Page MenuHomePhabricator

deleterevision alone does not provide any effective permission to the users
Closed, ResolvedPublic

Description

If a user or group is only given the "deleterevision" the only thing that changes is they can see the checkboxes and the button for "change visibility". But if they check a box and hit the botton, the form for changing visibility gives them an error.

In other words, deleterevision alone is useless.

Since at least one WMF wiki wants deleterevision for a user group without the ability to undelete revisions (FA WP for its Eliminator group), this needs to be fixed.

Event Timeline

Huji created this task.Mar 4 2016, 10:13 PM
Restricted Application added subscribers: JEumerus, Aklapper. · View Herald TranscriptMar 4 2016, 10:13 PM

You need at least 'deletedhistory' to bypass the permission check. 'deleterevision' seems not include the view of the entries.

lfaraone claimed this task.Mar 5 2016, 10:58 PM
lfaraone added a subscriber: lfaraone.

Should we just hide the log if you don't have deletedhistory?

lfaraone added a subscriber: aaron.Mar 5 2016, 11:55 PM

It looks like this was a behaviour change made in 2009 in rMWc2f7ea4d by @aaron

If we want to allow access to the deletion log to holders of deleterevision, it's a one-line change. Otherwise, its probably a two-line change.

Change 275268 had a related patch set uploaded (by LFaraone):
Allow users with deleterevision but not deletedhistory to delete revisions

https://gerrit.wikimedia.org/r/275268

Huji added a comment.Mar 7 2016, 5:49 PM

It looks like this was a behaviour change made in 2009 in rMWc2f7ea4d by @aaron
If we want to allow access to the deletion log to holders of deleterevision, it's a one-line change. Otherwise, its probably a two-line change.

Not exactly. This is what we agree on:

Those with deleterevision but not deletedhistory should be able to access the revision deletion form to delete a revision, and should not be able to see the logs of past deletions (this much, your patch does).

This is what we have to decide:

Can those with deleterevision but not deletedhistory "undelete" a deleted revision? And can they see a previously deleted revision's user/summary/text via a diff? (Like admins can?)

I think the answer to both should be no. You shouldn't be able to see that a revision was deleted if you don't have deletedhistory, therefore you shouldn't be able to restore it either.

I am not sure how your patch handles them.

Huji added a comment.Mar 7 2016, 6:42 PM

So I checked. The answer is with your patch, a user who is in revisiondelete but not in deletedhistory nor in deletedtext will still have the ability to undelete a revision, thereby seeing its text. But that action (the evasion) will be logged. Since we don't have a revisionundelete role (and creating one is beyond the scope of this bug) I guess the best we can do is what you suggest in this patch.

I am going to sign off on this patch. I will also create a separate issue for creating a new role for revisionundelete.

Florian closed this task as Resolved.Oct 14 2016, 2:13 PM

Change 275268 merged by jenkins-bot:
Allow users with deleterevision but not deletedhistory to delete revisions

https://gerrit.wikimedia.org/r/275268

Vogone reopened this task as Open.Jun 10 2017, 4:11 PM
Vogone added a subscriber: Vogone.

Change 275268 had a related patch set uploaded (by LFaraone):
Allow users with deleterevision but not deletedhistory to delete revisions
https://gerrit.wikimedia.org/r/275268

This change broke the accessibility of Special:RevisionDelete to ombudsmen which causes quite some trouble. I would suggest to revert this change and look for another way to solve this bug.

Change 358173 had a related patch set uploaded (by Vogone; owner: Vogone):
[mediawiki/core@master] Revert "Allow users with deleterevision but not deletedhistory to delete revisions"

https://gerrit.wikimedia.org/r/358173

Huji added a comment.EditedJun 10 2017, 6:33 PM

Change 275268 had a related patch set uploaded (by LFaraone):
Allow users with deleterevision but not deletedhistory to delete revisions
https://gerrit.wikimedia.org/r/275268

This change broke the accessibility of Special:RevisionDelete to ombudsmen which causes quite some trouble. I would suggest to revert this change and look for another way to solve this bug.

