This serves as the entry point to the authentication system. More...
Public Member Functions | |
| __construct (WebRequest $request, Config $config, ObjectFactory $objectFactory, HookContainer $hookContainer, ReadOnlyMode $readOnlyMode, UserNameUtils $userNameUtils, BlockManager $blockManager, WatchlistManager $watchlistManager, ILoadBalancer $loadBalancer, Language $contentLanguage, LanguageConverterFactory $languageConverterFactory, BotPasswordStore $botPasswordStore, UserFactory $userFactory, UserIdentityLookup $userIdentityLookup, UserOptionsManager $userOptionsManager) | |
| forcePrimaryAuthenticationProviders (array $providers, $why) | |
| Force certain PrimaryAuthenticationProviders. | |
| getRequest () | |
| setLogger (LoggerInterface $logger) | |
Authentication | |
| canAuthenticateNow () | |
| Indicate whether user authentication is possible. | |
| beginAuthentication (array $reqs, $returnToUrl) | |
| Start an authentication flow. | |
| continueAuthentication (array $reqs) | |
| Continue an authentication flow. | |
| securitySensitiveOperationStatus ( $operation) | |
| Whether security-sensitive operations should proceed. | |
| userCanAuthenticate ( $username) | |
| Determine whether a username can authenticate. | |
| normalizeUsername ( $username) | |
| Provide normalized versions of the username for security checks. | |
Authentication data changing | |
| revokeAccessForUser ( $username) | |
| Revoke any authentication credentials for a user. | |
| allowsAuthenticationDataChange (AuthenticationRequest $req, $checkData=true) | |
| Validate a change of authentication data (e.g. | |
| changeAuthenticationData (AuthenticationRequest $req, $isAddition=false) | |
| Change authentication data (e.g. | |
Account linking | |
| canLinkAccounts () | |
| Determine whether accounts can be linked. | |
| beginAccountLink (User $user, array $reqs, $returnToUrl) | |
| Start an account linking flow. | |
| continueAccountLink (array $reqs) | |
| Continue an account linking flow. | |
Public Attributes | |
| const | ACTION_CHANGE = 'change' |
| Change a user's credentials. | |
| const | ACTION_CREATE = 'create' |
| Create a new user. | |
| const | ACTION_CREATE_CONTINUE = 'create-continue' |
| Continue a user creation process that was interrupted by the need for user input or communication with an external provider. | |
| const | ACTION_LINK = 'link' |
| Link an existing user to a third-party account. | |
| const | ACTION_LINK_CONTINUE = 'link-continue' |
| Continue a user linking process that was interrupted by the need for user input or communication with an external provider. | |
| const | ACTION_LOGIN = 'login' |
| Log in with an existing (not necessarily local) user. | |
| const | ACTION_LOGIN_CONTINUE = 'login-continue' |
| Continue a login process that was interrupted by the need for user input or communication with an external provider. | |
| const | ACTION_REMOVE = 'remove' |
| Remove a user's credentials. | |
| const | ACTION_UNLINK = 'unlink' |
| Like ACTION_REMOVE but for linking providers only. | |
| const | AUTOCREATE_SOURCE_MAINT = '::Maintenance::' |
| Auto-creation is due to a Maintenance script. | |
| const | AUTOCREATE_SOURCE_SESSION = \MediaWiki\Session\SessionManager::class |
| Auto-creation is due to SessionManager. | |
| const | AUTOCREATE_SOURCE_TEMP = TempUserCreator::class |
| Auto-creation is due to temporary account creation on page save. | |
| const | SEC_FAIL = 'fail' |
| Security-sensitive should not be performed. | |
| const | SEC_OK = 'ok' |
| Security-sensitive operations are ok. | |
| const | SEC_REAUTH = 'reauth' |
| Security-sensitive operations should re-authenticate. | |
Account creation | |
| canCreateAccounts () | |
| Determine whether accounts can be created. | |
| canCreateAccount ( $username, $options=[]) | |
| Determine whether a particular account can be created. | |
| probablyCanCreateAccount (Authority $creator) | |
| Check whether $creator can create accounts. | |
| authorizeCreateAccount (Authority $creator) | |
| Authorize the account creation by $creator. | |
| checkAccountCreatePermissions (Authority $creator) | |
| Basic permissions checks on whether a user can create accounts. | |
| beginAccountCreation (Authority $creator, array $reqs, $returnToUrl) | |
| Start an account creation flow. | |
| continueAccountCreation (array $reqs) | |
| Continue an account creation flow. | |
| autoCreateUser (User $user, $source, $login=true, $log=true) | |
| Auto-create an account, and optionally log into that account. | |
Information methods | |
| getAuthenticationRequests ( $action, UserIdentity $user=null) | |
| Return the applicable list of AuthenticationRequests. | |
| userExists ( $username, $flags=User::READ_NORMAL) | |
| Determine whether a username exists. | |
| allowsPropertyChange ( $property) | |
| Determine whether a user property should be allowed to be changed. | |
| getAuthenticationProvider ( $id) | |
| Get a provider by ID. | |
