UserGroupManager.php

Go to the documentation of this file.

<?php
namespace MediaWiki\User;
 
use ConfiguredReadOnlyMode;
use DBAccessObjectUtils;
use DeferredUpdates;
use IDBAccessObject;
use InvalidArgumentException;
use JobQueueGroup;
use ManualLogEntry;
use MediaWiki\Config\ServiceOptions;
use MediaWiki\HookContainer\HookContainer;
use MediaWiki\HookContainer\HookRunner;
use MediaWiki\Permissions\Authority;
use MediaWiki\Permissions\GroupPermissionsLookup;
use Psr\Log\LoggerInterface;
use ReadOnlyMode;
use Sanitizer;
use User;
use UserGroupExpiryJob;
use UserGroupMembership;
use WikiMap;
use Wikimedia\Assert\Assert;
use Wikimedia\IPUtils;
use Wikimedia\Rdbms\DBConnRef;
use Wikimedia\Rdbms\ILBFactory;
use Wikimedia\Rdbms\ILoadBalancer;
 
class UserGroupManager implements IDBAccessObject {
 
    public const CONSTRUCTOR_OPTIONS = [
        'AddGroups',
        'Autopromote',
        'AutopromoteOnce',
        'AutopromoteOnceLogInRC',
        'EmailAuthentication',
        'ImplicitGroups',
        'GroupPermissions',
        'GroupsAddToSelf',
        'GroupsRemoveFromSelf',
        'RevokePermissions',
        'RemoveGroups',
    ];
 
    private $options;
 
    private $loadBalancerFactory;
 
    private $loadBalancer;
 
    private $hookContainer;
 
    private $hookRunner;
 
    private $readOnlyMode;
 
    private $userEditTracker;
 
    private $groupPermissionsLookup;
 
    private $jobQueueGroup;
 
    private $logger;
 
    private $clearCacheCallbacks;
 
    private $dbDomain;
 
    private const CACHE_IMPLICIT = 'implicit';
 
    private const CACHE_EFFECTIVE = 'effective';
 
    private const CACHE_MEMBERSHIP = 'membership';
 
    private const CACHE_FORMER = 'former';
 
    private $userGroupCache = [];
 
    private $queryFlagsUsedForCaching = [];
 
    public function __construct(
        ServiceOptions $options,
        ConfiguredReadOnlyMode $configuredReadOnlyMode,
        ILBFactory $loadBalancerFactory,
        HookContainer $hookContainer,
        UserEditTracker $userEditTracker,
        GroupPermissionsLookup $groupPermissionsLookup,
        JobQueueGroup $jobQueueGroup,
        LoggerInterface $logger,
        array $clearCacheCallbacks = [],
        $dbDomain = false
    ) {
        $options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );
        $this->options = $options;
        $this->loadBalancerFactory = $loadBalancerFactory;
        $this->loadBalancer = $loadBalancerFactory->getMainLB( $dbDomain );
        $this->hookContainer = $hookContainer;
        $this->hookRunner = new HookRunner( $hookContainer );
        $this->userEditTracker = $userEditTracker;
        $this->groupPermissionsLookup = $groupPermissionsLookup;
        $this->jobQueueGroup = $jobQueueGroup;
        $this->logger = $logger;
        // Can't just inject ROM since we LB can be for foreign wiki
        $this->readOnlyMode = new ReadOnlyMode( $configuredReadOnlyMode, $this->loadBalancer );
        $this->clearCacheCallbacks = $clearCacheCallbacks;
        $this->dbDomain = $dbDomain;
    }
 
    public function listAllGroups(): array {
        return array_values( array_diff(
            array_merge(
                array_keys( $this->options->get( 'GroupPermissions' ) ),
                array_keys( $this->options->get( 'RevokePermissions' ) )
            ),
            $this->listAllImplicitGroups()
        ) );
    }
 