Why not give the Ombudsmen the appropriate rights? Just like how they have CheckUser access. If we can trust them with having CheckUser and Oversight access on every project, we can certainly trust them to have deletedhistory and deletedtext rights or even sysop rights everywhere.

In other words, you are trying to revert something that works correctly for many, just because there is a select few for whom it does not work, when there is an easy way to fix the permissions of those few.

Change 275268 had a related patch set uploaded (by LFaraone):
Allow users with deleterevision but not deletedhistory to delete revisions
https://gerrit.wikimedia.org/r/275268

This change broke the accessibility of Special:RevisionDelete to ombudsmen which causes quite some trouble. I would suggest to revert this change and look for another way to solve this bug.

Why not give the Ombudsmen the appropriate rights? Just like how they have CheckUser access. If we can trust them with having CheckUser and Oversight access on every project, we can certainly trust them to have deletedhistory and deletedtext rights or even sysop rights everywhere.
In other words, you are trying to revert something that works correctly for many, just because there is a select few for whom it does not work, when there is an easy way to fix the permissions of those few.

I think you are misunderstanding the issue. Ombudsmen do have these passive rights, we would need to add 'deleterevision' in order to "fix" it which would allow ombudsmen to actively hide revisions which is certainly not intended.

Huji added a comment.EditedJun 10 2017, 8:13 PM

Change 275268 had a related patch set uploaded (by LFaraone):
Allow users with deleterevision but not deletedhistory to delete revisions
https://gerrit.wikimedia.org/r/275268

This change broke the accessibility of Special:RevisionDelete to ombudsmen which causes quite some trouble. I would suggest to revert this change and look for another way to solve this bug.

Why not give the Ombudsmen the appropriate rights? Just like how they have CheckUser access. If we can trust them with having CheckUser and Oversight access on every project, we can certainly trust them to have deletedhistory and deletedtext rights or even sysop rights everywhere.
In other words, you are trying to revert something that works correctly for many, just because there is a select few for whom it does not work, when there is an easy way to fix the permissions of those few.

I think you are misunderstanding the issue. Ombudsmen do have these passive rights, we would need to add 'deleterevision' in order to "fix" it which would allow ombudsmen to actively hide revisions which is certainly not intended.

I think you are misunderstanding my point. The Ombudsmen currently have rights such as CheckUser and Oversight, using which they could "actively run checks" or "actively suppress revisions". They do not use it for those purposes though, because they know they are not supposed to.

Similarly, it is fine to give them "deleterevision" with the understanding that they are not to use it to actively delete a revision.

Change 275268 had a related patch set uploaded (by LFaraone):
Allow users with deleterevision but not deletedhistory to delete revisions
https://gerrit.wikimedia.org/r/275268

This change broke the accessibility of Special:RevisionDelete to ombudsmen which causes quite some trouble. I would suggest to revert this change and look for another way to solve this bug.

Why not give the Ombudsmen the appropriate rights? Just like how they have CheckUser access. If we can trust them with having CheckUser and Oversight access on every project, we can certainly trust them to have deletedhistory and deletedtext rights or even sysop rights everywhere.
In other words, you are trying to revert something that works correctly for many, just because there is a select few for whom it does not work, when there is an easy way to fix the permissions of those few.

I think you are misunderstanding the issue. Ombudsmen do have these passive rights, we would need to add 'deleterevision' in order to "fix" it which would allow ombudsmen to actively hide revisions which is certainly not intended.

I think you are misunderstanding my point. The Ombudsmen currently have rights such as CheckUser and Oversight, using which they could "actively run checks" or "actively suppress revisions". They do not use it for those purposes though, because they know they are not supposed to.
Similarly, it is fine to give them "deleterevision" with the understanding that they are not to use it to actively delete a revision.

