From c26b0498591ebe6357b7e152b904a7d5a90017f3 Mon Sep 17 00:00:00 2001
From: Rotem Liss
Date: Mon, 3 Dec 2007 12:36:22 +0000
Subject: [PATCH] Users without the delete permission but with the deletedhistory one should not be allowed to access the content of deleted revisions.

---
 includes/api/ApiQueryDeletedrevs.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/includes/api/ApiQueryDeletedrevs.php b/includes/api/ApiQueryDeletedrevs.php
index 67694d72be..5c9c7f3591 100644
--- a/includes/api/ApiQueryDeletedrevs.php
+++ b/includes/api/ApiQueryDeletedrevs.php
@@ -48,7 +48,7 @@ class ApiQueryDeletedrevs extends ApiQueryBase {
 		global $wgUser;
 		// Before doing anything at all, let's check permissions
 		if(!$wgUser->isAllowed('deletedhistory'))
-			$this->dieUsage('You don\'t have permission to view deleted revisions', 'permissiondenied');
+			$this->dieUsage('You don\'t have permission to view deleted revisions information', 'permissiondenied');
 
 		$db = $this->getDB();
 		$params = $this->extractRequestParams();
@@ -88,6 +88,11 @@ class ApiQueryDeletedrevs extends ApiQueryBase {
 			$userMax = 50;
 			$botMax = 200;
 			$this->validateLimit('limit', $params['limit'], 1, $userMax, $botMax);
+
+			// And also stricter restrictions
+			if(!$wgUser->isAllowed('delete')) {
+				$this->dieUsage('You don\'t have permission to view deleted revisions content', 'permissiondeniedcontent');
+			}
 		}
 		if($fld_token)
 			// Undelete tokens are identical for all pages, so we cache one here
-- 
2.20.1
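Review bot: The new `delete` check in the second hunk is placed after `$this->validateLimit(...)`, so a caller who lacks that right but sends an out-of-range limit is answered with the limit error rather than the authorization error; authorization should be decided before any parameter handling, so the check belongs at the top of this block, or next to the existing `deletedhistory` check in the first hunk, gated on the same condition as this block. The enclosing `if` block starts outside the hunk, so I cannot confirm here that it is the branch gated on the content property; if it is not, content could still be returned on another path. The comment `// And also stricter restrictions` says nothing about what is being restricted or why; `// Revision content is only exposed to users who could delete it themselves` would tell the next reader what invariant this enforces. The property's entry in `getParamDescription()` should presumably also state that it requires the `delete` right, since the new `permissiondeniedcontent` error code is otherwise undocumented to API clients.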