Page MenuHomePhabricator
Create Task
Maniphest T406668

Admins should be able to undelete wishlist entities
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Create a wish
  • Delete it
  • Attempt to undelete the page (i.e. Special:Undelete/Community Wishlist/W123)

What happens?:

There's no "Undelete revisions" form.

What should have happened instead?:

You should be able to undelete revisions just like any other page.

Other information (browser name/version, screenshots, etc.):

This is because of CommunityRequestsHooks::onGetUserPermissionsErrorsExpensive(). If the page is deleted, the $title->exists() check fails and we disallow the action, even for admins. The intent was to make everyone use the form to create new entities, but we accidentally also prevented admins from undeleting entities.

The easiest solution is probably to use one of the undelete hooks and set CommuntiyRequestsHooks::allowManualEditing = true.

Here is the updated version with a separate AC2 test case for non-admin users:

Derived Requirement

Ensure that administrators can undelete Community Wishlist wish pages using Special\:Undelete, consistent with standard MediaWiki behavior.

  • Deleted wishlist pages must display the "Undelete revisions" form to administrators.
  • Administrators must be able to restore deleted revisions of wishlist entities.
  • The undelete capability must not be blocked by custom permission checks.
  • Non-admin users must not gain undelete permissions.
Test Steps

Preconditions:

  • A Community Wishlist wish page exists (e.g., Community_Wishlist/W123).
  • The page has been deleted.
  • One administrator account and one non-admin account are available.

Test Case 1: Ensure administrators can undelete wishlist entities

  1. Log in as an administrator.
  2. Navigate to Special\:Undelete/Community_Wishlist/W123.
  3. Observe whether the "Undelete revisions" form is displayed.
  4. Restore the deleted revision.
  5. Verify the wish page is accessible again.
  6. Delete the page again to reset state (if needed).
  7. ✅❓❌⬜ AC1: The administrator can see and use the "Undelete revisions" form to restore the page.

Test Case 2: Ensure non-admin users cannot undelete wishlist entities

  1. Log in as a non-admin user.
  2. Navigate to Special\:Undelete/Community_Wishlist/W123.
  3. Observe the page behavior.
  4. ✅❓❌⬜ AC2: The "Undelete revisions" form is not available and the non-admin user cannot restore the deleted page.

QA Results - Meta Beta

ACStatusDetails
1T406668#11676067
2T406668#11676067
SideT406668#11679747

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
PermissionHooks: allow admins/Wishlist managers to undelete entitiesmediawiki/extensions/CommunityRequestsmaster+22 -3
Customize query in gerrit

Related Objects

Event Timeline

MusikAnimal created this task.Oct 7 2025, 11:21 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 7 2025, 11:21 PM
MusikAnimal triaged this task as Low priority.Oct 7 2025, 11:21 PM
MusikAnimal moved this task from Backlog to Entities on the MediaWiki-extensions-CommunityRequests board.Oct 7 2025, 11:26 PM
HMonroy removed a project: Community-Tech (Sea Lion Squad).Oct 9 2025, 4:44 PM
Restricted Application added a project: Community-Tech. · View Herald TranscriptOct 9 2025, 4:44 PM
Pppery awarded a token.Dec 23 2025, 5:50 AM
Pppery subscribed.Dec 23 2025, 5:52 AM

(I was trying to undelete https://meta.wikimedia.org/wiki/Community_Wishlist/W318 since I don't think being a duplicate is a valid reason to outright delete a wish; the later version should have remained as a historical record)

Pppery added a comment.Dec 23 2025, 4:55 PM

The easiest solution is probably to use one of the undelete hooks and set CommuntiyRequestsHooks::allowManualEditing = true.

That doesn't work; the only hook that runs before getUserPermissionExpensive checking for edit is getUserPermissionExpensive checking for undelete. I guess you could set a flag in the undelete hook to allow edits of that specific page, but that feels very very wrong.

gerritbot added a comment.Dec 28 2025, 5:46 AM

Change #1221223 had a related patch set uploaded (by MusikAnimal; author: MusikAnimal):

[mediawiki/extensions/CommunityRequests@master] PermissionHooks: allow admins/Wishlist managers to undelete entities

https://gerrit.wikimedia.org/r/1221223

gerritbot added a project: Patch-For-Review.Dec 28 2025, 5:46 AM
MusikAnimal added a comment.Dec 28 2025, 5:46 AM
In T406668#11483559, @Pppery wrote:

The easiest solution is probably to use one of the undelete hooks and set CommuntiyRequestsHooks::allowManualEditing = true.

That doesn't work; the only hook that runs before getUserPermissionExpensive checking for edit is getUserPermissionExpensive checking for undelete.

You're right there apparently is no suitable undeletion hook to use. There used to be, but my team actually removed as part of an earlier project, hehe! (T290021 – though I don't know if that worked for the action API).

