MediaWiki  master
BlockPermissionChecker.php
Go to the documentation of this file.
1 <?php
2 
22 namespace MediaWiki\Block;
23 
24 use MediaWiki\Config\ServiceOptions;
25 use MediaWiki\MainConfigNames;
26 use MediaWiki\Permissions\Authority;
27 use MediaWiki\User\UserIdentity;
28 
38 class BlockPermissionChecker {
42  private $target;
43 
47  private $performer;
48 
52  public const CONSTRUCTOR_OPTIONS = [
53  MainConfigNames::EnableUserEmail,
54  ];
55 
57  private $options;
58 
65  public function __construct(
66  ServiceOptions $options,
67  BlockUtils $blockUtils,
68  $target,
69  Authority $performer
70  ) {
71  $options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );
72  $this->options = $options;
73  [ $this->target, ] = $blockUtils->parseBlockTarget( $target );
74  $this->performer = $performer;
75  }
76 
84  public function checkBasePermissions( $checkHideuser = false ) {
85  if ( !$this->performer->isAllowed( 'block' ) ) {
86  return 'badaccess-group0';
87  }
88 
89  if (
90  $checkHideuser &&
91  !$this->performer->isAllowed( 'hideuser' )
92  ) {
93  return 'unblock-hideuser';
94  }
95 
96  return true;
97  }
98 
110  public function checkBlockPermissions() {
111  $block = $this->performer->getBlock(); // TODO: pass disposition parameter
112  if ( !$block ) {
113  // User is not blocked, process as normal
114  return true;
115  }
116 
117  if ( !$block->isSitewide() ) {
118  // T208965: Partially blocked admins should have full access
119  return true;
120  }
121 
122  $performerIdentity = $this->performer->getUser();
123 
124  if (
125  $this->target instanceof UserIdentity &&
126  $this->target->getId() === $performerIdentity->getId()
127  ) {
128  // Blocked admin is trying to alter their own block
129 
130  // Self-blocked admins can always remove or alter their block
131  if ( $block->getBlocker() && $performerIdentity->equals( $block->getBlocker() ) ) {
132  return true;
133  }
134 
135  // Users with 'unblockself' right can unblock themselves or alter their own block
136  if ( $this->performer->isAllowed( 'unblockself' ) ) {
137  return true;
138  } else {
139  return 'ipbnounblockself';
140  }
141  }
142 
143  if (
144  $this->target instanceof UserIdentity &&
145  $block->getBlocker() &&
146  $this->target->equals( $block->getBlocker() )
147  ) {
148  // T150826: Blocked admins can always block the admin who blocked them
149  return true;
150  }
151 
152  // User is blocked and no exception took effect
153  return 'ipbblocked';
154  }
155 
162  public function checkEmailPermissions() {
163  return $this->options->get( MainConfigNames::EnableUserEmail ) &&
164  $this->performer->isAllowed( 'blockemail' );
165  }
166 }
MediaWiki\Block\BlockPermissionChecker\__construct
__construct(ServiceOptions $options, BlockUtils $blockUtils, $target, Authority $performer)
Definition: BlockPermissionChecker.php:65
MediaWiki\Block\BlockPermissionChecker\checkEmailPermissions
checkEmailPermissions()
Check permission to block emailing.
Definition: BlockPermissionChecker.php:162
MediaWiki\Block\BlockPermissionChecker\checkBlockPermissions
checkBlockPermissions()
Checks block-related permissions (doesn't check any other permissions)
Definition: BlockPermissionChecker.php:110
MediaWiki\Block\BlockPermissionChecker\checkBasePermissions
checkBasePermissions( $checkHideuser=false)
Check the base permission that applies to either block or unblock.
Definition: BlockPermissionChecker.php:84
MediaWiki\Block\BlockUtils
Backend class for blocking utils.
Definition: BlockUtils.php:46
MediaWiki\Block\BlockUtils\parseBlockTarget
parseBlockTarget( $target)
From an existing block, get the target and the type of target.
Definition: BlockUtils.php:92
MediaWiki\Config\ServiceOptions
A class for passing options to services.
Definition: ServiceOptions.php:26
MediaWiki\Config\ServiceOptions\assertRequiredOptions
assertRequiredOptions(array $expectedKeys)
Assert that the list of options provided in this instance exactly match $expectedKeys,...
Definition: ServiceOptions.php:70
MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition: MainConfigNames.php:22
MediaWiki\MainConfigNames\EnableUserEmail
const EnableUserEmail
Name constant for the EnableUserEmail setting, for use with Config::get()
Definition: MainConfigNames.php:927
MediaWiki\Permissions\Authority
This interface represents the authority associated the current execution context, such as a web reque...
Definition: Authority.php:37
MediaWiki\User\UserIdentity
Interface for objects representing user identity.
Definition: UserIdentity.php:39
MediaWiki\User\UserIdentity\equals
equals(?UserIdentity $user)
MediaWiki\User\UserIdentity\getId
getId( $wikiId=self::LOCAL)