MediaWiki master
GroupPermissionsLookup.php
Go to the documentation of this file.
1<?php
21namespace MediaWiki\Permissions;
22
25
41
45 public const CONSTRUCTOR_OPTIONS = [
49 ];
50
52 private $groupPermissions;
53
55 private $revokePermissions;
56
58 private $groupInheritance;
59
60 public function __construct( ServiceOptions $options ) {
61 $options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );
62 $this->groupPermissions = $options->get( MainConfigNames::GroupPermissions );
63 $this->revokePermissions = $options->get( MainConfigNames::RevokePermissions );
64 $this->groupInheritance = $options->get( MainConfigNames::GroupInheritsPermissions );
65 }
66
79 public function groupHasPermission( string $group, string $permission ): bool {
80 $inheritsFrom = $this->groupInheritance[$group] ?? false;
81 $has = isset( $this->groupPermissions[$group][$permission] ) &&
82 $this->groupPermissions[$group][$permission];
83 // If the group doesn't have the permission and inherits from somewhere,
84 // check that group too
85 if ( !$has && $inheritsFrom !== false ) {
86 $has = isset( $this->groupPermissions[$inheritsFrom][$permission] ) &&
87 $this->groupPermissions[$inheritsFrom][$permission];
88 }
89 if ( !$has ) {
90 // If they don't have the permission, exit early
91 return false;
92 }
93
94 // Check if the permission has been revoked
95 $revoked = isset( $this->revokePermissions[$group][$permission] ) &&
96 $this->revokePermissions[$group][$permission];
97 if ( !$revoked && $inheritsFrom !== false ) {
98 $revoked = isset( $this->revokePermissions[$inheritsFrom][$permission] ) &&
99 $this->revokePermissions[$inheritsFrom][$permission];
100 }
101
102 return !$revoked;
103 }
104
115 public function getGrantedPermissions( string $group ): array {
116 $rights = array_keys( array_filter( $this->groupPermissions[$group] ?? [] ) );
117 $inheritsFrom = $this->groupInheritance[$group] ?? false;
118 if ( $inheritsFrom !== false ) {
119 $rights = array_merge(
120 $rights,
121 // array_filter removes empty items
122 array_keys( array_filter( $this->groupPermissions[$inheritsFrom] ?? [] ) )
123 );
124 }
125
126 return array_unique( $rights );
127 }
128
136 public function getRevokedPermissions( string $group ): array {
137 $rights = array_keys( array_filter( $this->revokePermissions[$group] ?? [] ) );
138 $inheritsFrom = $this->groupInheritance[$group] ?? false;
139 if ( $inheritsFrom !== false ) {
140 $rights = array_merge(
141 $rights,
142 // array_filter removes empty items
143 array_keys( array_filter( $this->revokePermissions[$inheritsFrom] ?? [] ) )
144 );
145 }
146
147 return array_unique( $rights );
148 }
149
159 public function getGroupPermissions( array $groups ): array {
160 $rights = [];
161 $checkGroups = [];
162
163 // Add inherited groups to the list of groups to check
164 foreach ( $groups as $group ) {
165 $checkGroups[] = $group;
166 if ( isset( $this->groupInheritance[$group] ) ) {
167 $checkGroups[] = $this->groupInheritance[$group];
168 }
169 }
170
171 // grant every granted permission first
172 foreach ( $checkGroups as $group ) {
173 if ( isset( $this->groupPermissions[$group] ) ) {
174 $rights = array_merge(
175 $rights,
176 // array_filter removes empty items
177 array_keys( array_filter( $this->groupPermissions[$group] ) )
178 );
179 }
180 }
181 // now revoke the revoked permissions
182 foreach ( $checkGroups as $group ) {
183 if ( isset( $this->revokePermissions[$group] ) ) {
184 $rights = array_diff(
185 $rights,
186 array_keys( array_filter( $this->revokePermissions[$group] ) )
187 );
188 }
189 }
190 return array_unique( $rights );
191 }
192
199 public function getGroupsWithPermission( string $permission ): array {
200 $allowedGroups = [];
201 $groups = array_unique( array_merge(
202 array_keys( $this->groupPermissions ),
203 array_keys( $this->groupInheritance )
204 ) );
205 foreach ( $groups as $group ) {
206 if ( $this->groupHasPermission( $group, $permission ) ) {
207 $allowedGroups[] = $group;
208 }
209 }
210 return $allowedGroups;
211 }
212}
A class for passing options to services.
assertRequiredOptions(array $expectedKeys)
Assert that the list of options provided in this instance exactly match $expectedKeys,...
A class containing constants representing the names of configuration variables.
const GroupInheritsPermissions
Name constant for the GroupInheritsPermissions setting, for use with Config::get()
const RevokePermissions
Name constant for the RevokePermissions setting, for use with Config::get()
const GroupPermissions
Name constant for the GroupPermissions setting, for use with Config::get()
getGroupsWithPermission(string $permission)
Get all the groups who have a given permission.
groupHasPermission(string $group, string $permission)
Check, if the given group has the given permission.
getRevokedPermissions(string $group)
Get a list of permissions revoked from this group.
getGroupPermissions(array $groups)
Get the permissions associated with membership in a combination of groups.
getGrantedPermissions(string $group)
Get a list of permissions granted to this group.