diff --git a/wp-includes/capabilities.php b/wp-includes/capabilities.php index eb6b3bbace..e6d16e927a 100644 --- a/wp-includes/capabilities.php +++ b/wp-includes/capabilities.php @@ -72,11 +72,8 @@ function map_meta_cap( $cap, $user_id, ...$args ) { } if ( 'revision' == $post->post_type ) { - $post = get_post( $post->post_parent ); - if ( ! $post ) { - $caps[] = 'do_not_allow'; - break; - } + $caps[] = 'do_not_allow'; + break; } if ( ( get_option( 'page_for_posts' ) == $post->ID ) || ( get_option( 'page_on_front' ) == $post->ID ) ) { diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php index 1b34619130..0a0a88106b 100644 --- a/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php +++ b/wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php @@ -349,6 +349,11 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller { return $parent; } + $parent_post_type = get_post_type_object( $parent->post_type ); + if ( ! current_user_can( $parent_post_type->cap->delete_post, $parent->ID ) ) { + return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete revisions of this post.' ), array( 'status' => rest_authorization_required_code() ) ); + } + $revision = $this->get_revision( $request['id'] ); if ( is_wp_error( $revision ) ) { return $revision; @@ -383,7 +388,12 @@ class WP_REST_Revisions_Controller extends WP_REST_Controller { } $post_type = get_post_type_object( 'revision' ); - return current_user_can( $post_type->cap->delete_post, $revision->ID ); + + if ( ! current_user_can( $post_type->cap->delete_post, $revision->ID ) ) { + return new WP_Error( 'rest_cannot_delete', __( 'Sorry, you are not allowed to delete this revision.' ), array( 'status' => rest_authorization_required_code() ) ); + } + + return true; } /** diff --git a/wp-includes/version.php b/wp-includes/version.php index 73e93054b6..64a34623ca 100644 
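Review bot: The revision branch in map_meta_cap() now appends `do_not_allow` unconditionally, and no comment records that this denial is deliberate. It affects every caller of the mapped capability, not only REST. The last hunk in class-wp-rest-revisions-controller.php checks `current_user_can( $post_type->cap->delete_post, $revision->ID )`, which would fail for every user if that capability resolves to this branch, making the endpoint deny all deletions. If that is intended, a comment such as `// Deleting a revision is never granted here; do not fall back to the parent post's capabilities.` would stop a later reader from restoring the parent lookup. The enclosing `case` begins outside the hunk, so which capabilities reach this branch is inferred.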
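Review bot: The added check authorises against `$request['parent']`, but the object fetched next is `$request['id']`, and nothing in this hunk confirms that the revision belongs to that parent. If `get_revision()` (outside the hunk) does not already enforce this, add a guard after the lookup such as `if ( (int) $revision->post_parent !== (int) $parent->ID )` that returns a not-found `WP_Error`, so the parent-level permission cannot apply to another post's revision. Separately, `get_post_type_object( $parent->post_type )` returns null for an unregistered post type, so `$parent_post_type->cap` would be read on null. Calling `current_user_can( 'delete_post', $parent->ID )` lets map_meta_cap resolve the type-specific capability and avoids that dereference. The enclosing method starts and ends outside the hunk.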
--- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.3-alpha-45811'; +$wp_version = '5.3-alpha-45812'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.