Internal methods | |
| setAuthenticationSessionData ( $key, $data) | |
| Store authentication in the current session. | |
| getAuthenticationSessionData ( $key, $default=null) | |
| Fetch authentication data from the current session. | |
| removeAuthenticationSessionData ( $key) | |
| Remove authentication data. | |
| providerArrayFromSpecs ( $class, array $specs) | |
| Create an array of AuthenticationProviders from an array of ObjectFactory specs. | |
| getPreAuthenticationProviders () | |
| Get the list of PreAuthenticationProviders. | |
| getPrimaryAuthenticationProviders () | |
| Get the list of PrimaryAuthenticationProviders. | |
| getSecondaryAuthenticationProviders () | |
| Get the list of SecondaryAuthenticationProviders. | |
Detailed Description
This serves as the entry point to the authentication system.
In the future, it may also serve as the entry point to the authorization system.
If you are looking at this because you are working on an extension that creates its own login or signup page, then 1) you really shouldn't do that, 2) if you feel you absolutely have to, subclass AuthManagerSpecialPage or build it on the client side using the clientlogin or the createaccount API. Trying to call this class directly will very likely end up in security vulnerabilities or broken UX in edge cases.
If you are working on an extension that needs to integrate with the authentication system (e.g. by providing a new login method, or doing extra permission checks), you'll probably need to write an AuthenticationProvider.
If you want to create a "reserved" user programmatically, User::newSystemUser() might be what you are looking for. If you want to change user data, use User::changeAuthenticationData(). Code that is related to some SessionProvider or PrimaryAuthenticationProvider can create a (non-reserved) user by calling AuthManager::autoCreateUser(); it is then the provider's responsibility to ensure that the user can authenticate somehow (see especially PrimaryAuthenticationProvider::autoCreatedAccount()). The same functionality can also be used from Maintenance scripts such as createAndPromote.php. If you are writing code that is not associated with such a provider and needs to create accounts programmatically for real users, you should rethink your architecture. There is no good way to do that as such code has no knowledge of what authentication methods are enabled on the wiki and cannot provide any means for users to access the accounts it would create.
The two main control flows when using this class are as follows:
- Login, user creation or account linking code will call getAuthenticationRequests(), populate the requests with data (by using them to build a HTMLForm and have the user fill it, or by exposing a form specification via the API, so that the client can build it), and pass them to the appropriate begin* method. That will return either a success/failure response, or more requests to fill (either by building a form or by redirecting the user to some external provider which will send the data back), in which case they need to be submitted to the appropriate continue* method and that step has to be repeated until the response is a success or failure response. AuthManager will use the session to maintain internal state during the process.
- Code doing an authentication data change will call getAuthenticationRequests(), select a single request, populate it, and pass it to allowsAuthenticationDataChange() and then changeAuthenticationData(). If the data change is user-initiated, the whole process needs to be preceded by a call to securitySensitiveOperationStatus() and aborted if that returns a non-OK status.
- Since
- 1.27
Definition at line 106 of file AuthManager.php.
Constructor & Destructor Documentation
◆ __construct()
| MediaWiki\Auth\AuthManager::__construct | ( | WebRequest | $request, |
| Config | $config, | ||
| ObjectFactory | $objectFactory, | ||
| HookContainer | $hookContainer, | ||
| ReadOnlyMode | $readOnlyMode, | ||
| UserNameUtils | $userNameUtils, | ||
| BlockManager | $blockManager, | ||
| WatchlistManager | $watchlistManager, | ||
| ILoadBalancer | $loadBalancer, | ||
| Language | $contentLanguage, | ||
| LanguageConverterFactory | $languageConverterFactory, | ||
| BotPasswordStore | $botPasswordStore, | ||
| UserFactory | $userFactory, | ||
| UserIdentityLookup | $userIdentityLookup, | ||
| UserOptionsManager | $userOptionsManager ) |
- Parameters
-
WebRequest $request Config $config ObjectFactory $objectFactory HookContainer $hookContainer ReadOnlyMode $readOnlyMode UserNameUtils $userNameUtils BlockManager $blockManager WatchlistManager $watchlistManager ILoadBalancer $loadBalancer Language $contentLanguage LanguageConverterFactory $languageConverterFactory BotPasswordStore $botPasswordStore UserFactory $userFactory UserIdentityLookup $userIdentityLookup UserOptionsManager $userOptionsManager
Definition at line 231 of file AuthManager.php.