    public function listAllImplicitGroups(): array {
        return $this->options->get( 'ImplicitGroups' );
    }
 
    public function newGroupMembershipFromRow( \stdClass $row ): UserGroupMembership {
        return new UserGroupMembership(
            (int)$row->ug_user,
            $row->ug_group,
            $row->ug_expiry === null ? null : wfTimestamp(
                TS_MW,
                $row->ug_expiry
            )
        );
    }
 
    public function loadGroupMembershipsFromArray(
        UserIdentity $user,
        array $userGroups,
        int $queryFlags = self::READ_NORMAL
    ) {
        $membershipGroups = [];
        reset( $userGroups );
        foreach ( $userGroups as $row ) {
            $ugm = $this->newGroupMembershipFromRow( $row );
            $membershipGroups[ $ugm->getGroup() ] = $ugm;
        }
        $this->setCache(
            $this->getCacheKey( $user ),
            self::CACHE_MEMBERSHIP,
            $membershipGroups,
            $queryFlags
        );
    }
 
    public function getUserImplicitGroups(
        UserIdentity $user,
        int $queryFlags = self::READ_NORMAL,
        bool $recache = false
    ): array {
        $userKey = $this->getCacheKey( $user );
        if ( $recache ||
            !isset( $this->userGroupCache[$userKey][self::CACHE_IMPLICIT] ) ||
            !$this->canUseCachedValues( $user, self::CACHE_IMPLICIT, $queryFlags )
        ) {
            $groups = [ '*' ];
            if ( $user->isRegistered() ) {
                $groups[] = 'user';
 
                $groups = array_unique( array_merge(
                    $groups,
                    $this->getUserAutopromoteGroups( $user )
                ) );
            }
            $this->setCache( $userKey, self::CACHE_IMPLICIT, $groups, $queryFlags );
            if ( $recache ) {
                // Assure data consistency with rights/groups,
                // as getUserEffectiveGroups() depends on this function
                $this->clearUserCacheForKind( $user, self::CACHE_EFFECTIVE );
            }
        }
        return $this->userGroupCache[$userKey][self::CACHE_IMPLICIT];
    }
 
    public function getUserEffectiveGroups(
        UserIdentity $user,
        int $queryFlags = self::READ_NORMAL,
        bool $recache = false
    ): array {
        $userKey = $this->getCacheKey( $user );
        // Ignore cache if the $recache flag is set, cached values can not be used
        // or the cache value is missing
        if ( $recache ||
            !$this->canUseCachedValues( $user, self::CACHE_EFFECTIVE, $queryFlags ) ||
            !isset( $this->userGroupCache[$userKey][self::CACHE_EFFECTIVE] )
        ) {
            $groups = array_unique( array_merge(
                $this->getUserGroups( $user, $queryFlags ), // explicit groups
                $this->getUserImplicitGroups( $user, $queryFlags, $recache ) // implicit groups
            ) );
            // TODO: Deprecate passing out user object in the hook by introducing
            // an alternative hook
            if ( $this->hookContainer->isRegistered( 'UserEffectiveGroups' ) ) {
                $userObj = User::newFromIdentity( $user );
                $userObj->load();
                // Hook for additional groups
                $this->hookRunner->onUserEffectiveGroups( $userObj, $groups );
            }
            // Force reindexation of groups when a hook has unset one of them
            $effectiveGroups = array_values( array_unique( $groups ) );
            $this->setCache( $userKey, self::CACHE_EFFECTIVE, $effectiveGroups, $queryFlags );
        }
        return $this->userGroupCache[$userKey][self::CACHE_EFFECTIVE];
    }
 
    public function getUserFormerGroups(
        UserIdentity $user,
        int $queryFlags = self::READ_NORMAL
    ): array {
        $userKey = $this->getCacheKey( $user );
 
        if ( $this->canUseCachedValues( $user, self::CACHE_FORMER, $queryFlags ) &&
            isset( $this->userGroupCache[$userKey][self::CACHE_FORMER] )
        ) {
            return $this->userGroupCache[$userKey][self::CACHE_FORMER];
        }
 
        if ( !$user->isRegistered() ) {
            // Anon users don't have groups stored in the database
            return [];
        }
 
