Users without the delete permission but with the deletedhistory one should not be...
authorRotem Liss <rotem@users.mediawiki.org>
Mon, 3 Dec 2007 12:36:22 +0000 (12:36 +0000)
committerRotem Liss <rotem@users.mediawiki.org>
Mon, 3 Dec 2007 12:36:22 +0000 (12:36 +0000)
includes/api/ApiQueryDeletedrevs.php

index 67694d7..5c9c7f3 100644 (file)
@@ -48,7 +48,7 @@ class ApiQueryDeletedrevs extends ApiQueryBase {
                global $wgUser;\r
                // Before doing anything at all, let's check permissions\r
                if(!$wgUser->isAllowed('deletedhistory'))\r
-                       $this->dieUsage('You don\'t have permission to view deleted revisions', 'permissiondenied');\r
+                       $this->dieUsage('You don\'t have permission to view deleted revisions information', 'permissiondenied');\r
 \r
                $db = $this->getDB();\r
                $params = $this->extractRequestParams();\r
@@ -88,6 +88,11 @@ class ApiQueryDeletedrevs extends ApiQueryBase {
                        $userMax = 50;\r
                        $botMax = 200;\r
                        $this->validateLimit('limit', $params['limit'], 1, $userMax, $botMax);\r
+\r
+                       // And also stricter restrictions\r
+                       if(!$wgUser->isAllowed('delete')) {\r
+                               $this->dieUsage('You don\'t have permission to view deleted revisions content', 'permissiondeniedcontent');\r
+                       }\r
                }\r
                if($fld_token)\r
                        // Undelete tokens are identical for all pages, so we cache one here\r
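Review bot: In the second hunk the new `delete` check runs only after `validateLimit('limit', ...)`, so a caller without the right has the limit parameter processed before the request is refused; the authorization decision is better made first. I would move the `if(!$wgUser->isAllowed('delete'))` block to the top of this branch, above `$userMax = 50;`. The comment `// And also stricter restrictions` does not say what is restricted or why; something like `// Revision content requires the 'delete' right in addition to 'deletedhistory'` records the rule for the next reader. The enclosing `if` opens outside the hunk, so that this is the content-field branch is inferred from the error message rather than visible here.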