Allow users with deleterevision but not deletedhistory to delete revisions
authorLuke Faraone <luke@faraone.cc>
Sun, 6 Mar 2016 00:04:37 +0000 (00:04 +0000)
committerLuke Faraone <luke@faraone.cc>
Sun, 6 Mar 2016 00:06:06 +0000 (00:06 +0000)
Previously, Special:RevisionDelete required that the accessor had
deletedhistory to access it. Instead, we check for `deleterevision`, but
suppress output of the deletion log if the user lacks `deletedhistory`.

This has the side-effect of locking out users who have `deletedhistory` but not
`deleterevision` from accessing this special page, but that information is
available in other logs.

Bug: T128914
Change-Id: I2e194dae84a29c5ace254f55eda63cfe7f86c3ca

includes/specials/SpecialRevisiondelete.php

index fcd4ab5..dcaff4d 100644 (file)
@@ -106,7 +106,7 @@ class SpecialRevisionDelete extends UnlistedSpecialPage {
        ];
 
        public function __construct() {
-               parent::__construct( 'Revisiondelete', 'deletedhistory' );
+               parent::__construct( 'Revisiondelete', 'deleterevision' );
        }
 
        public function doesWrites() {
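Review bot: Switching the constructor's restriction from `deletedhistory` to `deleterevision` drops the only `deletedhistory` check that covered everything this special page renders, and the commit restores it only around the deletion log extract in the second hunk. Other output paths are not visible here (for instance whatever `showForm()` lists), so they may now be reachable by users without `deletedhistory`. Each should be confirmed safe to show or given its own `$user->isAllowed( 'deletedhistory' )` check. A comment on the constructor would record the invariant, e.g. `# Access requires 'deleterevision'; any output exposing deleted history must check 'deletedhistory' itself`.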
@@ -210,17 +210,19 @@ class SpecialRevisionDelete extends UnlistedSpecialPage {
                        $this->showForm();
                }
 
-               $qc = $this->getLogQueryCond();
-               # Show relevant lines from the deletion log
-               $deleteLogPage = new LogPage( 'delete' );
-               $output->addHTML( "<h2>" . $deleteLogPage->getName()->escaped() . "</h2>\n" );
-               LogEventsList::showLogExtract(
-                       $output,
-                       'delete',
-                       $this->targetObj,
-                       '', /* user */
-                       [ 'lim' => 25, 'conds' => $qc, 'useMaster' => $this->wasSaved ]
-               );
+               if ( $user->isAllowed( 'deletedhistory' ) ) {
+                       $qc = $this->getLogQueryCond();
+                       # Show relevant lines from the deletion log
+                       $deleteLogPage = new LogPage( 'delete' );
+                       $output->addHTML( "<h2>" . $deleteLogPage->getName()->escaped() . "</h2>\n" );
+                       LogEventsList::showLogExtract(
+                               $output,
+                               'delete',
+                               $this->targetObj,
+                               '', /* user */
+                               [ 'lim' => 25, 'conds' => $qc, 'useMaster' => $this->wasSaved ]
+                       );
+               }
                # Show relevant lines from the suppression log
                if ( $user->isAllowed( 'suppressionlog' ) ) {
                        $suppressLogPage = new LogPage( 'suppress' );
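Review bot: The added `if ( $user->isAllowed( 'deletedhistory' ) )` guard has no comment explaining why a page already restricted to `deleterevision` checks a second right, so a later refactor could drop it as redundant and re-expose the log. I would add `# Page access only needs 'deleterevision'; the deletion log is shown only to users who also hold 'deletedhistory'` above the `if`. The existing `# Show relevant lines from the deletion log` comment could also move above the guard, matching the suppression-log block that follows. The enclosing method starts and ends outside this hunk, so whether anything later in it depends on `$qc` being set could not be checked from here.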