Opened 3 years ago

Last modified 5 weeks ago

#40577 assigned enhancement

Introduce a capability for viewing the revisions of a post

Reported by: johnbillion
Owned by: adamsilverstein
Milestone: Future Release
Priority: normal
Severity: normal
Version: 2.6
Component: Revisions
Keywords: needs-unit-tests granular-capabilities needs-patch
Focuses: administration, rest-api
Cc:

Description

In order to view the revisions of a post, a user needs the ability to edit the post. This makes sense because it may be undesirable for users to be able to view older revisions of a post which they cannot edit.

However it may be desirable to allow certain users to view the revisions of a post which they cannot edit, for example for auditing purposes, or to allow contributors to browse the revisions of their own published post.

Attachments (1)

40577.diff (812 bytes) - added by adamsilverstein 3 years ago.

Change History (14)

#1 @Stagger Lee
3 years ago

Hi,

It could be usable when building custom classifieds, or similar. To show revisions history of one custom field, say price field.

#2 @johnbillion
3 years ago

  • Keywords granular-capabilities added

#3 @adamsilverstein
3 years ago

@johnbillion - were you thinking something like 40577.diff? I added read_revision for $revision->ID and read_revisions for $revision->post_parent. Not sure this is enough to get what you were suggesting. If so, we need some unit tests to validate the behavior.

#4 @adamsilverstein
3 years ago

  • Keywords has-patch reporter-feedback added; needs-patch removed

#5 follow-up: @johnbillion
3 years ago

  • Keywords needs-patch added; has-patch reporter-feedback removed

The required change is actually quite a lot more complex than that. I have a patch in progress.

#6 in reply to: ↑ 5 @adamsilverstein
3 years ago

Replying to johnbillion:

The required change is actually quite a lot more complex than that. I have a patch in progress.

Great! Looking forward to seeing and learning from your patch.

#7 @jrchamp
9 months ago

We were recently asked for this functionality, but our use case is: We want a community contributor to be able to edit a post, but we do not want them to be able to view revisions. Part of it is interface clutter, part of it is the ease of revision reversion, but part of it is also that viewing removed content is undesirable (and the administrator wants to be the only user who can).

#8 @adamsilverstein
9 months ago

  • Milestone changed from Future Release to 5.4
  • Owner set to adamsilverstein
  • Status changed from new to assigned

Thanks for the use case description @jrchamp - I'll mark this ticket as 5.4 and try to land it soon. @johnbillion can you share your work in progress here or describe more the approach you propose?

#9 @johnbillion
9 months ago

Chatted with Adam about this at WCUS. A few concerns:

  • The action buttons and links to the editing screen on the revisions listing screen need to be behind corresponding capability checks.
  • IIRC the async loaded revisions data on this screen has some capability checks involved.
  • This needs testing with users with and without various caps such as edit_posts, edit_others_posts, edit_published_posts, etc.

This ticket was mentioned in Slack in #core-restapi by kadamwhite.


6 months ago

#11 @johnbillion
6 months ago

  • Milestone changed from 5.4 to Future Release

Pulling this out of a milestone until there's a patch.

#12 follow-up: @charveyunm
5 weeks ago

Just found this issue and wanted to add that my team is looking for this exact functionality (allowing users who don't have permissions to publish items to view revision history for accountability/historical reasons). Are there any updates on when this might be added since it got taken out of the 5.4 release?

#13 in reply to: ↑ 12 @charveyunm
5 weeks ago

Replying to charveyunm:

Just found this issue and wanted to add that my team is looking for this exact functionality (allowing users who don't have permissions to publish items to view revision history for accountability/historical reasons). Are there any updates on when this might be added since it got taken out of the 5.4 release?

Besides the noted change in the revisions.php code mentioned above - I believe altering the function wp_ajax_get_revision_diffs in ajax-actions.php would provide most of what our team needs.

Something like:

if ( ! current_user_can( 'edit_post', $post->ID ) || ! current_user_can( 'read_revision', $post->ID ) ) {
	wp_send_json_error();
}
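
One way the view/edit separation discussed in this ticket could be expressed with the `map_meta_cap` filter, as an added example that is not part of the ticket, its attached patch, or WordPress core. The meta capability `read_revision` is used here with a hypothetical mapping, the primitive capability `view_revisions` and the `example_*` function names are hypothetical, and the code assumes it is loaded as a plugin inside WordPress.

```php
<?php
/**
 * Added illustration, not WordPress core code. Assumes it is loaded as a plugin.
 * Hypothetical names: 'read_revision' (meta cap), 'view_revisions' (primitive cap).
 * Grant the primitive with e.g. get_role( 'editor' )->add_cap( 'view_revisions' ).
 */
add_filter( 'map_meta_cap', 'example_map_read_revision', 10, 4 );

function example_map_read_revision( $caps, $cap, $user_id, $args ) {
	if ( 'read_revision' !== $cap ) {
		return $caps;
	}

	// Fail closed when no object ID is passed or the object does not exist.
	// (An empty ID must not reach get_post(), which would fall back to the global post.)
	$post = ! empty( $args[0] ) ? get_post( (int) $args[0] ) : null;
	if ( ! $post ) {
		return array( 'do_not_allow' );
	}

	// Accept either a revision ID or the parent post ID.
	$parent_id = wp_is_post_revision( $post );
	$parent_id = $parent_id ? $parent_id : $post->ID;

	// Viewing history requires the right to read the parent post,
	// plus the dedicated primitive capability. edit_post is not required.
	$required   = map_meta_cap( 'read_post', $user_id, $parent_id );
	$required[] = 'view_revisions';

	return $required;
}

// Read-only paths (revision listing, diff loading) check viewing only.
function example_can_view_revisions( $post_id ) {
	return current_user_can( 'read_revision', $post_id );
}

// State-changing paths (restore) still require edit rights on the parent.
function example_can_restore_revision( $revision_id ) {
	$parent_id = wp_is_post_revision( $revision_id );

	return $parent_id
		&& current_user_can( 'read_revision', $revision_id )
		&& current_user_can( 'edit_post', $parent_id );
}
```

Under this mapping a user who can edit a post but lacks `view_revisions` is denied on the view paths, and a user who holds `view_revisions` without edit rights can read the history but cannot restore a revision.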
