
Ticket #43709: 43709.1.diff

File 43709.1.diff, 4.5 KB (added by danielbachhuber, 7 years ago)
  • src/wp-includes/capabilities.php

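--- a/src/wp-includes/capabilities.php
+++ b/src/wp-includes/capabilities.php
@@ -66,11 +66,8 @@ function map_meta_cap( $cap, $user_id ) {
 			}
 
 			if ( 'revision' == $post->post_type ) {
-				$post = get_post( $post->post_parent );
-				if ( ! $post ) {
-					$caps[] = 'do_not_allow';
-					break;
-				}
+				$caps[] = 'do_not_allow';
+				break;
 			}
 
 			if ( ( get_option( 'page_for_posts' ) == $post->ID ) || ( get_option( 'page_on_front' ) == $post->ID ) ) {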
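Review bot: The two added lines turn the revision branch into an unconditional `do_not_allow` without saying why the mapping to the parent post was dropped, so the next reader of map_meta_cap will not know whether the parent check was removed deliberately. A short comment above `$caps[] = 'do_not_allow';` would settle it, e.g. `// Revisions are never deletable through the capability system; the REST revisions controller checks delete_post on the parent itself, and plugins can lift this via the 'map_meta_cap' filter.` — the controller change in this patch does exactly that parent check, and the test file's `_filter_map_meta_cap_remove_no_allow_revisions` suggests the filter is the intended escape hatch. The enclosing `case` label and the rest of map_meta_cap are outside the hunk, so it is not visible here whether any later code in this case still expects `$post` to have been replaced by the parent; the `break` makes that moot only if nothing before it reads `$post` after this point.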
  • src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php

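--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
@@ -260,6 +260,11 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
 			return $parent;
 		}
 
+		$parent_post_type = get_post_type_object( $parent->post_type );
+		if ( ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {
+			return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete revisions of this post.' ), array( 'status' => rest_authorization_required_code() ) );
+		}
+
 		$revision = $this->get_revision( $request['id'] );
 		if ( is_wp_error( $revision ) ) {
 			return $revision;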
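Review bot: The new check at lines 263-266 dereferences `$parent_post_type->cap` straight off the result of `get_post_type_object()`, which is null for an unregistered post type; the `get_parent()` call that produced `$parent` is outside the hunk, so it is not visible here whether it already rejects parents whose type is not the controller's. If it does, a one-line comment saying so would justify the missing guard; if it does not, fold the guard into the condition so the request is denied rather than erroring: `if ( ! $parent_post_type || ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {`. The check also deserves a why-comment, since nothing in this method explains why the parent is consulted at all: `// delete_post on a revision now maps to do_not_allow in map_meta_cap, so authorization must be checked against the parent post explicitly.` The permissions method this sits in starts and ends outside the hunk.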
  • tests/phpunit/tests/rest-api/rest-revisions-controller.php

    diff --git a/tests/phpunit/tests/rest-api/rest-revisions-controller.php b/tests/phpunit/tests/rest-api/rest-revisions-controller.php
    index c30ab17c85..9546bc6cfd 100644
    a b class WP_Test_REST_Revisions_Controller extends WP_Test_REST_Controller_Testcase 
    6666                $this->revision_id2 = $this->revision_2->ID;
    6767        }
    6868
     69        public function tearDown() {
     70                parent::tearDown();
     71
     72                remove_filter( 'map_meta_cap', array( $this, '_filter_map_meta_cap_remove_no_allow_revisions' ) );
     73        }
     74
     75        public function _filter_map_meta_cap_remove_no_allow_revisions( $caps, $cap, $user_id, $args ) {
     76                if ( 'delete_post' !== $cap || empty( $args ) ) {
     77                        return $caps;
     78                }
     79                $post = get_post( $args[0] );
     80                if ( ! $post || 'revision' !== $post->post_type ) {
     81                        return $caps;
     82                }
     83                $key = array_search( 'do_not_allow', $caps );
     84                if ( false !== $key ) {
     85                        unset( $caps[ $key ] );
     86                }
     87                return $caps;
     88        }
     89
    6990        public function test_register_routes() {
    7091                $routes = rest_get_server()->get_routes();
    7192                $this->assertArrayHasKey( '/wp/v2/posts/(?P<parent>[\d]+)/revisions', $routes );
    class WP_Test_REST_Revisions_Controller extends WP_Test_REST_Controller_Testcase 
    203224                $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 );
    204225                $request->set_param( 'force', true );
    205226                $response = rest_get_server()->dispatch( $request );
     227                $this->assertErrorResponse( 'rest_forbidden', $response, 403 );
     228                $this->assertNotNull( get_post( $this->revision_id1 ) );
     229        }
     230
     231        public function test_delete_item_remove_do_not_allow() {
     232                wp_set_current_user( self::$editor_id );
     233                add_filter( 'map_meta_cap', array( $this, '_filter_map_meta_cap_remove_no_allow_revisions' ), 10, 4 );
     234                $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 );
     235                $request->set_param( 'force', true );
     236                $response = rest_get_server()->dispatch( $request );
    206237                $this->assertEquals( 200, $response->get_status() );
    207238                $this->assertNull( get_post( $this->revision_id1 ) );
    208239        }
    209240
     241        public function test_delete_item_cannot_delete_parent() {
     242                wp_set_current_user( self::$contributor_id );
     243                $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 );
     244                $request->set_param( 'force', true );
     245                $response = rest_get_server()->dispatch( $request );
     246                $this->assertErrorResponse( 'rest_cannot_delete', $response, 403 );
     247                $this->assertNotNull( get_post( $this->revision_id1 ) );
     248        }
     249
    210250        public function test_delete_item_no_trash() {
    211251                wp_set_current_user( self::$editor_id );
    212 
     252                add_filter( 'map_meta_cap', array( $this, '_filter_map_meta_cap_remove_no_allow_revisions' ), 10, 4 );
    213253                $request  = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 );
    214254                $response = rest_get_server()->dispatch( $request );
    215255                $this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 );