author | donncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36> | 2008-01-02 16:00:05 +0000 |
---|---|---|
committer | donncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36> | 2008-01-02 16:00:05 +0000 |
commit | 1503e05616c295e6f980134dc341fa1a66dc9672 (patch) | |
tree | b0a7dc356affec0059670603f1cb990da7dbc026 | |
parent | c65d51fec1d641efd1ec8a44c046cd54d588fe3b (diff) | |
Merge with WP 2.3.2
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@1172 7be80a69-a1ef-0310-a953-fb0f7c49ff36
-rw-r--r-- | wp-admin/admin.php | 4 | ||||
-rw-r--r-- | wp-admin/includes/file.php | 3 | ||||
-rw-r--r-- | wp-admin/js/cat.js | 1 | ||||
-rw-r--r-- | wp-admin/js/link-cat.js | 1 | ||||
-rw-r--r-- | wp-admin/setup-config.php | 4 | ||||
-rw-r--r-- | wp-admin/upload-functions.php | 360 | ||||
-rw-r--r-- | wp-app.php | 22 | ||||
-rw-r--r-- | wp-includes/formatting.php | 35 | ||||
-rw-r--r-- | wp-includes/functions.php | 48 | ||||
-rw-r--r-- | wp-includes/pluggable.php | 4 | ||||
-rw-r--r-- | wp-includes/post.php | 5 | ||||
-rw-r--r-- | wp-includes/query.php | 8 | ||||
-rw-r--r-- | wp-includes/taxonomy.php | 8 | ||||
-rw-r--r-- | wp-includes/version.php | 4 | ||||
-rw-r--r-- | wp-includes/wp-db.php | 29 | ||||
-rw-r--r-- | wp-mail.php | 12 | ||||
-rw-r--r-- | wp-settings.php | 8 | ||||
-rw-r--r-- | xmlrpc.php | 211 |
18 files changed, 293 insertions, 474 deletions
diff --git a/wp-admin/admin.php b/wp-admin/admin.php index 610544d..aaa8efa 100644 --- a/wp-admin/admin.php +++ b/wp-admin/admin.php @@ -1,4 +1,6 @@ <?php +define('WP_ADMIN', TRUE); + if ( defined('ABSPATH') ) require_once( ABSPATH . 'wp-config.php'); else @@ -64,7 +66,7 @@ if (isset($plugin_page)) { do_action('load-' . $plugin_page); if (! isset($_GET['noheader'])) - require_once(ABSPATH . '/wp-admin/admin-header.php'); + require_once(ABSPATH . 'wp-admin/admin-header.php'); if ( file_exists(ABSPATH . MUPLUGINDIR . "/$plugin_page") ) include(ABSPATH . MUPLUGINDIR . "/$plugin_page"); diff --git a/wp-admin/includes/file.php b/wp-admin/includes/file.php index 25d9c26..45c05e5 100644 --- a/wp-admin/includes/file.php +++ b/wp-admin/includes/file.php @@ -43,6 +43,9 @@ function get_real_file_to_edit( $file ) { } function validate_file( $file, $allowed_files = '' ) { + if ( false !== strpos( $file, '..' )) + return 1; + if ( false !== strpos( $file, './' )) return 1; diff --git a/wp-admin/js/cat.js b/wp-admin/js/cat.js index b486996..e697e9b 100644 --- a/wp-admin/js/cat.js +++ b/wp-admin/js/cat.js @@ -9,4 +9,3 @@ function newCatAddIn() { $('newcat').onkeypress = function(e) { return killSubmit("catList.ajaxAdder('category','jaxcat');", e); }; $('catadd').onclick = function() { catList.ajaxAdder('category', 'jaxcat'); }; } - diff --git a/wp-admin/js/link-cat.js b/wp-admin/js/link-cat.js index 1e95fa3..a0775ce 100644 --- a/wp-admin/js/link-cat.js +++ b/wp-admin/js/link-cat.js @@ -8,4 +8,3 @@ function newLinkCatAddIn() { $('newcat').onkeypress = function(e) { return killSubmit("linkcatList.ajaxAdder('link-category','jaxcat');", e); }; $('catadd').onclick = function() { linkcatList.ajaxAdder('link-category', 'jaxcat'); }; } - diff --git a/wp-admin/setup-config.php b/wp-admin/setup-config.php index 139ccd3..99af3b4 100644 --- a/wp-admin/setup-config.php +++ b/wp-admin/setup-config.php 
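Review bot: The new `..` test in validate_file() returns the same code 1 as the existing `./` test, so callers cannot tell which rule fired and the two could be one condition: `if ( false !== strpos( $file, '..' ) || false !== strpos( $file, './' ) ) return 1;`. Rejecting `..` anywhere in the string is the conservative choice and also covers backslash-separated traversal, since `..\` still contains the substring. The rest of validate_file() (the `$allowed_files` handling and any further return codes) is outside the hunk, so a comment above the checks stating what code 1 means — `// 1: a traversal component ('..' or './') is never allowed, whatever $allowed_files says` — would help readers who only see this part.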
@@ -4,6 +4,7 @@ define('WP_INSTALLING', true); require_once('../wp-includes/compat.php'); require_once('../wp-includes/functions.php'); +require_once('../wp-includes/classes.php'); if (!file_exists('../wp-config-sample.php')) wp_die('Sorry, I need a wp-config-sample.php file to work from. Please re-upload this file from your WordPress installation.'); @@ -162,6 +163,9 @@ switch($step) { // We'll fail here if the values are no good. require_once('../wp-includes/wp-db.php'); + if ( !empty($wpdb->error) ) + wp_die($wpdb->error->get_error_message()); + $handle = fopen('../wp-config.php', 'w'); foreach ($configFile as $line_num => $line) { diff --git a/wp-admin/upload-functions.php b/wp-admin/upload-functions.php deleted file mode 100644 index e2d734d..0000000 --- a/wp-admin/upload-functions.php +++ /dev/null 
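Review bot: `wp_die($wpdb->error->get_error_message())` assumes `$wpdb->error` is a WP_Error, but wpdb::bail() in this same commit stores a plain string when the WP_Error class is not loaded. The new `require_once('../wp-includes/classes.php')` above presumably exists so that WP_Error is defined before wp-db.php runs, yet nothing ties the two together, so a guard is cheap: `wp_die( is_wp_error($wpdb->error) ? $wpdb->error->get_error_message() : $wpdb->error );`. The message originates in wpdb::bail() and already contains markup, so passing it to wp_die() unescaped is by design; a one-line comment saying so would stop a later reader from "fixing" it. The surrounding `switch($step)` case starts and ends outside the hunk.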
@@ -1,360 +0,0 @@ -<?php -function wp_upload_display( $dims = false, $href = '' ) { - global $post; - $id = get_the_ID(); - $attachment_data = wp_get_attachment_metadata( $id ); - $is_image = (int) wp_attachment_is_image(); - if ( !isset($attachment_data['width']) && $is_image ) { - if ( $image_data = getimagesize( get_attached_file( $id ) ) ) { - $attachment_data['width'] = $image_data[0]; - $attachment_data['height'] = $image_data[1]; - wp_update_attachment_metadata( $id, $attachment_data ); - } - } - if ( isset($attachment_data['width']) ) - list($width,$height) = wp_shrink_dimensions($attachment_data['width'], $attachment_data['height'], 171, 128); - - ob_start(); - the_title(); - $post_title = attribute_escape(ob_get_contents()); - ob_end_clean(); - $post_content = attribute_escape(apply_filters( 'content_edit_pre', $post->post_content )); - - $class = 'text'; - $innerHTML = get_attachment_innerHTML( $id, false, $dims ); - if ( $image_src = get_attachment_icon_src() ) { - $image_rel = wp_make_link_relative($image_src); - $innerHTML = ' ' . 
str_replace($image_src, $image_rel, $innerHTML); - $class = 'image'; - } - - $src_base = wp_get_attachment_url(); - $src = wp_make_link_relative( $src_base ); - $src_base = str_replace($src, '', $src_base); - - $r = ''; - - if ( $href ) - $r .= "<a id='file-link-$id' href='$href' title='$post_title' class='file-link $class'>\n"; - if ( $href || $image_src ) - $r .= "\t\t\t$innerHTML"; - if ( $href ) - $r .= "</a>\n"; - $r .= "\n\t\t<div class='upload-file-data'>\n\t\t\t<p>\n"; - $r .= "\t\t\t\t<input type='hidden' name='attachment-url-$id' id='attachment-url-$id' value='$src' />\n"; - $r .= "\t\t\t\t<input type='hidden' name='attachment-url-base-$id' id='attachment-url-base-$id' value='$src_base' />\n"; - - if ( !$thumb_base = wp_get_attachment_thumb_url() ) - $thumb_base = wp_mime_type_icon(); - if ( $thumb_base ) { - $thumb_rel = wp_make_link_relative( $thumb_base ); - $thumb_base = str_replace( $thumb_rel, '', $thumb_base ); - $r .= "\t\t\t\t<input type='hidden' name='attachment-thumb-url-$id' id='attachment-thumb-url-$id' value='$thumb_rel' />\n"; - $r .= "\t\t\t\t<input type='hidden' name='attachment-thumb-url-base-$id' id='attachment-thumb-url-base-$id' value='$thumb_base' />\n"; - } - - $r .= "\t\t\t\t<input type='hidden' name='attachment-is-image-$id' id='attachment-is-image-$id' value='$is_image' />\n"; - - if ( isset($width) ) { - $r .= "\t\t\t\t<input type='hidden' name='attachment-width-$id' id='attachment-width-$id' value='$width' />\n"; - $r .= "\t\t\t\t<input type='hidden' name='attachment-height-$id' id='attachment-height-$id' value='$height' />\n"; - } - $r .= "\t\t\t\t<input type='hidden' name='attachment-page-url-$id' id='attachment-page-url-$id' value='" . get_attachment_link( $id ) . 
"' />\n"; - $r .= "\t\t\t\t<input type='hidden' name='attachment-title-$id' id='attachment-title-$id' value='$post_title' />\n"; - $r .= "\t\t\t\t<input type='hidden' name='attachment-description-$id' id='attachment-description-$id' value='$post_content' />\n"; - $r .= "\t\t\t</p>\n\t\t</div>\n"; - return $r; -} - -function wp_upload_view() { - global $style, $post_id, $style; - $id = get_the_ID(); - $attachment_data = wp_get_attachment_metadata( $id ); -?> - <div id="upload-file"> - <div id="file-title"> - <h2><?php if ( !isset($attachment_data['width']) && 'inline' != $style ) - echo "<a href='" . wp_get_attachment_url() . "' title='" . __('Direct link to file') . "'>"; - the_title(); - if ( !isset($attachment_data['width']) && 'inline' != $style ) - echo '</a>'; - ?></h2> - <span><?php - echo '[ '; - echo '<a href="' . get_permalink() . '">' . __('view') . '</a>'; - echo ' | '; - echo '<a href="' . clean_url(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>'; - echo ' | '; - echo '<a href="' . clean_url(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>'; - echo ' ]'; ?></span> - </div> - - <div id="upload-file-view" class="alignleft"> -<?php if ( isset($attachment_data['width']) && 'inline' != $style ) - echo "<a href='" . wp_get_attachment_url() . "' title='" . __('Direct link to file') . "'>"; - echo wp_upload_display( array(171, 128) ); - if ( isset($attachment_data['width']) && 'inline' != $style ) - echo '</a>'; ?> - </div> - <?php the_attachment_links( $id ); ?> - </div> -<?php echo "<form action='' id='browse-form'><input type='hidden' id='nonce-value' value='" . wp_create_nonce( 'inlineuploading' ) . "' /></form>\n"; -} - -function wp_upload_form() { - $id = get_the_ID(); - global $post_id, $tab, $style; - $enctype = $id ? 
'' : ' enctype="multipart/form-data"'; - $post_id = (int) $post_id; -?> - <form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . '/wp-admin/upload.php?style=' . attribute_escape($style . '&tab=upload&post_id=' . $post_id); ?>"> -<?php - if ( $id ) : - $attachment = get_post_to_edit( $id ); - $attachment_data = wp_get_attachment_metadata( $id ); -?> - <div id="file-title"> - <h2><?php if ( !isset($attachment_data['width']) && 'inline' != $style ) - echo "<a href='" . wp_get_attachment_url() . "' title='" . __('Direct link to file') . "'>"; - the_title(); - if ( !isset($attachment_data['width']) && 'inline' != $style ) - echo '</a>'; - ?></h2> - <span><?php - echo '[ '; - echo '<a href="' . get_permalink() . '">' . __('view') . '</a>'; - echo ' | '; - echo '<a href="' . clean_url(add_query_arg('action', 'view')) . '">' . __('links') . '</a>'; - echo ' | '; - echo '<a href="' . clean_url(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>'; - echo ' ]'; ?></span> - </div> - - <div id="upload-file-view" class="alignleft"> -<?php if ( isset($attachment_data['width']) && 'inline' != $style ) - echo "<a href='" . wp_get_attachment_url() . "' title='" . __('Direct link to file') . 
"'>"; - echo wp_upload_display( array(171, 128) ); - if ( isset($attachment_data['width']) && 'inline' != $style ) - echo '</a>'; ?> - </div> -<?php endif; ?> - <table><col /><col class="widefat" /> -<?php if ( $id ): ?> - <tr> - <th scope="row"><label for="url"><?php _e('URL'); ?></label></th> - <td><input type="text" id="url" class="readonly" value="<?php echo wp_get_attachment_url(); ?>" readonly="readonly" /></td> - </tr> -<?php else : ?> - <tr> - <th scope="row"><label for="upload"><?php _e('File'); ?></label></th> - <td><input type="file" id="upload" name="image" /></td> - </tr> -<?php endif; ?> - <tr> - <th scope="row"><label for="post_title"><?php _e('Title'); ?></label></th> - <td><input type="text" id="post_title" name="post_title" value="<?php echo $attachment->post_title; ?>" /></td> - </tr> - <tr> - <th scope="row"><label for="post_content"><?php _e('Description'); ?></label></th> - <td><textarea name="post_content" id="post_content"><?php echo $attachment->post_content; ?></textarea></td> - </tr> - <tr id="buttons" class="submit"> - <td colspan='2'> -<?php if ( $id ) : ?> - <input type="submit" name="delete" id="delete" class="delete alignleft" value="<?php _e('Delete File'); ?>" /> -<?php endif; ?> - <input type="hidden" name="from_tab" value="<?php echo $tab; ?>" /> - <input type="hidden" name="action" value="<?php echo $id ? 'save' : 'upload'; ?>" /> -<?php if ( $post_id ) : ?> - <input type="hidden" name="post_id" value="<?php echo $post_id; ?>" /> -<?php endif; if ( $id ) : ?> - <input type="hidden" name="ID" value="<?php echo $id; ?>" /> -<?php endif; ?> - <?php wp_nonce_field( 'inlineuploading' ); ?> - <div class="submit"> - <input type="submit" value="<?php $id ? 
_e('Save') : _e('Upload'); ?> »" /> - </div> - </td> - </tr> - </table> - </form> -<?php -} - -function wp_upload_tab_upload() { - wp_upload_form(); -} - -function wp_upload_tab_upload_action() { - global $action; - if ( isset($_POST['delete']) ) - $action = 'delete'; - - switch ( $action ) : - case 'upload' : - global $from_tab, $post_id, $style; - if ( !$from_tab ) - $from_tab = 'upload'; - - check_admin_referer( 'inlineuploading' ); - - global $post_id, $post_title, $post_content; - - if ( !current_user_can( 'upload_files' ) ) - wp_die( __('You are not allowed to upload files.') - . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&tab=browse-all&post_id=$post_id") . "'>" - . __('Browse Files') . '</a>' - ); - - $overrides = array('action'=>'upload'); - - $file = wp_handle_upload($_FILES['image'], $overrides); - - if ( isset($file['error']) ) - wp_die($file['error'] . "<br /><a href='" . get_option('siteurl') - . "/wp-admin/upload.php?style=" . attribute_escape($style . "&tab=$from_tab&post_id=$post_id") . "'>" . __('Back to Image Uploading') . '</a>' - ); - - $url = $file['url']; - $type = $file['type']; - $file = $file['file']; - $filename = basename($file); - - // Construct the attachment array - $attachment = array( - 'post_title' => $post_title ? $post_title : $filename, - 'post_content' => $post_content, - 'post_type' => 'attachment', - 'post_parent' => $post_id, - 'post_mime_type' => $type, - 'guid' => $url - ); - - // Save the data - $id = wp_insert_attachment($attachment, $file, $post_id); - - wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) ); - - wp_redirect( get_option('siteurl') . 
"/wp-admin/upload.php?style=$style&tab=browse&action=view&ID=$id&post_id=$post_id"); - die; - break; - - case 'save' : - global $from_tab, $post_id, $style; - if ( !$from_tab ) - $from_tab = 'upload'; - check_admin_referer( 'inlineuploading' ); - - wp_update_post($_POST); - wp_redirect( get_option('siteurl') . "/wp-admin/upload.php?style=$style&tab=$from_tab&post_id=$post_id"); - die; - break; - - case 'delete' : - global $ID, $post_id, $from_tab, $style; - if ( !$from_tab ) - $from_tab = 'upload'; - - check_admin_referer( 'inlineuploading' ); - - if ( !current_user_can('edit_post', (int) $ID) ) - wp_die( __('You are not allowed to delete this attachment.') - . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&tab=$from_tab&post_id=$post_id") . "'>" - . __('Go back') . '</a>' - ); - - wp_delete_attachment($ID); - - wp_redirect( get_option('siteurl') . "/wp-admin/upload.php?style=$style&tab=$from_tab&post_id=$post_id" ); - die; - break; - - endswitch; -} - -add_action( 'upload_files_upload', 'wp_upload_tab_upload_action' ); - -function wp_upload_grab_attachments( $obj ) { - $obj->is_attachment = true; -} - -function wp_upload_posts_where( $where ) { - global $post_id; - return $where . " AND post_parent = '" . (int) $post_id . "'"; -} - -function wp_upload_tab_browse() { - global $wpdb, $action, $paged; - $old_vars = compact( 'paged' ); - - switch ( $action ) : - case 'edit' : - case 'view' : - global $ID; - $attachments = query_posts("attachment_id=$ID"); - if ( have_posts() ) : while ( have_posts() ) : the_post(); - 'edit' == $action ? 
wp_upload_form() : wp_upload_view(); - endwhile; endif; - break; - default : - global $tab, $post_id, $style; - add_action( 'pre_get_posts', 'wp_upload_grab_attachments' ); - if ( 'browse' == $tab && $post_id ) - add_filter( 'posts_where', 'wp_upload_posts_where' ); - $attachments = query_posts("what_to_show=posts&posts_per_page=10&paged=$paged"); - $count_query = "SELECT COUNT(*) FROM $wpdb->posts WHERE post_type = 'attachment'"; - if ( $post_id ) - $count_query .= " AND post_parent = '$post_id'"; - $total = $wpdb->get_var($count_query); - - echo "<ul id='upload-files'>\n"; - if ( have_posts() ) : while ( have_posts() ) : the_post(); - $href = wp_specialchars( add_query_arg( array( - 'action' => 'inline' == $style ? 'view' : 'edit', - 'ID' => get_the_ID()) - ), 1 ); - - echo "\t<li id='file-"; - the_ID(); - echo "' class='alignleft'>\n"; - echo wp_upload_display( array(128,128), $href ); - echo "\t</li>\n"; - endwhile; - else : - echo "\t<li>" . __('There are no attachments to show.') . "</li>\n"; - endif; - echo "</ul>\n\n"; - - echo "<form action='' id='browse-form'><input type='hidden' id='nonce-value' value='" . wp_create_nonce( 'inlineuploading' ) . "' /></form>\n"; - break; - endswitch; - - extract($old_vars); -} - - -function wp_upload_tab_browse_action() { - global $style; - if ( 'inline' == $style ) - wp_enqueue_script('upload'); -} - -add_action( 'upload_files_browse', 'wp_upload_tab_browse_action' ); -add_action( 'upload_files_browse-all', 'wp_upload_tab_browse_action' ); - -function wp_upload_admin_head() { - global $wp_locale; - echo "<link rel='stylesheet' href='" . get_option('siteurl') . '/wp-admin/upload.css?version=' . get_bloginfo('version') . "a' type='text/css' />\n"; - if ( 'rtl' == $wp_locale->text_direction ) - echo "<link rel='stylesheet' href='" . get_option('siteurl') . '/wp-admin/upload-rtl.css?version=' . get_bloginfo('version') . 
"a' type='text/css' />\n"; - if ( 'inline' == @$_GET['style'] ) { - echo "<style type='text/css' media='screen'>\n"; - echo "\t#upload-menu { position: absolute; z-index: 2; }\n"; - echo "\tbody > #upload-menu { position: fixed; }\n"; - echo "\t#upload-content { top: 2em; }\n"; - echo "\t#upload-file { position: absolute; top: 15px; }\n"; - echo "</style>"; - } -} - -?> @@ -159,6 +159,10 @@ class AtomServer { function get_service() { log_app('function','get_service()'); + + if( !current_user_can( 'edit_posts' ) ) + $this->auth_required( __( 'Sorry, you do not have the right to access this blog.' ) ); + $entries_url = attribute_escape($this->get_entries_url()); $categories_url = attribute_escape($this->get_categories_url()); $media_url = attribute_escape($this->get_attachments_url()); @@ -188,8 +192,11 @@ EOD; } function get_categories_xml() { - log_app('function','get_categories_xml()'); + + if( !current_user_can( 'edit_posts' ) ) + $this->auth_required( __( 'Sorry, you do not have the right to access this blog.' ) ); + $home = attribute_escape(get_bloginfo_rss('home')); $categories = ""; @@ -282,8 +289,11 @@ EOD; } function get_post($postID) { - global $entry; + + if( !current_user_can( 'edit_post', $postID ) ) + $this->auth_required( __( 'Sorry, you do not have the right to access this post.' ) ); + $this->set_current_entry($postID); $output = $this->get_entry($postID); log_app('function',"get_post($postID)"); @@ -372,8 +382,9 @@ EOD; } function get_attachment($postID = NULL) { + if( !current_user_can( 'upload_files' ) ) + $this->auth_required( __( 'Sorry, you do not have the right to file uploads on this blog.' ) ); - global $entry; if (!isset($postID)) { $this->get_attachments(); } else { 
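Review bot: The same two-line guard (`if( !current_user_can(...) ) $this->auth_required(...)`) is now repeated in get_service(), get_categories_xml(), get_post() and get_attachment(), which makes it easy for the next AtomServer method to miss it; a small private helper that performs the check and calls auth_required() would keep the policy in one place. Whether auth_required() terminates the request is not visible in these hunks; if it only emits the 401 and returns, each guard also needs a `return;` after it, otherwise the method body still runs for the unauthorised caller. In get_categories_xml() the `log_app('function','get_categories_xml()')` line was dropped while get_service() and get_post() keep theirs, so the AtomPub call log is no longer uniform; restoring it helps when auditing who touched this endpoint. Each method's body continues past its hunk.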
@@ -494,6 +505,10 @@ EOD; } $location = get_post_meta($entry['ID'], '_wp_attached_file', true); + $filetype = wp_check_filetype($location); + + if(!isset($location) || 'attachment' != $entry['post_type'] || empty($filetype['ext'])) + $this->internal_error(__('Error ocurred while accessing post metadata for file location.')); // delete file @unlink($location); @@ -795,7 +810,6 @@ EOD; </app:control> <author> <name><?php the_author()?></name> - <email><?php the_author_email()?></email> <?php if (get_the_author_url() && get_the_author_url() != 'http://') { ?> <uri><?php the_author_url()?></uri> <?php } ?> diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php index 2c95dbe..76f41d8 100644 --- a/wp-includes/formatting.php +++ b/wp-includes/formatting.php 
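Review bot: The new guard before `@unlink($location)` ties deletion to `'attachment' == $entry['post_type']` and a recognised extension, but it does not confine `$location` to the upload directory, so a stale or tampered `_wp_attached_file` value pointing elsewhere would still be unlinked if it passes wp_check_filetype(); comparing `realpath($location)` against the path from wp_upload_dir() before unlinking would close that gap. `isset($location)` is always true here because get_post_meta() has just assigned it — `'' === $location` (or `empty($location)`) is the test that actually rejects a missing meta value. The guard also relies on internal_error() ending the request; if it returns, a `return;` after the call is needed so execution does not reach the unlink. The enclosing delete method starts and ends outside the hunk.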
@@ -622,18 +622,35 @@ function antispambot($emailaddy, $mailto=0) { return $emailNOSPAMaddy; } +function _make_url_clickable_cb($matches) { + $url = $matches[2]; + $url = clean_url($url); + if ( empty($url) ) + return $matches[0]; + return $matches[1] . "<a href=\"$url\" rel=\"nofollow\">$url</a>"; +} + +function _make_web_ftp_clickable_cb($matches) { + $dest = $matches[2]; + $dest = 'http://' . $dest; + $dest = clean_url($dest); + if ( empty($dest) ) + return $matches[0]; + + return $matches[1] . "<a href=\"$dest\" rel=\"nofollow\">$dest</a>"; +} + +function _make_email_clickable_cb($matches) { + $email = $matches[2] . '@' . $matches[3]; + return $matches[1] . "<a href=\"mailto:$email\">$email</a>"; +} + function make_clickable($ret) { $ret = ' ' . $ret; // in testing, using arrays here was found to be faster - $ret = preg_replace( - array( - '#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', - '#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', - '#([\s>])([a-z0-9\-_.]+)@([^,< \n\r]+)#i'), - array( - '$1<a href="$2" rel="nofollow">$2</a>', - '$1<a href="http://$2" rel="nofollow">$2</a>', - '$1<a href="mailto:$2@$3">$2@$3</a>'),$ret); + $ret = preg_replace_callback('#([\s>])([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_url_clickable_cb', $ret); + $ret = preg_replace_callback('#([\s>])((www|ftp)\.[\w\#$%&~/.\-;:=,?@\[\]+]*)#is', '_make_web_ftp_clickable_cb', $ret); + $ret = preg_replace_callback('#([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})#i', '_make_email_clickable_cb', $ret); // this one is not in an array because we need it to run last, for cleanup of accidental links within links $ret = preg_replace("#(<a( [^>]+?>|>))<a [^>]+?>([^>]+?)</a></a>#i", "$1$3</a>", $ret); $ret = trim($ret); diff --git a/wp-includes/functions.php b/wp-includes/functions.php index bd89231..a067a8a 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php 
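Review bot: `_make_email_clickable_cb()` writes `$email` into both the href and the link text without clean_url() or any escaping, unlike its two siblings; it is only safe because the pattern in make_clickable() limits `$matches[2]` to `[.0-9a-z_+-]` and `$matches[3]` to `[0-9a-z.-]`, and that coupling is not stated anywhere. A docblock on the callback along the lines of "Relies on the caller's regex restricting both captures to [A-Za-z0-9._+-]; add escaping here if that pattern is ever loosened" would keep a later regex change from becoming an injection. The two URL callbacks fall back to `return $matches[0]` when clean_url() rejects the candidate, which is the right behaviour and worth a comment there too, since clean_url()'s output doubles as the visible link text.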
@@ -204,10 +204,10 @@ function get_option($setting) { if ( false === $value ) { if ( defined('WP_INSTALLING') ) - $wpdb->hide_errors(); + $show = $wpdb->hide_errors(); $row = $wpdb->get_row("SELECT option_value FROM $wpdb->options WHERE option_name = '$setting' LIMIT 1"); if ( defined('WP_INSTALLING') ) - $wpdb->show_errors(); + $wpdb->show_errors($show); if( is_object( $row) ) { // Has to be get_row instead of get_var because of funkiness with 0, false, null values $value = $row->option_value; @@ -242,11 +242,11 @@ function form_option($option) { function get_alloptions() { global $wpdb, $wp_queries; - $wpdb->hide_errors(); + $show = $wpdb->hide_errors(); if ( !$options = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options WHERE autoload = 'yes'") ) { $options = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options"); } - $wpdb->show_errors(); + $wpdb->show_errors($show); foreach ($options as $option) { // "When trying to design a foolproof system, @@ -269,10 +269,10 @@ function wp_load_alloptions() { $alloptions = wp_cache_get('alloptions', 'options'); if ( !$alloptions ) { - $wpdb->hide_errors(); + $show = $wpdb->hide_errors(); if ( !$alloptions_db = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options WHERE autoload = 'yes'") ) $alloptions_db = $wpdb->get_results("SELECT option_name, option_value FROM $wpdb->options"); - $wpdb->show_errors(); + $wpdb->show_errors($show); $alloptions = array(); foreach ( (array) $alloptions_db as $o ) $alloptions[$o->option_name] = $o->option_value; @@ -899,9 +899,9 @@ function do_robots() { function is_blog_installed() { global $wpdb; - $wpdb->hide_errors(); + $show = $wpdb->hide_errors(); $installed = $wpdb->get_var("SELECT option_value FROM $wpdb->options WHERE option_name = 'siteurl'"); - $wpdb->show_errors(); + $wpdb->show_errors($show); $install_status = !empty( $installed ) ? TRUE : FALSE; return $install_status; 
@@ -1426,4 +1426,36 @@ function wp_ob_end_flush_all() while ( @ob_end_flush() ); } +function dead_db() { + global $wpdb; + + // Load custom DB error template, if present. + if ( file_exists( ABSPATH . 'wp-content/db-error.php' ) ) { + require_once( ABSPATH . 'wp-content/db-error.php' ); + die(); + } + + // If installing or in the admin, provide the verbose message. + if ( defined('WP_INSTALLING') || defined('WP_ADMIN') ) + wp_die($wpdb->error); + + // Otherwise, be terse. + status_header( 500 ); + nocache_headers(); + header( 'Content-Type: text/html; charset=utf-8' ); +?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" <?php if ( function_exists( 'language_attributes' ) ) language_attributes(); ?>> +<head> + <title>Database Error</title> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> +</head> +<body> + <h1>Error establishing a database connection</h1> +</body> +</html> +<?php + die(); +} + ?> diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php index 8ce2985..d9dae0f 100644 --- a/wp-includes/pluggable.php +++ b/wp-includes/pluggable.php @@ -79,9 +79,9 @@ function get_userdata( $user_id ) { if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID = '$user_id' LIMIT 1") ) return false; - $wpdb->hide_errors(); + $show = $wpdb->hide_errors(); $metavalues = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user_id'"); - $wpdb->show_errors(); + $wpdb->show_errors($show); if ($metavalues) { foreach ( $metavalues as $meta ) { diff --git a/wp-includes/post.php b/wp-includes/post.php index ea41d62..6c62224 100644 --- a/wp-includes/post.php +++ b/wp-includes/post.php 
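Review bot: dead_db() hands `$wpdb->error` to wp_die() as-is, while setup-config.php in this same commit calls `$wpdb->error->get_error_message()`; wpdb::bail() stores either a WP_Error or a plain string, so unless wp_die() unwraps WP_Error itself (not visible here) the admin path should normalise with `wp_die( is_wp_error($wpdb->error) ? $wpdb->error->get_error_message() : $wpdb->error );`. The split between a verbose message under WP_INSTALLING/WP_ADMIN and a bare 500 page for everyone else is the right shape, since the verbose text carries the database name (see `<code>$db</code>` in wpdb::select()), and that intent deserves a docblock: `/** Terminate on a DB connection error: full text only while installing or in the admin, a generic 500 page otherwise. */`. The `require_once( ABSPATH . 'wp-content/db-error.php' )` branch lets a site supply its own page; the comment above it should say the file is expected to produce the whole response, because `die()` follows immediately.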
@@ -428,6 +428,10 @@ function get_post_custom_values( $key = '', $post_id = 0 ) { } function sanitize_post($post, $context = 'display') { + + if ( 'raw' == $context ) + return $post; + // TODO: Use array keys instead of hard coded list $fields = array('post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_date', 'post_date_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'post_category'); @@ -1139,6 +1143,7 @@ function &get_pages($args = '') { $exclude = ''; $meta_key = ''; $meta_value = ''; + $hierarchical = false; $incpages = preg_split('/[\s,]+/',$include); if ( count($incpages) ) { foreach ( $incpages as $incpage ) { diff --git a/wp-includes/query.php b/wp-includes/query.php index 61a78f6..82f0807 100644 --- a/wp-includes/query.php +++ b/wp-includes/query.php @@ -32,9 +32,9 @@ function wp_reset_query() { */
function is_admin () {
- global $wp_query;
-
- return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
+ if ( defined('WP_ADMIN') )
+ return WP_ADMIN;
+ return false;
}
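Review bot: is_admin() now answers from the WP_ADMIN constant (defined in wp-admin/admin.php in this commit) instead of sniffing `$_SERVER['REQUEST_URI']`, so the request path no longer influences it, and the WP_Query hunk below inherits that by calling is_admin(); the function comment that precedes the hunk should say so, e.g. `Whether this request was dispatched through wp-admin/admin.php (which defines WP_ADMIN). The request URI is deliberately not consulted.` As a point of style the two-branch body collapses to `return defined('WP_ADMIN') && WP_ADMIN;`, which also guarantees a boolean rather than whatever WP_ADMIN happens to hold. Any admin entry point that does not pass through admin.php would now read as a front-end request; whether such files exist is outside this hunk.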
function is_archive () {
@@ -642,7 +642,7 @@ class WP_Query { if ('' != $qv['preview'])
$this->is_preview = true;
- if ( strpos($_SERVER['PHP_SELF'], 'wp-admin/') !== false )
+ if ( is_admin() )
$this->is_admin = true;
if ( false !== strpos($qv['feed'], 'comments-') ) {
diff --git a/wp-includes/taxonomy.php b/wp-includes/taxonomy.php index ea9fae6..92ebdda 100644 --- a/wp-includes/taxonomy.php +++ b/wp-includes/taxonomy.php @@ -663,6 +663,10 @@ function is_term($term, $taxonomy = '') { * @return array|object Term with all fields sanitized */ function sanitize_term($term, $taxonomy, $context = 'display') { + + if ( 'raw' == $context ) + return $term; + $fields = array('term_id', 'name', 'description', 'slug', 'count', 'parent', 'term_group'); $do_object = false; @@ -933,8 +937,8 @@ function wp_insert_term( $term, $taxonomy, $args = array() ) { $term_group = $alias->term_group; } else { // The alias isn't in a group, so let's create a new one and firstly add the alias term to it. - $term_group = $wpdb->get_var("SELECT MAX(term_group) FROM $wpdb->terms") + 1; - $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->terms SET term_group = %d WHERE term_id = %d", $term_group, $alias->term_id ) ); + $term_group = $wpdb->get_var("SELECT MAX(term_group) FROM $wpdb->terms GROUP BY term_group") + 1; + $wpdb->query("UPDATE $wpdb->terms SET term_group = $term_group WHERE term_id = $alias->term_id"); } } diff --git a/wp-includes/version.php b/wp-includes/version.php index e2814c1..7a78e44 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -2,8 +2,8 @@ // This holds the version number in a separate file so we can bump it without cluttering the SVN -$wp_version = '2.3.1'; -$wpmu_version = '1.3'; +$wp_version = '2.3.2'; +$wpmu_version = '1.3.1'; $wp_db_version = 6124; ?> diff --git a/wp-includes/wp-db.php b/wp-includes/wp-db.php index ef1070e..adadc31 100644 --- a/wp-includes/wp-db.php +++ b/wp-includes/wp-db.php @@ -15,11 +15,12 @@ if (!defined('SAVEQUERIES')) class wpdb { - var $show_errors = true; + var $show_errors = false; var $num_queries = 0; var $last_query; var $col_info; var $queries; + var $ready = false; // Our tables var $posts; 
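Review bot: `SELECT MAX(term_group) FROM $wpdb->terms GROUP BY term_group` returns one row per distinct term_group, so get_var() takes the first row — not the overall maximum — and `+ 1` may produce a group number that is already in use, putting the alias into an existing group; the old side's query without `GROUP BY` was the correct one. The rewritten UPDATE also replaces `$wpdb->prepare()` with direct interpolation of `$term_group` and `$alias->term_id`; both values come from the database rather than the request, but the prepared form was already present and keeps the statement safe if either source changes, so I would keep `$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->terms SET term_group = %d WHERE term_id = %d", $term_group, $alias->term_id ) );`. The `'raw'` early return added to sanitize_term() (and to sanitize_post() in post.php) skips every field filter, so its docblock should note that callers receive unsanitized values and must escape on output. wp_insert_term() starts and ends outside the hunk.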
@@ -58,6 +59,9 @@ class wpdb { function __construct($dbuser, $dbpassword, $dbname, $dbhost) { register_shutdown_function(array(&$this, "__destruct")); + if ( defined('WP_DEBUG') and WP_DEBUG == true ) + $this->show_errors(); + $this->charset = 'utf8'; $this->collete = 'utf8'; @@ -79,8 +83,11 @@ class wpdb { </ul> <p>If you're unsure what these terms mean you should probably contact your host. If you still need help you can always visit the <a href='http://wordpress.org/support/'>WordPress Support Forums</a>.</p> "); + return; } + $this->ready = true; + if ( !empty($this->charset) && version_compare(mysql_get_server_info(), '4.1.0', '>=') ) $this->query("SET NAMES '$this->charset'"); @@ -97,6 +104,7 @@ class wpdb { */ function select($db, &$dbh) { if (!@mysql_select_db($db, $dbh)) { + $this->ready = false; $this->bail(" <h1>Can’t select database</h1> <p>We were able to connect to the database server (which means your username and password is okay) but not able to select the <code>$db</code> database.</p> @@ -105,6 +113,7 @@ class wpdb { <li>On some systems the name of your database is prefixed with your username, so it would be like username_wordpress. Could that be the problem?</li> </ul> <p>If you don't know how to setup a database you should <strong>contact your host</strong>. If all else fails you may find help at the <a href='http://wordpress.org/support/'>WordPress Support Forums</a>.</p>"); + return; } } @@ -174,12 +183,16 @@ class wpdb { // ================================================================== // Turn error handling on or off.. - function show_errors() { - $this->show_errors = true; + function show_errors( $show = true ) { + $errors = $this->show_errors; + $this->show_errors = $show; + return $errors; } function hide_errors() { + $show = $this->show_errors; $this->show_errors = false; + return $show; } // ================================================================== 
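Review bot: `if ( defined('WP_DEBUG') and WP_DEBUG == true )` compares loosely, so a non-empty string such as `define('WP_DEBUG', 'false')` satisfies it and turns error display back on; `if ( defined('WP_DEBUG') && WP_DEBUG === true )` (or at least `&&` with a strict test) matches the intent. Flipping `$show_errors` to `false` by default means failed SQL is no longer echoed to anonymous visitors, which is worth recording next to the property: `var $show_errors = false; // off by default: DB errors (which include the query) are only shown under WP_DEBUG or when a caller asks`. show_errors() and hide_errors() now return the previous setting so callers can restore it, as functions.php and pluggable.php do in this commit; a `@return bool previous setting` line on each would make that contract visible. The `return;` lines added after bail() in the constructor and select() are reached only in the quiet mode, because with show_errors on bail() calls wp_die(); a comment saying so saves the next reader from treating them as dead code.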
@@ -231,6 +244,9 @@ class wpdb { // Basic Query - see docs for more detail function query($query) { + if ( ! $this->ready ) + return false; + // filter the query, if filters are available // NOTE: some queries are made before the plugins have been loaded, and thus cannot be filtered with this method if ( function_exists('apply_filters') ) @@ -470,8 +486,13 @@ class wpdb { * @param string $message */ function bail($message) { // Just wraps errors in a nice header and footer - if ( !$this->show_errors ) + if ( !$this->show_errors ) { + if ( class_exists('WP_Error') ) + $this->error = new WP_Error('500', $message); + else + $this->error = $message; return false; + } wp_die($message); } } diff --git a/wp-mail.php b/wp-mail.php index e510055..ab9ae84 100644 --- a/wp-mail.php +++ b/wp-mail.php @@ -12,7 +12,7 @@ $phone_delim = '::'; $pop3 = new POP3(); if (!$pop3->connect(get_option('mailserver_url'), get_option('mailserver_port'))) - wp_die($pop3->ERROR); + wp_die(wp_specialchars($pop3->ERROR)); $count = $pop3->login(get_option('mailserver_login'), get_option('mailserver_pass')); if (0 == $count) wp_die(__('There doesn’t seem to be any new mail.')); @@ -129,9 +129,6 @@ for ($i=1; $i <= $count; $i++) : $content = explode($phone_delim, $content); $content[1] ? $content = $content[1] : $content = $content[0]; - echo "<p><b>Content-type:</b> $content_type, <b>Content-Transfer-Encoding:</b> $content_transfer_encoding, <b>boundary:</b> $boundary</p>\n"; - echo "<p><b>Raw content:</b><br /><pre>".$content.'</pre></p>'; - $content = trim($content); $post_content = apply_filters('phone_content', $content); 
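Review bot: query() now silently returns `false` whenever `$this->ready` is unset, and nothing distinguishes that from a query that genuinely failed; a comment on the guard, `// connection or db selection failed (see bail()): refuse to run anything rather than emit errors`, and a note on `var $ready` in the first hunk would make the lifecycle clear. In bail() the stored error is either `new WP_Error('500', $message)` or the bare `$message` depending on whether WP_Error is loaded, and the two consumers on this page (setup-config.php and dead_db()) handle only one shape each; documenting `$this->error` as `WP_Error|string` — or always storing the string and letting callers wrap it — removes that ambiguity. The query() body continues outside the hunk.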
@@ -161,12 +158,11 @@ for ($i=1; $i <= $count; $i++) : do_action('publish_phone', $post_ID); - echo "\n<p><b>Author:</b> $post_author</p>"; - echo "\n<p><b>Posted title:</b> $post_title<br />"; - echo "\n<b>Posted content:</b><br /><pre>".$content.'</pre></p>'; + echo "\n<p><b>Author:</b> " . wp_specialchars($post_author) . "</p>"; + echo "\n<p><b>Posted title:</b> " . wp_specialchars($post_title) . "<br />"; if(!$pop3->delete($i)) { - echo '<p>Oops '.$pop3->ERROR.'</p></div>'; + echo '<p>Oops '.wp_specialchars($pop3->ERROR).'</p></div>'; $pop3->reset(); exit; } else { diff --git a/wp-settings.php b/wp-settings.php index bc35a34..292f5d4 100644 --- a/wp-settings.php +++ b/wp-settings.php @@ -130,6 +130,9 @@ if ( file_exists(ABSPATH . 'wp-content/db.php') ) else require_once (ABSPATH . WPINC . '/wp-db.php'); +if ( !empty($wpdb->error) ) + dead_db(); + // $table_prefix is deprecated as of 2.1 $wpdb->prefix = $wpdb->base_prefix = $table_prefix; @@ -137,6 +140,7 @@ if ( preg_match('|[^a-z0-9_]|i', $wpdb->prefix) && !file_exists(ABSPATH . 'wp-co wp_die("<strong>ERROR</strong>: <code>$table_prefix</code> in <code>wp-config.php</code> can only contain numbers, letters, and underscores."); // Table names +$wpdb->usermeta = $wpdb->prefix . 'usermeta'; $wpdb->blogs = $wpdb->prefix . 'blogs'; $wpdb->site = $wpdb->prefix . 'site'; $wpdb->sitemeta = $wpdb->prefix . 'sitemeta'; @@ -145,7 +149,6 @@ $wpdb->signups = $wpdb->prefix . 'signups'; $wpdb->registration_log = $wpdb->prefix . 'registration_log'; $wpdb->blog_versions = $wpdb->prefix . 'blog_versions'; $wpdb->users = $wpdb->prefix . 'users'; -$wpdb->usermeta = $wpdb->prefix . 'usermeta'; if( defined( 'SUNRISE' ) ) include_once( ABSPATH . 'wp-content/sunrise.php' ); 
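Review bot: The `</p>` that closed the 'Posted title' paragraph lived on the removed 'Posted content' line, so after this change the second echo leaves its `<p>` open; `echo "\n<p><b>Posted title:</b> " . wp_specialchars($post_title) . "</p>";` closes it. wp_specialchars() escapes for the HTML body context, which is the only place these mailbox-sourced values are printed here, so the escaping itself is the right scope. The enclosing for loop starts before this hunk.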
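Review bot: The new `if ( !empty($wpdb->error) ) dead_db();` in wp-settings.php only fires in the non-debug configuration, because bail() (hunk at -470 in wp-db.php) records `$this->error` only when show_errors is off and otherwise calls wp_die() itself, and the hunk at -58 turns show_errors on under WP_DEBUG; a failed connect therefore never reaches this line when debugging. A comment would spare the next reader that trace: `// bail() records the connect error here only when show_errors is off; under WP_DEBUG it has already wp_die()d`. Whether dead_db() is defined by this point in wp-settings.php cannot be seen from this diff (its definition is elsewhere in the merge), so that ordering is worth confirming.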
@@ -172,9 +175,6 @@ if ( defined('CUSTOM_USER_TABLE') ) if ( defined('CUSTOM_USER_META_TABLE') ) $wpdb->usermeta = CUSTOM_USER_META_TABLE; -// To be removed in 2.2 -$tableposts = $tableusers = $tablecategories = $tablepost2cat = $tablecomments = $tablelink2cat = $tablelinks = $tablelinkcategories = $tableoptions = $tablepostmeta = ''; - if ( file_exists(ABSPATH . 'wp-content/object-cache.php') ) require_once (ABSPATH . 'wp-content/object-cache.php'); else @@ -187,6 +187,12 @@ class wp_xmlrpc_server extends IXR_Server { return($this->error); } + set_current_user( 0, $username ); + if( !current_user_can( 'edit_page', $page_id ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit this page.' ) ); + + do_action('xmlrpc_call', 'wp.getPage'); + // Lookup page info. $page = get_page($page_id); @@ -268,6 +274,12 @@ class wp_xmlrpc_server extends IXR_Server { return($this->error); } + set_current_user( 0, $username ); + if( !current_user_can( 'edit_pages' ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); + + do_action('xmlrpc_call', 'wp.getPages'); + // Lookup info on pages. $pages = get_pages(); $num_pages = count($pages); @@ -426,6 +438,12 @@ class wp_xmlrpc_server extends IXR_Server { return($this->error); } + set_current_user( 0, $username ); + if( !current_user_can( 'edit_pages' ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit pages.' ) ); + + do_action('xmlrpc_call', 'wp.getPageList'); + // Get list of pages ids and titles $page_list = $wpdb->get_results(" SELECT ID page_id, @@ -459,7 +477,6 @@ class wp_xmlrpc_server extends IXR_Server { * wp_getAuthors */ function wp_getAuthors($args) { - global $wpdb; $this->escape($args); 
@@ -471,7 +488,23 @@ class wp_xmlrpc_server extends IXR_Server { return($this->error); } - return(get_users_of_blog()); + set_current_user(0, $username); + if(!current_user_can("edit_posts")) { + return(new IXR_Error(401, __("Sorry, you can not edit posts on this blog."))); + } + + do_action('xmlrpc_call', 'wp.getAuthors'); + + $authors = array(); + foreach( (array) get_users_of_blog() as $row ) { + $authors[] = array( + "user_id" => $row->user_id, + "user_login" => $row->user_login, + "display_name" => $row->display_name + ); + } + + return($authors); } /** @@ -493,7 +526,7 @@ class wp_xmlrpc_server extends IXR_Server { // Set the user context and make sure they are // allowed to add a category. set_current_user(0, $username); - if(!current_user_can("manage_categories", $page_id)) { + if(!current_user_can("manage_categories")) { return(new IXR_Error(401, __("Sorry, you do not have the right to add a category."))); } @@ -547,6 +580,12 @@ class wp_xmlrpc_server extends IXR_Server { return($this->error); } + set_current_user(0, $username); + if( !current_user_can( 'edit_posts' ) ) + return new IXR_Error( 401, __( 'Sorry, you must be able to publish to this blog in order to view categories.' ) ); + + do_action('xmlrpc_call', 'wp.suggestCategories'); + $args = array('get' => 'all', 'number' => $max_results, 'name__like' => $category); $category_suggestions = get_categories($args); @@ -610,13 +649,18 @@ class wp_xmlrpc_server extends IXR_Server { return $this->error; } + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_posts' ) ) + return new IXR_Error( 401, __( 'Sorry, you do not have access to user data on this blog.' ) ); + + do_action('xmlrpc_call', 'blogger.getUserInfo'); + $user_data = get_userdatabylogin($user_login); $struct = array( 'nickname' => $user_data->nickname, 'userid' => $user_data->ID, 'url' => $user_data->user_url, - 'email' => $user_data->user_email, 'lastname' => $user_data->last_name, 'firstname' => $user_data->first_name ); 
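Review bot: wp_getAuthors now requires `edit_posts` and returns only user_id, user_login and display_name instead of the full rows from get_users_of_blog(), but its docblock (just above, in the hunk at -459) still reads only `wp_getAuthors`; the capability and the narrowed fields are the contract a client author needs. Suggested docblock: `/** wp.getAuthors - requires edit_posts; returns user_id, user_login and display_name for each user of the blog, no e-mail or password fields. */`. Note that user_login is still disclosed to every user holding edit_posts, a deliberate trade-off worth stating in that comment.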
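Review bot: The error text in wp.suggestCategories, 'Sorry, you must be able to publish to this blog in order to view categories.', describes a publish requirement while the check is `current_user_can( 'edit_posts' )`; metaWeblog.getCategories (hunk at -1517) and mt.getCategoryList (hunk at -1675) guard the same capability with 'Sorry, you must be able to edit posts on this blog in order to view categories.'. Reusing that wording here, `return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) );`, keeps the message consistent with the check and avoids one extra translation string.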
@@ -638,7 +682,12 @@ class wp_xmlrpc_server extends IXR_Server { return $this->error; } - $user_data = get_userdatabylogin($user_login); + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_post', $post_ID ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); + + do_action('xmlrpc_call', 'blogger.getPost'); + $post_data = wp_get_single_post($post_ID, ARRAY_A); $categories = implode(',', wp_get_post_categories($post_ID)); @@ -676,12 +725,16 @@ class wp_xmlrpc_server extends IXR_Server { $posts_list = wp_get_recent_posts($num_posts); + set_current_user( 0, $user_login ); + if (!$posts_list) { $this->error = new IXR_Error(500, __('Either there are no posts, or something went wrong.')); return $this->error; } foreach ($posts_list as $entry) { + if( !current_user_can( 'edit_post', $entry['ID'] ) ) + continue; $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); $categories = implode(',', wp_get_post_categories($entry['ID'])); 
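Review bot: The replaced line `$user_data = get_userdatabylogin($user_login);` in blogger_getPost is dropped rather than moved, so if any line of the method below this hunk still references `$user_data` (the rest of the body is outside the hunk) it now reads an undefined variable; the visible remainder uses `$post_data` only. A quick scan of the whole method before merging would settle it. If nothing else used it, the removal is correct and the new edit_post check is the only thing the method needed from the user lookup.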
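Review bot: The per-post `if( !current_user_can( 'edit_post', $entry['ID'] ) ) continue;` filters after wp_get_recent_posts($num_posts) has already selected $num_posts rows, so a caller who cannot edit some of them receives fewer posts than requested with no indication that anything was withheld; the same pattern appears in metaWeblog.getRecentPosts (hunk at -1437) and mt.getRecentPostTitles (hunk at -1636). That is a reasonable choice for a point release, but it should be stated beside the check: `// posts the caller cannot edit are skipped, so fewer than $num_posts entries may be returned`. Note also that an empty query result returns the 500 'Either there are no posts...' error while a fully filtered list presumably returns an empty array from the code after this hunk, two different outcomes for 'nothing to show' that the same comment could mention.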
@@ -1341,78 +1394,83 @@ class wp_xmlrpc_server extends IXR_Server { /* metaweblog.getPost ...returns a post */ function mw_getPost($args) { - global $wpdb; + global $wpdb; $this->escape($args); - $post_ID = (int) $args[0]; - $user_login = $args[1]; - $user_pass = $args[2]; + $post_ID = (int) $args[0]; + $user_login = $args[1]; + $user_pass = $args[2]; - if (!$this->login_pass_ok($user_login, $user_pass)) { - return $this->error; - } + if (!$this->login_pass_ok($user_login, $user_pass)) { + return $this->error; + } - $postdata = wp_get_single_post($post_ID, ARRAY_A); + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_post', $post_ID ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); - if ($postdata['post_date'] != '') { + do_action('xmlrpc_call', 'metaWeblog.getPost'); - $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']); - $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']); + $postdata = wp_get_single_post($post_ID, ARRAY_A); - $categories = array(); - $catids = wp_get_post_categories($post_ID); - foreach($catids as $catid) { - $categories[] = get_cat_name($catid); - } + if ($postdata['post_date'] != '') { + $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date']); + $post_date_gmt = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']); - $tagnames = array(); - $tags = wp_get_post_tags( $post_ID ); - if ( !empty( $tags ) ) { - foreach ( $tags as $tag ) { - $tagnames[] = $tag->name; + $categories = array(); + $catids = wp_get_post_categories($post_ID); + foreach($catids as $catid) { + $categories[] = get_cat_name($catid); + } + + $tagnames = array(); + $tags = wp_get_post_tags( $post_ID ); + if ( !empty( $tags ) ) { + foreach ( $tags as $tag ) { + $tagnames[] = $tag->name; + } + $tagnames = implode( ', ', $tagnames ); + } else { + $tagnames = ''; } - $tagnames = implode( ', ', $tagnames ); - } else { - $tagnames = ''; - } - $post = get_extended($postdata['post_content']); - $link = 
post_permalink($postdata['ID']); + $post = get_extended($postdata['post_content']); + $link = post_permalink($postdata['ID']); - // Get the author info. - $author = get_userdata($postdata['post_author']); + // Get the author info. + $author = get_userdata($postdata['post_author']); - $allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0; - $allow_pings = ('open' == $postdata['ping_status']) ? 1 : 0; + $allow_comments = ('open' == $postdata['comment_status']) ? 1 : 0; + $allow_pings = ('open' == $postdata['ping_status']) ? 1 : 0; - $resp = array( - 'dateCreated' => new IXR_Date($post_date), - 'userid' => $postdata['post_author'], - 'postid' => $postdata['ID'], - 'description' => $post['main'], - 'title' => $postdata['post_title'], - 'link' => $link, - 'permaLink' => $link, -// commented out because no other tool seems to use this -// 'content' => $entry['post_content'], - 'categories' => $categories, - 'mt_excerpt' => $postdata['post_excerpt'], - 'mt_text_more' => $post['extended'], - 'mt_allow_comments' => $allow_comments, - 'mt_allow_pings' => $allow_pings, - 'mt_keywords' => $tagnames, - 'wp_slug' => $postdata['post_name'], - 'wp_password' => $postdata['post_password'], - 'wp_author_id' => $author->ID, - 'wp_author_display_name' => $author->display_name, - 'date_created_gmt' => new IXR_Date($post_date_gmt) - ); - - return $resp; - } else { - return new IXR_Error(404, __('Sorry, no such post.')); - } + $resp = array( + 'dateCreated' => new IXR_Date($post_date), + 'userid' => $postdata['post_author'], + 'postid' => $postdata['ID'], + 'description' => $post['main'], + 'title' => $postdata['post_title'], + 'link' => $link, + 'permaLink' => $link, + // commented out because no other tool seems to use this + // 'content' => $entry['post_content'], + 'categories' => $categories, + 'mt_excerpt' => $postdata['post_excerpt'], + 'mt_text_more' => $post['extended'], + 'mt_allow_comments' => $allow_comments, + 'mt_allow_pings' => $allow_pings, + 'mt_keywords' => 
$tagnames, + 'wp_slug' => $postdata['post_name'], + 'wp_password' => $postdata['post_password'], + 'wp_author_id' => $author->ID, + 'wp_author_display_name' => $author->display_name, + 'date_created_gmt' => new IXR_Date($post_date_gmt) + ); + + return $resp; + } else { + return new IXR_Error(404, __('Sorry, no such post.')); + } } @@ -1437,7 +1495,11 @@ class wp_xmlrpc_server extends IXR_Server { return $this->error; } + set_current_user( 0, $user_login ); + foreach ($posts_list as $entry) { + if( !current_user_can( 'edit_post', $entry['ID'] ) ) + continue; $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']); @@ -1517,6 +1579,12 @@ class wp_xmlrpc_server extends IXR_Server { return $this->error; } + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_posts' ) ) + return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); + + do_action('xmlrpc_call', 'metaWeblog.getCategories'); + $categories_struct = array(); if ( $cats = get_categories('get=all') ) { @@ -1636,7 +1704,11 @@ class wp_xmlrpc_server extends IXR_Server { return $this->error; } + set_current_user( 0, $user_login ); + foreach ($posts_list as $entry) { + if( !current_user_can( 'edit_post', $entry['ID'] ) ) + continue; $post_date = mysql2date('Ymd\TH:i:s', $entry['post_date']); $post_date_gmt = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']); 
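Review bot: Almost every line of mw_getPost is touched, yet the only functional change is the new `set_current_user( 0, $user_login );` / `current_user_can( 'edit_post', $post_ID )` block before wp_get_single_post(); the rest is a re-indentation, which buries the security-relevant change in a whitespace diff and belongs in a separate commit. While re-indenting, the commented-out `// 'content' => $entry['post_content'],` was carried along even though `$entry` does not exist in this method (the row is `$postdata`); delete the dead comment rather than preserve code that could never have run here.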
@@ -1675,9 +1747,14 @@ class wp_xmlrpc_server extends IXR_Server { return $this->error; } + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_posts' ) ) + return new IXR_Error( 401, __( 'Sorry, you must be able to edit posts on this blog in order to view categories.' ) ); + + do_action('xmlrpc_call', 'mt.getCategoryList'); + $categories_struct = array(); - // FIXME: can we avoid using direct SQL there? if ( $cats = get_categories('hide_empty=0&hierarchical=0') ) { foreach ($cats as $cat) { $struct['categoryId'] = $cat->term_id; @@ -1704,6 +1781,12 @@ class wp_xmlrpc_server extends IXR_Server { return $this->error; } + set_current_user( 0, $user_login ); + if( !current_user_can( 'edit_post', $post_ID ) ) + return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) ); + + do_action('xmlrpc_call', 'mt.getPostCategories'); + $categories = array(); $catids = wp_get_post_categories(intval($post_ID)); // first listed category will be the primary category |