References MediaWiki\Auth\AuthManager\setLogger().
Member Function Documentation
◆ allowsAuthenticationDataChange()
| MediaWiki\Auth\AuthManager::allowsAuthenticationDataChange | ( | AuthenticationRequest | $req, |
| $checkData = true ) |
Validate a change of authentication data (e.g.
passwords)
- Parameters
-
AuthenticationRequest $req bool $checkData If false, $req hasn't been loaded from the submission so checks on user-submitted fields should be skipped. $req->username is considered user-submitted for this purpose, even if it cannot be changed via $req->loadFromSubmission.
- Returns
- Status
Definition at line 959 of file AuthManager.php.
References MediaWiki\Auth\AuthManager\getPrimaryAuthenticationProviders(), and MediaWiki\Auth\AuthManager\getSecondaryAuthenticationProviders().
◆ allowsPropertyChange()
| MediaWiki\Auth\AuthManager::allowsPropertyChange | ( | $property | ) |
Determine whether a user property should be allowed to be changed.
Supported properties are:
- emailaddress
- realname
- nickname
- Parameters
-
string $property
- Returns
- bool
Definition at line 2368 of file AuthManager.php.
◆ authorizeCreateAccount()
| MediaWiki\Auth\AuthManager::authorizeCreateAccount | ( | Authority | $creator | ) |
Authorize the account creation by $creator.
- Note
- this method should be used right before the account is created. To check whether a current performer has the potential to create accounts, use
self::probablyCanCreateAccountinstead.
- Since
- 1.39
- Parameters
-
Authority $creator
- Returns
- StatusValue
Definition at line 1154 of file AuthManager.php.
References MediaWiki\Permissions\Authority\authorizeWrite().
◆ autoCreateUser()
Auto-create an account, and optionally log into that account.
PrimaryAuthenticationProviders can invoke this method by returning a PASS from beginPrimaryAuthentication/continuePrimaryAuthentication with the username of a non-existing user. SessionProviders can invoke it by returning a SessionInfo with the username of a non-existing user from provideSessionInfo(). Calling this method explicitly (e.g. from a maintenance script) is also fine.
- Parameters
-
User $user User to auto-create string $source What caused the auto-creation? This must be one of: - the ID of a PrimaryAuthenticationProvider,
- one of the self::AUTOCREATE_SOURCE_* constants
bool $login Whether to also log the user in bool $log Whether to generate a user creation log entry (since 1.36)
- Returns
- Status Good if user was created, Ok if user already existed, otherwise Fatal
Definition at line 1710 of file AuthManager.php.
References $cache, $source, User\addToDatabase(), User\getId(), User\getName(), User\getUserPage(), User\loadFromId(), User\saveSettings(), User\setId(), and wfMessage().
Referenced by MediaWiki\Auth\AuthManager\continueAuthentication().
◆ beginAccountCreation()
| MediaWiki\Auth\AuthManager::beginAccountCreation | ( | Authority | $creator, |
| array | $reqs, | ||
| $returnToUrl ) |
Start an account creation flow.
In addition to the AuthenticationRequests returned by $this->getAuthenticationRequests(), a client might include a CreateFromLoginAuthenticationRequest from a previous login attempt. If $createFromLoginAuthenticationRequest->hasPrimaryStateForAction( AuthManager::ACTION_CREATE ) returns true, any AuthenticationRequest::PRIMARY_REQUIRED requests should be omitted. If the CreateFromLoginAuthenticationRequest has a username set, that username must be used for all other requests.
- Parameters
-
Authority $creator User doing the account creation AuthenticationRequest[] $reqs string $returnToUrl Url that REDIRECT responses should eventually return to.
- Returns
- AuthenticationResponse
Definition at line 1200 of file AuthManager.php.