        $db = $this->getDBConnectionRefForQueryFlags( $queryFlags );
        $res = $db->select(
            'user_former_groups',
            [ 'ufg_group' ],
            [ 'ufg_user' => $user->getId() ],
            __METHOD__
        );
        $formerGroups = [];
        foreach ( $res as $row ) {
            $formerGroups[] = $row->ufg_group;
        }
        $this->setCache( $userKey, self::CACHE_FORMER, $formerGroups, $queryFlags );
 
        return $this->userGroupCache[$userKey][self::CACHE_FORMER];
    }
 
    public function getUserAutopromoteGroups( UserIdentity $user ): array {
        $promote = [];
        // TODO: remove the need for the full user object
        $userObj = User::newFromIdentity( $user );
        foreach ( $this->options->get( 'Autopromote' ) as $group => $cond ) {
            if ( $this->recCheckCondition( $cond, $userObj ) ) {
                $promote[] = $group;
            }
        }
 
        $this->hookRunner->onGetAutoPromoteGroups( $userObj, $promote );
        return $promote;
    }
 
    public function getUserAutopromoteOnceGroups(
        UserIdentity $user,
        string $event
    ): array {
        $autopromoteOnce = $this->options->get( 'AutopromoteOnce' );
        $promote = [];
 
        if ( isset( $autopromoteOnce[$event] ) && count( $autopromoteOnce[$event] ) ) {
            $currentGroups = $this->getUserGroups( $user );
            $formerGroups = $this->getUserFormerGroups( $user );
            // TODO: remove the need for the full user object
            $userObj = User::newFromIdentity( $user );
            foreach ( $autopromoteOnce[$event] as $group => $cond ) {
                // Do not check if the user's already a member
                if ( in_array( $group, $currentGroups ) ) {
                    continue;
                }
                // Do not autopromote if the user has belonged to the group
                if ( in_array( $group, $formerGroups ) ) {
                    continue;
                }
                // Finally - check the conditions
                if ( $this->recCheckCondition( $cond, $userObj ) ) {
                    $promote[] = $group;
                }
            }
        }
 
        return $promote;
    }
 
    private function recCheckCondition( $cond, User $user ): bool {
        $validOps = [ '&', '|', '^', '!' ];
 
        if ( is_array( $cond ) && count( $cond ) >= 2 && in_array( $cond[0], $validOps ) ) {
            // Recursive condition
            if ( $cond[0] == '&' ) { // AND (all conds pass)
                foreach ( array_slice( $cond, 1 ) as $subcond ) {
                    if ( !$this->recCheckCondition( $subcond, $user ) ) {
                        return false;
                    }
                }
 
                return true;
            } elseif ( $cond[0] == '|' ) { // OR (at least one cond passes)
                foreach ( array_slice( $cond, 1 ) as $subcond ) {
                    if ( $this->recCheckCondition( $subcond, $user ) ) {
                        return true;
                    }
                }
 
                return false;
            } elseif ( $cond[0] == '^' ) { // XOR (exactly one cond passes)
                if ( count( $cond ) > 3 ) {
                    $this->logger->warning(
                        'recCheckCondition() given XOR ("^") condition on three or more conditions.' .
                        ' Check your $wgAutopromote and $wgAutopromoteOnce settings.'
                    );
                }
                return $this->recCheckCondition( $cond[1], $user )
                    xor $this->recCheckCondition( $cond[2], $user );
            } elseif ( $cond[0] == '!' ) { // NOT (no conds pass)
                foreach ( array_slice( $cond, 1 ) as $subcond ) {
                    if ( $this->recCheckCondition( $subcond, $user ) ) {
                        return false;
                    }
                }
 
