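--- a/src/wp-includes/capabilities.php
+++ b/src/wp-includes/capabilities.php
@@ -66,11 +66,8 @@ function map_meta_cap( $cap, $user_id ) {
 }
 
 if ( 'revision' == $post->post_type ) {
-$post = get_post( $post->post_parent );
-if ( ! $post ) {
-$caps[] = 'do_not_allow';
-break;
-}
+$caps[] = 'do_not_allow';
+break;
 }
 
 if ( ( get_option( 'page_for_posts' ) == $post->ID ) || ( get_option( 'page_on_front' ) == $post->ID ) ) {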
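Review bot: The new unconditional `do_not_allow` for revisions changes the contract of `map_meta_cap` for every caller that previously passed a revision ID and had the capability mapped onto the parent post, and nothing in the hunk records that; the enclosing `case` starts and ends outside the hunk, so I cannot tell from here which primitive caps are affected beyond the `delete_post` that the REST hunk in this commit implies. Add a comment above the new `break`, e.g. `// Revisions never satisfy this capability directly; callers must check it against the parent post (see WP_REST_Revisions_Controller).`, and state the same in the function's docblock. Call sites that still do `current_user_can( 'delete_post', $revision_id )` will now be denied, which is the safe direction, but each of them needs the explicit parent-post check the REST controller adds in this same commit.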
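--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
@@ -260,6 +260,11 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
 return $parent;
 }
 
+$parent_post_type = get_post_type_object( $parent->post_type );
+if ( ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {
+return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete revisions of this post.' ), array( 'status' => rest_authorization_required_code() ) );
+}
+
 $revision = $this->get_revision( $request['id'] );
 if ( is_wp_error( $revision ) ) {
 return $revision;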
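Review bot: `get_post_type_object( $parent->post_type )` returns null for an unregistered post type, and the added line 264 dereferences `->cap->delete_post` on it with no guard; if `get_parent()` already rejects unexpected post types this is unreachable, but that method is outside the hunk and I cannot confirm it. A null-safe form keeps the deny-by-default outcome: `if ( ! $parent_post_type || ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {`. Running this check before `get_revision()` is the right order, since a caller without delete rights on the parent learns nothing about whether the requested revision ID exists. The enclosing method starts and ends outside the hunk.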
diff --git a/tests/phpunit/tests/rest-api/rest-revisions-controller.php b/tests/phpunit/tests/rest-api/rest-revisions-controller.php
index c30ab17c85..9546bc6cfd 100644
class WP_Test_REST_Revisions_Controller extends WP_Test_REST_Controller_Testcase |
66 | 66 | $this->revision_id2 = $this->revision_2->ID; |
67 | 67 | } |
68 | 68 | |
| 69 | public function tearDown() { |
| 70 | parent::tearDown(); |
| 71 | |
| 72 | remove_filter( 'map_meta_cap', array( $this, '_filter_map_meta_cap_remove_no_allow_revisions' ) ); |
| 73 | } |
| 74 | |
| 75 | public function _filter_map_meta_cap_remove_no_allow_revisions( $caps, $cap, $user_id, $args ) { |
| 76 | if ( 'delete_post' !== $cap || empty( $args ) ) { |
| 77 | return $caps; |
| 78 | } |
| 79 | $post = get_post( $args[0] ); |
| 80 | if ( ! $post || 'revision' !== $post->post_type ) { |
| 81 | return $caps; |
| 82 | } |
| 83 | $key = array_search( 'do_not_allow', $caps ); |
| 84 | if ( false !== $key ) { |
| 85 | unset( $caps[ $key ] ); |
| 86 | } |
| 87 | return $caps; |
| 88 | } |
| 89 | |
69 | 90 | public function test_register_routes() { |
70 | 91 | $routes = rest_get_server()->get_routes(); |
71 | 92 | $this->assertArrayHasKey( '/wp/v2/posts/(?P<parent>[\d]+)/revisions', $routes ); |
… |
… |
class WP_Test_REST_Revisions_Controller extends WP_Test_REST_Controller_Testcase |
203 | 224 | $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 ); |
204 | 225 | $request->set_param( 'force', true ); |
205 | 226 | $response = rest_get_server()->dispatch( $request ); |
| 227 | $this->assertErrorResponse( 'rest_forbidden', $response, 403 ); |
| 228 | $this->assertNotNull( get_post( $this->revision_id1 ) ); |
| 229 | } |
| 230 | |
| 231 | public function test_delete_item_remove_do_not_allow() { |
| 232 | wp_set_current_user( self::$editor_id ); |
| 233 | add_filter( 'map_meta_cap', array( $this, '_filter_map_meta_cap_remove_no_allow_revisions' ), 10, 4 ); |
| 234 | $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 ); |
| 235 | $request->set_param( 'force', true ); |
| 236 | $response = rest_get_server()->dispatch( $request ); |
206 | 237 | $this->assertEquals( 200, $response->get_status() ); |
207 | 238 | $this->assertNull( get_post( $this->revision_id1 ) ); |
208 | 239 | } |
209 | 240 | |
| 241 | public function test_delete_item_cannot_delete_parent() { |
| 242 | wp_set_current_user( self::$contributor_id ); |
| 243 | $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 ); |
| 244 | $request->set_param( 'force', true ); |
| 245 | $response = rest_get_server()->dispatch( $request ); |
| 246 | $this->assertErrorResponse( 'rest_cannot_delete', $response, 403 ); |
| 247 | $this->assertNotNull( get_post( $this->revision_id1 ) ); |
| 248 | } |
| 249 | |
210 | 250 | public function test_delete_item_no_trash() { |
211 | 251 | wp_set_current_user( self::$editor_id ); |
212 | | |
| 252 | add_filter( 'map_meta_cap', array( $this, '_filter_map_meta_cap_remove_no_allow_revisions' ), 10, 4 ); |
213 | 253 | $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 ); |
214 | 254 | $response = rest_get_server()->dispatch( $request ); |
215 | 255 | $this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 ); |