Code Coverage for /workspace/src/maintenance/createAndPromote.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	96.00% covered (success)	96.00%	120 / 125	66.67% covered (warning)	66.67%	2 / 3	CRAP	0.00% covered (danger)	0.00%	0 / 1
CreateAndPromote	96.00% covered (success)	96.00%	120 / 125	66.67% covered (warning)	66.67%	2 / 3	32	0.00% covered (danger)	0.00%	0 / 1
__construct	100.00% covered (success)	100.00%	28 / 28	100.00% covered (success)	100.00%	1 / 1	2
execute	94.25% covered (success)	94.25%	82 / 87	0.00% covered (danger)	0.00%	0 / 1	29.16
addLogEntry	100.00% covered (success)	100.00%	10 / 10	100.00% covered (success)	100.00%	1 / 1	1

1	<?php
2	/**
3	* Creates an account and grants it rights.
4	*
5	* @license GPL-2.0-or-later
6	* @file
7	* @ingroup Maintenance
8	* @author Rob Church <robchur@gmail.com>
9	* @author Pablo Castellano <pablo@anche.no>
10	*/
11
12	// @codeCoverageIgnoreStart
13	require_once __DIR__ . '/Maintenance.php';
14	// @codeCoverageIgnoreEnd
15
16	use MediaWiki\Auth\AuthManager;
17	use MediaWiki\Deferred\SiteStatsUpdate;
18	use MediaWiki\Logging\ManualLogEntry;
19	use MediaWiki\Maintenance\Maintenance;
20	use MediaWiki\Password\PasswordError;
21	use MediaWiki\Permissions\UltimateAuthority;
22	use MediaWiki\User\User;
23	use MediaWiki\WikiMap\WikiMap;
24
25	/**
26	* Maintenance script to create an account and grant it rights.
27	*
28	* Note that, if CentralAuth is loaded and $wgCentralAuthAutomaticGlobalGroups is
29	* configured, this script will not update the global groups automatically.
30	*
31	* @ingroup Maintenance
32	*/
33	class CreateAndPromote extends Maintenance {
34	private const PERMIT_ROLES = [ 'sysop', 'bureaucrat', 'interface-admin', 'bot' ];
35
36	public function __construct() {
37	parent::__construct();
38	$this->addDescription( 'Create a new user account and/or grant it additional rights' );
39	$this->addOption(
40	'email',
41	'Sets the users email address',
42	false,
43	true
44	);
45	$this->addOption(
46	'force',
47	'If account exists already, just grant it rights or change password.'
48	);
49	foreach ( self::PERMIT_ROLES as $role ) {
50	$this->addOption( $role, "Add the account to the {$role} group" );
51	}
52
53	$this->addOption(
54	'custom-groups',
55	'Comma-separated list of groups to add the user to',
56	false,
57	true
58	);
59
60	$this->addOption(
61	'reason',
62	'Reason for account creation and user rights assignment to log to wiki',
63	false,
64	true
65	);
66
67	$this->addArg( 'username', 'Username of new user' );
68	$this->addArg( 'password', 'Password to set', false );
69	}
70
71	public function execute() {
72	$username = $this->getArg( 0 );
73	$password = $this->getArg( 1 );
74	$force = $this->hasOption( 'force' );
75	$inGroups = [];
76	$services = $this->getServiceContainer();
77
78	$user = $services->getUserFactory()->newFromName( $username );
79	if ( !is_object( $user ) ) {
80	$this->fatalError( 'invalid username.' );
81	}
82
83	if ( $services->getUserNameUtils()->isTemp( $user->getName() ) ) {
84	$this->fatalError(
85	'Temporary accounts cannot have groups or a password, so this script should not be used ' .
86	'to create a temporary account. Temporary accounts can be created by making an edit while logged out.'
