master/php/GroupPermissionsLookup_8php_source.html

<?php

namespace MediaWiki\Permissions;


use MediaWiki\Config\ServiceOptions;

use MediaWiki\MainConfigNames;


class GroupPermissionsLookup {


    public const CONSTRUCTOR_OPTIONS = [

        MainConfigNames::GroupInheritsPermissions,

        MainConfigNames::GroupPermissions,

        MainConfigNames::RevokePermissions,

    ];


    private $groupPermissions;


    private $revokePermissions;


    private $groupInheritance;


    public function __construct( ServiceOptions $options ) {

        $options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );

        $this->groupPermissions = $options->get( MainConfigNames::GroupPermissions );

        $this->revokePermissions = $options->get( MainConfigNames::RevokePermissions );

        $this->groupInheritance = $options->get( MainConfigNames::GroupInheritsPermissions );

    }


    public function groupHasPermission( string $group, string $permission ): bool {

        $inheritsFrom = $this->groupInheritance[$group] ?? false;

        $has = isset( $this->groupPermissions[$group][$permission] ) &&

            $this->groupPermissions[$group][$permission];

        // If the group doesn't have the permission and inherits from somewhere,

        // check that group too

        if ( !$has && $inheritsFrom !== false ) {

            $has = isset( $this->groupPermissions[$inheritsFrom][$permission] ) &&

                $this->groupPermissions[$inheritsFrom][$permission];

        }

        if ( !$has ) {

            // If they don't have the permission, exit early

            return false;

        }


        // Check if the permission has been revoked

        $revoked = isset( $this->revokePermissions[$group][$permission] ) &&

            $this->revokePermissions[$group][$permission];

        if ( !$revoked && $inheritsFrom !== false ) {

            $revoked = isset( $this->revokePermissions[$inheritsFrom][$permission] ) &&

                $this->revokePermissions[$inheritsFrom][$permission];

        }


        return !$revoked;

    }


    public function getGrantedPermissions( string $group ): array {

        $rights = array_keys( array_filter( $this->groupPermissions[$group] ?? [] ) );

        $inheritsFrom = $this->groupInheritance[$group] ?? false;

        if ( $inheritsFrom !== false ) {

            $rights = array_merge(

                $rights,

                // array_filter removes empty items

                array_keys( array_filter( $this->groupPermissions[$inheritsFrom] ?? [] ) )

            );

        }


        return array_unique( $rights );

    }


    public function getRevokedPermissions( string $group ): array {

        $rights = array_keys( array_filter( $this->revokePermissions[$group] ?? [] ) );

        $inheritsFrom = $this->groupInheritance[$group] ?? false;

        if ( $inheritsFrom !== false ) {

            $rights = array_merge(

                $rights,

                // array_filter removes empty items

                array_keys( array_filter( $this->revokePermissions[$inheritsFrom] ?? [] ) )

            );

        }


        return array_unique( $rights );

    }


    public function getGroupPermissions( array $groups ): array {

        $rights = [];

        $checkGroups = [];


        // Add inherited groups to the list of groups to check

        foreach ( $groups as $group ) {

            $checkGroups[] = $group;

            if ( isset( $this->groupInheritance[$group] ) ) {

                $checkGroups[] = $this->groupInheritance[$group];

            }

        }


        // grant every granted permission first

        foreach ( $checkGroups as $group ) {

            if ( isset( $this->groupPermissions[$group] ) ) {

                $rights = array_merge(

                    $rights,

                    // array_filter removes empty items

                    array_keys( array_filter( $this->groupPermissions[$group] ) )

                );

            }

        }

        // now revoke the revoked permissions

        foreach ( $checkGroups as $group ) {

            if ( isset( $this->revokePermissions[$group] ) ) {

                $rights = array_diff(

                    $rights,

                    array_keys( array_filter( $this->revokePermissions[$group] ) )

                );

            }

        }

        return array_unique( $rights );

    }


    public function getGroupsWithPermission( string $permission ): array {

        $allowedGroups = [];

        $groups = array_unique( array_merge(

            array_keys( $this->groupPermissions ),

            array_keys( $this->groupInheritance )

        ) );

        foreach ( $groups as $group ) {

            if ( $this->groupHasPermission( $group, $permission ) ) {

                $allowedGroups[] = $group;

            }

        }

        return $allowedGroups;

    }


}


MediaWiki\Config\ServiceOptions
A class for passing options to services.
Definition ServiceOptions.php:26

MediaWiki\Config\ServiceOptions\assertRequiredOptions
assertRequiredOptions(array $expectedKeys)
Assert that the list of options provided in this instance exactly match $expectedKeys,...
Definition ServiceOptions.php:70

MediaWiki\Config\ServiceOptions\get
get( $key)
Definition ServiceOptions.php:92

MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:22

MediaWiki\MainConfigNames\GroupInheritsPermissions
const GroupInheritsPermissions
Name constant for the GroupInheritsPermissions setting, for use with Config::get()
Definition MainConfigNames.php:2775

MediaWiki\MainConfigNames\RevokePermissions
const RevokePermissions
Name constant for the RevokePermissions setting, for use with Config::get()
Definition MainConfigNames.php:2769

MediaWiki\MainConfigNames\GroupPermissions
const GroupPermissions
Name constant for the GroupPermissions setting, for use with Config::get()
Definition MainConfigNames.php:2757

MediaWiki\Permissions\GroupPermissionsLookup
Definition GroupPermissionsLookup.php:40

MediaWiki\Permissions\GroupPermissionsLookup\getGroupsWithPermission
getGroupsWithPermission(string $permission)
Get all the groups who have a given permission.
Definition GroupPermissionsLookup.php:203

MediaWiki\Permissions\GroupPermissionsLookup\groupHasPermission
groupHasPermission(string $group, string $permission)
Check, if the given group has the given permission.
Definition GroupPermissionsLookup.php:83

MediaWiki\Permissions\GroupPermissionsLookup\__construct
__construct(ServiceOptions $options)
Definition GroupPermissionsLookup.php:64

MediaWiki\Permissions\GroupPermissionsLookup\getRevokedPermissions
getRevokedPermissions(string $group)
Get a list of permissions revoked from this group.
Definition GroupPermissionsLookup.php:140

MediaWiki\Permissions\GroupPermissionsLookup\getGroupPermissions
getGroupPermissions(array $groups)
Get the permissions associated with membership in a combination of groups.
Definition GroupPermissionsLookup.php:163

MediaWiki\Permissions\GroupPermissionsLookup\getGrantedPermissions
getGrantedPermissions(string $group)
Get a list of permissions granted to this group.
Definition GroupPermissionsLookup.php:119

MediaWiki\Permissions
Definition Authority.php:21