                return true;
            }
        }
        // If we got here, the array presumably does not contain other conditions;
        // it's not recursive. Pass it off to checkCondition.
        if ( !is_array( $cond ) ) {
            $cond = [ $cond ];
        }
 
        return $this->checkCondition( $cond, $user );
    }
 
    private function checkCondition( array $cond, User $user ): bool {
        if ( count( $cond ) < 1 ) {
            return false;
        }
 
        switch ( $cond[0] ) {
            case APCOND_EMAILCONFIRMED:
                if ( Sanitizer::validateEmail( $user->getEmail() ) ) {
                    if ( $this->options->get( 'EmailAuthentication' ) ) {
                        return (bool)$user->getEmailAuthenticationTimestamp();
                    } else {
                        return true;
                    }
                }
                return false;
            case APCOND_EDITCOUNT:
                $reqEditCount = $cond[1];
 
                // T157718: Avoid edit count lookup if specified edit count is 0 or invalid
                if ( $reqEditCount <= 0 ) {
                    return true;
                }
                return $user->isRegistered() && $this->userEditTracker->getUserEditCount( $user ) >= $reqEditCount;
            case APCOND_AGE:
                $age = time() - (int)wfTimestampOrNull( TS_UNIX, $user->getRegistration() );
                return $age >= $cond[1];
            case APCOND_AGE_FROM_EDIT:
                $age = time() - (int)wfTimestampOrNull(
                    TS_UNIX, $this->userEditTracker->getFirstEditTimestamp( $user ) );
                return $age >= $cond[1];
            case APCOND_INGROUPS:
                $groups = array_slice( $cond, 1 );
                return count( array_intersect( $groups, $this->getUserGroups( $user ) ) ) == count( $groups );
            case APCOND_ISIP:
                return $cond[1] == $user->getRequest()->getIP();
            case APCOND_IPINRANGE:
                return IPUtils::isInRange( $user->getRequest()->getIP(), $cond[1] );
            case APCOND_BLOCKED:
                // Because checking for ipblock-exempt leads back to here (thus infinite recursion),
                // we stop checking for ipblock-exempt via here. We do this by setting the second
                // param to true.
                // See T270145.
                $block = $user->getBlock( Authority::READ_LATEST, true );
                return $block && $block->isSitewide();
            case APCOND_ISBOT:
                return in_array( 'bot', $this->groupPermissionsLookup
                    ->getGroupPermissions( $this->getUserGroups( $user ) ) );
            default:
                $result = null;
                $this->hookRunner->onAutopromoteCondition( $cond[0],
                    array_slice( $cond, 1 ), $user, $result );
                if ( $result === null ) {
                    throw new InvalidArgumentException(
                        "Unrecognized condition {$cond[0]} for autopromotion!"
                    );
                }
 
                return (bool)$result;
        }
    }
 
    public function addUserToAutopromoteOnceGroups(
        UserIdentity $user,
        string $event
    ): array {
        Assert::precondition(
            !$this->dbDomain || WikiMap::isCurrentWikiDbDomain( $this->dbDomain ),
            __METHOD__ . " is not supported for foreign domains: {$this->dbDomain} used"
        );
 
        if ( $this->readOnlyMode->isReadOnly() || !$user->getId() ) {
            return [];
        }
 
        $toPromote = $this->getUserAutopromoteOnceGroups( $user, $event );
        if ( $toPromote === [] ) {
            return [];
        }
 
        $userObj = User::newFromIdentity( $user );
        if ( !$userObj->checkAndSetTouched() ) {
            return []; // raced out (bug T48834)
        }
 
        $oldGroups = $this->getUserGroups( $user ); // previous groups
        $oldUGMs = $this->getUserGroupMemberships( $user );
        $this->addUserToMultipleGroups( $user, $toPromote );
        $newGroups = array_merge( $oldGroups, $toPromote ); // all groups
        $newUGMs = $this->getUserGroupMemberships( $user );
 