References MediaWiki\Permissions\Authority\getUser(), and wfMessage().
◆ beginAccountLink()
| MediaWiki\Auth\AuthManager::beginAccountLink | ( | User | $user, |
| array | $reqs, | ||
| $returnToUrl ) |
Start an account linking flow.
- Parameters
-
User $user User being linked AuthenticationRequest[] $reqs string $returnToUrl Url that REDIRECT responses should eventually return to.
- Returns
- AuthenticationResponse
Definition at line 1972 of file AuthManager.php.
References $res, User\getId(), User\getName(), User\isRegistered(), and wfMessage().
◆ beginAuthentication()
| MediaWiki\Auth\AuthManager::beginAuthentication | ( | array | $reqs, |
| $returnToUrl ) |
Start an authentication flow.
In addition to the AuthenticationRequests returned by $this->getAuthenticationRequests(), a client might include a CreateFromLoginAuthenticationRequest from a previous login attempt to preserve state.
Instead of the AuthenticationRequests returned by $this->getAuthenticationRequests(), a client might pass a CreatedAccountAuthenticationRequest from an account creation that just succeeded to log in to the just-created account.
- Parameters
-
AuthenticationRequest[] $reqs string $returnToUrl Url that REDIRECT responses should eventually return to.
- Returns
- AuthenticationResponse See self::continueAuthentication()
Definition at line 362 of file AuthManager.php.
References MediaWiki\Auth\AuthManager\continueAuthentication(), MediaWiki\Auth\AuthManager\getPreAuthenticationProviders(), MediaWiki\Auth\AuthenticationRequest\getRequestByClass(), MediaWiki\Auth\AuthenticationResponse\newFail(), MediaWiki\Auth\AuthenticationResponse\newPass(), and MediaWiki\Auth\AuthManager\removeAuthenticationSessionData().
◆ canAuthenticateNow()
| MediaWiki\Auth\AuthManager::canAuthenticateNow | ( | ) |
Indicate whether user authentication is possible.
It may not be if the session is provided by something like OAuth for which each individual request includes authentication data.
- Returns
- bool
Definition at line 340 of file AuthManager.php.
Referenced by MediaWiki\Auth\AuthManager\securitySensitiveOperationStatus().
◆ canCreateAccount()
| MediaWiki\Auth\AuthManager::canCreateAccount | ( | $username, | |
| $options = [] ) |
Determine whether a particular account can be created.
- Parameters
-
string $username MediaWiki username array $options - flags: (int) Bitfield of User:READ_* constants, default User::READ_NORMAL
- creating: (bool) For internal use only. Never specify this.
- Returns
- Status
Definition at line 1044 of file AuthManager.php.
References MediaWiki\Auth\AuthManager\canCreateAccounts(), MediaWiki\Auth\AuthManager\getPreAuthenticationProviders(), MediaWiki\Auth\AuthManager\getPrimaryAuthenticationProviders(), MediaWiki\Auth\AuthManager\getSecondaryAuthenticationProviders(), and MediaWiki\Auth\AuthManager\userExists().
◆ canCreateAccounts()
| MediaWiki\Auth\AuthManager::canCreateAccounts | ( | ) |
Determine whether accounts can be created.
- Returns
- bool
Definition at line 1025 of file AuthManager.php.
References MediaWiki\Auth\AuthManager\getPrimaryAuthenticationProviders(), MediaWiki\Auth\PrimaryAuthenticationProvider\TYPE_CREATE, and MediaWiki\Auth\PrimaryAuthenticationProvider\TYPE_LINK.
Referenced by MediaWiki\Auth\AuthManager\canCreateAccount().
◆ canLinkAccounts()
| MediaWiki\Auth\AuthManager::canLinkAccounts | ( | ) |
Determine whether accounts can be linked.
- Returns
- bool
Definition at line 1954 of file AuthManager.php.
◆ changeAuthenticationData()
| MediaWiki\Auth\AuthManager::changeAuthenticationData | ( | AuthenticationRequest | $req, |
| $isAddition = false ) |
Change authentication data (e.g.
passwords)
If $req was returned for AuthManager::ACTION_CHANGE, using $req should result in a successful login in the future.
If $req was returned for AuthManager::ACTION_REMOVE, using $req should no longer result in a successful login.
This method should only be called if allowsAuthenticationDataChange( $req, true ) returned success.
- Parameters
-
AuthenticationRequest $req bool $isAddition Set true if this represents an addition of credentials rather than a change. The main difference is that additions should not invalidate BotPasswords. If you're not sure, leave it false.
