]; $publish = $args[5]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); } do_action('xmlrpc_call', 'wp.editPage'); --- 722,729 ---- $content = $args[4]; $publish = $args[5]; + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.editPage'); *************** *** 715,722 **** return(new IXR_Error(404, __("Sorry, no such page."))); } - // Set the user context and make sure they are allowed to edit pages. - set_current_user(0, $username); if(!current_user_can("edit_page", $page_id)) { return(new IXR_Error(401, __("Sorry, you do not have the right to edit this page."))); } --- 737,743 ---- return(new IXR_Error(404, __("Sorry, no such page."))); } + // Make sure the user is allowed to edit pages. if(!current_user_can("edit_page", $page_id)) { return(new IXR_Error(401, __("Sorry, you do not have the right to edit this page."))); } *************** *** 754,766 **** $username = $args[1]; $password = $args[2]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); } - set_current_user( 0, $username ); if( !current_user_can( 'edit_pages' ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); do_action('xmlrpc_call', 'wp.getPageList'); --- 775,786 ---- $username = $args[1]; $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { + return $this->error; } if( !current_user_can( 'edit_pages' ) ) + return new IXR_Error( 401, __( 'Sorry, you cannot edit pages.' ) ); do_action('xmlrpc_call', 'wp.getPageList'); *************** *** 779,786 **** // The date needs to be formated properly. $num_pages = count($page_list); for($i = 0; $i < $num_pages; $i++) { - $post_date = mysql2date("Ymd\TH:i:s", $page_list[$i]->post_date); - $post_date_gmt = mysql2date("Ymd\TH:i:s", $page_list[$i]->post_date_gmt); $page_list[$i]->dateCreated = new IXR_Date($post_date); $page_list[$i]->date_created_gmt = new IXR_Date($post_date_gmt); --- 799,806 ---- // The date needs to be formated properly. $num_pages = count($page_list); for($i = 0; $i < $num_pages; $i++) { + $post_date = mysql2date("Ymd\TH:i:s", $page_list[$i]->post_date, false); + $post_date_gmt = mysql2date("Ymd\TH:i:s", $page_list[$i]->post_date_gmt, false); $page_list[$i]->dateCreated = new IXR_Date($post_date); $page_list[$i]->date_created_gmt = new IXR_Date($post_date_gmt); *************** *** 808,820 **** $username = $args[1]; $password = $args[2]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); } - set_current_user(0, $username); if(!current_user_can("edit_posts")) { - return(new IXR_Error(401, __("Sorry, you can not edit posts on this blog."))); } do_action('xmlrpc_call', 'wp.getAuthors'); --- 828,839 ---- $username = $args[1]; $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { + return $this->error; } if(!current_user_can("edit_posts")) { + return(new IXR_Error(401, __("Sorry, you cannot edit posts on this blog."))); } do_action('xmlrpc_call', 'wp.getAuthors'); *************** *** 846,856 **** $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view tags.' ) ); } --- 865,874 ---- $username = $args[1]; $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view tags.' ) ); } *************** *** 865,872 **** $struct['name'] = $tag->name; $struct['count'] = $tag->count; $struct['slug'] = $tag->slug; - $struct['html_url'] = wp_specialchars( get_tag_link( $tag->term_id ) ); - $struct['rss_url'] = wp_specialchars( get_tag_feed_link( $tag->term_id ) ); $tags[] = $struct; } --- 883,890 ---- $struct['name'] = $tag->name; $struct['count'] = $tag->count; $struct['slug'] = $tag->slug; + $struct['html_url'] = esc_html( get_tag_link( $tag->term_id ) ); + $struct['rss_url'] = esc_html( get_tag_feed_link( $tag->term_id ) ); $tags[] = $struct; } *************** *** 891,905 **** $password = $args[2]; $category = $args[3]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); } do_action('xmlrpc_call', 'wp.newCategory'); - // Set the user context and make sure they are - // allowed to add a category. - set_current_user(0, $username); if(!current_user_can("manage_categories")) { return(new IXR_Error(401, __("Sorry, you do not have the right to add a category."))); } --- 909,921 ---- $password = $args[2]; $category = $args[3]; + if ( !$user = $this->login($username, $password) ) { + return $this->error; } do_action('xmlrpc_call', 'wp.newCategory'); + // Make sure the user is allowed to add a category. if(!current_user_can("manage_categories")) { return(new IXR_Error(401, __("Sorry, you do not have the right to add a category."))); } *************** *** 951,963 **** $password = $args[2]; $category_id = (int) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) { return $this->error; } do_action('xmlrpc_call', 'wp.deleteCategory'); - set_current_user(0, $username); if( !current_user_can("manage_categories") ) { return new IXR_Error( 401, __( "Sorry, you do not have the right to delete a category." ) ); } --- 967,978 ---- $password = $args[2]; $category_id = (int) $args[3]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'wp.deleteCategory'); if( !current_user_can("manage_categories") ) { return new IXR_Error( 401, __( "Sorry, you do not have the right to delete a category." ) ); } *************** *** 982,992 **** $category = $args[3]; $max_results = (int) $args[4]; - if(!