Code Coverage for /workspace/src/includes/block/BlockPermissionChecker.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	86.67% covered (warning)	86.67%	26 / 30	75.00% covered (warning)	75.00%	3 / 4	CRAP	0.00% covered (danger)	0.00%	0 / 1
BlockPermissionChecker	86.67% covered (warning)	86.67%	26 / 30	75.00% covered (warning)	75.00%	3 / 4	18.77	0.00% covered (danger)	0.00%	0 / 1
__construct	0.00% covered (danger)	0.00%	0 / 4	0.00% covered (danger)	0.00%	0 / 1	2
checkBasePermissions	100.00% covered (success)	100.00%	6 / 6	100.00% covered (success)	100.00%	1 / 1	4
checkBlockPermissions	100.00% covered (success)	100.00%	18 / 18	100.00% covered (success)	100.00%	1 / 1	11
checkEmailPermissions	100.00% covered (success)	100.00%	2 / 2	100.00% covered (success)	100.00%	1 / 1	2

1	<?php
2
3	/**
4	* This program is free software; you can redistribute it and/or modify
5	* it under the terms of the GNU General Public License as published by
6	* the Free Software Foundation; either version 2 of the License, or
7	* (at your option) any later version.
8	*
9	* This program is distributed in the hope that it will be useful,
10	* but WITHOUT ANY WARRANTY; without even the implied warranty of
11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12	* GNU General Public License for more details.
13	*
14	* You should have received a copy of the GNU General Public License along
15	* with this program; if not, write to the Free Software Foundation, Inc.,
16	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17	* http://www.gnu.org/copyleft/gpl.html
18	*
19	* @file
20	*/
21
22	namespace MediaWiki\Block;
23
24	use MediaWiki\Config\ServiceOptions;
25	use MediaWiki\MainConfigNames;
26	use MediaWiki\Permissions\Authority;
27	use MediaWiki\User\UserIdentity;
28
29	/**
30	* Block permissions
31	*
32	* This class is responsible for making sure a user has permission to block.
33	*
34	* This class is usable for both blocking and unblocking.
35	*
36	* @since 1.35
37	*/
38	class BlockPermissionChecker {
39	/**
40	* @var UserIdentity\|string\|null Block target or null when unknown
41	*/
42	private $target;
43
44	/**
45	* @var Authority Block performer
46	*/
47	private $performer;
48
49	/**
50	* @internal only for use by ServiceWiring and BlockPermissionCheckerFactory
51	*/
52	public const CONSTRUCTOR_OPTIONS = [
53	MainConfigNames::EnableUserEmail,
54	];
55
56	/** @var ServiceOptions */
57	private $options;
58
59	/**
60	* @param ServiceOptions $options
61	* @param BlockUtils $blockUtils
62	* @param UserIdentity\|string\|null $target
63	* @param Authority $performer
64	*/
65	public function __construct(
66	ServiceOptions $options,
67	BlockUtils $blockUtils,
68	$target,
69	Authority $performer
70	) {
71	$options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );
72	$this->options = $options;
73	[ $this->target, ] = $blockUtils->parseBlockTarget( $target );
74	$this->performer = $performer;
75	}
76
77	/**
78	* Check the base permission that applies to either block or unblock
79	*
80	* @since 1.36
81	* @param bool $checkHideuser
82	* @return bool\|string
83	*/
84	public function checkBasePermissions( $checkHideuser = false ) {
85	if ( !$this->performer->isAllowed( 'block' ) ) {
86	return 'badaccess-group0';
87	}
88
89	if (
90	$checkHideuser &&
91	!$this->performer->isAllowed( 'hideuser' )
92	) {
93	return 'unblock-hideuser';
94	}
95
96	return true;
97	}
98
99	/**
100	* Checks block-related permissions (doesn't check any other permissions)
101	*
102	* T17810: Site-wide blocked admins should not be able to block/unblock
103	* others with one exception; they can block the user who blocked them,
104	* to reduce advantage of a malicious account blocking all admins (T150826).
105	*
106	* T208965: Partially blocked admins can block and unblock others as normal.
107	*
108	* @return bool\|string True when checks passed, message code for failures
109	*/
110	public function checkBlockPermissions() {
111	$block = $this->performer->getBlock(); // TODO: pass disposition parameter
112	if ( !$block ) {
113	// User is not blocked, process as normal
114	return true;
115	}
116
117	if ( !$block->isSitewide() ) {
118	// T208965: Partially blocked admins should have full access
119	return true;
120	}
121
122	$performerIdentity = $this->performer->getUser();
123
124	if (
125	$this->target instanceof UserIdentity &&
126	$this->target->getId() === $performerIdentity->getId()
127	) {
128	// Blocked admin is trying to alter their own block
129
130	// Self-blocked admins can always remove or alter their block
131	if ( $block->getBlocker() && $performerIdentity->equals( $block->getBlocker() ) ) {
132	return true;
133	}
134
135	// Users with 'unblockself' right can unblock themselves or alter their own block
136	if ( $this->performer->isAllowed( 'unblockself' ) ) {
137	return true;
138	} else {
139	return 'ipbnounblockself';
140	}
141	}
142
143	if (
144	$this->target instanceof UserIdentity &&
145	$block->getBlocker() &&
146	$this->target->equals( $block->getBlocker() )
147	) {
148	// T150826: Blocked admins can always block the admin who blocked them
149	return true;
150	}
151
152	// User is blocked and no exception took effect
153	return 'ipbblocked';
154	}
155
156	/**
157	* Check permission to block emailing
158	*
159	* @since 1.36
160	* @return bool
161	*/
162	public function checkEmailPermissions() {
163	return $this->options->get( MainConfigNames::EnableUserEmail ) &&
164	$this->performer->isAllowed( 'blockemail' );
165	}
166	}