Definition at line 1000 of file AuthManager.php.
◆ checkAccountCreatePermissions()
| MediaWiki\Auth\AuthManager::checkAccountCreatePermissions | ( | Authority | $creator | ) |
Basic permissions checks on whether a user can create accounts.
- Deprecated
- since 1.39, use ::authorizeCreateAccount or ::probablyCanCreateAccount instead
- Parameters
-
Authority $creator User doing the account creation
- Returns
- StatusValue
Definition at line 1176 of file AuthManager.php.
◆ continueAccountCreation()
| MediaWiki\Auth\AuthManager::continueAccountCreation | ( | array | $reqs | ) |
Continue an account creation flow.
- Parameters
-
AuthenticationRequest[] $reqs
- Returns
- AuthenticationResponse
Definition at line 1302 of file AuthManager.php.
References $cache, $res, and wfMessage().
◆ continueAccountLink()
| MediaWiki\Auth\AuthManager::continueAccountLink | ( | array | $reqs | ) |
Continue an account linking flow.
- Parameters
-
AuthenticationRequest[] $reqs
- Returns
- AuthenticationResponse
Definition at line 2081 of file AuthManager.php.
References $res, and wfMessage().
◆ continueAuthentication()
| MediaWiki\Auth\AuthManager::continueAuthentication | ( | array | $reqs | ) |
Continue an authentication flow.
Return values are interpreted as follows:
- status FAIL: Authentication failed. If $response->createRequest is set, that may be passed to self::beginAuthentication() or to self::beginAccountCreation() to preserve state.
- status REDIRECT: The client should be redirected to the contained URL, new AuthenticationRequests should be made (if any), then AuthManager::continueAuthentication() should be called.
- status UI: The client should be presented with a user interface for the fields in the specified AuthenticationRequests, then new AuthenticationRequests should be made, then AuthManager::continueAuthentication() should be called.
- status RESTART: The user logged in successfully with a third-party service, but the third-party credentials aren't attached to any local account. This could be treated as a UI or a FAIL.
- status PASS: Authentication was successful.
- Parameters
-
AuthenticationRequest[] $reqs
- Returns
- AuthenticationResponse
Definition at line 487 of file AuthManager.php.
References $res, MediaWiki\Auth\AuthenticationResponse\ABSTAIN, MediaWiki\Auth\RememberMeAuthenticationRequest\ALWAYS_REMEMBER, MediaWiki\Auth\AuthManager\autoCreateUser(), MediaWiki\Auth\AuthenticationResponse\FAIL, MediaWiki\Auth\AuthManager\getAuthenticationProvider(), MediaWiki\Auth\AuthManager\getPrimaryAuthenticationProviders(), MediaWiki\Auth\AuthenticationRequest\getRequestByClass(), MediaWiki\Auth\AuthManager\getSecondaryAuthenticationProviders(), MediaWiki\Auth\RememberMeAuthenticationRequest\NEVER_REMEMBER, MediaWiki\Auth\AuthenticationResponse\newFail(), MediaWiki\Auth\AuthenticationResponse\newPass(), MediaWiki\Auth\AuthenticationResponse\newRestart(), MediaWiki\Auth\AuthenticationResponse\PASS, MediaWiki\Auth\AuthenticationResponse\REDIRECT, MediaWiki\MainConfigNames\RememberMe, MediaWiki\Auth\AuthManager\removeAuthenticationSessionData(), MediaWiki\Auth\PrimaryAuthenticationProvider\TYPE_LINK, MediaWiki\Auth\AuthenticationResponse\UI, and wfMessage().
Referenced by MediaWiki\Auth\AuthManager\beginAuthentication().
◆ forcePrimaryAuthenticationProviders()
| MediaWiki\Auth\AuthManager::forcePrimaryAuthenticationProviders | ( | array | $providers, |
| $why ) |
Force certain PrimaryAuthenticationProviders.
- Deprecated
- For backwards compatibility only
- Parameters
-
PrimaryAuthenticationProvider[] $providers string $why
Definition at line 287 of file AuthManager.php.
◆ getAuthenticationProvider()
| MediaWiki\Auth\AuthManager::getAuthenticationProvider | ( | $id | ) |
Get a provider by ID.
- Note
- This is public so extensions can check whether their own provider is installed and so they can read its configuration if necessary. Other uses are not recommended.
