From b5117e1ad5cb3498de8bc30704ce491780c67d80 Mon Sep 17 00:00:00 2001
From: "K. Adam White"
Date: Fri, 3 Apr 2020 19:38:15 +0000
Subject: [PATCH] REST API: Fix revisions controller get_item permission check.

r45812 incorrectly introduced a delete_post permissions check into the get_item method, breaking some plugins which requested revisions when generating previews.

Props sorenbronsted, yohannp, TimothyBlynJacobs.
Fixes #49645.

git-svn-id: https://develop.svn.wordpress.org/trunk@47547 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../class-wp-rest-revisions-controller.php | 22 +++++++++----------
 .../rest-api/rest-revisions-controller.php | 14 +++++++++++-
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
index 345dcd1596..cc1945ae9d 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
@@ -384,16 +384,6 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
 return $parent;
 }
 
- $parent_post_type = get_post_type_object( $parent->post_type );
-
- if ( ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {
- return new WP_Error(
- 'rest_cannot_delete',
- __( 'Sorry, you are not allowed to delete revisions of this post.' ),
- array( 'status' => rest_authorization_required_code() )
- );
- }
-
 $revision = $this->get_revision( $request['id'] );
 if ( is_wp_error( $revision ) ) {
 return $revision;
@@ -417,6 +407,16 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
 return $parent;
 }
 
+ $parent_post_type = get_post_type_object( $parent->post_type );
+
+ if ( ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {
+ return new WP_Error(
+ 'rest_cannot_delete',
+ __( 'Sorry, you are not allowed to delete revisions of this post.' ),
+ array( 'status' => rest_authorization_required_code() )
+ );
+ }
+
 $revision = $this->get_revision( $request['id'] );
 if ( is_wp_error( $revision ) ) {
 return $revision;
@@ -446,7 +446,7 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller {
 * @since 4.7.0
 *
 * @param WP_REST_Request $request Full details about the request.
- * @return true|WP_Error True on success, or WP_Error object on failure.
+ * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
 */
 public function delete_item( $request ) {
 $revision = $this->get_revision( $request['id'] );
diff --git a/tests/phpunit/tests/rest-api/rest-revisions-controller.php b/tests/phpunit/tests/rest-api/rest-revisions-controller.php
index 925870b129..346ba801fe 100644
--- a/tests/phpunit/tests/rest-api/rest-revisions-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-revisions-controller.php
@@ -241,6 +241,18 @@ class WP_Test_REST_Revisions_Controller extends WP_Test_REST_Controller_Testcase
 $this->assertNotNull( get_post( $this->revision_id1 ) );
 }
 
+ /**
+ * @ticket 49645
+ */
+ public function test_delete_item_parent_check() {
+ wp_set_current_user( self::$contributor_id );
+ $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 );
+ $request->set_param( 'force', true );
+ $response = rest_get_server()->dispatch( $request );
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 403 );
+ $this->assertNotNull( get_post( $this->revision_id1 ) );
+ }
+
 /**
 * @ticket 43709
 */
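Review bot: The capability check added after `return $parent;` dereferences `$parent_post_type->cap->delete_post` without guarding against `get_post_type_object()` returning null, which it does when the parent's post type is not registered, so that case surfaces as a property-access error instead of a clean authorization failure. Folding the null case into the denial keeps the outcome an explicit 403: `if ( ! $parent_post_type || ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) {`. The check is made against the parent named in the request while the revision is only fetched on the following line; if the remainder of the method does not confirm that the revision's post_parent is that parent, a delete capability on one post would satisfy this check for a revision of another, which is worth confirming rather than assuming. The enclosing method's signature and tail both lie outside the hunk.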
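Review bot: The new test_delete_item_parent_check exercises only the denied path of the delete check, and nothing in this patch covers the regression the commit message describes: a user allowed to read the parent post but not delete it issuing a GET for one of its revisions, which is the preview case that r45812 broke. Unless such a test already exists elsewhere in this file, a companion test for that request would pin the get_item behavior this commit restores and catch the next reintroduction of a delete check on the read path. The new test also differs from the existing contributor test altered in the `@@ -289,7 +301,7 @@` hunk only by `$request->set_param( 'force', true );`, and its docblock does not say so; a line such as `* Contributors are denied even when force-deleting a revision.` under `@ticket 49645` would make the distinction visible to the next reader.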
@@ -289,7 +301,7 @@ class WP_Test_REST_Revisions_Controller extends WP_Test_REST_Controller_Testcase
 wp_set_current_user( self::$contributor_id );
 $request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 );
 $response = rest_get_server()->dispatch( $request );
- $this->assertErrorResponse( 'rest_cannot_read', $response, 403 );
+ $this->assertErrorResponse( 'rest_cannot_delete', $response, 403 );
 }
 
 public function test_prepare_item() {