$this->login_pass_ok($username, $password)) { - return($this->error); } - set_current_user(0, $username); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts to this blog in order to view categories.' ) ); --- 997,1006 ---- $category = $args[3]; $max_results = (int) $args[4]; + if ( !$user = $this->login($username, $password) ) { + return $this->error; } if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts to this blog in order to view categories.' ) ); *************** *** 1020,1029 **** $password = $args[2]; $comment_id = (int) $args[3]; - if ( !$this->login_pass_ok( $username, $password ) ) return $this->error; - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); --- 1034,1043 ---- $password = $args[2]; $comment_id = (int) $args[3]; + if ( !$user = $this->login($username, $password) ) { return $this->error; + } if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); *************** *** 1033,1040 **** return new IXR_Error( 404, __( 'Invalid comment ID.' ) ); // Format page date. - $comment_date = mysql2date("Ymd\TH:i:s", $comment->comment_date); - $comment_date_gmt = mysql2date("Ymd\TH:i:s", $comment->comment_date_gmt); if ( 0 == $comment->comment_approved ) $comment_status = 'hold'; --- 1047,1054 ---- return new IXR_Error( 404, __( 'Invalid comment ID.' ) ); // Format page date. + $comment_date = mysql2date("Ymd\TH:i:s", $comment->comment_date, false); + $comment_date_gmt = mysql2date("Ymd\TH:i:s", $comment->comment_date_gmt, false); if ( 0 == $comment->comment_approved ) $comment_status = 'hold'; *************** *** 1083,1094 **** $password = $args[2]; $struct = $args[3]; - if ( !$this->login_pass_ok($username, $password) ) - return($this->error); - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit comments.' ) ); do_action('xmlrpc_call', 'wp.getComments'); --- 1097,1108 ---- $password = $args[2]; $struct = $args[3]; + if ( !$user = $this->login($username, $password) ) { + return $this->error; + } if ( !current_user_can( 'moderate_comments' ) ) + return new IXR_Error( 401, __( 'Sorry, you cannot edit comments.' ) ); do_action('xmlrpc_call', 'wp.getComments'); *************** *** 1143,1152 **** $password = $args[2]; $comment_ID = (int) $args[3]; - if ( !$this->login_pass_ok( $username, $password ) ) return $this->error; - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); --- 1157,1166 ---- $password = $args[2]; $comment_ID = (int) $args[3]; + if ( !$user = $this->login($username, $password) ) { return $this->error; + } if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); *************** *** 1175,1184 **** $comment_ID = (int) $args[3]; $content_struct = $args[4]; - if ( !$this->login_pass_ok( $username, $password ) ) return $this->error; - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); --- 1189,1198 ---- $comment_ID = (int) $args[3]; $content_struct = $args[4]; + if ( !$user = $this->login($username, $password) ) { return $this->error; + } if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this blog.' ) ); *************** *** 1249,1255 **** $allow_anon = apply_filters('xmlrpc_allow_anonymous_comments', false); - if ( !$this->login_pass_ok( $username, $password ) ) { $logged_in = false; if ( $allow_anon && get_option('comment_registration') ) return new IXR_Error( 403, __( 'You must be registered to comment' ) ); --- 1263,1271 ---- $allow_anon = apply_filters('xmlrpc_allow_anonymous_comments', false); + $user = $this->login($username, $password); + + if ( !$user ) { $logged_in = false; if ( $allow_anon && get_option('comment_registration') ) return new IXR_Error( 403, __( 'You must be registered to comment' ) ); *************** *** 1257,1263 **** return $this->error; } else { $logged_in = true; - set_current_user( 0, $username ); } if ( is_numeric($post) ) --- 1273,1278 ---- return $this->error; } else { $logged_in = true; } if ( is_numeric($post) ) *************** *** 1274,1280 **** $comment['comment_post_ID'] = $post_id; if ( $logged_in ) { - $user = wp_get_current_user(); $comment['comment_author'] = $wpdb->escape( $user->display_name ); $comment['comment_author_email'] = $wpdb->escape( $user->user_email ); $comment['comment_author_url'] = $wpdb->escape( $user->user_url ); --- 1289,1294 ---- $comment['comment_post_ID'] = $post_id; if ( $logged_in ) { $comment['comment_author'] = $wpdb->escape( $user->display_name ); $comment['comment_author_email'] = $wpdb->escape( $user->user_email ); $comment['comment_author_url'] = $wpdb->escape( $user->user_url ); *************** *** 1326,1335 **** $username = $args[1]; $password = $args[2]; - if ( !