

Timestamp:
04/03/2020 07:38:15 PM (16 months ago)
Author:
kadamwhite
Message:

REST API: Fix revisions controller get_item permission check.

r45812 incorrectly introduced a delete_post permissions check into the get_item method, breaking some plugins which requested revisions when generating previews.

Props sorenbronsted, yohannp, TimothyBlynJacobs.
Fixes #49645.

File:
1 edited

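--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
@@ -385,4 +385,27 @@
         }
 
+        $revision = $this->get_revision( $request['id'] );
+        if ( is_wp_error( $revision ) ) {
+            return $revision;
+        }
+
+        $response = $this->prepare_item_for_response( $revision, $request );
+        return rest_ensure_response( $response );
+    }
+
+    /**
+     * Checks if a given request has access to delete a revision.
+     *
+     * @since 4.7.0
+     *
+     * @param WP_REST_Request $request Full details about the request.
+     * @return bool|WP_Error True if the request has access to delete the item, WP_Error object otherwise.
+     */
+    public function delete_item_permissions_check( $request ) {
+        $parent = $this->get_parent( $request['parent'] );
+        if ( is_wp_error( $parent ) ) {
+            return $parent;
+        }
+
         $parent_post_type = get_post_type_object( $parent->post_type );
 
@@ -400,27 +423,4 @@
         }
 
-        $response = $this->prepare_item_for_response( $revision, $request );
-        return rest_ensure_response( $response );
-    }
-
-    /**
-     * Checks if a given request has access to delete a revision.
-     *
-     * @since 4.7.0
-     *
-     * @param WP_REST_Request $request Full details about the request.
-     * @return bool|WP_Error True if the request has access to delete the item, WP_Error object otherwise.
-     */
-    public function delete_item_permissions_check( $request ) {
-        $parent = $this->get_parent( $request['parent'] );
-        if ( is_wp_error( $parent ) ) {
-            return $parent;
-        }
-
-        $revision = $this->get_revision( $request['id'] );
-        if ( is_wp_error( $revision ) ) {
-            return $revision;
-        }
-
         $response = $this->get_items_permissions_check( $request );
         if ( ! $response || is_wp_error( $response ) ) {
@@ -447,5 +447,5 @@
      *
      * @param WP_REST_Request $request Full details about the request.
-     * @return true|WP_Error True on success, or WP_Error object on failure.
+     * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
      */
     public function delete_item( $request ) {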
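Review bot: In the `get_item` body shown at new lines 387-393, the revision is loaded from `$request['id']` alone, and nothing visible here ties it to the parent post named by `$request['parent']`. With the delete capability check no longer gating reads, access rests on the parent-level permission callback plus whatever `get_revision()` validates. I would add an explicit binding after the `is_wp_error( $revision )` guard, assuming `$parent` is still resolved earlier in `get_item`: `if ( (int) $parent->ID !== (int) $revision->post_parent ) {` returning a 404 `WP_Error`. The same comparison belongs in `delete_item_permissions_check`, whose revision fetch presumably sits in the lines elided between the first two hunks. Both methods start or end outside the displayed lines, so first confirm this is not already enforced there; the changeset also lists only one edited file, so a regression test for a user who may edit but not delete the parent (read allowed, delete refused) would pin the intended behaviour.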