Check if the user is blocked, and prevent authentication if so. More...

Inherits MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.

Collaboration diagram for MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider:

[legend]

Public Member Functions

__construct ( $params=[])

beginSecondaryAccountCreation ( $user, $creator, array $reqs)

Start an account creation flow.

Note: There is no guarantee this will be called in a successful account creation process as the user can just abandon the process at any time after the primary provider has issued a PASS and still have a valid account. Be prepared to handle any database inconsistencies that result from this or continueSecondaryAccountCreation() not being called.

Parameters

User	$user	User being created (has been added to the database). This may become a "UserValue" in the future, or User may be refactored into such.
User	$creator	User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such.
AuthenticationRequest[]	$reqs

Returns

AuthenticationResponse Expected responses:

PASS: The user creation is ok. Additional secondary providers may run.
ABSTAIN: Additional secondary providers may run.
UI: Additional AuthenticationRequests are needed to complete the process.
REDIRECT: Redirection to a third party is needed to complete the process.

beginSecondaryAuthentication ( $user, array $reqs)

Start an authentication flow.Note that this may be called for a user even if beginSecondaryAccountCreation() was never called. The module should take the opportunity to do any necessary setup in that case.

Parameters

User	$user	User being authenticated. This may become a "UserValue" in the future, or User may be refactored into such.
AuthenticationRequest[]	$reqs

Returns

AuthenticationResponse Expected responses:

PASS: The user is authenticated. Additional secondary providers may run.
FAIL: The user is not authenticated. Fail the authentication process.
ABSTAIN: Additional secondary providers may run.
UI: Additional AuthenticationRequests are needed to complete the process.
REDIRECT: Redirection to a third party is needed to complete the process.

getAuthenticationRequests ( $action, array $options)

Return the applicable list of AuthenticationRequests.Possible values for $action depend on whether the implementing class is also a PreAuthenticationProvider, PrimaryAuthenticationProvider, or SecondaryAuthenticationProvider.

ACTION_LOGIN: Valid for passing to beginAuthentication. Called on all providers.
ACTION_CREATE: Valid for passing to beginAccountCreation. Called on all providers.
ACTION_LINK: Valid for passing to beginAccountLink. Called on linking primary providers only.
ACTION_CHANGE: Valid for passing to AuthManager::changeAuthenticationData to change credentials. Called on primary and secondary providers.
ACTION_REMOVE: Valid for passing to AuthManager::changeAuthenticationData to remove credentials. Must work without additional user input (i.e. without calling loadFromSubmission). Called on primary and secondary providers.

See also: AuthManager::getAuthenticationRequests()

Parameters

string	$action
array	$options	Options are: username: Username related to the action, or null/unset if anon. ACTION_LOGIN: The currently logged-in user, if any. ACTION_CREATE: The account creator, if non-anonymous. ACTION_LINK: The local user being linked to. ACTION_CHANGE: The user having data changed. ACTION_REMOVE: The user having data removed. If you leave the username property of the returned requests empty, this will automatically be copied there (except for ACTION_CREATE and ACTION_LOGIN).

Returns: AuthenticationRequest[]

Public Member Functions inherited from MediaWiki\Auth\AbstractSecondaryAuthenticationProvider

autoCreatedAccount ( $user, $source)

Post-auto-creation callback.

Parameters

User	$user	User being created (has been added to the database now). This may become a "UserValue" in the future, or User may be refactored into such.
string	$source	The source of the auto-creation passed to AuthManager::autoCreateUser().

continueSecondaryAccountCreation ( $user, $creator, array $reqs)

Continue an authentication flow.

Parameters

User	$user	User being created (has been added to the database). This may become a "UserValue" in the future, or User may be refactored into such.
User	$creator	User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such.
AuthenticationRequest[]	$reqs

Returns

AuthenticationResponse Expected responses:

PASS: The user creation is ok. Additional secondary providers may run.
ABSTAIN: Additional secondary providers may run.
UI: Additional AuthenticationRequests are needed to complete the process.
REDIRECT: Redirection to a third party is needed to complete the process.

continueSecondaryAuthentication ( $user, array $reqs)

Continue an authentication flow.

Parameters

User	$user	User being authenticated. This may become a "UserValue" in the future, or User may be refactored into such.
AuthenticationRequest[]	$reqs

Returns

AuthenticationResponse Expected responses:

PASS: The user is authenticated. Additional secondary providers may run.
FAIL: The user is not authenticated. Fail the authentication process.
ABSTAIN: Additional secondary providers may run.
UI: Additional AuthenticationRequests are needed to complete the process.
REDIRECT: Redirection to a third party is needed to complete the process.

postAccountCreation ( $user, $creator, AuthenticationResponse $response)

Post-creation callback.This will be called at the end of an account creation attempt. It will not be called if the account creation process results in a session timeout (possibly after a successful user creation, while a secondary provider is waiting for a response).

Parameters

User	$user	User that was attempted to be created. This may become a "UserValue" in the future, or User may be refactored into such.
User	$creator	User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such.
AuthenticationResponse	$response	Authentication response that will be returned (PASS or FAIL)

postAuthentication ( $user, AuthenticationResponse $response)

Post-login callback.This will be called at the end of a login attempt. It will not be called for unfinished login attempts that fail by the session timing out.

