Just like the page deletion where the "delete" and "undelete" rights are separated, a separate role should be created called "revisionundelete". When a user attempts to change the visibility of a page in such a away that any component that was formerly hidden (text, summary or user/IP) will become visible, this right should be verified.
For those changes that only change visibility from visible to invisible (e.g. hiding the username of an edit the summary of which was formerly hidden), only the revisiondelete right should suffice.