MediaWiki  master
BlockPermissionChecker.php
1 <?php
2 
22 namespace MediaWiki\Block;
23 
28 
42  private $target;
43 
47  private $performer;
48 
52  public const CONSTRUCTOR_OPTIONS = [
54  ];
55 
57  private $options;
58 
/**
 * Bind the checker to one block target and one acting authority.
 *
 * The raw $target is passed through BlockUtils::parseBlockTarget(), which
 * yields the target together with its type; only the target is retained.
 * Every later check on this instance is evaluated against this target and
 * this performer, so a checker must not be reused for a different actor or
 * a different target.
 *
 * @param ServiceOptions $options Must contain exactly the keys listed in
 *   self::CONSTRUCTOR_OPTIONS; this is asserted before anything is stored.
 * @param BlockUtils $blockUtils Used once, to parse $target.
 * @param mixed $target Raw block target, in whatever form
 *   parseBlockTarget() accepts.
 * @param Authority $performer The authority whose rights and own block
 *   status are consulted by the check*() methods.
 */
public function __construct(
	ServiceOptions $options,
	BlockUtils $blockUtils,
	$target,
	Authority $performer
) {
	// Fail early on a mis-wired service before any state is kept.
	$options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );

	$this->performer = $performer;
	$this->options = $options;

	// parseBlockTarget() returns the target and its type; the type is dropped.
	[ $parsedTarget, ] = $blockUtils->parseBlockTarget( $target );
	$this->target = $parsedTarget;
}
76 
/**
 * Check the base permission that applies to either block or unblock.
 *
 * The performer needs the 'block' right. When $checkHideuser is true the
 * 'hideuser' right is required as well.
 *
 * Security note for callers: the result is either boolean true or a
 * non-empty message key. Both are truthy, so the result must be compared
 * with `=== true`; a loose `if ( $result )` treats a denial as success.
 * This method only looks at rights. It does not consider whether the
 * performer is blocked; that is what checkBlockPermissions() is for.
 *
 * @param bool $checkHideuser Also require the 'hideuser' right
 * @return bool|string True when permitted, otherwise the message key
 *   'badaccess-group0' or 'unblock-hideuser'
 */
public function checkBasePermissions( $checkHideuser = false ) {
	$mayBlock = $this->performer->isAllowed( 'block' );
	if ( !$mayBlock ) {
		return 'badaccess-group0';
	}

	// The 'hideuser' right is only consulted when the caller asks for it.
	$hideuserDenied = $checkHideuser && !$this->performer->isAllowed( 'hideuser' );

	return $hideuserDenied ? 'unblock-hideuser' : true;
}
98 
/**
 * Checks block-related permissions (doesn't check any other permissions).
 *
 * Decides whether a performer who is themselves blocked may still act on
 * the target. The order of the checks is significant:
 *  1. performer not blocked, or only partially blocked: allowed;
 *  2. target is the performer: allowed if the performer placed the block
 *     on themselves or holds 'unblockself', otherwise 'ipbnounblockself';
 *  3. target is the user who blocked the performer: allowed (T150826);
 *  4. anything else: 'ipbblocked'.
 *
 * Security note for callers: the result is either boolean true or a
 * non-empty message key, and both are truthy. Compare with `=== true`.
 * The 'block' right itself is not checked here; pair this call with
 * checkBasePermissions().
 *
 * @return bool|string True when permitted, otherwise the message key
 *   'ipbnounblockself' or 'ipbblocked'
 */
public function checkBlockPermissions() {
	// TODO: pass disposition parameter
	$performerBlock = $this->performer->getBlock();

	// User is not blocked, process as normal.
	// T208965: Partially blocked admins should have full access
	if ( !$performerBlock || !$performerBlock->isSitewide() ) {
		return true;
	}

	$actor = $this->performer->getUser();
	$targetIsUser = $this->target instanceof UserIdentity;

	// NOTE(review): "same user" is decided by numeric id here, while the
	// blocker comparisons below use equals(). Confirm that an id shared by
	// unregistered identities cannot make an unrelated target match.
	if ( $targetIsUser && $this->target->getId() === $actor->getId() ) {
		// Blocked admin is trying to alter their own block

		// Self-blocked admins can always remove or alter their block
		if ( $performerBlock->getBlocker() && $actor->equals( $performerBlock->getBlocker() ) ) {
			return true;
		}

		// Users with 'unblockself' right can unblock themselves or alter their own block
		return $this->performer->isAllowed( 'unblockself' ) ? true : 'ipbnounblockself';
	}

	// T150826: Blocked admins can always block the admin who blocked them
	if (
		$targetIsUser &&
		$performerBlock->getBlocker() &&
		$this->target->equals( $performerBlock->getBlocker() )
	) {
		return true;
	}

	// User is blocked and no exception took effect
	return 'ipbblocked';
}
155 
/**
 * Check permission to block emailing.
 *
 * Both conditions must hold: the EnableUserEmail option is on, and the
 * performer has the 'blockemail' right. Unlike the other check*()
 * methods, the result is always a plain boolean, never a message key.
 *
 * @return bool
 */
public function checkEmailPermissions() {
	// With user email switched off, the right is not consulted at all.
	if ( !$this->options->get( MainConfigNames::EnableUserEmail ) ) {
		return false;
	}

	return (bool)$this->performer->isAllowed( 'blockemail' );
}
166 }
__construct(ServiceOptions $options, BlockUtils $blockUtils, $target, Authority $performer)
checkEmailPermissions()
Check permission to block emailing.
checkBlockPermissions()
Checks block-related permissions (doesn't check any other permissions)
checkBasePermissions( $checkHideuser=false)
Check the base permission that applies to either block or unblock.
Backend class for blocking utils.
Definition: BlockUtils.php:46
parseBlockTarget( $target)
From an existing block, get the target and the type of target.
Definition: BlockUtils.php:92
A class for passing options to services.
assertRequiredOptions(array $expectedKeys)
Assert that the list of options provided in this instance exactly match $expectedKeys,...
A class containing constants representing the names of configuration variables.
const EnableUserEmail
Name constant for the EnableUserEmail setting, for use with Config::get()
This interface represents the authority associated with the current execution context, such as a web reque...
Definition: Authority.php:37
Interface for objects representing user identity.
equals(?UserIdentity $user)
getId( $wikiId=self::LOCAL)