Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
0.00% |
0 / 81 |
|
0.00% |
0 / 13 |
CRAP | |
0.00% |
0 / 1 |
Hooks | |
0.00% |
0 / 81 |
|
0.00% |
0 / 13 |
1406 | |
0.00% |
0 / 1 |
registerExtension | |
0.00% |
0 / 1 |
|
0.00% |
0 / 1 |
2 | |||
__construct | |
0.00% |
0 / 1 |
|
0.00% |
0 / 1 |
2 | |||
checkUserCan | |
0.00% |
0 / 15 |
|
0.00% |
0 / 1 |
56 | |||
onGetUserPermissionsErrorsExpensive | |
0.00% |
0 / 9 |
|
0.00% |
0 / 1 |
6 | |||
onUserCanSendEmail | |
0.00% |
0 / 12 |
|
0.00% |
0 / 1 |
6 | |||
onGetUserBlock | |
0.00% |
0 / 14 |
|
0.00% |
0 / 1 |
56 | |||
onAbortAutoblock | |
0.00% |
0 / 1 |
|
0.00% |
0 / 1 |
2 | |||
onGetAutoPromoteGroups | |
0.00% |
0 / 9 |
|
0.00% |
0 / 1 |
30 | |||
onAutopromoteCondition | |
0.00% |
0 / 3 |
|
0.00% |
0 / 1 |
6 | |||
onRecentChange_Save | |
0.00% |
0 / 4 |
|
0.00% |
0 / 1 |
12 | |||
onListDefinedTags | |
0.00% |
0 / 4 |
|
0.00% |
0 / 1 |
6 | |||
onChangeTagsListActive | |
0.00% |
0 / 1 |
|
0.00% |
0 / 1 |
2 | |||
onOtherBlockLogLink | |
0.00% |
0 / 7 |
|
0.00% |
0 / 1 |
12 |
1 | <?php |
2 | |
3 | /** |
4 | * Hooks for the Extension:TorBlock for MediaWiki |
5 | * |
6 | * This program is free software; you can redistribute it and/or modify |
7 | * it under the terms of the GNU General Public License as published by |
8 | * the Free Software Foundation; either version 2 of the License, or |
9 | * (at your option) any later version. |
10 | * |
11 | * This program is distributed in the hope that it will be useful, |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
14 | * GNU General Public License for more details. |
15 | * |
16 | * You should have received a copy of the GNU General Public License along |
17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
19 | * http://www.gnu.org/copyleft/gpl.html |
20 | * |
21 | * @file |
22 | * @ingroup Extensions |
23 | * @link https://www.mediawiki.org/wiki/Extension:TorBlock Documentation |
24 | * |
25 | * @author Andrew Garrett <andrew@epstone.net> |
26 | * @license GPL-2.0-or-later |
27 | */ |
28 | |
29 | // phpcs:disable MediaWiki.NamingConventions.LowerCamelFunctionsName.FunctionName |
30 | // Need to be able to define ::onRecentChange_Save |
31 | |
32 | namespace MediaWiki\Extension\TorBlock; |
33 | |
34 | use MediaWiki\Block\AbstractBlock; |
35 | use MediaWiki\Block\DatabaseBlock; |
36 | use MediaWiki\Block\Hook\AbortAutoblockHook; |
37 | use MediaWiki\Block\Hook\GetUserBlockHook; |
38 | use MediaWiki\ChangeTags\Hook\ChangeTagsListActiveHook; |
39 | use MediaWiki\ChangeTags\Hook\ListDefinedTagsHook; |
40 | use MediaWiki\Extension\TorBlock\Hooks\HookRunner; |
41 | use MediaWiki\Hook\OtherBlockLogLinkHook; |
42 | use MediaWiki\Hook\RecentChange_saveHook; |
43 | use MediaWiki\HookContainer\HookContainer; |
44 | use MediaWiki\Html\Html; |
45 | use MediaWiki\Permissions\Hook\GetUserPermissionsErrorsExpensiveHook; |
46 | use MediaWiki\Title\Title; |
47 | use MediaWiki\User\Hook\AutopromoteConditionHook; |
48 | use MediaWiki\User\Hook\GetAutoPromoteGroupsHook; |
49 | use MediaWiki\User\Hook\UserCanSendEmailHook; |
50 | use MediaWiki\User\User; |
51 | use RecentChange; |
52 | use Wikimedia\IPUtils; |
53 | |
54 | class Hooks implements |
55 | AbortAutoblockHook, |
56 | AutopromoteConditionHook, |
57 | GetUserPermissionsErrorsExpensiveHook, |
58 | GetAutoPromoteGroupsHook, |
59 | GetUserBlockHook, |
60 | RecentChange_saveHook, |
61 | ListDefinedTagsHook, |
62 | ChangeTagsListActiveHook, |
63 | UserCanSendEmailHook, |
64 | OtherBlockLogLinkHook |
65 | { |
66 | |
67 | private HookRunner $hookRunner; |
68 | |
69 | public static function registerExtension() { |
70 | // Define new autopromote condition |
71 | // Numbers won't work, we'll get collisions |
72 | define( 'APCOND_TOR', 'tor' ); |
73 | } |
74 | |
75 | public function __construct( HookContainer $hookContainer ) { |
76 | $this->hookRunner = new HookRunner( $hookContainer ); |
77 | } |
78 | |
79 | /** |
80 | * Whether the given user is allowed to perform $action from its current IP |
81 | * |
82 | * @param User $user |
83 | * @param string|null $action |
84 | * @return bool |
