Changes between Initial Version and Version 1 of Ticket #43316, comment 71
- Timestamp: 04/06/2018 01:21:47 PM (6 years ago)
Ticket #43316, comment 71
initial  v1
8        8    The more I think about this, the worse it looks...
9        9
10            Yes, deleting revisions checks the `edit_post` cap on the actual post, however this is still not adequate. Nobody should be able to circumvent the audit trail, not even admins. This is a safety/security feature. I see this as a blocking regression in the API. The only way this should be possible is from a plugin (same as now for non-API).
         10   Yes, deleting revisions checks the `delete_post` cap, however this is still not adequate. Nobody should be able to circumvent the audit trail, not even admins. This is a safety/security feature. I see this as a blocking regression in the API. The only way this should be possible is from a plugin (same as now for non-API).
11       11
12       12   If you don't want to remove the delete revision endpoint, we probably can map it to a `delete_revisions` capability that will not be mapped to any existing role and will always return false, i.e. a plugin will have to specifically assign that capability to a role.