diff --git a/src/wp-includes/class-wp-xmlrpc-server.php b/src/wp-includes/class-wp-xmlrpc-server.php
index c684e32698..898a322ff7 100644
--- a/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/src/wp-includes/class-wp-xmlrpc-server.php
@@ -4756,20 +4756,26 @@ class wp_xmlrpc_server extends IXR_Server {
 		$post_author = $postdata['post_author'];
 
 		// Only set the post_author if one is set.
-		if ( isset($content_struct['wp_author_id']) && ($user->ID != $content_struct['wp_author_id']) ) {
-			switch ( $post_type ) {
-				case 'post':
-					if ( !current_user_can('edit_others_posts') )
-						return new IXR_Error( 401, __( 'You are not allowed to change the post author as this user.' ) );
-					break;
-				case 'page':
-					if ( !current_user_can('edit_others_pages') )
-						return new IXR_Error( 401, __( 'You are not allowed to change the page author as this user.' ) );
-					break;
-				default:
-					return new IXR_Error( 401, __( 'Invalid post type' ) );
+		if ( isset( $content_struct['wp_author_id'] ) ) {
+			// Check permissions if attempting to switch author to or from another user.
+			if ( $user->ID != $content_struct['wp_author_id'] || $user->ID != $post_author ) {
+				switch ( $post_type ) {
+					case 'post':
+						if ( ! current_user_can( 'edit_others_posts' ) ) {
+							return new IXR_Error( 401, __( 'You are not allowed to change the post author as this user.' ) );
+						}
+						break;
+					case 'page':
+						if ( ! current_user_can( 'edit_others_pages' ) ) {
+							return new IXR_Error( 401, __( 'You are not allowed to change the page author as this user.' ) );
+						}
+						break;
+					default:
+						return new IXR_Error( 401, __( 'Invalid post type' ) );
+						break;
+				}
+				$post_author = $content_struct['wp_author_id'];
 			}
-			$post_author = $content_struct['wp_author_id'];
 		}
 
 		if ( isset($content_struct['mt_allow_comments']) ) {
diff --git a/tests/phpunit/tests/xmlrpc/mw/editPost.php b/tests/phpunit/tests/xmlrpc/mw/editPost.php
index 78b5f06e25..7d7ef3fbef 100644
--- a/tests/phpunit/tests/xmlrpc/mw/editPost.php
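Review bot: The added guard `if ( $user->ID != $content_struct['wp_author_id'] || $user->ID != $post_author )` compares the caller's ID loosely against a value taken straight from the XML-RPC request, so a non-integer value that PHP's loose comparison treats as equal to the caller's own ID skips the capability switch and is then stored un-normalised by `$post_author = $content_struct['wp_author_id'];`. Normalising once up front closes that gap and keeps the later assignment an int: `$new_author = (int) $content_struct['wp_author_id'];` / `if ( $new_author !== (int) $user->ID || (int) $post_author !== (int) $user->ID ) {` / `$post_author = $new_author;`. The `break;` added after `return` in the `default` case is unreachable and can be dropped. The enclosing method starts and ends outside the hunk, so whether a nonexistent `wp_author_id` is rejected further down is not visible here.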
+++ b/tests/phpunit/tests/xmlrpc/mw/editPost.php
@@ -95,6 +95,25 @@ class Tests_XMLRPC_mw_editPost extends WP_XMLRPC_UnitTestCase {
 		$this->assertEquals( $contributor_id, $out->post_author );
 	}
 
+	/**
+	 * @ticket 24916
+	 */
+	function test_capable_reassign_author_to_self() {
+		$contributor_id = $this->make_user_by_role( 'contributor' );
+		$editor_id = $this->make_user_by_role( 'editor' );
+
+		$post = array( 'post_title' => 'Post test', 'post_author' => $contributor_id );
+		$post_id = wp_insert_post( $post );
+
+		$post2 = array( 'wp_author_id' => $editor_id );
+		$result = $this->myxmlrpcserver->mw_editPost( array( $post_id, 'editor', 'editor', $post2 ) );
+		$this->assertNotInstanceOf( 'IXR_Error', $result );
+		$this->assertTrue($result);
+
+		$out = get_post( $post_id );
+		$this->assertEquals( $editor_id, $out->post_author );
+	}
+
 	function test_post_thumbnail() {
 		add_theme_support( 'post-thumbnails' );
 
diff --git a/tests/phpunit/tests/xmlrpc/wp/editPost.php b/tests/phpunit/tests/xmlrpc/wp/editPost.php
index 23c0b776aa..05a694f321 100644
--- a/tests/phpunit/tests/xmlrpc/wp/editPost.php
+++ b/tests/phpunit/tests/xmlrpc/wp/editPost.php
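Review bot: `test_capable_reassign_author_to_self` covers only the permitted path of the reworked author guard; neither this file nor the matching addition in tests/phpunit/tests/xmlrpc/wp/editPost.php asserts that a caller without `edit_others_posts` is still refused when the post belongs to someone else, so a regression that dropped the capability check would pass this suite. A companion test that creates the post as `$editor_id` and calls `mw_editPost` as the contributor with `'wp_author_id' => $contributor_id`, asserting `$this->assertInstanceOf( 'IXR_Error', $result );`, would pin the refusal (an earlier edit_post check may be what rejects it, which is still adequate for a regression test). Separately, `$this->assertTrue($result);` lacks the inner spaces every surrounding call uses; `$this->assertTrue( $result );` matches the file's style.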
@@ -95,6 +95,25 @@ class Tests_XMLRPC_wp_editPost extends WP_XMLRPC_UnitTestCase {
 		$this->assertEquals( $contributor_id, $out->post_author );
 	}
 
+	/**
+	 * @ticket 24916
+	 */
+	function test_capable_reassign_author_to_self() {
+		$contributor_id = $this->make_user_by_role( 'contributor' );
+		$editor_id = $this->make_user_by_role( 'editor' );
+
+		$post = array( 'post_title' => 'Post test', 'post_author' => $contributor_id );
+		$post_id = wp_insert_post( $post );
+
+		$post2 = array( 'post_author' => $editor_id );
+		$result = $this->myxmlrpcserver->wp_editPost( array( 1, 'editor', 'editor', $post_id, $post2 ) );
+		$this->assertNotInstanceOf( 'IXR_Error', $result );
+		$this->assertTrue($result);
+
+		$out = get_post( $post_id );
+		$this->assertEquals( $editor_id, $out->post_author );
+	}
+
 	function test_post_thumbnail() {
 		add_theme_support( 'post-thumbnails' );
 