MediaWiki  master
CheckBlocksSecondaryAuthenticationProvider.php
Go to the documentation of this file.
1 <?php
22 namespace MediaWiki\Auth;
23 
27 use StatusValue;
28 
39 
41  protected $blockDisablesLogin = null;
42 
48  public function __construct( $params = [] ) {
49  if ( isset( $params['blockDisablesLogin'] ) ) {
50  $this->blockDisablesLogin = (bool)$params['blockDisablesLogin'];
51  }
52  }
53 
55  protected function postInitSetup() {
56  if ( $this->blockDisablesLogin === null ) {
57  $this->blockDisablesLogin = $this->config->get( MainConfigNames::BlockDisablesLogin );
58  }
59  }
60 
62  public function getAuthenticationRequests( $action, array $options ) {
63  return [];
64  }
65 
67  public function beginSecondaryAuthentication( $user, array $reqs ) {
68  if ( !$this->blockDisablesLogin ) {
70  }
71  $block = $user->getBlock();
72  // Ignore IP blocks and partial blocks, $wgBlockDisablesLogin was meant for
73  // blocks banning specific users.
74  if ( $block && $block->isSitewide() && $block->isBlocking( $user ) ) {
76  new \Message( 'login-userblocked', [ $user->getName() ] )
77  );
78  } else {
80  }
81  }
82 
84  public function beginSecondaryAccountCreation( $user, $creator, array $reqs ) {
86  }
87 
89  public function testUserForCreation( $user, $autocreate, array $options = [] ) {
90  // isBlockedFromCreateAccount() does not return non-accountcreation blocks, but we need them
91  // in the $wgBlockDisablesLogin case; getBlock() is unreliable for IP blocks. So we need both.
92  $blocks = [
93  'local-createaccount' => $user->isBlockedFromCreateAccount(),
94  'local' => $user->getBlock(),
95  ];
96  foreach ( $blocks as $block ) {
98  if ( $block && $block->isSitewide()
99  // This method is for checking a given account/username, not the current user, so
100  // ignore IP blocks; they will be checked elsewhere via authorizeCreateAccount().
101  // FIXME: special-case autocreation which doesn't do that check. Should it?
102  && ( $block->isBlocking( $user ) || $autocreate )
103  && (
104  // Should blocks that prevent account creation also prevent autocreation?
105  // We'll go with yes here.
106  $block->isCreateAccountBlocked()
107  // A successful autocreation means the user is logged in, so we must make sure to
108  // honor $wgBlockDisablesLogin. If it's enabled, sitewide blocks are expected to
109  // prevent login regardless of their flags.
110  || ( $autocreate && $this->blockDisablesLogin )
111  )
112  // FIXME: ideally on autocreation we'd figure out if the user has the ipblock-exempt
113  // or globalblock-exempt right via some central authorization system like
114  // CentralAuth global groups. But at this point the local account doesn't exist
115  // yet so there is no way to do that. There should probably be some separate hook
116  // to fetch user rights for a central user.
117  // FIXME: T249444: there should probably be a way to force autocreation through blocks
118  ) {
119  $formatter = MediaWikiServices::getInstance()->getBlockErrorFormatter();
120 
121  $context = \RequestContext::getMain();
122 
123  $language = $context->getUser()->isSafeToLoad() ?
124  \RequestContext::getMain()->getLanguage() :
125  MediaWikiServices::getInstance()->getContentLanguage();
126 
127  $ip = $context->getRequest()->getIP();
128 
129  return StatusValue::newFatal(
130  $formatter->getMessage( $block, $user, $language, $ip )
131  );
132  }
133  }
134  return StatusValue::newGood();
135  }
136 
137 }
A base class that implements some of the boilerplate for a SecondaryAuthenticationProvider.
static newFail(Message $msg, array $failReasons=[])
Check if the user is blocked, and prevent authentication if so.
beginSecondaryAccountCreation( $user, $creator, array $reqs)
Start an account creation flow.There is no guarantee this will be called in a successful account crea...
testUserForCreation( $user, $autocreate, array $options=[])
Determine whether an account may be created.User being created (not added to the database yet)....
getAuthenticationRequests( $action, array $options)
Return the applicable list of AuthenticationRequests.Possible values for $action depend on whether th...
beginSecondaryAuthentication( $user, array $reqs)
Start an authentication flow.Note that this may be called for a user even if beginSecondaryAccountCre...
postInitSetup()
A provider can override this to do any necessary setup after init() is called.1.37 Stability: stablet...
A class containing constants representing the names of configuration variables.
const BlockDisablesLogin
Name constant for the BlockDisablesLogin setting, for use with Config::get()
Service locator for MediaWiki core services.
static getInstance()
Returns the global default instance of the top level service locator.
The Message class deals with fetching and processing of interface message into a variety of formats.
Definition: Message.php:142
static getMain()
Get the RequestContext object associated with the main request.
Generic operation result class Has warning/error list, boolean status and arbitrary value.
Definition: StatusValue.php:46
static newFatal( $message,... $parameters)
Factory function for fatal errors.
Definition: StatusValue.php:73
static newGood( $value=null)
Factory function for good results.
Definition: StatusValue.php:85