- Parameters
-
string $id
- Returns
- AuthenticationProvider|null
Definition at line 2387 of file AuthManager.php.
Referenced by MediaWiki\Auth\AuthManager\continueAuthentication().
◆ getAuthenticationRequests()
| MediaWiki\Auth\AuthManager::getAuthenticationRequests | ( | $action, | |
| UserIdentity | $user = null ) |
Return the applicable list of AuthenticationRequests.
Possible values for $action:
- ACTION_LOGIN: Valid for passing to beginAuthentication
- ACTION_LOGIN_CONTINUE: Valid for passing to continueAuthentication in the current state
- ACTION_CREATE: Valid for passing to beginAccountCreation
- ACTION_CREATE_CONTINUE: Valid for passing to continueAccountCreation in the current state
- ACTION_LINK: Valid for passing to beginAccountLink
- ACTION_LINK_CONTINUE: Valid for passing to continueAccountLink in the current state
- ACTION_CHANGE: Valid for passing to changeAuthenticationData to change credentials
- ACTION_REMOVE: Valid for passing to changeAuthenticationData to remove credentials.
- ACTION_UNLINK: Same as ACTION_REMOVE, but limited to linked accounts.
- Parameters
-
string $action One of the AuthManager::ACTION_* constants UserIdentity | null $user User being acted on, instead of the current user.
- Returns
- AuthenticationRequest[]
Definition at line 2195 of file AuthManager.php.
◆ getAuthenticationSessionData()
| MediaWiki\Auth\AuthManager::getAuthenticationSessionData | ( | $key, | |
| $default = null ) |
Fetch authentication data from the current session.
- Note
- For use by AuthenticationProviders only
- Parameters
-
string $key mixed | null $default
- Returns
- mixed
Definition at line 2439 of file AuthManager.php.
◆ getPreAuthenticationProviders()
|
protected |
Get the list of PreAuthenticationProviders.
- Returns
- PreAuthenticationProvider[]
Definition at line 2515 of file AuthManager.php.
Referenced by MediaWiki\Auth\AuthManager\beginAuthentication(), and MediaWiki\Auth\AuthManager\canCreateAccount().
◆ getPrimaryAuthenticationProviders()
|
protected |
Get the list of PrimaryAuthenticationProviders.
- Returns
- PrimaryAuthenticationProvider[]
Definition at line 2529 of file AuthManager.php.
Referenced by MediaWiki\Auth\AuthManager\allowsAuthenticationDataChange(), MediaWiki\Auth\AuthManager\canCreateAccount(), MediaWiki\Auth\AuthManager\canCreateAccounts(), MediaWiki\Auth\AuthManager\continueAuthentication(), MediaWiki\Auth\AuthManager\normalizeUsername(), and MediaWiki\Auth\AuthManager\userCanAuthenticate().
◆ getRequest()
| MediaWiki\Auth\AuthManager::getRequest | ( | ) |
- Returns
- WebRequest
Definition at line 277 of file AuthManager.php.
◆ getSecondaryAuthenticationProviders()
|
protected |
Get the list of SecondaryAuthenticationProviders.
- Returns
- SecondaryAuthenticationProvider[]
Definition at line 2543 of file AuthManager.php.
Referenced by MediaWiki\Auth\AuthManager\allowsAuthenticationDataChange(), MediaWiki\Auth\AuthManager\canCreateAccount(), and MediaWiki\Auth\AuthManager\continueAuthentication().
◆ normalizeUsername()
| MediaWiki\Auth\AuthManager::normalizeUsername | ( | $username | ) |
Provide normalized versions of the username for security checks.
Since different providers can normalize the input in different ways, this returns an array of all the different ways the name might be normalized for authentication.
The returned strings should not be revealed to the user, as that might leak private information (e.g. an email address might be normalized to a username).
- Parameters
-
string $username
- Returns
- string[]
Definition at line 919 of file AuthManager.php.
References MediaWiki\Auth\AuthManager\getPrimaryAuthenticationProviders().
◆ probablyCanCreateAccount()
| MediaWiki\Auth\AuthManager::probablyCanCreateAccount | ( | Authority | $creator | ) |
Check whether $creator can create accounts.
- Note
- this method does not guarantee full permissions check, so it should only be used to to decide whether to show a form. To authorize the account creation action use
self::authorizeCreateAccountinstead.
- Since
- 1.39
- Parameters
-
Authority $creator
- Returns
- StatusValue
Definition at line 1130 of file AuthManager.php.
