Changeset 45812 for trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php

Timestamp:

08/15/2019 10:00:49 PM (6 years ago)

Author:

kadamwhite

Message:

REST API: Prevent deletion of post revisions.

Allowing the client to delete revisions breaks the "audit trail" functionality. This is not allowed in WordPress and shouldn't be allowed through the API.
While not recommended, a plugin may opt-in to the previous behavior by setting a custom 'delete_post' capability for the revisions post type.

Props dlh, danielbachhuber, TimothyBlynJacobs, azaozz, kadamwhite.
Fixes #43709.

File:

• trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php (modified) (2 diffs)

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php

@@ -350 +350 @@
         }
 
+        $parent_post_type = get_post_type_object( $parent->post_type );
+        if ( ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {
+            return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete revisions of this post.' ), array( 'status' => rest_authorization_required_code() ) );
+        }
+
         $revision = $this->get_revision( $request['id'] );
         if ( is_wp_error( $revision ) ) {
@@ -384 +389 @@
 
         $post_type = get_post_type_object( 'revision' );
-        return current_user_can( $post_type->cap->delete_post, $revision->ID );
+
+        if ( ! current_user_can( $post_type->cap->delete_post, $revision->ID ) ) {
+            return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete this revision.' ), array( 'status' => rest_authorization_required_code() ) );
+        }
+
+        return true;
     }