Last modified: 2011-03-07 17:08:04 UTC

This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T29722, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 27722 - filearchive api module doesn't respect revdelete
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: API
Version: 1.17.x
Hardware: All All
Importance: Normal major
Assigned To: Roan Kattouw
Duplicates: 27713
Depends on:
Blocks: revdel 27339

Reported: 2011-02-25 21:18 UTC by Bawolff (Brian Wolff)
Modified: 2011-03-07 17:08 UTC (History)

Description Bawolff (Brian Wolff) 2011-02-25 21:18:14 UTC
Similar to Bug 27715, the filearchive module doesn't respect rev delete.

This is not a major issue, since you need to be a sysop to use that module whatsoever. However, if you had some of the sysop permissions split up, this could leak data to people with deletedhistory rights. This might also be able to leak some oversighted info to admins.

Easiest way to fix this would probably be to convert filearchive to use file objects, and then just use the various permission related methods of File.

Comment 1 db [inactive,noenotif] 2011-02-26 11:31:53 UTC
*** Bug 27713 has been marked as a duplicate of this bug. ***

Comment 2 db [inactive,noenotif] 2011-02-26 11:33:43 UTC
Or you use "fa_deleted = 0" inside the query like list=deletedrevs for 1.17.

But having some userhidden, commenthidden or filehidden information is also a good idea.

Comment 3 Bawolff (Brian Wolff) 2011-02-26 16:52:57 UTC
Considering that filearchive already does permission checks (and thus has a private cache mode), we might want to show DELETE_RESTRICTED data to users who have the relevant permissions.

Comment 4 Bryan Tong Minh 2011-03-06 21:47:46 UTC
There is no object wrapper around filearchive, currently, which needs fixing, but for 1.17 we probably want to go for a simpler solution.

Comment 5 Bryan Tong Minh 2011-03-07 17:08:04 UTC
r83461
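
The behaviour discussed in the description and in comments 2 and 3, as an added stand-alone PHP example (it is not MediaWiki's code and not the change made in r83461): each hidden field of a filearchive row is flagged as hidden, and its value is returned only to viewers holding the matching right. The helper names `userCanSee` and `formatRow`, the output key names and the sample rows are constructed for illustration; the right required for each bit is an assumption modelled on MediaWiki's revision-deletion checks.

```php
<?php
// Added illustration, not MediaWiki code; bit values mirror File::DELETED_*.
const DELETED_FILE = 1;
const DELETED_COMMENT = 2;
const DELETED_USER = 4;
const DELETED_RESTRICTED = 8;
// Hypothetical helper: may a viewer holding $rights see the field guarded by $field?
function userCanSee(int $bits, int $field, array $rights): bool {
    if (($bits & $field) === 0) {
        return true; // this field is not hidden
    }
    $needed = 'deletedhistory';           // uploader name, upload comment
    if ($bits & DELETED_RESTRICTED) {
        $needed = 'suppressrevision';     // suppressed: hidden from ordinary admins too
    } elseif ($field & DELETED_FILE) {
        $needed = 'deletedtext';          // the file itself
    }
    return in_array($needed, $rights, true);
}
// Hypothetical helper: build one API result item from a filearchive row.
function formatRow(array $row, array $rights): array {
    $bits = (int)$row['fa_deleted'];
    $item = ['name' => $row['fa_name']];
    $fields = [
        'user'       => [DELETED_USER, 'fa_user_text', 'userhidden'],
        'comment'    => [DELETED_COMMENT, 'fa_description', 'commenthidden'],
        'storagekey' => [DELETED_FILE, 'fa_storage_key', 'filehidden'],
    ];
    foreach ($fields as $key => [$field, $column, $flag]) {
        if ($bits & $field) {
            $item[$flag] = true;          // always report that something is hidden
        }
        if (userCanSee($bits, $field, $rights)) {
            $item[$key] = $row[$column];  // value only for permitted viewers
        }
    }
    return $item;
}

// Constructed sample rows (not real data) and three constructed viewers.
$rows = [
    ['fa_name' => 'A.png', 'fa_user_text' => 'Alice', 'fa_description' => 'plain', 'fa_storage_key' => 'key-a', 'fa_deleted' => 0],
    ['fa_name' => 'B.png', 'fa_user_text' => 'Bob', 'fa_description' => 'hidden note', 'fa_storage_key' => 'key-b', 'fa_deleted' => DELETED_FILE | DELETED_COMMENT],
    ['fa_name' => 'C.png', 'fa_user_text' => 'Carol', 'fa_description' => 'ok', 'fa_storage_key' => 'key-c', 'fa_deleted' => DELETED_USER | DELETED_RESTRICTED],
];
$viewers = ['split' => ['deletedhistory'], 'sysop' => ['deletedhistory', 'deletedtext'], 'oversight' => ['deletedhistory', 'deletedtext', 'suppressrevision']];
foreach ($viewers as $label => $rights) {
    echo $label, ': ', json_encode(array_map(fn($r) => formatRow($r, $rights), $rows)), "\n";
}
```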