87	);
88	}
89
90	$exists = ( $user->idForName() !== 0 );
91
92	if ( $exists && !$force ) {
93	$this->fatalError( 'Account exists. Perhaps you want the --force option?' );
94	} elseif ( !$exists && !$password ) {
95	$this->error( 'Argument <password> required!' );
96	$this->maybeHelp( true );
97	} elseif ( $exists ) {
98	$inGroups = $services->getUserGroupManager()->getUserGroups( $user );
99	}
100
101	$groups = array_filter( self::PERMIT_ROLES, $this->hasOption( ... ) );
102	if ( $this->hasOption( 'custom-groups' ) ) {
103	$allGroups = array_fill_keys( $services->getUserGroupManager()->listAllGroups(), true );
104	$customGroupsText = $this->getOption( 'custom-groups' );
105	if ( $customGroupsText !== '' ) {
106	$customGroups = explode( ',', $customGroupsText );
107	foreach ( $customGroups as $customGroup ) {
108	if ( isset( $allGroups[$customGroup] ) ) {
109	$groups[] = trim( $customGroup );
110	} else {
111	$this->output( "$customGroup is not a valid group, ignoring!\n" );
112	}
113	}
114	}
115	}
116
117	$promotions = array_diff(
118	$groups,
119	$inGroups
120	);
121
122	if ( $exists && !$password && count( $promotions ) === 0 ) {
123	$this->output( "Account exists and nothing to do.\n" );
124
125	return;
126	} elseif ( count( $promotions ) !== 0 ) {
127	$dbDomain = WikiMap::getCurrentWikiDbDomain()->getId();
128	$promoText = "User:{$username} into " . implode( ', ', $promotions ) . "...\n";
129	if ( $exists ) {
130	$this->output( "$dbDomain: Promoting $promoText" );
131	} else {
132	$this->output( "$dbDomain: Creating and promoting $promoText" );
133	}
134	}
135
136	if ( !$exists ) {
137	// Verify the password meets the password requirements before creating.
138	// This check is repeated below to account for differences between
139	// the password policy for regular users and for users in certain groups.
140	if ( $password ) {
141	$status = $user->checkPasswordValidity( $password );
142
143	if ( !$status->isGood() ) {
144	$this->fatalError( $status );
145	}
146	}
147
148	// Create the user via AuthManager as there may be various side
149	// effects that are performed by the configured AuthManager chain.
150	$status = $this->getServiceContainer()->getAuthManager()->autoCreateUser(
151	$user,
152	AuthManager::AUTOCREATE_SOURCE_MAINT,
153	false,
154	true,
155	new UltimateAuthority( User::newSystemUser( User::MAINTENANCE_SCRIPT_USER, [ 'steal' => true ] ) )
156	);
157	if ( !$status->isGood() ) {
158	$this->fatalError( $status );
159	}
160	}
161
162	if ( $promotions ) {
163	// Add groups before changing password, as the password policy for certain groups has
164	// stricter requirements.
165	$userGroupManager = $services->getUserGroupManager();
166	$userGroupManager->addUserToMultipleGroups( $user, $promotions );
167	$reason = $this->getOption( 'reason' ) ?: '';
168	$this->addLogEntry( $user, $inGroups, array_merge( $inGroups, $promotions ), $reason );
169	}
170
171	if ( $password ) {
172	# Try to set the password
173	try {
174	$status = $user->changeAuthenticationData( [
175	'username' => $user->getName(),
176	'password' => $password,
177	'retype' => $password,
178	] );
179	} catch ( PasswordError $pwe ) {
180	$this->fatalError( 'Unexpected PasswordError: ' . $pwe->getMessage() );
181	}
182	if ( !$status->isGood() ) {
183	$this->output( "Setting the password failed.\n" );
184	$this->fatalError( $status );
185	}
186	if ( $exists ) {
187	$this->output( "Password set.\n" );
188	$user->saveSettings();
189	}
190	}
191
192	if ( $this->hasOption( 'email' ) ) {
193	$resetEmail = $this->createChild( ResetUserEmail::class );
194	$resetEmail->setArg( 0, $user->getName() );
195	$resetEmail->setArg( 1, $this->getOption( 'email' ) );
196	$resetEmail->setOption( 'no-reset-password', true );
197	$resetEmail->execute();
198	}
199
200	if ( !$exists ) {
201	# Increment site_stats.ss_users
202	$ssu = SiteStatsUpdate::factory( [ 'users' => 1 ] );
203	$ssu->doUpdate();
204	}
205
206	$this->output( "done.\n" );
207	}
208
209	/**
210	* Add a rights log entry for an action.
211	*
212	* @param User $user
213	* @param array $oldGroups
214	* @param array $newGroups
215	* @param string $reason
216	*/
217	private function addLogEntry( $user, array $oldGroups, array $newGroups, string $reason ) {
218	$logEntry = new ManualLogEntry( 'rights', 'rights' );
219	$logEntry->setPerformer( User::newSystemUser( User::MAINTENANCE_SCRIPT_USER, [ 'steal' => true ] ) );
220	$logEntry->setTarget( $user->getUserPage() );
221	$logEntry->setComment( $reason );
222	$logEntry->setParameters( [
223	'4::oldgroups' => $oldGroups,
224	'5::newgroups' => $newGroups
225	] );
226	$logid = $logEntry->insert();
227	$logEntry->publish( $logid );
228	}
229	}
230
231	// @codeCoverageIgnoreStart
232	$maintClass = CreateAndPromote::class;
233	require_once RUN_MAINTENANCE_IF_MAIN;
234	// @codeCoverageIgnoreEnd