https://bugzilla.wikimedia.org/show_bug.cgi?id=69380

--- Comment #9 from Brad Jorsch <[email protected]> ---
(In reply to MZMcBride from comment #7)
> I think your use of the term "security bug" is pretty dubious.

A method for bypassing access restriction is solidly in the category of
"security bug".

> Need to? What specific use-case or problem are you addressing?

The fact that it was possible to bypass access restrictions. The
currently-merged patch solves this by requiring 'edit' in order to delete. It
would work as well to add an additional access restriction for delete directly.


(In reply to Nemo from comment #8)
> bug 12343 can be fixed in way better ways.

While fixing bug 12343 might well be a good thing, it wouldn't solve the
security hole here: the attacker could delete the page and then undelete all
except the revision they're trying to revert.