No, ombudsmen can NOT "actively suppress revisions".

No, ombudsmen can NOT "actively suppress revisions".

This may be enforced by policy, but I don't believe there's a *technical* enforcement mechanism? Similarly, Stewards have the technical ability to suppress content on the English Wikipedia, but are restricted to specific circumstances by policy.

Vogone added a comment.EditedJun 10 2017, 11:48 PM

I'm sorry if this may sound a little impolite, but is it really so hard to check Special:GlobalGroupPermissions (https://meta.wikimedia.org/wiki/Special:GlobalGroupPermissions)? FWIW, I am an ombudsman myself and should probably know which technical access I have.

Huji added a comment.Jun 11 2017, 3:04 AM

No, ombudsmen can NOT "actively suppress revisions".

That is because there exists a "supressionlog" permission and Ombudsmen have it. But there exists no "deletedlog" right. Perhaps we should create one. Until then, we should just give any right that would allow Ombudsmen to get their job done.

As for CU, this *definitely* is not the case. I was an Ombudsman myself, and can guarantee that the rights Ombudsmen have for CU completely allows them to run checks. In fact they may run checks in special circumstances, but generally they don't. So yeah, Ombudsmen are trusted to have CU rights and they know they are not supposed to use it except where allowed, why not trust them to also have sysop rights (or parts of it) with the understanding that they are not to use it except to view deleted revisions related to a case they review, until we create any other necessary rights to fix this issue?

I'm sorry if this may sound a little impolite, but is it really so hard to check Special:GlobalGroupPermissions (https://meta.wikimedia.org/wiki/Special:GlobalGroupPermissions)? FWIW, I am an ombudsman myself and should probably know which technical access I have.

Not impolite at all! As a former Ombudsman, I find it less confusing perhaps because I am a very technically savvy person (I am also a MW developer). But I completely understand your point, and encourage you to create a separate task with ideas on how to make that page easier to understand for non-technical users.

I also think granting 'deleterevision' should get the job done short-term, because the active right to delete revisions is logged so there is little abuse potential. For long-term I think the code for Special:RevisionDelete should be fixed to let users with 'deletedtext' / 'deletedhistory' access it and use it passively.

This change broke the accessibility of Special:RevisionDelete to ombudsmen which causes quite some trouble. I would suggest to revert this change and look for another way to solve this bug.

I've read this discussion again, and maybe I'm missing it, but could you clarify what accessibility was broken? AIUI you have deletedhistory & deletedtext rights. What functionality do you expect to have that is currently missing?

Vogone added a comment.EditedJun 13 2017, 12:41 AM

This change broke the accessibility of Special:RevisionDelete to ombudsmen which causes quite some trouble. I would suggest to revert this change and look for another way to solve this bug.

I've read this discussion again, and maybe I'm missing it, but could you clarify what accessibility was broken? AIUI you have deletedhistory & deletedtext rights. What functionality do you expect to have that is currently missing?

The change in question broke accessibility of Special:RevisionDelete to users without 'deleterevision' permission, as far as I can see. At least I can access it anywhere where I have that right (wikis where I'm local/global admin), and on wikis where I do not, I can't and get an "you need to be an administrator/oversighter" permission error instead. Prior to this change, this was possible.
This means this change just replaced one bug with another.

In fact, this is exactly the "side-effect" described in LFaraone's initial commit. This means we need a solution which works for both, users with only 'deleterevision' and those with only 'deletedhistory'.

lfaraone closed this task as Resolved.Jul 4 2017, 9:30 PM

@Vogone: Could you open a new bug that makes explicit what functionality you can no longer use? Feel free to even assign it to me, but the specific ask in this bug is still implemented on master.

Change 358173 abandoned by Krinkle:
Revert "Allow users with deleterevision but not deletedhistory to delete revisions"

Reason:
Per Florian.

https://gerrit.wikimedia.org/r/358173