Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revisions Controller: return single revision only when it matches the parent id #5655

Original file line number Diff line number Diff line change
Expand Up @@ -387,6 +387,7 @@ public function get_item_permissions_check( $request ) {
* Retrieves one revision from the collection.
*
* @since 4.7.0
* @since 6.5.0 Added a condition to check that parent id matches revision parent id.
*
* @param WP_REST_Request $request Full details about the request.
* @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
Expand All @@ -402,6 +403,15 @@ public function get_item( $request ) {
return $revision;
}

if ( (int) $parent->ID !== (int) $revision->post_parent ) {
return new WP_Error(
spacedmonkey marked this conversation as resolved.
Show resolved Hide resolved
'rest_post_invalid_parent',
/* translators: %s: A post revision id. */
ramonjd marked this conversation as resolved.
Show resolved Hide resolved
sprintf( __( 'Parent post does not have a revision with id of "%s"' ), $request['id'] ),
ramonjd marked this conversation as resolved.
Show resolved Hide resolved
array( 'status' => 404 )
);
}

$response = $this->prepare_item_for_response( $revision, $request );
return rest_ensure_response( $response );
}
Expand Down
48 changes: 46 additions & 2 deletions tests/phpunit/tests/rest-api/rest-revisions-controller.php
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
*/
class WP_Test_REST_Revisions_Controller extends WP_Test_REST_Controller_Testcase {
protected static $post_id;
ramonjd marked this conversation as resolved.
Show resolved Hide resolved
protected static $post_id_2;
protected static $page_id;

protected static $editor_id;
Expand All @@ -22,10 +23,12 @@ class WP_Test_REST_Revisions_Controller extends WP_Test_REST_Controller_Testcase
private $revision_id2;
private $revision_3;
private $revision_id3;
private $revision_2_1_id;

public static function wpSetUpBeforeClass( WP_UnitTest_Factory $factory ) {
self::$post_id = $factory->post->create();
self::$page_id = $factory->post->create( array( 'post_type' => 'page' ) );
self::$post_id = $factory->post->create();
self::$post_id_2 = $factory->post->create();
self::$page_id = $factory->post->create( array( 'post_type' => 'page' ) );

self::$editor_id = $factory->user->create(
array(
Expand Down Expand Up @@ -57,12 +60,25 @@ public static function wpSetUpBeforeClass( WP_UnitTest_Factory $factory ) {
'ID' => self::$post_id,
)
);
wp_update_post(
array(
'post_content' => 'A second post.',
'ID' => self::$post_id_2,
)
);
wp_update_post(
array(
'post_content' => 'A second post. How prolific.',
'ID' => self::$post_id_2,
)
);
wp_set_current_user( 0 );
}

public static function wpTearDownAfterClass() {
// Also deletes revisions.
wp_delete_post( self::$post_id, true );
wp_delete_post( self::$post_id_2, true );
wp_delete_post( self::$page_id, true );

self::delete_user( self::$editor_id );
Expand All @@ -72,6 +88,7 @@ public static function wpTearDownAfterClass() {
public function set_up() {
parent::set_up();

// Set first post revision vars.
$revisions = wp_get_post_revisions( self::$post_id );
$this->total_revisions = count( $revisions );
$this->revisions = $revisions;
Expand All @@ -81,6 +98,11 @@ public function set_up() {
$this->revision_id2 = $this->revision_2->ID;
$this->revision_3 = array_pop( $revisions );
$this->revision_id3 = $this->revision_3->ID;

// Set second post revision vars.
$revisions = wp_get_post_revisions( self::$post_id_2 );
$post_2_revision = array_pop( $revisions );
$this->revision_2_1_id = $post_2_revision->ID;
}

public function _filter_map_meta_cap_remove_no_allow_revisions( $caps, $cap, $user_id, $args ) {
Expand Down Expand Up @@ -234,6 +256,28 @@ public function test_get_item_invalid_parent_post_type() {
$this->assertErrorResponse( 'rest_post_invalid_parent', $response, 404 );
}

/**
ramonjd marked this conversation as resolved.
Show resolved Hide resolved
* @ticket 59875
*/
public function test_get_item_valid_parent_id() {
ramonjd marked this conversation as resolved.
Show resolved Hide resolved
wp_set_current_user( self::$editor_id );
$request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 );
$response = rest_get_server()->dispatch( $request );
$data = $response->get_data();
$this->assertSame( self::$post_id, $data['parent'], "The returned revision's id should match the parent id." );
$this->check_get_revision_response( $response, $this->revision_1 );
}

/**
* @ticket 59875
*/
public function test_get_item_invalid_parent_id() {
wp_set_current_user( self::$editor_id );
$request = new WP_REST_Request( 'GET', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_2_1_id );
$response = rest_get_server()->dispatch( $request );
$this->assertErrorResponse( 'rest_post_invalid_parent', $response, 404 );
}

public function test_delete_item() {
wp_set_current_user( self::$editor_id );
$request = new WP_REST_Request( 'DELETE', '/wp/v2/posts/' . self::$post_id . '/revisions/' . $this->revision_id1 );
Expand Down
Loading