85 | */ |
86 | private static function checkUserCan( User $user, $action = null ) { |
87 | global $wgTorAllowedActions, $wgRequest; |
88 | |
89 | if ( ( $action !== null && in_array( $action, $wgTorAllowedActions ) ) |
90 | || !TorExitNodes::isExitNode() |
91 | ) { |
92 | return true; |
93 | } |
94 | |
95 | wfDebugLog( 'torblock', "User detected as editing through tor." ); |
96 | |
97 | global $wgTorBypassPermissions; |
98 | foreach ( $wgTorBypassPermissions as $perm ) { |
99 | if ( $user->isAllowed( $perm ) ) { |
100 | wfDebugLog( 'torblock', "User has $perm permission. Exempting from Tor Blocks." ); |
101 | |
102 | return true; |
103 | } |
104 | } |
105 | |
106 | $ip = $wgRequest->getIP(); |
107 | if ( DatabaseBlock::isExemptedFromAutoblocks( $ip ) ) { |
108 | wfDebugLog( 'torblock', "IP is excluded from autoblocks. Exempting from Tor Blocks." ); |
109 | |
110 | return true; |
111 | } |
112 | |
113 | return false; |
114 | } |
115 | |
116 | /** |
117 | * Check if a user is a Tor node and not excluded from autoblocks or allowed |
118 | * to bypass tor blocks. |
119 | * |
120 | * @param Title $title Title being acted upon |
121 | * @param User $user User performing the action |
122 | * @param string $action Action being performed |
123 | * @param array &$result Will be filled with block status if blocked |
124 | * @return bool |
125 | */ |
126 | public function onGetUserPermissionsErrorsExpensive( |
127 | $title, |
128 | $user, |
129 | $action, |
130 | &$result |
131 | ) { |
132 | global $wgRequest; |
133 | if ( !self::checkUserCan( $user, $action ) ) { |
134 | wfDebugLog( 'torblock', "User detected as editing from Tor node. " . |
135 | "Adding Tor block to permissions errors." ); |
136 | |
137 | // Allow site customization of blocked message. |
138 | $blockedMsg = 'torblock-blocked'; |
139 | $this->hookRunner->onTorBlockBlockedMsg( $blockedMsg ); |
140 | $result = [ $blockedMsg, $wgRequest->getIP() ]; |
141 | |
142 | return false; |
143 | } |
144 | |
145 | return true; |
146 | } |
147 | |
148 | /** |
149 | * Check if the user is logged in from a Tor exit node but is not exempt. |
150 | * If so, block the user. |
151 | * |
152 | * @param User $user |
153 | * @param array &$hookErr |
154 | * @return bool |
155 | */ |
156 | public function onUserCanSendEmail( $user, &$hookErr ) { |
157 | global $wgRequest; |
158 | if ( !self::checkUserCan( $user ) ) { |
159 | wfDebugLog( 'torblock', "User detected as trying to send an email from Tor node. Preventing." ); |
160 | |
161 | // Allow site customization of blocked message. |
162 | $blockedMsg = 'torblock-blocked'; |
163 | $this->hookRunner->onTorBlockBlockedMsg( $blockedMsg ); |
164 | $hookErr = [ |
165 | 'permissionserrors', |
166 | $blockedMsg, |
167 | [ $wgRequest->getIP() ], |
168 | ]; |
169 | return false; |
170 | } |
171 | |
172 | return true; |
173 | } |
174 | |
175 | /** |
176 | * Remove a block if it only targets a Tor node. A composite block comprises |
177 | * multiple blocks, and if any of these target the user, then do not remove the |
178 | * block. |
179 | * |
180 | * @param User $user |
181 | * @param string|null $ip |
182 | * @param AbstractBlock|null &$block |
183 | * @return bool |
184 | */ |
185 | public function onGetUserBlock( $user, $ip, &$block ) { |
186 | global $wgTorDisableAdminBlocks; |
187 | if ( !$block || !$wgTorDisableAdminBlocks || !TorExitNodes::isExitNode() ) { |
188 | return true; |
189 | } |
190 | |
191 | $blocks = $block->toArray(); |
192 | |
193 | $removeBlock = true; |
194 | foreach ( $blocks as $singleBlock ) { |
195 | if ( $singleBlock->getType() === AbstractBlock::TYPE_USER ) { |
196 | $removeBlock = false; |
197 | break; |
198 | } |
199 | } |
200 | |
201 | if ( $removeBlock ) { |
202 | wfDebugLog( 'torblock', "User using Tor node. Disabling IP block as it was " . |
203 | "probably targeted at the Tor node." ); |
204 | // Node is probably blocked for being a Tor node. Remove block. |
205 | $block = null; |
206 | } |
207 | |
208 | return true; |
209 | } |
210 | |
211 | /** |
212 | * If an IP address is an exit node, stop it from being autoblocked. |
