Page MenuHomePhabricator
Create Task
Maniphest T29722

filearchive api module doesn't respect revdelete
Closed, ResolvedPublic
Actions

Description

Similar to Bug 27715, the filearchive module doesn't respect rev delete.

This is not a major issue, since you need to be a sysop to use that module whatsoever. However, if you had some of the sysop permissions split up, this could leak data to people with deletedhistory rights. This might also be able to leak some oversighted info to admins.

Easiest way to fix this would probably be to convert filearchive to use file objects, and then just use the various permission related methods of File.

Version: 1.17.x
Severity: major

Details

Reference
bz27722

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:23 PM
bzimport added a project: MediaWiki-Action-API.
bzimport set Reference to bz27722.
Bawolff created this task.Feb 25 2011, 9:18 PM
duplicatebug added a comment.Feb 26 2011, 11:31 AM
  • Bug 27713 has been marked as a duplicate of this bug. ***
duplicatebug added a comment.Feb 26 2011, 11:33 AM

Or you use "fa_deleted = 0" inside the query like list=deletedrevs for 1.17.

But having some userhidden, commenthidden or filehidden information is also a good idea.

Bawolff added a comment.Feb 26 2011, 4:52 PM

Considering that filearchive already does permission checks (and thus has a private cache mode), we might want to show DELETE_RESTRICTED data to users who have the relevant permissions.

bzimport added a comment.Mar 6 2011, 9:47 PM

Bryan.TongMinh wrote:

There is no object wrapper around filearchive, currently, which needs fixing, but for 1.17 we probably want to go for a simpler solution.

bzimport added a comment.Mar 7 2011, 5:08 PM

Bryan.TongMinh wrote:

r83461

Phabricator_maintenance added a project: MediaWiki-Revision-deletion.Aug 5 2016, 2:26 PM
Restricted Application added a subscriber: JEumerus. · View Herald TranscriptAug 5 2016, 2:26 PM
Phabricator_maintenance removed a parent task: T20840: [DO NOT USE] RevDelete/HideUser (tracking) [superseded by #MediaWiki-Revision-deletion].Aug 5 2016, 2:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL