[wp-trac] [WordPress Trac] #43316: REST API: Support autosaves
WordPress Trac
noreply at wordpress.org
Fri Apr 6 13:17:50 UTC 2018
#43316: REST API: Support autosaves
-------------------------------------------------+-------------------------
Reporter: kraftbj | Owner: rmccue
Type: enhancement | Status: assigned
Priority: normal | Milestone: 5.0
Component: REST API | Version:
Severity: normal | Resolution:
Keywords: has-patch needs-testing needs-unit-tests | Focuses: rest-api
-------------------------------------------------+-------------------------
Comment (by azaozz):
Replying to [comment:67 rmccue]:
> > Yeah, I'm not sure why this was added to the API. IMHO we shouldn't be
> > removing the functionality of the audit trail. This changes the purpose
> > and functionality of revisions quite a bit...
>
> This was way back in https://github.com/WP-API/WP-API/pull/1110
>
> It does check the delete cap on revisions, so I'd make the argument this
> should be handled in the capability system instead. This is a conversation
> for another day though :)
The more I think about this, the worse it looks...
Yes, deleting revisions checks the `edit_post` cap on the actual post,
however this is still not adequate. Nobody should be able to circumvent
the audit trail, not even admins. This is a safety/security feature. I see
this as a blocking regression in the API. The only way this should be
possible is from a plugin (same as now for non-API).
If you don't want to remove the delete revision endpoint, we probably can
map it to a `delete_revisions` capability that will not be mapped to any
existing role and will always return false, i.e. a plugin will have to
specifically assign that capability to a role.
Created #43709 as a follow-up.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43316#comment:71>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
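The capability mapping azaozz proposes above, as an added example that is not part of the ticket or of WordPress core: a `map_meta_cap` filter routes the `delete_post` meta cap on a revision to a dedicated `delete_revisions` primitive cap that no role has by default, so the REST delete-revision endpoint is denied for everyone, administrators included, until a plugin grants it explicitly. It assumes the endpoint's permission check resolves to `current_user_can( 'delete_post', $revision_id )`; `map_meta_cap`, `get_post_type`, `get_role` and `add_cap` are core WordPress APIs.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core).
 *
 * Assumption: the revisions endpoint's delete permission check ends up in
 * current_user_can( 'delete_post', $revision_id ), which core maps through
 * map_meta_cap() before this filter runs.
 */

add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    // Only touch the delete meta cap, and only when the target is a revision.
    if ( 'delete_post' !== $cap || empty( $args[0] ) ) {
        return $caps;
    }
    if ( 'revision' !== get_post_type( (int) $args[0] ) ) {
        return $caps;
    }

    // Replace whatever core mapped (normally the parent post's delete caps)
    // with one primitive cap. Because no role defines it, current_user_can()
    // is false for every user, so the audit trail cannot be pruned over REST.
    return array( 'delete_revisions' );
}, 10, 4 );

/*
 * A plugin with a legitimate need to delete revisions opts in deliberately,
 * for example once on activation. Without a grant like this, nobody can.
 */
register_activation_hook( __FILE__, function () {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'delete_revisions' );
    }
} );
```

This only affects capability checks: core's own housekeeping calls to `wp_delete_post_revision()` (autosave cleanup, revision limits) do not consult capabilities and are unaffected.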