From b48e6bc8762854b59515c18a3358700d2d07c2b1 Mon Sep 17 00:00:00 2001 From: donncha Date: Thu, 22 Mar 2007 13:20:00 +0000 Subject: WP Merge to rev 5081 git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@931 7be80a69-a1ef-0310-a953-fb0f7c49ff36 --- xmlrpc.php | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) (limited to 'xmlrpc.php') diff --git a/xmlrpc.php b/xmlrpc.php index 7e39687..1b314b9 100644 --- a/xmlrpc.php +++ b/xmlrpc.php @@ -856,6 +856,9 @@ class wp_xmlrpc_server extends IXR_Server { extract($actual_post); + if ( ('publish' == $post_status) && !current_user_can('publish_posts') ) + return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.'); + $post_title = xmlrpc_getposttitle($content); $post_category = xmlrpc_getpostcategory($content); $post_content = xmlrpc_removepostdata($content); @@ -1082,12 +1085,6 @@ class wp_xmlrpc_server extends IXR_Server { } set_current_user(0, $user_login); - if ( !current_user_can('edit_post', $post_ID) ) - return new IXR_Error(401, 'Sorry, you can not edit this post.'); - - $postdata = wp_get_single_post($post_ID, ARRAY_A); - extract($postdata); - $this->escape($postdata); // The post_type defaults to post, but could also be page. $post_type = "post"; @@ -1098,6 +1095,14 @@ class wp_xmlrpc_server extends IXR_Server { $post_type = "page"; } + // Edit page caps are checked in editPage. Just check post here. + if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) ) + return new IXR_Error(401, 'Sorry, you can not edit this post.'); + + $postdata = wp_get_single_post($post_ID, ARRAY_A); + extract($postdata); + $this->escape($postdata); + // Let WordPress manage slug if none was provided. $post_name = ""; if(!empty($content_struct["wp_slug"])) { 
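Review bot: In the @@ -856 hunk the new publish check reads `$post_status`, which is not assigned anywhere in the visible lines and presumably exists only because `extract($actual_post)` created it on the line before. An authorization decision should not depend on an implicitly extracted variable, which is easy to shadow or lose in a later edit; read the field explicitly with `if ( ('publish' == $actual_post['post_status']) && !current_user_can('publish_posts') )`. As written the check tests the stored status, so it gates edits to an already-published post. If a publish flag from the request can change the status further down (the method body continues outside the hunk), that value needs the same check.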
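Review bot: In the @@ -1098 hunk the `edit_post` check is now skipped whenever `$post_type` is "page", and no page capability is checked in the visible lines; the comment defers to editPage, which holds only if every request arrives through it. The condition that sets `$post_type` starts outside the hunk, but if it comes from the request struct, a call handled directly by this method would reach the update with no edit check at all. Checking both cases here closes the gap: `$cap = ( 'page' == $post_type ) ? 'edit_page' : 'edit_post';` followed by `if ( !current_user_can($cap, $post_ID) )`. `extract($postdata)` also now runs after `$post_type` is assigned and would overwrite it if the stored row has a `post_type` key, so the type used for the decision is better taken from the stored post than from the caller.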
@@ -1169,6 +1174,13 @@ class wp_xmlrpc_server extends IXR_Server { $post_more = $content_struct['mt_text_more']; $post_status = $publish ? 'publish' : 'draft'; + if ( ('publish' == $post_status) ) { + if ( ( 'page' == $post_type ) && !current_user_can('publish_pages') ) + return new IXR_Error(401, 'Sorry, you do not have the right to publish this page.'); + else if ( !current_user_can('publish_posts') ) + return new IXR_Error(401, 'Sorry, you do not have the right to publish this post.'); + } + if ($post_more) { $post_content = $post_content . "\n\n" . $post_more; } -- cgit
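Review bot: The `else if` in the @@ -1169 hunk is reached for pages as well as posts. When `$post_type` is 'page' and the user does hold `publish_pages`, the first condition is false and control falls through to `!current_user_can('publish_posts')`, so a page publisher without `publish_posts` is refused with the post message. Tie the second branch to the type with `else if ( ( 'page' != $post_type ) && !current_user_can('publish_posts') )`, which still denies by default for any non-page type. Braces around the nested `if`/`else if` would also remove the dangling-else ambiguity, and the doubled parentheses in `if ( ('publish' == $post_status) )` can go. The enclosing method starts and ends outside the hunk.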