        // update groups in external authentication database
        // TODO: deprecate passing full User object to hook
        $this->hookRunner->onUserGroupsChanged(
            $userObj,
            $toPromote, [],
            false,
            false,
            $oldUGMs,
            $newUGMs
        );
 
        $logEntry = new ManualLogEntry( 'rights', 'autopromote' );
        $logEntry->setPerformer( $user );
        $logEntry->setTarget( $userObj->getUserPage() );
        $logEntry->setParameters( [
            '4::oldgroups' => $oldGroups,
            '5::newgroups' => $newGroups,
        ] );
        $logid = $logEntry->insert();
        if ( $this->options->get( 'AutopromoteOnceLogInRC' ) ) {
            $logEntry->publish( $logid );
        }
 
        return $toPromote;
    }
 
    public function getUserGroups(
        UserIdentity $user,
        int $queryFlags = self::READ_NORMAL
    ): array {
        return array_keys( $this->getUserGroupMemberships( $user, $queryFlags ) );
    }
 
    public function getUserGroupMemberships(
        UserIdentity $user,
        int $queryFlags = self::READ_NORMAL
    ): array {
        $userKey = $this->getCacheKey( $user );
 
        if ( $this->canUseCachedValues( $user, self::CACHE_MEMBERSHIP, $queryFlags ) &&
            isset( $this->userGroupCache[$userKey][self::CACHE_MEMBERSHIP] )
        ) {
            return $this->userGroupCache[$userKey][self::CACHE_MEMBERSHIP];
        }
 
        if ( !$user->isRegistered() ) {
            // Anon users don't have groups stored in the database
            return [];
        }
 
        $db = $this->getDBConnectionRefForQueryFlags( $queryFlags );
        $queryInfo = $this->getQueryInfo();
        $res = $db->select(
            $queryInfo['tables'],
            $queryInfo['fields'],
            [ 'ug_user' => $user->getId() ],
            __METHOD__,
            [],
            $queryInfo['joins']
        );
 
        $ugms = [];
        foreach ( $res as $row ) {
            $ugm = $this->newGroupMembershipFromRow( $row );
            if ( !$ugm->isExpired() ) {
                $ugms[$ugm->getGroup()] = $ugm;
            }
        }
        ksort( $ugms );
 
        $this->setCache( $userKey, self::CACHE_MEMBERSHIP, $ugms, $queryFlags );
 
        return $ugms;
    }
 
    public function addUserToGroup(
        UserIdentity $user,
        string $group,
        string $expiry = null,
        bool $allowUpdate = false
    ): bool {
        if ( $this->readOnlyMode->isReadOnly() ) {
            return false;
        }
 
        if ( !$user->isRegistered() ) {
            throw new InvalidArgumentException(
                'UserGroupManager::addUserToGroup() needs a positive user ID. ' .
                'Perhaps addUserToGroup() was called before the user was added to the database.'
            );
        }
 
        if ( $expiry ) {
            $expiry = wfTimestamp( TS_MW, $expiry );
        }
 
        // TODO: Deprecate passing out user object in the hook by introducing
        // an alternative hook
        if ( $this->hookContainer->isRegistered( 'UserAddGroup' ) ) {
            $userObj = User::newFromIdentity( $user );
            $userObj->load();
            if ( !$this->hookRunner->onUserAddGroup( $userObj, $group, $expiry ) ) {
                return false;
            }
        }
 
        $oldUgms = $this->getUserGroupMemberships( $user, self::READ_LATEST );
        $dbw = $this->loadBalancer->getConnectionRef( DB_PRIMARY, [], $this->dbDomain );
 