References MediaWiki\Permissions\Authority\probablyCan().
◆ providerArrayFromSpecs()
|
protected |
Create an array of AuthenticationProviders from an array of ObjectFactory specs.
- Parameters
-
string $class array[] $specs
- Returns
- AuthenticationProvider[]
Definition at line 2472 of file AuthManager.php.
◆ removeAuthenticationSessionData()
| MediaWiki\Auth\AuthManager::removeAuthenticationSessionData | ( | $key | ) |
Remove authentication data.
- Note
- For use by AuthenticationProviders
- Parameters
-
string | null $key If null, all data is removed
Definition at line 2453 of file AuthManager.php.
Referenced by MediaWiki\Auth\AuthManager\beginAuthentication(), and MediaWiki\Auth\AuthManager\continueAuthentication().
◆ revokeAccessForUser()
| MediaWiki\Auth\AuthManager::revokeAccessForUser | ( | $username | ) |
Revoke any authentication credentials for a user.
After this, the user should no longer be able to log in.
- Parameters
-
string $username
Definition at line 943 of file AuthManager.php.
◆ securitySensitiveOperationStatus()
| MediaWiki\Auth\AuthManager::securitySensitiveOperationStatus | ( | $operation | ) |
Whether security-sensitive operations should proceed.
A "security-sensitive operation" is something like a password or email change, that would normally have a "reenter your password to confirm" box if we only supported password-based authentication.
- Parameters
-
string $operation Operation being checked. This should be a message-key-like string such as 'change-password' or 'change-email'.
- Returns
- string One of the SEC_* constants.
Definition at line 818 of file AuthManager.php.
References MediaWiki\MainConfigNames\AllowSecuritySensitiveOperationIfCannotReauthenticate, MediaWiki\Auth\AuthManager\canAuthenticateNow(), MediaWiki\MainConfigNames\ReauthenticateTime, MediaWiki\Auth\AuthManager\SEC_FAIL, MediaWiki\Auth\AuthManager\SEC_OK, and MediaWiki\Auth\AuthManager\SEC_REAUTH.
◆ setAuthenticationSessionData()
| MediaWiki\Auth\AuthManager::setAuthenticationSessionData | ( | $key, | |
| $data ) |
Store authentication in the current session.
- Note
- For use by AuthenticationProviders only
- Parameters
-
string $key mixed $data Must be serializable
Definition at line 2422 of file AuthManager.php.
◆ setLogger()
| MediaWiki\Auth\AuthManager::setLogger | ( | LoggerInterface | $logger | ) |
- Parameters
-
LoggerInterface $logger
Definition at line 270 of file AuthManager.php.
Referenced by MediaWiki\Auth\AuthManager\__construct().
◆ userCanAuthenticate()
| MediaWiki\Auth\AuthManager::userCanAuthenticate | ( | $username | ) |
Determine whether a username can authenticate.
This is mainly for internal purposes and only takes authentication data into account, not things like blocks that can change without the authentication system being aware.
- Parameters
-
string $username MediaWiki username
- Returns
- bool
Definition at line 896 of file AuthManager.php.
References MediaWiki\Auth\AuthManager\getPrimaryAuthenticationProviders().
◆ userExists()
| MediaWiki\Auth\AuthManager::userExists | ( | $username, | |
| $flags = User::READ_NORMAL ) |
Determine whether a username exists.
- Parameters
-
string $username int $flags Bitfield of User:READ_* constants
- Returns
- bool
Definition at line 2347 of file AuthManager.php.
Referenced by MediaWiki\Auth\AuthManager\canCreateAccount().
Member Data Documentation
◆ ACTION_CHANGE
| const MediaWiki\Auth\AuthManager::ACTION_CHANGE = 'change' |
Change a user's credentials.
Definition at line 126 of file AuthManager.php.
Referenced by MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider\continueLinkAttempt(), MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\getAuthenticationRequests(), MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider\getAuthenticationRequests(), MediaWiki\Auth\PasswordAuthenticationRequest\getFieldInfo(), and MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider\tryReset().
◆ ACTION_CREATE
| const MediaWiki\Auth\AuthManager::ACTION_CREATE = 'create' |
Create a new user.
Definition at line 114 of file AuthManager.php.
