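--- a/src/wp-includes/capabilities.php
+++ b/src/wp-includes/capabilities.php
@@ -72,11 +72,8 @@ function map_meta_cap( $cap, $user_id, ...$args ) {
 }
 
 if ( 'revision' == $post->post_type ) {
-$post = get_post( $post->post_parent );
-if ( ! $post ) {
-$caps[] = 'do_not_allow';
-break;
-}
+$caps[] = 'do_not_allow';
+break;
 }
 
 if ( ( get_option( 'page_for_posts' ) == $post->ID ) || ( get_option( 'page_on_front' ) == $post->ID ) ) {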
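Review bot: The new lines 75–76 make `delete_post` on a revision resolve to `do_not_allow` unconditionally, where the removed lines mapped the check onto the parent post, and nothing in the hunk records why, so a later reader may "restore" the parent lookup and silently reopen direct revision deletion. Suggest a comment above line 75 such as `// Revisions are never deletable through this cap; callers must check delete_post on the parent post instead (see WP_REST_Revisions_Controller).`. The `break` shows this sits inside a switch, but which `$cap` cases share this branch is not visible here — confirm that only `delete_post` is meant to be affected. The enclosing `map_meta_cap()` starts and ends outside the hunk.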
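--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
@@ -349,6 +349,11 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
 return $parent;
 }
 
+$parent_post_type = get_post_type_object( $parent->post_type );
+if ( ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {
+return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete revisions of this post.' ), array( 'status' => rest_authorization_required_code() ) );
+}
+
 $revision = $this->get_revision( $request['id'] );
 if ( is_wp_error( $revision ) ) {
 return $revision;
@@ -383,7 +388,12 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
 }
 
 $post_type = get_post_type_object( 'revision' );
-return current_user_can( $post_type->cap->delete_post, $revision->ID );
+
+if ( ! current_user_can( $post_type->cap->delete_post, $revision->ID ) ) {
+return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete this revision.' ), array( 'status' => rest_authorization_required_code() ) );
+}
+
+return true;
 }
 
 /**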
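Review bot: The check added at lines 392–394 now depends on the capabilities.php change in this commit, which maps `delete_post` on a revision to `do_not_allow`, so by default it always returns the error and the parent-post `delete_post` check added at lines 352–355 is the authorization that actually decides the request. That ordering is load-bearing but undocumented; a comment above line 392 such as `// map_meta_cap() denies delete_post on revisions by default; the parent post check above is the effective authorization, and only a map_meta_cap filter re-enables direct revision deletion.` would keep a future cleanup from dropping either check. Both hunks appear to belong to the same permissions method, but its signature starts outside the hunks, so that is inferred. Separately, `get_post_type_object()` at line 352 returns null for an unregistered post type; unless `get_parent()` (outside the hunk) already guarantees a registered parent type, guard the result before dereferencing `->cap`.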
diff --git tests/phpunit/tests/rest-api/rest-revisions-controller.php tests/phpunit/tests/rest-api/rest-revisions-controller.php
index f9497845ce..655d675f49 100644
class WP_Test_REST_Revisions_Controller extends WP_Test_REST_Controller_Testcase |
| 76 | 76 | $this->revision_id3 = $this->revision_3->ID; |
| 77 | 77 | } |
| 78 | 78 | |
| | 79 | public function tearDown() { |
| | 80 | parent::tearDown(); |
| | 81 | |
| | 82 | remove_filter( 'map_meta_cap', array( $this, '_filter_map_meta_cap_remove_no_allow_revisions' ) ); |
| | 83 | } |
| | 84 | |
| | 85 | public function _filter_map_meta_cap_remove_no_allow_revisions( $caps, $cap, $user_id, $args ) { |
| | 86 | if ( 'delete_post' !== $cap || empty( $args ) ) { |
| | 87 | return $caps; |
| | 88 | } |
| | 89 | $post = get_post( $args[0] ); |
| | 90 | if ( ! $post || 'revision' !== $post->post_type ) { |
| | 91 | return $caps; |
| | 92 | } |
| | 93 | $key = array_search( 'do_not_allow', $caps, true ); |
| | 94 | if ( false !== $key ) { |
| | 95 | unset( $caps[ $key ] ); |
| | 96 | } |
| | 97 | return $caps; |
| | 98 | } |
| | 99 | |
| 79 | 100 | public function test_register_routes() { |
| 80 | 101 | $routes = rest_get_server()->get_routes(); |
| 81 | 102 | $this->assertArrayHasKey( '/wp/v2/posts/(?P<parent>[\d]+)/revisions', $routes ); |
class WP_Test_REST_Revisions_Controller extends WP_Test_REST_Controller_Testcase |
| 216 | 237 | $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 ); |
| 217 | 238 | $request->set_param( 'force', true ); |
| 218 | 239 | $response = rest_get_server()->dispatch( $request ); |
| | 240 | $this->assertErrorResponse( 'rest_cannot_delete', $response, 403 ); |
| | 241 | $this->assertNotNull( get_post( $this->revision_id1 ) ); |
| | 242 | } |
| | 243 | |
| | 244 | public function test_delete_item_remove_do_not_allow() { |
| | 245 | wp_set_current_user( self::$editor_id ); |
| | 246 | add_filter( 'map_meta_cap', array( $this, '_filter_map_meta_cap_remove_no_allow_revisions' ), 10, 4 ); |
| | 247 | $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 ); |
| | 248 | $request->set_param( 'force', true ); |
| | 249 | $response = rest_get_server()->dispatch( $request ); |
| 219 | 250 | $this->assertEquals( 200, $response->get_status() ); |
| 220 | 251 | $this->assertNull( get_post( $this->revision_id1 ) ); |
| 221 | 252 | } |
| 222 | 253 | |
| 223 | | public function test_delete_item_no_trash() { |
| | 254 | public function test_delete_item_cannot_delete_parent() { |
| 224 | 255 | wp_set_current_user( self::$editor_id ); |
| | 256 | $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 ); |
| | 257 | $request->set_param( 'force', true ); |
| | 258 | $response = rest_get_server()->dispatch( $request ); |
| | 259 | $this->assertErrorResponse( 'rest_cannot_delete', $response, 403 ); |
| | 260 | $this->assertNotNull( get_post( $this->revision_id1 ) ); |
| | 261 | } |
| 225 | 262 | |
| | 263 | public function test_delete_item_no_trash() { |
| | 264 | wp_set_current_user( self::$editor_id ); |
| | 265 | add_filter( 'map_meta_cap', array( $this, '_filter_map_meta_cap_remove_no_allow_revisions' ), 10, 4 ); |
| 226 | 266 | $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 ); |
| 227 | 267 | $response = rest_get_server()->dispatch( $request ); |
| 228 | 268 | $this->assertErrorResponse( 'rest_trash_not_supported', $response, 501 ); |