213 | * |
214 | * @param string $autoblockip IP address being blocked |
215 | * @param DatabaseBlock $block Block being applied |
216 | * @return bool |
217 | */ |
218 | public function onAbortAutoblock( $autoblockip, $block ) { |
219 | return !TorExitNodes::isExitNode( $autoblockip ); |
220 | } |
221 | |
222 | /** |
223 | * When the user is a Tor exit node, make sure they meet configured |
224 | * age/edit count requirements before allowing promotions. |
225 | * |
226 | * @param User $user User being promoted |
227 | * @param array &$promote Groups being added |
228 | * @return bool |
229 | */ |
230 | public function onGetAutoPromoteGroups( $user, &$promote ) { |
231 | global $wgTorAutoConfirmAge, $wgTorAutoConfirmCount; |
232 | |
233 | // Check against stricter requirements for tor nodes. |
234 | // Counterintuitively, we do the requirement checks first. |
235 | // This is so that we don't have to hit memcached to get the |
236 | // exit list, unnecessarily. |
237 | |
238 | if ( !count( $promote ) ) { |
239 | // No groups to promote to anyway |
240 | return true; |
241 | } |
242 | |
243 | $age = time() - (int)wfTimestampOrNull( TS_UNIX, $user->getRegistration() ); |
244 | |
245 | if ( $age >= $wgTorAutoConfirmAge && $user->getEditCount() >= $wgTorAutoConfirmCount ) { |
246 | // Does match requirements. Don't bother checking if we're an exit node. |
247 | return true; |
248 | } |
249 | |
250 | if ( TorExitNodes::isExitNode() ) { |
251 | // Tor user, doesn't match the expanded requirements. |
252 | $promote = []; |
253 | } |
254 | |
255 | return true; |
256 | } |
257 | |
258 | /** |
259 | * Check if a user is a Tor node if the wiki is configured |
260 | * to autopromote on Tor status. |
261 | * |
262 | * @param string $type Condition being checked |
263 | * @param array $args Arguments passed to the condition |
264 | * @param User $user User being promoted |
265 | * @param array &$result Will be filled with result of condition |
266 | * @return bool |
267 | */ |
268 | public function onAutopromoteCondition( $type, $args, $user, &$result ) { |
269 | if ( $type == APCOND_TOR ) { |
270 | $result = TorExitNodes::isExitNode(); |
271 | } |
272 | |
273 | return true; |
274 | } |
275 | |
276 | /** |
277 | * If enabled, tag recent changes made by a Tor exit node. |
278 | * |
279 | * @param RecentChange $recentChange The change being saved |
280 | * @return bool true |
281 | */ |
282 | public function onRecentChange_Save( $recentChange ) { |
283 | global $wgTorTagChanges; |
284 | |
285 | if ( $wgTorTagChanges && TorExitNodes::isExitNode() ) { |
286 | $recentChange->addTags( 'tor' ); |
287 | } |
288 | return true; |
289 | } |
290 | |
291 | /** |
292 | * If enabled, add a new tag type for recent changes made by Tor exit nodes. |
293 | * |
294 | * @param array &$emptyTags List of defined tags (for ListDefinedTags hook) or |
295 | * list of active tags (for ChangeTagsListActive hook) |
296 | * @return bool true |
297 | */ |
298 | public function onListDefinedTags( &$emptyTags ) { |
299 | global $wgTorTagChanges; |
300 | |
301 | if ( $wgTorTagChanges ) { |
302 | $emptyTags[] = 'tor'; |
303 | } |
304 | return true; |
305 | } |
306 | |
307 | /** |
308 | * @param string[] &$tags |
309 | * |
310 | * @return bool |
311 | */ |
312 | public function onChangeTagsListActive( &$tags ) { |
313 | return $this->onListDefinedTags( $tags ); |
314 | } |
315 | |
316 | /** |
317 | * Creates a message with the Tor blocking status if applicable. |
318 | * |
319 | * @param array &$msg Message with the status |
320 | * @param string $ip The IP address to be checked |
321 | * @return bool true |
322 | */ |
323 | public function onOtherBlockLogLink( &$msg, $ip ) { |
324 | // IP addresses can be blocked only |
325 | // Fast return if IP is not an exit node |
326 | if ( IPUtils::isIPAddress( $ip ) && TorExitNodes::isExitNode( $ip ) ) { |
327 | $msg[] = Html::rawElement( |
328 | 'span', |
329 | [ 'class' => 'mw-torblock-isexitnode' ], |
330 | wfMessage( 'torblock-isexitnode', $ip )->parse() |
331 | ); |
332 | } |
333 | return true; |
334 | } |
335 | } |