Revert r29705. Simply provide rollback permission if you want people to be able to...

Otherwise you're going to end up with the restricted portions of it incorrectly allowed when they're not meant to be by accident, which seems pretty senseless.

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index f4ceed6..79222e2 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -35,11 +35,6 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN
 * New permission userrights-interwiki for changing user rights on foreign wikis.
 * $wgImplictGroups for groups that are hidden from Special:Listusers, etc.
 * $wgAutopromote: automatically promote users who match specified criteria
-* The 'rollback' permission now only affects whether rollback is made available
-  through the interface.  Users without the rollback permission can still use
-  it by generating the proper token through, e.g., a script.  This does nothing
-  but allow automated rollback scripts to operate more efficiently, without al-
-  lowing them to do anything extra.
 
 === New features in 1.12 ===
 * (bug 10735) Add a warning for non-descriptive filenames at Special:Upload

diff --git a/includes/Article.php b/includes/Article.php
index 34ea259..37a836e 100644 (file)
--- a/includes/Article.php
+++ b/includes/Article.php
@@ -2265,13 +2265,9 @@ class Article {
        }
 
        /**
-        * Roll back the most recent consecutive set of edits to a page from the
-        * same user; fails if there are no eligible edits to roll back to, e.g.
-        * user is the sole contributor.
-        *
-        * FIXME: We shouldn't do permissions checking here; that should be done in
-        * a wrapper so that server-side scripts can use this if they know what
-        * they're doing.
+        * Roll back the most recent consecutive set of edits to a page
+        * from the same user; fails if there are no eligible edits to
+        * roll back to, e.g. user is the sole contributor
         *
         * @param string $fromP - Name of the user whose edits to rollback. 
         * @param string $summary - Custom summary. Set to default summary if empty.
@@ -2290,7 +2286,7 @@ class Article {
 
                # Just in case it's being called from elsewhere         
 
-               if( $this->mTitle->userCan( 'edit' ) ) {
+               if( $wgUser->isAllowed( 'rollback' ) && $this->mTitle->userCan( 'edit' ) ) {
                        if( $wgUser->isBlocked() ) {
                                return self::BLOCKED;
                        }
@@ -2395,8 +2391,10 @@ class Article {
 
                $details = null;
 
-               # We do permissions checking twice, for some reason . . .
-               $perm_errors = $this->mTitle->getUserPermissionsErrors( 'edit', $wgUser );
+               # Skip the permissions-checking in doRollback() itself, by checking permissions here.
+
+               $perm_errors = array_merge( $this->mTitle->getUserPermissionsErrors( 'edit', $wgUser ),
+                                               $this->mTitle->getUserPermissionsErrors( 'rollback', $wgUser ) );
 
                if (count($perm_errors)) {
                        $wgOut->showPermissionsErrorPage( $perm_errors );
@@ -2416,7 +2414,7 @@ class Article {
                                $wgOut->blockedPage();
                                break;
                        case self::PERM_DENIED:
-                               $wgOut->permissionRequired( 'edit' );
+                               $wgOut->permissionRequired( 'rollback' );
                                break;
                        case self::READONLY:
                                $wgOut->readOnlyPage( $this->getContent() );