MediaWiki  master
GroupPermissionsLookup.php
Go to the documentation of this file.
1 <?php
21 namespace MediaWiki\Permissions;
22 
25 
32 
37  public const CONSTRUCTOR_OPTIONS = [
41  ];
42 
45 
48 
51 
52  /*
53  * @param ServiceOptions $options
54  */
55  public function __construct( ServiceOptions $options ) {
56  $options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );
57  $this->groupPermissions = $options->get( MainConfigNames::GroupPermissions );
58  $this->revokePermissions = $options->get( MainConfigNames::RevokePermissions );
59  $this->groupInheritance = $options->get( MainConfigNames::GroupInheritsPermissions );
60  }
61 
74  public function groupHasPermission( string $group, string $permission ): bool {
75  $inheritsFrom = $this->groupInheritance[$group] ?? false;
76  $has = isset( $this->groupPermissions[$group][$permission] ) &&
77  $this->groupPermissions[$group][$permission];
78  // If the group doesn't have the permission and inherits from somewhere,
79  // check that group too
80  if ( !$has && $inheritsFrom !== false ) {
81  $has = isset( $this->groupPermissions[$inheritsFrom][$permission] ) &&
82  $this->groupPermissions[$inheritsFrom][$permission];
83  }
84  if ( !$has ) {
85  // If they don't have the permission, exit early
86  return false;
87  }
88 
89  // Check if the permission has been revoked
90  $revoked = isset( $this->revokePermissions[$group][$permission] ) &&
91  $this->revokePermissions[$group][$permission];
92  if ( !$revoked && $inheritsFrom !== false ) {
93  $revoked = isset( $this->revokePermissions[$inheritsFrom][$permission] ) &&
94  $this->revokePermissions[$inheritsFrom][$permission];
95  }
96 
97  return !$revoked;
98  }
99 
110  public function getGrantedPermissions( string $group ): array {
111  $rights = array_keys( array_filter( $this->groupPermissions[$group] ?? [] ) );
112  $inheritsFrom = $this->groupInheritance[$group] ?? false;
113  if ( $inheritsFrom !== false ) {
114  $rights = array_merge(
115  $rights,
116  // array_filter removes empty items
117  array_keys( array_filter( $this->groupPermissions[$inheritsFrom] ?? [] ) )
118  );
119  }
120 
121  return array_unique( $rights );
122  }
123 
131  public function getRevokedPermissions( string $group ): array {
132  $rights = array_keys( array_filter( $this->revokePermissions[$group] ?? [] ) );
133  $inheritsFrom = $this->groupInheritance[$group] ?? false;
134  if ( $inheritsFrom !== false ) {
135  $rights = array_merge(
136  $rights,
137  // array_filter removes empty items
138  array_keys( array_filter( $this->revokePermissions[$inheritsFrom] ?? [] ) )
139  );
140  }
141 
142  return array_unique( $rights );
143  }
144 
151  public function getGroupPermissions( array $groups ): array {
152  $rights = [];
153  $checkGroups = [];
154 
155  // Add inherited groups to the list of groups to check
156  foreach ( $groups as $group ) {
157  $checkGroups[] = $group;
158  if ( isset( $this->groupInheritance[$group] ) ) {
159  $checkGroups[] = $this->groupInheritance[$group];
160  }
161  }
162 
163  // grant every granted permission first
164  foreach ( $checkGroups as $group ) {
165  if ( isset( $this->groupPermissions[$group] ) ) {
166  $rights = array_merge(
167  $rights,
168  // array_filter removes empty items
169  array_keys( array_filter( $this->groupPermissions[$group] ) )
170  );
171  }
172  }
173  // now revoke the revoked permissions
174  foreach ( $checkGroups as $group ) {
175  if ( isset( $this->revokePermissions[$group] ) ) {
176  $rights = array_diff(
177  $rights,
178  array_keys( array_filter( $this->revokePermissions[$group] ) )
179  );
180  }
181  }
182  return array_unique( $rights );
183  }
184 
191  public function getGroupsWithPermission( string $permission ): array {
192  $allowedGroups = [];
193  $groups = array_merge(
194  array_keys( $this->groupPermissions ),
195  array_keys( $this->groupInheritance )
196  );
197  foreach ( $groups as $group ) {
198  if ( $this->groupHasPermission( $group, $permission ) ) {
199  $allowedGroups[] = $group;
200  }
201  }
202  return $allowedGroups;
203  }
204 }
A class for passing options to services.
assertRequiredOptions(array $expectedKeys)
Assert that the list of options provided in this instance exactly match $expectedKeys,...
A class containing constants representing the names of configuration variables.
const GroupInheritsPermissions
Name constant for the GroupInheritsPermissions setting, for use with Config::get()
const RevokePermissions
Name constant for the RevokePermissions setting, for use with Config::get()
const GroupPermissions
Name constant for the GroupPermissions setting, for use with Config::get()
getGroupsWithPermission(string $permission)
Get all the groups who have a given permission.
groupHasPermission(string $group, string $permission)
Check, if the given group has the given permission.
getRevokedPermissions(string $group)
Get a list of permissions revoked from this group.
getGroupPermissions(array $groups)
Get the permissions associated with a given list of groups.
getGrantedPermissions(string $group)
Get a list of permissions granted to this group.