        $dbw->startAtomic( __METHOD__ );
        $dbw->insert(
            'user_groups',
            [
                'ug_user' => $user->getId(),
                'ug_group' => $group,
                'ug_expiry' => $expiry ? $dbw->timestamp( $expiry ) : null,
            ],
            __METHOD__,
            [ 'IGNORE' ]
        );
 
        $affected = $dbw->affectedRows();
        if ( !$affected ) {
            // Conflicting row already exists; it should be overridden if it is either expired
            // or if $allowUpdate is true and the current row is different than the loaded row.
            $conds = [
                'ug_user' => $user->getId(),
                'ug_group' => $group
            ];
            if ( $allowUpdate ) {
                // Update the current row if its expiry does not match that of the loaded row
                $conds[] = $expiry
                    ? "ug_expiry IS NULL OR ug_expiry != {$dbw->addQuotes( $dbw->timestamp( $expiry ) )}"
                    : 'ug_expiry IS NOT NULL';
            } else {
                // Update the current row if it is expired
                $conds[] = "ug_expiry < {$dbw->addQuotes( $dbw->timestamp() )}";
            }
            $dbw->update(
                'user_groups',
                [ 'ug_expiry' => $expiry ? $dbw->timestamp( $expiry ) : null ],
                $conds,
                __METHOD__
            );
            $affected = $dbw->affectedRows();
        }
        $dbw->endAtomic( __METHOD__ );
 
        // Purge old, expired memberships from the DB
        $fname = __METHOD__;
        DeferredUpdates::addCallableUpdate( function () use ( $fname ) {
            $dbr = $this->loadBalancer->getConnectionRef( DB_REPLICA );
            $hasExpiredRow = (bool)$dbr->selectField( 'user_groups', '1',
                [ 'ug_expiry < ' . $dbr->addQuotes( $dbr->timestamp() ) ],
                $fname
            );
            if ( $hasExpiredRow ) {
                $this->jobQueueGroup->push( new UserGroupExpiryJob( [] ) );
            }
        } );
 
        if ( $affected > 0 ) {
            $oldUgms[$group] = new UserGroupMembership( $user->getId(), $group, $expiry );
            if ( !$oldUgms[$group]->isExpired() ) {
                $this->setCache(
                    $this->getCacheKey( $user ),
                    self::CACHE_MEMBERSHIP,
                    $oldUgms,
                    self::READ_LATEST
                );
                $this->clearUserCacheForKind( $user, self::CACHE_EFFECTIVE );
            }
            foreach ( $this->clearCacheCallbacks as $callback ) {
                $callback( $user );
            }
            return true;
        }
        return false;
    }
 
    public function addUserToMultipleGroups(
        UserIdentity $user,
        array $groups,
        string $expiry = null,
        bool $allowUpdate = false
    ) {
        foreach ( $groups as $group ) {
            $this->addUserToGroup( $user, $group, $expiry, $allowUpdate );
        }
    }
 
    public function removeUserFromGroup( UserIdentity $user, string $group ): bool {
        // TODO: Deprecate passing out user object in the hook by introducing
        // an alternative hook
        if ( $this->hookContainer->isRegistered( 'UserRemoveGroup' ) ) {
            $userObj = User::newFromIdentity( $user );
            $userObj->load();
            if ( !$this->hookRunner->onUserRemoveGroup( $userObj, $group ) ) {
                return false;
            }
        }
 
        if ( $this->readOnlyMode->isReadOnly() ) {
            return false;
        }
 
        if ( !$user->isRegistered() ) {
            throw new InvalidArgumentException(
                'UserGroupManager::removeUserFromGroup() needs a positive user ID. ' .
                'Perhaps removeUserFromGroup() was called before the user was added to the database.'
            );
        }
 