$this->login_pass_ok( $username, $password ) ) return $this->error; - set_current_user( 0, $username ); if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); --- 1340,1349 ---- $username = $args[1]; $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; + } if ( !current_user_can( 'moderate_comments' ) ) return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); *************** *** 1354,1364 **** $password = $args[2]; $post_id = (int) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) ); } --- 1368,1377 ---- $password = $args[2]; $post_id = (int) $args[3]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about comments.' ) ); } *************** *** 1389,1399 **** $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } --- 1402,1411 ---- $username = $args[1]; $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } *************** *** 1418,1428 **** $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } --- 1430,1439 ---- $username = $args[1]; $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } if( !current_user_can( 'edit_posts' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } *************** *** 1447,1457 **** $username = $args[1]; $password = $args[2]; - if( !$this->login_pass_ok( $username, $password ) ) { return $this->error; } - set_current_user( 0, $username ); if( !current_user_can( 'edit_pages' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } --- 1458,1467 ---- $username = $args[1]; $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } if( !current_user_can( 'edit_pages' ) ) { return new IXR_Error( 403, __( 'You are not allowed access to details about this blog.' ) ); } *************** *** 1478,1487 **** $password = $args[2]; $options = (array) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) return $this->error; - - $user = set_current_user( 0, $username ); // If no specific options where asked for, return all of them if (count( $options ) == 0 ) { --- 1488,1496 ---- $password = $args[2]; $options = (array) $args[3]; + if ( !$user = $this->login($username, $password) ) { return $this->error; + } // If no specific options where asked for, return all of them if (count( $options ) == 0 ) { *************** *** 1533,1542 **** $password = $args[2]; $options = (array) $args[3]; - if( !$this->login_pass_ok( $username, $password ) ) return $this->error; - $user = set_current_user( 0, $username ); if( !current_user_can( 'manage_options' ) ) return new IXR_Error( 403, __( 'You are not allowed to update options.' ) ); --- 1542,1551 ---- $password = $args[2]; $options = (array) $args[3]; + if ( !$user = $this->login($username, $password) ) { return $this->error; + } if( !current_user_can( 'manage_options' ) ) return new IXR_Error( 403, __( 'You are not allowed to update options.' ) ); *************** *** 1576,1591 **** $this->escape($args); - $user_login = $args[1]; - $user_pass = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } do_action('xmlrpc_call', 'blogger.getUsersBlogs'); - set_current_user(0, $user_login); $is_admin = current_user_can('manage_options'); $struct = array( --- 1585,1599 ---- $this->escape($args); + $username = $args[1]; + $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.getUsersBlogs'); $is_admin = current_user_can('manage_options'); $struct = array( *************** *** 1593,1599 **** 'url' => get_option('home') . '/', 'blogid' => '1', 'blogName' => get_option('blogname'), - 'xmlrpc' => get_option('home') . '/xmlrpc.php', ); return array($struct); --- 1601,1607 ---- 'url' => get_option('home') . '/', 'blogid' => '1', 'blogName' => get_option('blogname'), + 'xmlrpc' => site_url( 'xmlrpc.php' ) ); return array($struct); *************** *** 1613,1639 **** $this->escape($args); - $user_login = $args[1]; - $user_pass = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) ); do_action('xmlrpc_call', 'blogger.getUserInfo'); - $user_data = get_userdatabylogin($user_login); - $struct = array( - 'nickname' => $user_data->nickname, - 'userid' => $user_data->ID, - 'url' => $user_data->user_url, - 'lastname' => $user_data->last_name, - 'firstname' => $user_data->first_name ); return $struct; --- 1621,1644 ---- $this->escape($args); + $username = $args[1]; + $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) ); do_action('xmlrpc_call', 'blogger.getUserInfo'); $struct = array( + 'nickname' => $user->nickname, + 'userid' => $user->ID, + 'url' => $user->user_url, + 'lastname' => $user->last_name, + 'firstname' => $user->first_name ); return $struct; *************** *** 1652,1667 **** $this->escape($args); $post_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_post', $post_ID ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); do_action('xmlrpc_call', 'blogger.getPost'); --- 1657,1671 ---- $this->escape($args); $post_ID = (int) $args[1]; + $username = $args[2]; + $password = $args[3]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } if( !current_user_can( 'edit_post', $post_ID ) ) + return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) ); do_action('xmlrpc_call', 'blogger.getPost'); *************** *** 1675,1681 **** $struct = array( 'userid' => $post_data['post_author'], - 'dateCreated' => new IXR_Date(mysql2date('Ymd\TH:i:s', $post_data['post_date'])), 'content' => $content, 'postid' => $post_data['ID'] ); --- 1679,1685 ---- $struct = array( 'userid' => $post_data['post_author'], + 'dateCreated' => new IXR_Date(mysql2date('Ymd\TH:i:s', $post_data['post_date'], false)), 'content' => $content, 'postid' => $post_data['ID'] ); *************** *** 1696,1706 **** $this->escape($args); $blog_ID = (int) $args[1]; /* though we don't use it yet */ - $user_login = $args[2]; - $user_pass = $args[3]; $num_posts = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } --- 1700,1710 ---- $this->escape($args); $blog_ID = (int) $args[1]; /* though we don't use it yet */ + $username = $args[2]; + $password = $args[3]; $num_posts = $args[4]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } *************** *** 1708,1715 **** $posts_list = wp_get_recent_posts($num_posts); - set_current_user( 0, $user_login ); - if (!$posts_list) { $this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.')); return $this->error; --- 1712,1717 ---- $posts_list = wp_get_recent_posts($num_posts); if (!$posts_list) { $this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.')); return $this->error; *************** *** 1719,1725 **** if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue; - $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); $categories = implode(',', wp_get_post_categories($entry['ID'])); $content = ''.stripslashes($entry['post_title']).''; --- 1721,1727 ---- if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue; + $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date'], false); $categories = implode(',', wp_get_post_categories($entry['ID'])); $content = ''.stripslashes($entry['post_title']).''; *************** *** 1756,1772 **** $this->escape($args); $blog_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; $template = $args[4]; /* could be 'main' or 'archiveIndex', but we don't use it */ - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } do_action('xmlrpc_call', 'blogger.getTemplate'); - set_current_user(0, $user_login); if ( !current_user_can('edit_themes') ) { return new IXR_Error(401, __('Sorry, this user can not edit the template.')); } --- 1758,1773 ---- $this->escape($args); $blog_ID = (int) $args[1]; + $username = $args[2]; + $password = $args[3]; $template = $args[4]; /* could be 'main' or 'archiveIndex', but we don't use it */ + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.getTemplate'); if ( !current_user_can('edit_themes') ) { return new IXR_Error(401, __('Sorry, this user can not edit the template.')); } *************** *** 1798,1817 **** $this->escape($args); $blog_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; $content = $args[4]; $template = $args[5]; /* could be 'main' or 'archiveIndex', but we don't use it */ - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } do_action('xmlrpc_call', 'blogger.setTemplate'); - set_current_user(0, $user_login); if ( !current_user_can('edit_themes') ) { - return new IXR_Error(401, __('Sorry, this user can not edit the template.')); } /* warning: here we make the assumption that the blog's URL is on the same server */ --- 1799,1817 ---- $this->escape($args); $blog_ID = (int) $args[1]; + $username = $args[2]; + $password = $args[3]; $content = $args[4]; $template = $args[5]; /* could be 'main' or 'archiveIndex', but we don't use it */ + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.setTemplate'); if ( !current_user_can('edit_themes') ) { + return new IXR_Error(401, __('Sorry, this user cannot edit the template.')); } /* warning: here we make the assumption that the blog's URL is on the same server */ *************** *** 1841,1859 **** $this->escape($args); $blog_ID = (int) $args[1]; /* though we don't use it yet */ - $user_login = $args[2]; - $user_pass = $args[3]; $content = $args[4]; $publish = $args[5]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } do_action('xmlrpc_call', 'blogger.newPost'); $cap = ($publish) ? 