Last modified: 2011-03-07 17:08:04 UTC

Bug 27722 - filearchive api module doesn't respect revdelete
Product: MediaWiki
Classification: Unclassified
Component: API
Importance: Normal major
Assigned To: Roan Kattouw
Duplicates: 27713
Blocks: revdel 27339
Reported: 2011-02-25 21:18 UTC by Bawolff (Brian Wolff)
Modified: 2011-03-07 17:08 UTC

Description Bawolff (Brian Wolff) 2011-02-25 21:18:14 UTC
Similar to Bug 27715, the filearchive module doesn't respect rev delete.

This is not a major issue, since you need to be a sysop to use that module whatsoever. However, if you had some of the sysop permissions split up, this could leak data to people with deletedhistory rights. This might also be able to leak some oversighted info to admins.

Easiest way to fix this would probably be to convert filearchive to use file objects, and then just use the various permission related methods of File.
Comment 1 db [inactive,noenotif] 2011-02-26 11:31:53 UTC
*** Bug 27713 has been marked as a duplicate of this bug. ***
Comment 2 db [inactive,noenotif] 2011-02-26 11:33:43 UTC
Or you use "fa_deleted = 0" inside the query like list=deletedrevs for 1.17.

But having some userhidden, commenthidden or filehidden information is also a good idea.
Comment 3 Bawolff (Brian Wolff) 2011-02-26 16:52:57 UTC
Considering that filearchive already does permission checks (and thus has a private cache mode), we might want to show DELETE_RESTRICTED data to users who have the relevant permissions.
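
Added example, not part of the original thread and not MediaWiki's own code: a standalone PHP sketch of the per-field redaction discussed in comments 2 and 3, where the hidden flags are reported and a value is returned only to callers with the matching right. The bit values follow MediaWiki's `File::DELETED_*` constants; the function names, the column names other than `fa_deleted`, the right names other than `deletedhistory`, and the sample rows are assumptions.

```php
<?php
// Added example, not MediaWiki code. Bit values follow File::DELETED_* constants.
const DELETED_FILE = 1;       // reported as "filehidden"
const DELETED_COMMENT = 2;    // reported as "commenthidden"
const DELETED_USER = 4;       // reported as "userhidden"
const DELETED_RESTRICTED = 8; // suppressed: hidden from ordinary sysops as well

// May a caller holding $rights see the data guarded by bit $field?
function userCanSee( int $faDeleted, int $field, array $rights ): bool {
    if ( !( $faDeleted & $field ) ) {
        return true; // this field was never hidden
    }
    // Assumed right names; only 'deletedhistory' appears in the bug report.
    $needed = ( $faDeleted & DELETED_RESTRICTED ) ? 'suppressrevision'
        : ( ( $field & DELETED_FILE ) ? 'deletedtext' : 'deletedhistory' );
    return in_array( $needed, $rights, true );
}

// Build one API result item: emit the hidden flags, withhold redacted values.
function formatRow( array $row, array $rights ): array {
    $bits = (int)$row['fa_deleted'];
    $item = [ 'name' => $row['fa_name'] ];
    $fields = [
        'user'        => [ DELETED_USER, 'fa_user_text', 'userhidden' ],
        'description' => [ DELETED_COMMENT, 'fa_description', 'commenthidden' ],
        'storagekey'  => [ DELETED_FILE, 'fa_storage_key', 'filehidden' ],
    ];
    foreach ( $fields as $key => [ $bit, $column, $flag ] ) {
        if ( $bits & $bit ) {
            $item[$flag] = true;
        }
        if ( userCanSee( $bits, $bit, $rights ) ) {
            $item[$key] = $row[$column];
        }
    }
    return $item;
}

// Constructed sample rows: one file-hidden, one with a suppressed uploader name.
$rows = [
    [ 'fa_name' => 'A.png', 'fa_user_text' => 'Alice', 'fa_description' => 'first',
      'fa_storage_key' => 'samplekey1.png', 'fa_deleted' => DELETED_FILE ],
    [ 'fa_name' => 'B.png', 'fa_user_text' => 'Bob', 'fa_description' => 'second',
      'fa_storage_key' => 'samplekey2.png', 'fa_deleted' => DELETED_USER | DELETED_RESTRICTED ],
];
foreach ( [ [ 'deletedhistory' ], [ 'deletedhistory', 'deletedtext' ] ] as $rights ) {
    foreach ( $rows as $row ) {
        echo json_encode( formatRow( $row, $rights ) ), "\n";
    }
}
```

Neither sample caller holds the suppression right, so the uploader of `B.png` is withheld from both while `userhidden` is still reported; a response that varies by caller in this way relies on the private cache mode mentioned in comment 3.
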
Comment 4 Bryan Tong Minh 2011-03-06 21:47:46 UTC
There is no object wrapper around filearchive, currently, which needs fixing, but for 1.17 we probably want to go for a simpler solution.
Comment 5 Bryan Tong Minh 2011-03-07 17:08:04 UTC