Referenced by MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\getAuthenticationRequests(), MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider\getAuthenticationRequests(), MediaWiki\Auth\CreateFromLoginAuthenticationRequest\hasPrimaryStateForAction(), and MediaWiki\Auth\CreateFromLoginAuthenticationRequest\hasStateForAction().
◆ ACTION_CREATE_CONTINUE
| const MediaWiki\Auth\AuthManager::ACTION_CREATE_CONTINUE = 'create-continue' |
Continue a user creation process that was interrupted by the need for user input or communication with an external provider.
Definition at line 118 of file AuthManager.php.
◆ ACTION_LINK
| const MediaWiki\Auth\AuthManager::ACTION_LINK = 'link' |
Link an existing user to a third-party account.
Definition at line 120 of file AuthManager.php.
◆ ACTION_LINK_CONTINUE
| const MediaWiki\Auth\AuthManager::ACTION_LINK_CONTINUE = 'link-continue' |
Continue a user linking process that was interrupted by the need for user input or communication with an external provider.
Definition at line 124 of file AuthManager.php.
◆ ACTION_LOGIN
| const MediaWiki\Auth\AuthManager::ACTION_LOGIN = 'login' |
Log in with an existing (not necessarily local) user.
Definition at line 108 of file AuthManager.php.
Referenced by MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\getAuthenticationRequests(), MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider\getAuthenticationRequests(), MediaWiki\Auth\PasswordAuthenticationRequest\getFieldInfo(), and MediaWiki\Auth\CreateFromLoginAuthenticationRequest\hasStateForAction().
◆ ACTION_LOGIN_CONTINUE
| const MediaWiki\Auth\AuthManager::ACTION_LOGIN_CONTINUE = 'login-continue' |
Continue a login process that was interrupted by the need for user input or communication with an external provider.
Definition at line 112 of file AuthManager.php.
◆ ACTION_REMOVE
| const MediaWiki\Auth\AuthManager::ACTION_REMOVE = 'remove' |
Remove a user's credentials.
Definition at line 128 of file AuthManager.php.
Referenced by MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\getAuthenticationRequests(), MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider\getAuthenticationRequests(), MediaWiki\Auth\PasswordAuthenticationRequest\getFieldInfo(), MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider\providerChangeAuthenticationData(), MediaWiki\Auth\AbstractPrimaryAuthenticationProvider\providerRevokeAccessForUser(), and MediaWiki\Auth\AbstractSecondaryAuthenticationProvider\providerRevokeAccessForUser().
◆ ACTION_UNLINK
| const MediaWiki\Auth\AuthManager::ACTION_UNLINK = 'unlink' |
Like ACTION_REMOVE but for linking providers only.
Definition at line 130 of file AuthManager.php.
◆ AUTOCREATE_SOURCE_MAINT
| const MediaWiki\Auth\AuthManager::AUTOCREATE_SOURCE_MAINT = '::Maintenance::' |
Auto-creation is due to a Maintenance script.
Definition at line 143 of file AuthManager.php.
◆ AUTOCREATE_SOURCE_SESSION
| const MediaWiki\Auth\AuthManager::AUTOCREATE_SOURCE_SESSION = \MediaWiki\Session\SessionManager::class |
Auto-creation is due to SessionManager.
Definition at line 140 of file AuthManager.php.
◆ AUTOCREATE_SOURCE_TEMP
| const MediaWiki\Auth\AuthManager::AUTOCREATE_SOURCE_TEMP = TempUserCreator::class |
Auto-creation is due to temporary account creation on page save.
Definition at line 146 of file AuthManager.php.
◆ SEC_FAIL
| const MediaWiki\Auth\AuthManager::SEC_FAIL = 'fail' |
Security-sensitive should not be performed.
Definition at line 137 of file AuthManager.php.
Referenced by MediaWiki\Auth\AuthManager\securitySensitiveOperationStatus().
◆ SEC_OK
| const MediaWiki\Auth\AuthManager::SEC_OK = 'ok' |
Security-sensitive operations are ok.
Definition at line 133 of file AuthManager.php.
Referenced by MediaWiki\Auth\AuthManager\securitySensitiveOperationStatus().
◆ SEC_REAUTH
| const MediaWiki\Auth\AuthManager::SEC_REAUTH = 'reauth' |
Security-sensitive operations should re-authenticate.
Definition at line 135 of file AuthManager.php.
Referenced by MediaWiki\Auth\AuthManager\securitySensitiveOperationStatus().
The documentation for this class was generated from the following file:
- includes/auth/AuthManager.php