'publish_posts' : 'edit_posts'; - $user = set_current_user(0, $user_login); if ( !current_user_can($cap) ) return new IXR_Error(401, __('Sorry, you are not allowed to post on this blog.')); --- 1841,1858 ---- $this->escape($args); $blog_ID = (int) $args[1]; /* though we don't use it yet */ + $username = $args[2]; + $password = $args[3]; $content = $args[4]; $publish = $args[5]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'blogger.newPost'); $cap = ($publish) ? 'publish_posts' : 'edit_posts'; if ( !current_user_can($cap) ) return new IXR_Error(401, __('Sorry, you are not allowed to post on this blog.')); *************** *** 1897,1908 **** $this->escape($args); $post_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; $content = $args[4]; $publish = $args[5]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } --- 1896,1907 ---- $this->escape($args); $post_ID = (int) $args[1]; + $username = $args[2]; + $password = $args[3]; $content = $args[4]; $publish = $args[5]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } *************** *** 1916,1922 **** $this->escape($actual_post); - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.')); --- 1915,1920 ---- $this->escape($actual_post); if ( !current_user_can('edit_post', $post_ID) ) return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.')); *************** *** 1953,1963 **** $this->escape($args); $post_ID = (int) $args[1]; - $user_login = $args[2]; - $user_pass = $args[3]; $publish = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } --- 1951,1961 ---- $this->escape($args); $post_ID = (int) $args[1]; + $username = $args[2]; + $password = $args[3]; $publish = $args[4]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } *************** *** 1969,1975 **** return new IXR_Error(404, __('Sorry, no such post.')); } - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) return new IXR_Error(401, __('Sorry, you do not have the right to delete this post.')); --- 1967,1972 ---- return new IXR_Error(404, __('Sorry, no such post.')); } if ( !current_user_can('edit_post', $post_ID) ) return new IXR_Error(401, __('Sorry, you do not have the right to delete this post.')); *************** *** 1998,2012 **** $this->escape($args); $blog_ID = (int) $args[0]; // we will support this in the near future - $user_login = $args[1]; - $user_pass = $args[2]; $content_struct = $args[3]; $publish = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } - $user = set_current_user(0, $user_login); do_action('xmlrpc_call', 'metaWeblog.newPost'); --- 1995,2008 ---- $this->escape($args); $blog_ID = (int) $args[0]; // we will support this in the near future + $username = $args[1]; + $password = $args[2]; $content_struct = $args[3]; $publish = $args[4]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'metaWeblog.newPost'); *************** *** 2219,2233 **** return new IXR_Error(500, __('Sorry, your entry could not be posted. Something wrong happened.')); } if ( isset($content_struct['custom_fields']) ) { $this->set_custom_fields($post_ID, $content_struct['custom_fields']); } // Handle enclosures - $enclosure = $content_struct['enclosure']; - if( is_array( $enclosure ) && isset( $enclosure['url'] ) && isset( $enclosure['length'] ) && isset( $enclosure['type'] ) ) { - add_post_meta( $post_ID, 'enclosure', $enclosure['url'] . "\n" . $enclosure['length'] . "\n" . $enclosure['type'] ); - } $this->attach_uploads( $post_ID, $post_content ); --- 2215,2233 ---- return new IXR_Error(500, __('Sorry, your entry could not be posted. Something wrong happened.')); } + // Only posts can be sticky + if ( $post_type == 'post' && isset( $content_struct['sticky'] ) ) + if ( $content_struct['sticky'] == true ) + stick_post( $post_ID ); + elseif ( $content_struct['sticky'] == false ) + unstick_post( $post_ID ); + if ( isset($content_struct['custom_fields']) ) { $this->set_custom_fields($post_ID, $content_struct['custom_fields']); } // Handle enclosures + $this->add_enclosure_if_new($post_ID, $content_struct['enclosure']); $this->attach_uploads( $post_ID, $post_content ); *************** *** 2236,2241 **** return strval($post_ID); } /** * Attach upload to a post. * --- 2236,2262 ---- return strval($post_ID); } + function add_enclosure_if_new($post_ID, $enclosure) { + if( is_array( $enclosure ) && isset( $enclosure['url'] ) && isset( $enclosure['length'] ) && isset( $enclosure['type'] ) ) { + + $encstring = $enclosure['url'] . "\n" . $enclosure['length'] . "\n" . $enclosure['type']; + $found = false; + foreach ( (array) get_post_custom($post_ID) as $key => $val) { + if ($key == 'enclosure') { + foreach ( (array) $val as $enc ) { + if ($enc == $encstring) { + $found = true; + break 2; + } + } + } + } + if (!$found) { + add_post_meta( $post_ID, 'enclosure', $encstring ); + } + } + } + /** * Attach upload to a post. * *************** *** 2252,2258 **** if( is_array( $attachments ) ) { foreach( $attachments as $file ) { if( strpos( $post_content, $file->guid ) !