I’m not sure whether it’s not intentional—I’ve always found it strange that as a normal admin, I can delete a such page, but can’t see its deleted text, neither can I restore an accidentally deleted page.

In T256427#6258446, @Tacsipacsi wrote:

I’m not sure whether it’s not intentional—I’ve always found it strange that as a normal admin, I can delete a such page, but can’t see its deleted text, neither can I restore an accidentally deleted page.

This is not intentional - see, eg, the documentation at https://en.wikipedia.org/wiki/Wikipedia:Interface_administrators#Technical_access - you should be able to delete it

@sbassett why is this not in the purview of the security team?

Hey @DannyS712 - The Security-Team is ostensibly interested in any security-related issue within the Wikimedia universe. But the way we are currently using our Phab team tag is primarily to triage incoming security tasks. While we'd love to work on all of these tasks, there is no feasible way we can do so given our current resources. So if we un-tag our team, it means there is very little probability we'd ever be able to directly work on the task. When a patch or solution does exist, we can of course be re-tagged (Incoming) for a quick review or security deployment.

If it’s not a security issue, can you make it public? Even though it’s a “Task”-type task now, it still has a custom visibility policy hiding it from the public. (I don’t see how to change it, probably because I’m not allowed to do so.)

In T256427#6318207, @Ammarpad wrote:

In T256427#6258446, @Tacsipacsi wrote:

I’m not sure whether it’s not intentional—I’ve always found it strange that as a normal admin, I can delete a such page, but can’t see its deleted text,

Probably what you deleted was 'userconfig' page. You cannot delete siteconfig page without editsite-* permission. If you believe you did that or saw where it was done (without being interface admin/having the relevant editsite-* permission ), please provide a link to the deletion log, that might be a bug.

Yeah, probably that was the case. I still find it strange, though, that I can delete something, but I can’t view it from that point (so e.g. I can’t email it to the user whose page I accidentally deleted to let them restore it).

In T256427#6318431, @DannyS712 wrote:

In T256427#6318207, @Ammarpad wrote:

This is not a bug.

When I go to https://simple.wikipedia.org/wiki/MediaWiki:Gadget-newpagesbox.js?action=delete
I should be able to delete the gadget

That's not possible without editsitejs permission.

From what I recall this was possible previously (deleting without being able to edit the site js pages). If not, it should be, for the same reason the exclusions were added to allow deletion of user js when normal admins couldn't edit them. If its not a bug then its a feature request, not invalid.

It was never possible (after creation of interface admin). You're probably recollecting wrong. Otherwise provide a link to where such deletions happened.

I have clarified the incorrect documentation that led to this confusion. The transcluded table chart may also need to be updated.

see also T202989

In T256427#6318439, @Ammarpad wrote:

This bug report is invalid. The code is working as intended, you should get that. If you want request something open a new task and explain that there.

The hack was intentionally not added for siteconfig pages because the rationale for adding it to userconfig pages T200176 does not apply there.

Not sure why a different task is needed, rather than just changing the subtype of this to a feature request, but fine. See T258383: Allow Administrators to delete site-wide script pages

Not sure why a different task is needed, rather than just changing the subtype of this to a feature request

It's important to keep it in case of similar future misunderstanding. Changing the scope completely will obscure the discussion and makes it harder to differentiate valid bug reports and invalid ones (like this task).