WordPress.org

Make WordPress Core


Timestamp: 08/15/2019 10:00:49 PM
Author: kadamwhite
Message:

REST API: Prevent deletion of post revisions.

Allowing the client to delete revisions breaks the "audit trail" functionality. This is not allowed in WordPress and shouldn't be allowed through the API.
While not recommended, a plugin may opt in to the previous behavior by setting a custom 'delete_post' capability for the revisions post type.

Props dlh, danielbachhuber, TimothyBlynJacobs, azaozz, kadamwhite.
Fixes #43709.

File:
1 edited

  • trunk/src/wp-includes/capabilities.php

    r45734 r45812  
    7373
    7474            if ( 'revision' == $post->post_type ) {
    75                 $post = get_post( $post->post_parent );
    76                 if ( ! $post ) {
    77                     $caps[] = 'do_not_allow';
    78                     break;
    79                 }
     75                $caps[] = 'do_not_allow';
     76                break;
    8077            }
    8178
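
Review bot: The new revision branch (new lines 75-76) appends 'do_not_allow' and breaks with no comment explaining why, and the opt-in the commit message describes (a custom 'delete_post' capability for the revisions post type) is not visible anywhere in this hunk. Add a short comment above `$caps[] = 'do_not_allow';` stating that revisions are never deletable through this mapping and how a plugin is expected to override it, so the unconditional deny is not later mistaken for a regression from the removed `get_post( $post->post_parent )` lookup. While the condition is being touched, `'revision' == $post->post_type` could use `===`; strict comparison is the safer default in a capability check. The changeset lists one edited file, so no test accompanies the change here; a test asserting that a revision maps to 'do_not_allow' would lock in the audit-trail guarantee.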