== false ) { - $wpdb->query( $wpdb->prepare("UPDATE {$wpdb->posts} SET post_parent = %d WHERE ID = %d", $post_ID, $file->ID) ); } } } --- 2273,2279 ---- if( is_array( $attachments ) ) { foreach( $attachments as $file ) { if( strpos( $post_content, $file->guid ) !== false ) { + $wpdb->update($wpdb->posts, array('post_parent' => $post_ID), array('ID' => $file->ID) ); } } } *************** *** 2271,2285 **** $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; $content_struct = $args[3]; $publish = $args[4]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } - $user = set_current_user(0, $user_login); do_action('xmlrpc_call', 'metaWeblog.editPost'); --- 2292,2305 ---- $this->escape($args); $post_ID = (int) $args[0]; + $username = $args[1]; + $password = $args[2]; $content_struct = $args[3]; $publish = $args[4]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'metaWeblog.editPost'); *************** *** 2314,2320 **** // now and return an error. Other wise a new post will be // created (which was the old behavior). if(empty($postdata["ID"])) { - return(new IXR_Error(404, __("Invalid post id."))); } $this->escape($postdata); --- 2334,2340 ---- // now and return an error. Other wise a new post will be // created (which was the old behavior). if(empty($postdata["ID"])) { + return(new IXR_Error(404, __("Invalid post ID."))); } $this->escape($postdata); *************** *** 2502,2516 **** return new IXR_Error(500, __('Sorry, your entry could not be edited. Something wrong happened.')); } if ( isset($content_struct['custom_fields']) ) { $this->set_custom_fields($post_ID, $content_struct['custom_fields']); } // Handle enclosures - $enclosure = $content_struct['enclosure']; - if( is_array( $enclosure ) && isset( $enclosure['url'] ) && isset( $enclosure['length'] ) && isset( $enclosure['type'] ) ) { - add_post_meta( $post_ID, 'enclosure', $enclosure['url'] . "\n" . $enclosure['length'] . "\n" . $enclosure['type'] ); - } $this->attach_uploads( $ID, $post_content ); --- 2522,2540 ---- return new IXR_Error(500, __('Sorry, your entry could not be edited. Something wrong happened.')); } + // Only posts can be sticky + if ( $post_type == 'post' && isset( $content_struct['sticky'] ) ) + if ( $content_struct['sticky'] == true ) + stick_post( $post_ID ); + elseif ( $content_struct['sticky'] == false ) + unstick_post( $post_ID ); + if ( isset($content_struct['custom_fields']) ) { $this->set_custom_fields($post_ID, $content_struct['custom_fields']); } // Handle enclosures + $this->add_enclosure_if_new($post_ID, $content_struct['enclosure']); $this->attach_uploads( $ID, $post_content ); *************** *** 2532,2555 **** $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_post', $post_ID ) ) - return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); do_action('xmlrpc_call', 'metaWeblog.getPost'); $postdata = wp_get_single_post($post_ID, ARRAY_A); if ($postdata['post_date'] != '') { - $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']); - $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']); $categories = array(); $catids = wp_get_post_categories($post_ID); --- 2556,2578 ---- $this->escape($args); $post_ID = (int) $args[0]; + $username = $args[1]; + $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } if( !current_user_can( 'edit_post', $post_ID ) ) + return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) ); do_action('xmlrpc_call', 'metaWeblog.getPost'); $postdata = wp_get_single_post($post_ID, ARRAY_A); if ($postdata['post_date'] != '') { + $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date'], false); + $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt'], false); $categories = array(); $catids = wp_get_post_categories($post_ID); *************** *** 2580,2585 **** $postdata['post_status'] = 'publish'; } $enclosure = array(); foreach ( (array) get_post_custom($post_ID) as $key => $val) { if ($key == 'enclosure') { --- 2603,2612 ---- $postdata['post_status'] = 'publish'; } + $sticky = false; + if ( is_sticky( $post_ID ) ) + $sticky = true; + $enclosure = array(); foreach ( (array) get_post_custom($post_ID) as $key => $val) { if ($key == 'enclosure') { *************** *** 2615,2621 **** 'wp_author_display_name' => $author->display_name, 'date_created_gmt' => new IXR_Date($post_date_gmt), 'post_status' => $postdata['post_status'], - 'custom_fields' => $this->get_custom_fields($post_ID) ); if (!empty($enclosure)) $resp['enclosure'] = $enclosure; --- 2642,2649 ---- 'wp_author_display_name' => $author->display_name, 'date_created_gmt' => new IXR_Date($post_date_gmt), 'post_status' => $postdata['post_status'], + 'custom_fields' => $this->get_custom_fields($post_ID), + 'sticky' => $sticky ); if (!empty($enclosure)) $resp['enclosure'] = $enclosure; *************** *** 2639,2649 **** $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; $num_posts = (int) $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } --- 2667,2677 ---- $this->escape($args); $blog_ID = (int) $args[0]; + $username = $args[1]; + $password = $args[2]; $num_posts = (int) $args[3]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } *************** *** 2655,2668 **** return array( ); } - set_current_user( 0, $user_login ); - foreach ($posts_list as $entry) { if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue; - $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); - $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']); $categories = array(); $catids = wp_get_post_categories($entry['ID']); --- 2683,2694 ---- return array( ); } foreach ($posts_list as $entry) { if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue; + $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date'], false); + $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt'], false); $categories = array(); $catids = wp_get_post_categories($entry['ID']); *************** *** 2743,2756 **** $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); --- 2769,2781 ---- $this->escape($args); $blog_ID = (int) $args[0]; + $username = $args[1]; + $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); *************** *** 2765,2772 **** $struct['description'] = $cat->name; $struct['categoryDescription'] = $cat->description; $struct['categoryName'] = $cat->name; - $struct['htmlUrl'] = wp_specialchars(get_category_link($cat->term_id)); - $struct['rssUrl'] = wp_specialchars(get_category_feed_link($cat->term_id, 'rss2')); $categories_struct[] = $struct; } --- 2790,2797 ---- $struct['description'] = $cat->name; $struct['categoryDescription'] = $cat->description; $struct['categoryName'] = $cat->name; + $struct['htmlUrl'] = esc_html(get_category_link($cat->term_id)); + $struct['rssUrl'] = esc_html(get_category_feed_link($cat->term_id, 'rss2')); $categories_struct[] = $struct; } *************** *** 2791,2798 **** global $wpdb; $blog_ID = (int) $args[0]; - $user_login = $wpdb->escape($args[1]); - $user_pass = $wpdb->escape($args[2]); $data = $args[3]; $name = sanitize_file_name( $data['name'] ); --- 2816,2823 ---- global $wpdb; $blog_ID = (int) $args[0]; + $username = $wpdb->escape($args[1]); + $password = $wpdb->escape($args[2]); $data = $args[3]; $name = sanitize_file_name( $data['name'] ); *************** *** 2801,2812 **** logIO('O', '(MW) Received '.strlen($bits).' bytes'); - if ( !$this->login_pass_ok($user_login, $user_pass) ) return $this->error; do_action('xmlrpc_call', 'metaWeblog.newMediaObject'); - set_current_user(0, $user_login); if ( !current_user_can('upload_files') ) { logIO('O', '(MW) User does not have upload_files capability'); $this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.')); --- 2826,2837 ---- logIO('O', '(MW) Received '.strlen($bits).' bytes'); + if ( !$user = $this->login($username, $password) ) { return $this->error; + } do_action('xmlrpc_call', 'metaWeblog.newMediaObject'); if ( !current_user_can('upload_files') ) { logIO('O', '(MW) User does not have upload_files capability'); $this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.')); *************** *** 2876,2886 **** $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; $num_posts = (int) $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } --- 2901,2911 ---- $this->escape($args); $blog_ID = (int) $args[0]; + $username = $args[1]; + $password = $args[2]; $num_posts = (int) $args[3]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } *************** *** 2893,2906 **** return $this->error; } - set_current_user( 0, $user_login ); - foreach ($posts_list as $entry) { if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue; - $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); - $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']); $struct[] = array( 'dateCreated' => new IXR_Date($post_date), --- 2918,2929 ---- return $this->error; } foreach ($posts_list as $entry) { if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue; + $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date'], false); + $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt'], false); $struct[] = array( 'dateCreated' => new IXR_Date($post_date), *************** *** 2933,2946 **** $this->escape($args); $blog_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); --- 2956,2968 ---- $this->escape($args); $blog_ID = (int) $args[0]; + $username = $args[1]; + $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } if( !current_user_can( 'edit_posts' ) ) return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); *************** *** 2973,2986 **** $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } - set_current_user( 0, $user_login ); if( !current_user_can( 'edit_post', $post_ID ) ) return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); --- 2995,3007 ---- $this->escape($args); $post_ID = (int) $args[0]; + $username = $args[1]; + $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } if( !current_user_can( 'edit_post', $post_ID ) ) return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); *************** *** 3015,3033 **** $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; $categories = $args[3]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } do_action('xmlrpc_call', 'mt.setPostCategories'); - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) - return new IXR_Error(401, __('Sorry, you can not edit this post.')); foreach($categories as $cat) { $catids[] = $cat['categoryId']; --- 3036,3053 ---- $this->escape($args); $post_ID = (int) $args[0]; + $username = $args[1]; + $password = $args[2]; $categories = $args[3]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'mt.setPostCategories'); if ( !current_user_can('edit_post', $post_ID) ) + return new IXR_Error(401, __('Sorry, you cannot edit this post.')); foreach($categories as $cat) { $catids[] = $cat['categoryId']; *************** *** 3127,3144 **** $this->escape($args); $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { return $this->error; } do_action('xmlrpc_call', 'mt.publishPost'); - set_current_user(0, $user_login); if ( !current_user_can('edit_post', $post_ID) ) - return new IXR_Error(401, __('Sorry, you can not edit this post.')); $postdata = wp_get_single_post($post_ID,ARRAY_A); --- 3147,3163 ---- $this->escape($args); $post_ID = (int) $args[0]; + $username = $args[1]; + $password = $args[2]; + if ( !$user = $this->login($username, $password) ) { return $this->error; } do_action('xmlrpc_call', 'mt.publishPost'); if ( !current_user_can('edit_post', $post_ID) ) + return new IXR_Error(401, __('Sorry, you cannot edit this post.')); $postdata = wp_get_single_post($post_ID,ARRAY_A); *************** *** 3225,3231 **** } } else { // TODO: Attempt to extract a post ID from the given URL - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.')); } $post_ID = (int) $post_ID; --- 3244,3250 ---- } } else { // TODO: Attempt to extract a post ID from the given URL + return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); } $post_ID = (int) $post_ID; *************** *** 3235,3248 **** $post = get_post($post_ID); if ( !$post ) // Post_ID not found - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.')); if ( $post_ID == url_to_postid($pagelinkedfrom) ) return new IXR_Error(0, __('The source URL and the target URL cannot both point to the same resource.')); // Check if pings are on if ( !pings_open($post) ) - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.')); // Let's check that the remote site didn't already pingback this entry $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) ); --- 3254,3267 ---- $post = get_post($post_ID); if ( !$post ) // Post_ID not found + return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); if ( $post_ID == url_to_postid($pagelinkedfrom) ) return new IXR_Error(0, __('The source URL and the target URL cannot both point to the same resource.')); // Check if pings are on if ( !pings_open($post) ) + return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); // Let's check that the remote site didn't already pingback this entry $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) ); *************** *** 3308,3314 **** $pagelinkedfrom = str_replace('&', '&', $pagelinkedfrom); - $context = '[...] ' . wp_specialchars( $excerpt ) . ' [...]'; $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom ); $comment_post_ID = (int) $post_ID; --- 3327,3333 ---- $pagelinkedfrom = str_replace('&', '&', $pagelinkedfrom); + $context = '[...] ' . esc_html( $excerpt ) . ' [...]'; $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom ); $comment_post_ID = (int) $post_ID; *************** *** 3341,3347 **** global $wpdb; - do_action('xmlrpc_call', 'pingback.extensions.getPingsbacks'); $this->escape($args); --- 3360,3366 ---- global $wpdb; + do_action('xmlrpc_call', 'pingback.extensions.getPingbacks'); $this->escape($args); *************** *** 3350,3356 **** $post_ID = url_to_postid($url); if (!$post_ID) { // We aren't sure that the resource is available and/or pingback enabled - return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.')); } $actual_post = wp_get_single_post($post_ID, ARRAY_A); --- 3369,3375 ---- $post_ID = url_to_postid($url); if (!$post_ID) { // We aren't sure that the resource is available and/or pingback enabled + return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn’t exist, or it is not a pingback-enabled resource.')); } $actual_post = wp_get_single_post($post_ID, ARRAY_A);