Last modified: 2011-03-07 17:08:04 UTC
Similar to Bug 27715, the filearchive module doesn't respect rev delete.
This is not a major issue, since you need to be a sysop to use that module whatsoever. However, if you had some of the sysop permissions split up, this could leak data to people with deletedhistory rights. This might also be able to leak some oversighted info to admins.
Easiest way to fix this would probably be to convert filearchive to use file objects, and then just use the various permission related methods of File.
*** Bug 27713 has been marked as a duplicate of this bug. ***
Or you use "fa_deleted = 0" inside the query like list=deletedrevs for 1.17.
But having some userhidden, commenthidden or filehidden information is also a good idea.
Considering that filearchive already does permission checks (and thus has a private cache mode), we might want to show DELETE_RESTRICTED data to users who have the relevant permissions.
There is no object wrapper around filearchive, currently, which needs fixing, but for 1.17 we probably want to go for a simpler solution.