MediaWiki master
BlockPermissionChecker.php
Go to the documentation of this file.
1<?php
2
8namespace MediaWiki\Block;
9
10use InvalidArgumentException;
11use MediaWiki\Config\ServiceOptions;
12use MediaWiki\MainConfigNames;
13use MediaWiki\Permissions\Authority;
14use MediaWiki\User\UserIdentity;
15use Wikimedia\Rdbms\IDBAccessObject;
16
26class BlockPermissionChecker {
31 private $target;
32
36 private $blockTargetFactory;
37
41 private $performer;
42
46 public const CONSTRUCTOR_OPTIONS = [
47 MainConfigNames::EnableUserEmail,
48 ];
49
50 private ServiceOptions $options;
51
57 public function __construct(
58 ServiceOptions $options,
59 BlockTargetFactory $blockTargetFactory,
60 Authority $performer
61 ) {
62 $options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );
63 $this->options = $options;
64 $this->blockTargetFactory = $blockTargetFactory;
65 $this->performer = $performer;
66 }
67
73 public function setTarget( $target ) {
74 $this->target = $this->blockTargetFactory->newFromLegacyUnion( $target );
75 }
76
84 public function checkBasePermissions( $checkHideuser = false ) {
85 if ( !$this->performer->isAllowed( 'block' ) ) {
86 return 'badaccess-group0';
87 }
88
89 if (
90 $checkHideuser &&
91 !$this->performer->isAllowed( 'hideuser' )
92 ) {
93 return 'unblock-hideuser';
94 }
95
96 return true;
97 }
98
117 public function checkBlockPermissions(
118 $target = null,
119 $freshness = IDBAccessObject::READ_NORMAL
120 ) {
121 if ( $target === null ) {
122 if ( $this->target ) {
123 wfDeprecatedMsg(
124 'Passing null to checkBlockPermissions() for $target is deprecated since 1.44',
125 '1.44' );
126 $target = $this->target;
127 } else {
128 throw new InvalidArgumentException( 'A target is required' );
129 }
130 } elseif ( !( $target instanceof BlockTarget ) ) {
131 $target = $this->blockTargetFactory->newFromLegacyUnion( $target );
132 if ( !$target ) {
133 throw new InvalidArgumentException( 'Invalid block target' );
134 }
135 }
136
137 $block = $this->performer->getBlock( $freshness );
138 if ( !$block ) {
139 // User is not blocked, process as normal
140 return true;
141 }
142
143 if ( !$block->isSitewide() ) {
144 // T208965: Partially blocked admins should have full access
145 return true;
146 }
147
148 $performerIdentity = $this->performer->getUser();
149
150 if (
151 $target instanceof UserBlockTarget &&
152 $target->getUserIdentity()->getId() === $performerIdentity->getId()
153 ) {
154 // Blocked admin is trying to alter their own block
155
156 // Self-blocked admins can always remove or alter their block
157 if ( $block->getBlocker() && $performerIdentity->equals( $block->getBlocker() ) ) {
158 return true;
159 }
160
161 // Users with 'unblockself' right can unblock themselves or alter their own block
162 if ( $this->performer->isAllowed( 'unblockself' ) ) {
163 return true;
164 } else {
165 return 'ipbnounblockself';
166 }
167 }
168
169 if (
170 $target instanceof UserBlockTarget &&
171 $block->getBlocker() &&
172 $target->getUserIdentity()->equals( $block->getBlocker() )
173 ) {
174 // T150826: Blocked admins can always block the admin who blocked them
175 return true;
176 }
177
178 // User is blocked and no exception took effect
179 return 'ipbblocked';
180 }
181
188 public function checkEmailPermissions() {
189 return $this->options->get( MainConfigNames::EnableUserEmail ) &&
190 $this->performer->isAllowed( 'blockemail' );
191 }
192}
wfDeprecatedMsg
wfDeprecatedMsg( $msg, $version=false, $component=false, $callerOffset=2)
Log a deprecation warning with arbitrary message text.
Definition GlobalFunctions.php:766
MediaWiki\Block\BlockPermissionChecker\checkEmailPermissions
checkEmailPermissions()
Check permission to block emailing.
Definition BlockPermissionChecker.php:188
MediaWiki\Block\BlockPermissionChecker\__construct
__construct(ServiceOptions $options, BlockTargetFactory $blockTargetFactory, Authority $performer)
Definition BlockPermissionChecker.php:57
MediaWiki\Block\BlockPermissionChecker\checkBlockPermissions
checkBlockPermissions( $target=null, $freshness=IDBAccessObject::READ_NORMAL)
Checks block-related permissions (doesn't check any other permissions)
Definition BlockPermissionChecker.php:117
MediaWiki\Block\BlockPermissionChecker\checkBasePermissions
checkBasePermissions( $checkHideuser=false)
Check the base permission that applies to either block or unblock.
Definition BlockPermissionChecker.php:84
MediaWiki\Block\BlockTargetFactory
Factory for BlockTarget objects.
Definition BlockTargetFactory.php:24
MediaWiki\Block\BlockTarget
Base class for block targets.
Definition BlockTarget.php:17
MediaWiki\Block\BlockTarget\equals
equals(?BlockTarget $other)
Compare this object with another one.
Definition BlockTarget.php:46
MediaWiki\Block\UserBlockTarget
A block target for a registered user.
Definition UserBlockTarget.php:15
MediaWiki\Config\ServiceOptions
A class for passing options to services.
Definition ServiceOptions.php:27
MediaWiki\Config\ServiceOptions\assertRequiredOptions
assertRequiredOptions(array $expectedKeys)
Assert that the list of options provided in this instance exactly match $expectedKeys,...
Definition ServiceOptions.php:71
MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:22
MediaWiki\MainConfigNames\EnableUserEmail
const EnableUserEmail
Name constant for the EnableUserEmail setting, for use with Config::get()
Definition MainConfigNames.php:942
MediaWiki\Permissions\Authority
This interface represents the authority associated with the current execution context,...
Definition Authority.php:23
MediaWiki\User\UserIdentity
Interface for objects representing user identity.
Definition UserIdentity.php:24
Wikimedia\Rdbms\IDBAccessObject
Interface for database access objects.
Definition IDBAccessObject.php:45