I guess you could set a flag in the undelete hook to allow edits of that specific page, but that feels very very wrong.

How so? What we're doing here with the static variable I think should be safe. It's good for only one request. getUserPermissionExpensive won't even get called if the user doesn't have undelete right, so we should be able to set the static var and allow subsequent calls (in the same request) to the hook handler to return true so things work as expected.

Pppery added a comment.Dec 28 2025, 5:51 AM

I'm saying it feels ugly as a code-organization principle for the getUserPermissionExpensive hook to mutate state. I agree you're right it's probably safe, but I don't like it.

HMonroy edited projects, added Community-Tech (Sea Lion Squad); removed Community-Tech.Mar 4 2026, 4:51 PM
gerritbot added a comment.Mar 4 2026, 4:54 PM

Change #1221223 merged by jenkins-bot:

[mediawiki/extensions/CommunityRequests@master] PermissionHooks: allow admins/Wishlist managers to undelete entities

https://gerrit.wikimedia.org/r/1221223

jenkins-bot mentioned this in rECOR46ae35da9511: PermissionHooks: allow admins/Wishlist managers to undelete entities.Mar 4 2026, 4:56 PM
HMonroy moved this task from Backlog - groomed to QA on the Community-Tech (Sea Lion Squad) board.Mar 4 2026, 4:57 PM
ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.19; 2026-03-10).Mar 4 2026, 5:00 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 4 2026, 5:31 PM
GMikesell-WMF updated the task description. (Show Details)Mar 4 2026, 6:58 PM
GMikesell-WMF updated Other Assignee, added: GMikesell-WMF.
GMikesell-WMF added subscribers: HMonroy, GMikesell-WMF.Mar 4 2026, 11:40 PM

@HMonroy Can you please review the side issue video below and whether I should create a separate task for it or if it's fine?

Test Result - Meta Beta

Status: ✅ PASS
Environment: Meta Beta
OS: macOS Tahoe 26.3
Browser: Chrome 143
Device: MBA
Emulated Device: NA

Test Artifact(s): Deleted wishlist page, Special\:Undelete interface

https://meta.wikimedia.beta.wmcloud.org/wiki/Special:Undelete/Community_Wishlist/W46

Test Steps

Preconditions:

  • A Community Wishlist wish page exists (e.g., Community_Wishlist/W123).
  • The page has been deleted.
  • One administrator account and one non-admin account are available.

Test Case 1: Ensure administrators can undelete wishlist entities

  1. Log in as an administrator.
  2. Navigate to Special\:Undelete/Community_Wishlist/W123.
  3. Observe whether the "Undelete revisions" form is displayed.
  4. Restore the deleted revision.
  5. Verify the wish page is accessible again.
  6. Delete the page again to reset state (if needed).
  7. AC1: The administrator can see and use the "Undelete revisions" form to restore the page.

Test Case 2: Ensure non-admin users cannot undelete wishlist entities

  1. Log in as a non-admin user.
  2. Navigate to Special\:{F72561874}Undelete/Community_Wishlist/W123.
  3. Observe the page behavior.
  4. AC2: The "Undelete revisions" form is not available and the non-admin user cannot restore the deleted page.

❓Side Issue-
Did you want the voting comment removed, or should everything be as it was when you undeleted it?

GMikesell-WMF changed the task status from Open to In Progress.Mar 4 2026, 11:41 PM
GMikesell-WMF updated the task description. (Show Details)
GMikesell-WMF moved this task from QA to In Development on the Community-Tech (Sea Lion Squad) board.
MusikAnimal moved this task from In Development to QA on the Community-Tech (Sea Lion Squad) board.Mar 4 2026, 11:55 PM

Did you want the voting comment removed, or should everything be as it was when you undeleted it?

Undeleting the Votes subpage sounds appropriate given we auto-delete it, but yeah, that should be a separate task. What we did here was just about access control as opposed to actually hooking to the undelete action.

Xaosflux subscribed.Mar 5 2026, 6:19 PM
Xaosflux added a comment.Mar 5 2026, 6:23 PM

@MusikAnimal you may be able to read that task with your staff account, any suggestions would be welcome

Nardog subscribed.Mar 5 2026, 6:28 PM
MusikAnimal changed the task status from In Progress to Open.Mar 5 2026, 7:59 PM
Johannnes89 subscribed.Mar 5 2026, 8:35 PM
GMikesell-WMF added a comment.Mar 5 2026, 11:12 PM

Ok sounds good, I created T419180: Voting comment is removed after deleting and undeleting a wish , regarding the voting comment no reappearing after undeleting the wish. As for the task, I will mark this as Resolved. Thanks for all your work!

GMikesell-WMF closed this task as Resolved.Mar 5 2026, 11:13 PM
GMikesell-WMF updated the task description. (Show Details)
GMikesell-WMF updated Other Assignee, removed: GMikesell-WMF.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits