permissions - Filter DELETE REST API calls

I have a custom post type, that can be editable by more than one user. Each post of that type has a field with the user ids who can edit it (kinda like co-authors). But since many users have permissions to the post, I am not sure how to prevent deletion by other users (not in the co-authors' list).

Right now the problem is only present in the REST API which is used to delete from the frontend.

Is there a pre delete hook in which I can check for permissions and block the deletion if the user is not allowed to delete that specific post?

asked Oct 3, 2020 at 16:02 by CaptainNemo
  • Have you tried the pre_delete_post hook? developer.wordpress/reference/hooks/pre_delete_post – geouser Commented Oct 3, 2020 at 16:31
  • you could also tackle this via the capability filters, avoiding needing to deal with anything REST API related at all – Tom J Nowell Commented Oct 3, 2020 at 16:32
  • @geouser I have thought about it but did not know how to stop the deletion if need be – CaptainNemo Commented Oct 4, 2020 at 12:47
  • @TomJNowell I am not sure how this can be done for every post has different authors. – CaptainNemo Commented Oct 4, 2020 at 12:48
  • There are filters that let you do this on a per post basis – Tom J Nowell Commented Oct 4, 2020 at 13:48

1 Answer

The pre_delete_post hook filters whether a post deletion should take place, so the callback function must return a boolean value: true to go forward with deletion, false if not.

The pre_trash_post hook filters whether a post trashing should take place, so the callback function must return a boolean value: true to go forward with trashing, false if not.

add_filter( 'pre_delete_post', 'filter_function_name', 10, 2 );
add_filter( 'pre_trash_post', 'filter_function_name', 10, 2 );

function filter_function_name( $delete, $post ) {

    // You have a field with user IDs for the post, get them as array of IDs
    $authors = array(1, 2, 3);
    
    // Get current user ID, who attempts to delete the post
    $current_user_ID = get_current_user_id();
    
    // Check whether the current user ID is among the co-author IDs
    if ( !in_array( $current_user_ID, $authors ) ) {
        // If not, return false to prevent post deletion
        return false;
    }
    
    // else do nothing, and return default value
    return $delete;
}
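
The capability-filter approach suggested in the comments, as an added example (not code from the question or the answer): a `map_meta_cap` filter denies the `delete_post` capability to anyone outside the co-author list, so the REST API's own permission check rejects the request before any delete hook runs. The post type slug `my_cpt`, the meta key `_coauthor_ids` and the `myplugin_` names are assumptions, and the post type is assumed to be registered with `map_meta_cap` enabled.

```php
<?php
// Assumed names, not from the original post: adjust to your site.
const MYPLUGIN_POST_TYPE      = 'my_cpt';        // hypothetical custom post type slug
const MYPLUGIN_COAUTHORS_META = '_coauthor_ids'; // hypothetical meta key storing an array of user IDs

add_filter( 'map_meta_cap', 'myplugin_restrict_delete_to_coauthors', 10, 4 );

/**
 * Deny the per-post delete capability unless the user is a listed co-author.
 *
 * @param string[] $caps    Primitive capabilities required so far.
 * @param string   $cap     Meta capability being checked.
 * @param int      $user_id User the check is performed for.
 * @param array    $args    Extra arguments; $args[0] is the post ID.
 * @return string[]
 */
function myplugin_restrict_delete_to_coauthors( $caps, $cap, $user_id, $args ) {
    // Only per-post deletion checks are of interest here.
    if ( 'delete_post' !== $cap || empty( $args[0] ) ) {
        return $caps;
    }

    $post = get_post( (int) $args[0] );
    if ( ! $post || MYPLUGIN_POST_TYPE !== $post->post_type ) {
        return $caps;
    }

    // Normalise stored IDs to integers and drop empty values, so a missing
    // meta field never matches user ID 0 (a logged-out request).
    $stored    = (array) get_post_meta( $post->ID, MYPLUGIN_COAUTHORS_META, true );
    $coauthors = array_filter( array_map( 'intval', $stored ) );

    if ( ! in_array( (int) $user_id, $coauthors, true ) ) {
        // 'do_not_allow' is never granted to any user, so current_user_can()
        // fails for everyone outside the list, administrators included.
        $caps[] = 'do_not_allow';
    }

    return $caps;
}
```

Because the same capability check guards the admin screens, this covers deletion and trashing from wp-admin as well as from the REST API.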