Page MenuHomePhabricator

Deleted revisions permission scheme is wacky
Closed, ResolvedPublic


Some research shows that the following restrictions are enforced:

  1. To delete pages, the 'delete' right is required (that's logical)
  2. To view deleted revision metadata (timestamps, comments, users), the 'deletedhistory' right is required (also makes sense)
  3. To view deleted revision *content*, the 'delete' right is required (?!?)
  4. To restore deleted revisions, the 'delete' right is also required (also wacky).

IMO, the following should happen:

  • A separate 'undelete' right should be created
  • Viewing deleted revisions, *including content*, should be possible with the 'deletedhistory' right
  • Restoring them should be possible with the 'undelete' right

One could argue that being able to view deleted revision content is just a copy+paste away from being able to restore them. Alternatively, 'deletedhistory' and 'undelete' could be merged.

Either way, the situation as it is now (undeletion requiring the 'delete' right) doesn't make sense.

Version: 1.12.x
Severity: enhancement



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:01 PM
bzimport set Reference to bz12195.
bzimport added a subscriber: Unknown Object (MLST).

rotemliss wrote:

"deletedhistory" right should not be changed to include the content, as it breaks backwards compatibility and may grant the users permissions they are intended to get. It is possible to have a "viewdeletedcontent" right.

Splitting the "delete" permission to "delete" (for deletions) and "undelete" (for restorations and viewing deleted content) makes sense.

Merging "deletedhistory" and "undelete" doesn't make sense, as it means an all-or-nothing situation: Either you can do everything with deleted content, or you can do nothing. However, the current "deletedhistory" permission is much more harmless than the merged one: Just viewing the information about deleted revisions, conveniently viewing the deletion log and matching it to the versions. It only means summaries cannot be hidden. This right was even granted to all the users by default for some months. Viewing the actual content may be problematic in case of copyvios, but viewing the information is generally harmless.

(In reply to comment #1)

Merging "deletedhistory" and "undelete" doesn't make sense, as it means an
all-or-nothing situation

True, some people will want to retain the current metadata/content split.

I split off the 'undelete' right from the 'delete' right in r28151.