MediaWiki master
BlockPermissionChecker.php
Go to the documentation of this file.
1<?php
2
22namespace MediaWiki\Block;
23
24use InvalidArgumentException;
25use MediaWiki\Config\ServiceOptions;
26use MediaWiki\MainConfigNames;
27use MediaWiki\Permissions\Authority;
28use MediaWiki\User\UserIdentity;
29use Wikimedia\Rdbms\IDBAccessObject;
30
40class BlockPermissionChecker {
45 private $target;
46
50 private $blockTargetFactory;
51
55 private $performer;
56
60 public const CONSTRUCTOR_OPTIONS = [
61 MainConfigNames::EnableUserEmail,
62 ];
63
64 private ServiceOptions $options;
65
71 public function __construct(
72 ServiceOptions $options,
73 BlockTargetFactory $blockTargetFactory,
74 Authority $performer
75 ) {
76 $options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );
77 $this->options = $options;
78 $this->blockTargetFactory = $blockTargetFactory;
79 $this->performer = $performer;
80 }
81
87 public function setTarget( $target ) {
88 $this->target = $this->blockTargetFactory->newFromLegacyUnion( $target );
89 }
90
98 public function checkBasePermissions( $checkHideuser = false ) {
99 if ( !$this->performer->isAllowed( 'block' ) ) {
100 return 'badaccess-group0';
101 }
102
103 if (
104 $checkHideuser &&
105 !$this->performer->isAllowed( 'hideuser' )
106 ) {
107 return 'unblock-hideuser';
108 }
109
110 return true;
111 }
112
131 public function checkBlockPermissions(
132 $target = null,
133 $freshness = IDBAccessObject::READ_NORMAL
134 ) {
135 if ( $target === null ) {
136 if ( $this->target ) {
137 wfDeprecatedMsg(
138 'Passing null to checkBlockPermissions() for $target is deprecated since 1.44',
139 '1.44' );
140 $target = $this->target;
141 } else {
142 throw new InvalidArgumentException( 'A target is required' );
143 }
144 } elseif ( !( $target instanceof BlockTarget ) ) {
145 $target = $this->blockTargetFactory->newFromLegacyUnion( $target );
146 if ( !$target ) {
147 throw new InvalidArgumentException( 'Invalid block target' );
148 }
149 }
150
151 $block = $this->performer->getBlock( $freshness );
152 if ( !$block ) {
153 // User is not blocked, process as normal
154 return true;
155 }
156
157 if ( !$block->isSitewide() ) {
158 // T208965: Partially blocked admins should have full access
159 return true;
160 }
161
162 $performerIdentity = $this->performer->getUser();
163
164 if (
165 $target instanceof UserBlockTarget &&
166 $target->getUserIdentity()->getId() === $performerIdentity->getId()
167 ) {
168 // Blocked admin is trying to alter their own block
169
170 // Self-blocked admins can always remove or alter their block
171 if ( $block->getBlocker() && $performerIdentity->equals( $block->getBlocker() ) ) {
172 return true;
173 }
174
175 // Users with 'unblockself' right can unblock themselves or alter their own block
176 if ( $this->performer->isAllowed( 'unblockself' ) ) {
177 return true;
178 } else {
179 return 'ipbnounblockself';
180 }
181 }
182
183 if (
184 $target instanceof UserBlockTarget &&
185 $block->getBlocker() &&
186 $target->getUserIdentity()->equals( $block->getBlocker() )
187 ) {
188 // T150826: Blocked admins can always block the admin who blocked them
189 return true;
190 }
191
192 // User is blocked and no exception took effect
193 return 'ipbblocked';
194 }
195
202 public function checkEmailPermissions() {
203 return $this->options->get( MainConfigNames::EnableUserEmail ) &&
204 $this->performer->isAllowed( 'blockemail' );
205 }
206}
wfDeprecatedMsg
wfDeprecatedMsg( $msg, $version=false, $component=false, $callerOffset=2)
Log a deprecation warning with arbitrary message text.
Definition GlobalFunctions.php:805
MediaWiki\Block\BlockPermissionChecker\checkEmailPermissions
checkEmailPermissions()
Check permission to block emailing.
Definition BlockPermissionChecker.php:202
MediaWiki\Block\BlockPermissionChecker\__construct
__construct(ServiceOptions $options, BlockTargetFactory $blockTargetFactory, Authority $performer)
Definition BlockPermissionChecker.php:71
MediaWiki\Block\BlockPermissionChecker\checkBlockPermissions
checkBlockPermissions( $target=null, $freshness=IDBAccessObject::READ_NORMAL)
Checks block-related permissions (doesn't check any other permissions)
Definition BlockPermissionChecker.php:131
MediaWiki\Block\BlockPermissionChecker\checkBasePermissions
checkBasePermissions( $checkHideuser=false)
Check the base permission that applies to either block or unblock.
Definition BlockPermissionChecker.php:98
MediaWiki\Block\BlockTargetFactory
Factory for BlockTarget objects.
Definition BlockTargetFactory.php:24
MediaWiki\Block\BlockTarget
Base class for block targets.
Definition BlockTarget.php:17
MediaWiki\Block\BlockTarget\equals
equals(?BlockTarget $other)
Compare this object with another one.
Definition BlockTarget.php:46
MediaWiki\Block\UserBlockTarget
A block target for a registered user.
Definition UserBlockTarget.php:15
MediaWiki\Config\ServiceOptions
A class for passing options to services.
Definition ServiceOptions.php:26
MediaWiki\Config\ServiceOptions\assertRequiredOptions
assertRequiredOptions(array $expectedKeys)
Assert that the list of options provided in this instance exactly match $expectedKeys,...
Definition ServiceOptions.php:70
MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:22
MediaWiki\MainConfigNames\EnableUserEmail
const EnableUserEmail
Name constant for the EnableUserEmail setting, for use with Config::get()
Definition MainConfigNames.php:936
MediaWiki\Permissions\Authority
This interface represents the authority associated with the current execution context,...
Definition Authority.php:37
MediaWiki\User\UserIdentity
Interface for objects representing user identity.
Definition UserIdentity.php:38
Wikimedia\Rdbms\IDBAccessObject
Interface for database access objects.
Definition IDBAccessObject.php:59