Big problems at PageHistory.php's
if( $this->linesonpage > 1 && $wgUser->isAllowed('deleterevision') ) {...
which makes
<form action="http://example.org/index.php?title=Special:Revisiondelete"
 method="get" id="mw-history-revdeleteform" style="visibility:hidden;float:right;">
<input name="target" type="hidden" value="A" />
<input name="oldid" type="hidden" value="" id="revdel-oldid" />
<input type="submit" value="Show/hide selected revisions" />
</form>
Let's examine this one by one:
- This should just be action="/index.php". What is a "?" doing in
action? Maybe you fellows were just testing with "pretty URLs" wikis.
- You depend on Javascript to put the values into the form, as
apparently this is the only way you can deal with "dueling forms" here.
Why not combine the two forms into one? Just have a different <input
type="submit" ...> for the second.
I would be willing to write a patch, if you were willing to not insist
on Javascript.
P.S., I don't know what that style="visibility:hidden" stuff is hiding.
By the way,
the above test should be reversed, to
if( $wgUser->isAllowed('deleterevision') && $this->linesonpage > 1 ) {...
considering most views are from normal users, so quit early.
And here's the background of how I found the bug:
Noting SpecialRevisiondelete.php is the second largest special page,
$ ls -S specials|nl|sed 3q
1 SpecialUpload.php
2 SpecialRevisiondelete.php
3 SpecialSearch.php
I decided to give it a try.
We see in the HISTORY file
- Further work on rev_deleted; changed to a bitfield with several data-hiding options. Not yet ready for production use; Special:Revisiondelete is incomplete, and the flags are not preserved across page deletion/undeletion. To try it; add the 'deleterevision' permission to a privileged group.
OK, we do
$wgGroupPermissions['sysop']['deleterevision']=true;
and proceed to browse the history of some page (with more than 1 revision),
http://example.org/index.php?title=A&action=history ... and the
rest is, well, history.
Version: 1.16.x
Severity: normal
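
Added example, not part of the original report or of MediaWiki's code: for a method="get" form, the HTML form-submission algorithm replaces the query string of the action URL with the serialized form fields, so the title= in the action quoted above never reaches the server. The function names, the oldid value 42 and the hidden title field in the corrected variant are assumptions made for illustration.

```javascript
// Models the "mutate action URL" step a browser performs when submitting
// a method="get" form: the action URL's query is REPLACED by the
// urlencoded form fields, not merged with them.
function getFormSubmitUrl(action, fields, base) {
  const url = new URL(action, base);
  const params = new URLSearchParams();
  for (const [name, value] of fields) {
    params.append(name, value);
  }
  url.search = params.toString(); // overwrites any query present in action
  return url.href;
}

// Returns the value of one query parameter, or null if it is absent.
function queryParam(href, name) {
  return new URL(href).searchParams.get(name);
}

const BASE = "http://example.org/";

// Form as generated in the report. The unnamed submit button contributes
// no field. oldid is normally filled in by script; 42 is a constructed value.
const asGenerated = getFormSubmitUrl(
  "http://example.org/index.php?title=Special:Revisiondelete",
  [["target", "A"], ["oldid", "42"]],
  BASE
);

// Corrected variant (assumption): action="/index.php" as the report asks,
// with the special page name carried in a hidden "title" field instead.
const corrected = getFormSubmitUrl(
  "/index.php",
  [["title", "Special:Revisiondelete"], ["target", "A"], ["oldid", "42"]],
  BASE
);

console.log(asGenerated); // title is gone from the request
console.log(corrected);   // title survives as an ordinary field
```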