* @return void
*/
protected function run( ApiPageSet $resultPageSet = null ) {
- // Before doing anything at all, let's check permissions
- $this->checkUserRightsAny( 'deletedhistory' );
-
$user = $this->getUser();
$db = $this->getDB();
$params = $this->extractRequestParams( false );
$this->addJoinConds(
[ 'change_tag' => [ 'JOIN', [ 'ar_rev_id=ct_rev_id' ] ] ]
);
- $changeTagDefStore = MediaWikiServices::getInstance()->getChangeTagDefStore();
+ $changeTagDefStore = $services->getChangeTagDefStore();
try {
$this->addWhereFld( 'ct_tag_id', $changeTagDefStore->getId( $params['tag'] ) );
} catch ( NameTableAccessException $exception ) {
}
// This means stricter restrictions
- if ( $this->fetchContent ) {
- $this->checkUserRightsAny( [ 'deletedtext', 'undelete' ] );
+ if ( ( $this->fld_comment || $this->fld_parsedcomment ) &&
+ !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' )
+ ) {
+ $this->dieWithError( 'apierror-cantview-deleted-comment', 'permissiondenied' );
+ }
+ if ( $this->fetchContent &&
+ !$this->getPermissionManager()->userHasAnyRight( $user, 'deletedtext', 'undelete' )
+ ) {
+ $this->dieWithError( 'apierror-cantview-deleted-revision-content', 'permissiondenied' );
}
$miser_ns = null;
if ( !is_null( $params['user'] ) || !is_null( $params['excludeuser'] ) ) {
// Paranoia: avoid brute force searches (T19342)
- // (shouldn't be able to get here without 'deletedhistory', but
- // check it again just in case)
if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) {
$bitmask = RevisionRecord::DELETED_USER;
- } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
+ } elseif ( !$this->getPermissionManager()
+ ->userHasAnyRight( $user, 'suppressrevision', 'viewsuppressed' )
+ ) {
$bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED;
} else {
$bitmask = 0;
dépôts / lhc / web / wiklou.git / blobdiff