        $oldUgms = $this->getUserGroupMemberships( $user, self::READ_LATEST );
        $oldFormerGroups = $this->getUserFormerGroups( $user, self::READ_LATEST );
        $dbw = $this->loadBalancer->getConnectionRef( DB_PRIMARY, [], $this->dbDomain );
        $dbw->delete(
            'user_groups',
            [ 'ug_user' => $user->getId(), 'ug_group' => $group ],
            __METHOD__
        );
 
        if ( !$dbw->affectedRows() ) {
            return false;
        }
        // Remember that the user was in this group
        $dbw->insert(
            'user_former_groups',
            [ 'ufg_user' => $user->getId(), 'ufg_group' => $group ],
            __METHOD__,
            [ 'IGNORE' ]
        );
 
        unset( $oldUgms[$group] );
        $userKey = $this->getCacheKey( $user );
        $this->setCache( $userKey, self::CACHE_MEMBERSHIP, $oldUgms, self::READ_LATEST );
        $oldFormerGroups[] = $group;
        $this->setCache( $userKey, self::CACHE_FORMER, $oldFormerGroups, self::READ_LATEST );
        $this->clearUserCacheForKind( $user, self::CACHE_EFFECTIVE );
        foreach ( $this->clearCacheCallbacks as $callback ) {
            $callback( $user );
        }
        return true;
    }
 
    public function getQueryInfo(): array {
        return [
            'tables' => [ 'user_groups' ],
            'fields' => [
                'ug_user',
                'ug_group',
                'ug_expiry',
            ],
            'joins' => []
        ];
    }
 
    public function purgeExpired() {
        if ( $this->readOnlyMode->isReadOnly() ) {
            return false;
        }
 
        $ticket = $this->loadBalancerFactory->getEmptyTransactionTicket( __METHOD__ );
        $dbw = $this->loadBalancer->getConnectionRef( DB_PRIMARY );
 
        $lockKey = "{$dbw->getDomainID()}:UserGroupManager:purge"; // per-wiki
        $scopedLock = $dbw->getScopedLockAndFlush( $lockKey, __METHOD__, 0 );
        if ( !$scopedLock ) {
            return false; // already running
        }
 
        $now = time();
        $purgedRows = 0;
        $queryInfo = $this->getQueryInfo();
        do {
            $dbw->startAtomic( __METHOD__ );
 
            $res = $dbw->select(
                $queryInfo['tables'],
                $queryInfo['fields'],
                [ 'ug_expiry < ' . $dbw->addQuotes( $dbw->timestamp( $now ) ) ],
                __METHOD__,
                [ 'FOR UPDATE', 'LIMIT' => 100 ],
                $queryInfo['joins']
            );
 
            if ( $res->numRows() > 0 ) {
                $insertData = []; // array of users/groups to insert to user_former_groups
                $deleteCond = []; // array for deleting the rows that are to be moved around
                foreach ( $res as $row ) {
                    $insertData[] = [ 'ufg_user' => $row->ug_user, 'ufg_group' => $row->ug_group ];
                    $deleteCond[] = $dbw->makeList(
                        [ 'ug_user' => $row->ug_user, 'ug_group' => $row->ug_group ],
                        $dbw::LIST_AND
                    );
                }
                // Delete the rows we're about to move
                $dbw->delete(
                    'user_groups',
                    $dbw->makeList( $deleteCond, $dbw::LIST_OR ),
                    __METHOD__
                );
                // Push the groups to user_former_groups
                $dbw->insert(
                    'user_former_groups',
                    $insertData,
                    __METHOD__,
                    [ 'IGNORE' ]
                );
                // Count how many rows were purged
                $purgedRows += $res->numRows();
            }
 
            $dbw->endAtomic( __METHOD__ );
 
