Last modified: 2014-10-15 13:28:13 UTC
We should have a selenium tests that makes sure that items can not be viewed if the user does not have the read permission. This should be done at least for normal pages views, history views, and diffs. It could possibly also cover action=raw (currently completely disabled), Special:Export, and API modules for listing revisions, rendering pages, etc.