MediaWiki  master
BlockPermissionChecker.php
Go to the documentation of this file.
1 <?php
2 
22 namespace MediaWiki\Block;
23 
28 
43  private $target;
44 
48  private $targetType = null;
49 
53  private $performer;
54 
58  public const CONSTRUCTOR_OPTIONS = [
60  ];
61 
63  private $options;
64 
71  public function __construct(
72  ServiceOptions $options,
73  BlockUtils $blockUtils,
74  $target,
75  Authority $performer
76  ) {
77  $options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );
78  $this->options = $options;
79  [ $this->target, $this->targetType ] = $blockUtils->parseBlockTarget( $target );
80  $this->performer = $performer;
81  }
82 
90  public function checkBasePermissions( $checkHideuser = false ) {
91  if ( !$this->performer->isAllowed( 'block' ) ) {
92  return 'badaccess-group0';
93  }
94 
95  if (
96  $checkHideuser &&
97  !$this->performer->isAllowed( 'hideuser' )
98  ) {
99  return 'unblock-hideuser';
100  }
101 
102  return true;
103  }
104 
116  public function checkBlockPermissions() {
117  $block = $this->performer->getBlock(); // TODO: pass disposition parameter
118  if ( !$block ) {
119  // User is not blocked, process as normal
120  return true;
121  }
122 
123  if ( !$block->isSitewide() ) {
124  // T208965: Partially blocked admins should have full access
125  return true;
126  }
127 
128  $performerIdentity = $this->performer->getUser();
129 
130  if (
131  $this->target instanceof UserIdentity &&
132  $this->target->getId() === $performerIdentity->getId()
133  ) {
134  // Blocked admin is trying to alter their own block
135 
136  // Self-blocked admins can always remove or alter their block
137  if ( $block->getBlocker() && $performerIdentity->equals( $block->getBlocker() ) ) {
138  return true;
139  }
140 
141  // Users with 'unblockself' right can unblock themselves or alter their own block
142  if ( $this->performer->isAllowed( 'unblockself' ) ) {
143  return true;
144  } else {
145  return 'ipbnounblockself';
146  }
147  }
148 
149  if (
150  $this->target instanceof UserIdentity &&
151  $block->getBlocker() &&
152  $this->target->equals( $block->getBlocker() )
153  ) {
154  // T150826: Blocked admins can always block the admin who blocked them
155  return true;
156  }
157 
158  // User is blocked and no exception took effect
159  return 'ipbblocked';
160  }
161 
168  public function checkEmailPermissions() {
169  return $this->options->get( MainConfigNames::EnableUserEmail ) &&
170  $this->performer->isAllowed( 'blockemail' );
171  }
172 }
__construct(ServiceOptions $options, BlockUtils $blockUtils, $target, Authority $performer)
checkEmailPermissions()
Check permission to block emailing.
checkBlockPermissions()
Checks block-related permissions (doesn't check any other permissions)
checkBasePermissions( $checkHideuser=false)
Check base permission that apply to either block or unblock.
Backend class for blocking utils.
Definition: BlockUtils.php:46
parseBlockTarget( $target)
From an existing block, get the target and the type of target.
Definition: BlockUtils.php:92
A class for passing options to services.
assertRequiredOptions(array $expectedKeys)
Assert that the list of options provided in this instance exactly match $expectedKeys,...
A class containing constants representing the names of configuration variables.
const EnableUserEmail
Name constant for the EnableUserEmail setting, for use with Config::get()
This interface represents the authority associated the current execution context, such as a web reque...
Definition: Authority.php:37
Interface for objects representing user identity.
equals(?UserIdentity $user)
getId( $wikiId=self::LOCAL)