REST API: Prevent deletion of post revisions.

Allowing the client to delete revisions breaks the "audit trail" functionality. This is not allowed in WordPress and shouldn't be allowed through the API.
While not recommended, a plugin may opt in to the previous behavior by setting a custom 'delete_post' capability for the revisions post type.

Props dlh, danielbachhuber, TimothyBlynJacobs, azaozz, kadamwhite.
Fixes #43709.


Built from https://develop.svn.wordpress.org/trunk@45812


git-svn-id: http://core.svn.wordpress.org/trunk@45623 1a063a9b-81f0-0310-95a4-ce76da25c4cd
K. Adam White 2019-08-15 22:01:55 +00:00
parent 5dbb64d0dd
commit 00cb4c7dbd
3 changed files with 14 additions and 7 deletions


@ -72,12 +72,9 @@ function map_meta_cap( $cap, $user_id, ...$args ) {
}
if ( 'revision' == $post->post_type ) {
$post = get_post( $post->post_parent );
if ( ! $post ) {
$caps[] = 'do_not_allow';
break;
}
}
if ( ( get_option( 'page_for_posts' ) == $post->ID ) || ( get_option( 'page_on_front' ) == $post->ID ) ) {
$caps[] = 'manage_options';
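Review bot: The revision branch that now short-circuits `delete_post` to `do_not_allow` carries no comment, so nothing in map_meta_cap tells a later maintainer that this is a deliberate audit-trail protection rather than an oversight, nor that the opt-in route described in the commit message (a custom `delete_post` capability on the revision post type) bypasses this branch because a custom cap name never enters the `delete_post` case. Suggest a comment above `if ( 'revision' == $post->post_type ) {`: `// Revisions are never deletable through the parent's delete_post cap (audit trail); a plugin may opt in by registering a custom delete_post capability for the 'revision' post type.` The rendered page has lost its +/- markers, so which of these lines are added versus removed is inferred from the hunk counts (12 old, 9 new) rather than read directly. map_meta_cap itself starts and ends outside the hunk.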


@ -349,6 +349,11 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
return $parent;
}
$parent_post_type = get_post_type_object( $parent->post_type );
if ( ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {
return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete revisions of this post.' ), array( 'status' => rest_authorization_required_code() ) );
}
$revision = $this->get_revision( $request['id'] );
if ( is_wp_error( $revision ) ) {
return $revision;
@ -383,7 +388,12 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
}
$post_type = get_post_type_object( 'revision' );
return current_user_can( $post_type->cap->delete_post, $revision->ID );
if ( ! current_user_can( $post_type->cap->delete_post, $revision->ID ) ) {
return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete this revision.' ), array( 'status' => rest_authorization_required_code() ) );
}
return true;
}
/**
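Review bot: `$parent_post_type->cap->delete_post` in the first hunk's new check dereferences the result of `get_post_type_object( $parent->post_type )` without a null check, and that function returns null for an unregistered post type; unless `get_parent()` (outside the hunk) already restricts the parent to a registered type, `if ( ! $parent_post_type || ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {` would fail closed instead of emitting a notice and passing null into current_user_can(). The second hunk has the same shape with `get_post_type_object( 'revision' )`, which core registers itself, so only the parent lookup seems worth guarding. Both hunks also change the permission callback from returning a bool to returning `true|WP_Error`; if the method's docblock above the first hunk still says `@return bool`, it should become `@return true|WP_Error`. A one-line comment before the second check, `// By default the 'revision' post type's delete_post cap maps to do_not_allow; a plugin may register a custom cap to opt in.`, would record why this endpoint now denies deletion by default.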


@ -13,7 +13,7 @@
*
* @global string $wp_version
*/
$wp_version = '5.3-alpha-45811';
$wp_version = '5.3-alpha-45812';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.