            $this->loadBalancerFactory->commitAndWaitForReplication( __METHOD__, $ticket );
        } while ( $res->numRows() > 0 );
        return $purgedRows;
    }
 
    private function expandChangeableGroupConfig( array $config, string $group ): array {
        if ( empty( $config[$group] ) ) {
            return [];
        } elseif ( $config[$group] === true ) {
            // You get everything
            return $this->listAllGroups();
        } elseif ( is_array( $config[$group] ) ) {
            return $config[$group];
        }
        return [];
    }
 
    public function getGroupsChangeableByGroup( string $group ): array {
        return [
            'add' => $this->expandChangeableGroupConfig(
                $this->options->get( 'AddGroups' ), $group
            ),
            'remove' => $this->expandChangeableGroupConfig(
                $this->options->get( 'RemoveGroups' ), $group
            ),
            'add-self' => $this->expandChangeableGroupConfig(
                $this->options->get( 'GroupsAddToSelf' ), $group
            ),
            'remove-self' => $this->expandChangeableGroupConfig(
                $this->options->get( 'GroupsRemoveFromSelf' ), $group
            ),
        ];
    }
 
    public function getGroupsChangeableBy( Authority $authority ): array {
        if ( $authority->isAllowed( 'userrights' ) ) {
            // This group gives the right to modify everything (reverse-
            // compatibility with old "userrights lets you change
            // everything")
            // Using array_merge to make the groups reindexed
            $all = array_merge( $this->listAllGroups() );
            return [
                'add' => $all,
                'remove' => $all,
                'add-self' => [],
                'remove-self' => []
            ];
        }
 
        // Okay, it's not so simple, we will have to go through the arrays
        $groups = [
            'add' => [],
            'remove' => [],
            'add-self' => [],
            'remove-self' => []
        ];
        $actorGroups = $this->getUserEffectiveGroups( $authority->getUser() );
 
        foreach ( $actorGroups as $actorGroup ) {
            $groups = array_merge_recursive(
                $groups, $this->getGroupsChangeableByGroup( $actorGroup )
            );
            $groups['add'] = array_unique( $groups['add'] );
            $groups['remove'] = array_unique( $groups['remove'] );
            $groups['add-self'] = array_unique( $groups['add-self'] );
            $groups['remove-self'] = array_unique( $groups['remove-self'] );
        }
        return $groups;
    }
 
    public function clearCache( UserIdentity $user ) {
        $userKey = $this->getCacheKey( $user );
        unset( $this->userGroupCache[$userKey] );
        unset( $this->queryFlagsUsedForCaching[$userKey] );
    }
 
    private function setCache(
        string $userKey,
        string $cacheKind,
        array $groupValue,
        int $queryFlags
    ) {
        $this->userGroupCache[$userKey][$cacheKind] = $groupValue;
        $this->queryFlagsUsedForCaching[$userKey][$cacheKind] = $queryFlags;
    }
 
    private function clearUserCacheForKind( UserIdentity $user, string $cacheKind ) {
        $userKey = $this->getCacheKey( $user );
        unset( $this->userGroupCache[$userKey][$cacheKind] );
        unset( $this->queryFlagsUsedForCaching[$userKey][$cacheKind] );
    }
 
    private function getDBConnectionRefForQueryFlags( int $queryFlags ): DBConnRef {
        list( $mode, ) = DBAccessObjectUtils::getDBOptions( $queryFlags );
        return $this->loadBalancer->getConnectionRef( $mode, [], $this->dbDomain );
    }
 
    private function getCacheKey( UserIdentity $user ): string {
        return $user->isRegistered() ? "u:{$user->getId()}" : "anon:{$user->getName()}";
    }
 
    private function canUseCachedValues(
        UserIdentity $user,
        string $cacheKind,
        int $queryFlags
    ): bool {
        if ( !$user->isRegistered() ) {
            // Anon users don't have groups stored in the database,
            // so $queryFlags are ignored.
            return true;
        }
        if ( $queryFlags >= self::READ_LOCKING ) {
            return false;
        }
        $userKey = $this->getCacheKey( $user );
        $queryFlagsUsed = $this->queryFlagsUsedForCaching[$userKey][$cacheKind] ?? self::READ_NONE;
        return $queryFlagsUsed >= $queryFlags;
    }
}