
Changeset 47547


Timestamp:
04/03/2020 07:38:15 PM (5 years ago)
Author:
kadamwhite
Message:

REST API: Fix revisions controller get_item permission check.

r45812 incorrectly introduced a delete_post permissions check into the get_item method, breaking some plugins which requested revisions when generating previews.

Props sorenbronsted, yohannp, TimothyBlynJacobs.
Fixes #49645.

Location:
trunk
Files:
2 edited

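--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
@@ -385,4 +385,27 @@
         }
 
+        $revision = $this->get_revision( $request['id'] );
+        if ( is_wp_error( $revision ) ) {
+            return $revision;
+        }
+
+        $response = $this->prepare_item_for_response( $revision, $request );
+        return rest_ensure_response( $response );
+    }
+
+    /**
+     * Checks if a given request has access to delete a revision.
+     *
+     * @since 4.7.0
+     *
+     * @param WP_REST_Request $request Full details about the request.
+     * @return bool|WP_Error True if the request has access to delete the item, WP_Error object otherwise.
+     */
+    public function delete_item_permissions_check( $request ) {
+        $parent = $this->get_parent( $request['parent'] );
+        if ( is_wp_error( $parent ) ) {
+            return $parent;
+        }
+
         $parent_post_type = get_post_type_object( $parent->post_type );
 
@@ -400,27 +423,4 @@
         }
 
-        $response = $this->prepare_item_for_response( $revision, $request );
-        return rest_ensure_response( $response );
-    }
-
-    /**
-     * Checks if a given request has access to delete a revision.
-     *
-     * @since 4.7.0
-     *
-     * @param WP_REST_Request $request Full details about the request.
-     * @return bool|WP_Error True if the request has access to delete the item, WP_Error object otherwise.
-     */
-    public function delete_item_permissions_check( $request ) {
-        $parent = $this->get_parent( $request['parent'] );
-        if ( is_wp_error( $parent ) ) {
-            return $parent;
-        }
-
-        $revision = $this->get_revision( $request['id'] );
-        if ( is_wp_error( $revision ) ) {
-            return $revision;
-        }
-
         $response = $this->get_items_permissions_check( $request );
         if ( ! $response || is_wp_error( $response ) ) {
@@ -447,5 +447,5 @@
      *
      * @param WP_REST_Request $request Full details about the request.
-     * @return true|WP_Error True on success, or WP_Error object on failure.
+     * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
      */
     public function delete_item( $request ) {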
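Review bot: delete_item_permissions_check no longer resolves the revision before returning (old lines 420–423 are removed with no counterpart on the new side), so rejecting an unknown `id` now falls to delete_item, whose body begins at line 451 and runs past the hunk; worth confirming it calls get_revision and returns the WP_Error the way get_item does at new 387–390. The practical effect is that the parent's post-type object is fetched at new 410 and the capability check that follows it (outside the hunk) is evaluated before any revision lookup, so a caller lacking delete rights on the parent presumably receives rest_cannot_delete whether or not the revision exists, which is what the updated test expectation in the second file asserts. That ordering is deliberate enough to record in the docblock at new 396–403, e.g. `* Checks the parent's delete capability before the revision is resolved; delete_item() rejects unknown revision IDs.`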
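--- a/trunk/tests/phpunit/tests/rest-api/rest-revisions-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-revisions-controller.php
@@ -243,4 +243,16 @@
 
     /**
+     * @ticket 49645
+     */
+    public function test_delete_item_parent_check() {
+        wp_set_current_user( self::$contributor_id );
+        $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 );
+        $request->set_param( 'force', true );
+        $response = rest_get_server()->dispatch( $request );
+        $this->assertErrorResponse( 'rest_cannot_delete', $response, 403 );
+        $this->assertNotNull( get_post( $this->revision_id1 ) );
+    }
+
+    /**
      * @ticket 43709
      */
@@ -290,5 +302,5 @@
         $request  = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 );
         $response = rest_get_server()->dispatch( $request );
-        $this->assertErrorResponse( 'rest_cannot_read', $response, 403 );
+        $this->assertErrorResponse( 'rest_cannot_delete', $response, 403 );
     }
 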
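Review bot: The new test at 247–254 only exercises the DELETE path, so the regression the commit message describes — a GET of a single revision by a user who may read the parent but cannot delete it — is not pinned by anything in this section, unless such a case already exists outside the hunk. A companion test dispatching `GET` to the same `/wp/v2/posts/{parent}/revisions/{id}` route as a user without delete rights on the parent and asserting a 200 status with the revision's `id` in the response data would keep the get_item fix from regressing again. The change at 304 tracks the error code now produced by the reordered permission check and looks consistent with the controller change.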