Parameters

User \| null	$user	User that was attempted to be logged in, if known. This may become a "UserValue" in the future, or User may be refactored into such.
AuthenticationResponse	$response	Authentication response that will be returned (PASS or FAIL)

providerAllowsAuthenticationDataChange (AuthenticationRequest $req, $checkData=true)

Validate a change of authentication data (e.g.passwords)Return StatusValue::newGood( 'ignored' ) if you don't support this AuthenticationRequest type.

Parameters

AuthenticationRequest	$req
bool	$checkData	If false, $req hasn't been loaded from the submission so checks on user-submitted fields should be skipped. $req->username is considered user-submitted for this purpose, even if it cannot be changed via $req->loadFromSubmission.

Returns: StatusValue

providerAllowsPropertyChange ( $property)

Determine whether a property can change.

See also: AuthManager::allowsPropertyChange()

Parameters

string $property

Returns: bool

providerChangeAuthenticationData (AuthenticationRequest $req)

Change or remove authentication data (e.g.passwords)If $req was returned for AuthManager::ACTION_CHANGE, the corresponding credentials should result in a successful login in the future.If $req was returned for AuthManager::ACTION_REMOVE, the corresponding credentials should no longer result in a successful login.It can be assumed that providerAllowsAuthenticationDataChange with $checkData === true was called before this, and passed. This method should never fail (other than throwing an exception).

Parameters

AuthenticationRequest $req

providerRevokeAccessForUser ( $username)

Revoke the user's credentials.This may cause the user to no longer exist for the provider, or the user may continue to exist in a "disabled" state.The intention is that the named account will never again be usable for normal login (i.e. there is no way to undo the revocation of access).

Parameters

string $username

testForAccountCreation ( $user, $creator, array $reqs)

Determine whether an account creation may begin.Called from AuthManager::beginAccountCreation()

Note: No need to test if the account exists, AuthManager checks that

Parameters

User	$user	User being created (not added to the database yet). This may become a "UserValue" in the future, or User may be refactored into such.
User	$creator	User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such.
AuthenticationRequest[]	$reqs

Returns: StatusValue

testUserForCreation ( $user, $autocreate, array $options=[])

Determine whether an account may be created.

Parameters

User	$user	User being created (not added to the database yet). This may become a "UserValue" in the future, or User may be refactored into such.
bool \| string	$autocreate	False if this is not an auto-creation, or the source of the auto-creation passed to AuthManager::autoCreateUser().
array	$options	flags: (int) Bitfield of IDBAccessObject::READ_* constants, default IDBAccessObject::READ_NORMAL creating: (bool) If false (or missing), this call is only testing if a user could be created. If set, this (non-autocreation) is for actually creating an account and will be followed by a call to testForAccountCreation(). In this case, the provider might return StatusValue::newGood() here and let the later call to testForAccountCreation() do a more thorough test.

Returns: StatusValue

Public Member Functions inherited from MediaWiki\Auth\AbstractAuthenticationProvider

getUniqueId ()

Return a unique identifier for this instance.This must be the same across requests. If multiple instances return the same ID, exceptions will be thrown from AuthManager.

Returns: string

init (LoggerInterface $logger, AuthManager $manager, HookContainer $hookContainer, Config $config, UserNameUtils $userNameUtils)

Initialise with dependencies of an AuthenticationProvider.

Protected Member Functions
	postInitSetup ()
	A provider can override this to do any necessary setup after init() is called. Since 1.37 Stability: stable to override

Protected Member Functions inherited from MediaWiki\Auth\AbstractAuthenticationProvider
	getHookContainer ()

	getHookRunner ()

Protected Attributes
bool	$blockDisablesLogin = null

Protected Attributes inherited from MediaWiki\Auth\AbstractAuthenticationProvider
Config	$config

LoggerInterface	$logger

AuthManager	$manager

UserNameUtils	$userNameUtils

Detailed Description

Check if the user is blocked, and prevent authentication if so.

Not all scenarios are covered by this class, AuthManager does some block checks itself via AuthManager::authorizeCreateAccount().

Since: 1.27

Definition at line 35 of file CheckBlocksSecondaryAuthenticationProvider.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::__construct ( $params = [] )

Parameters

array

$params

blockDisablesLogin: (bool) Whether blocked accounts can log in, defaults to $wgBlockDisablesLogin

Definition at line 45 of file CheckBlocksSecondaryAuthenticationProvider.php.

References $params.

Member Function Documentation

◆ beginSecondaryAccountCreation()

MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::beginSecondaryAccountCreation	(		$user,
			$creator,
		array	$reqs )

Start an account creation flow.

Note: There is no guarantee this will be called in a successful account creation process as the user can just abandon the process at any time after the primary provider has issued a PASS and still have a valid account. Be prepared to handle any database inconsistencies that result from this or continueSecondaryAccountCreation() not being called.

Parameters

User	$user	User being created (has been added to the database). This may become a "UserValue" in the future, or User may be refactored into such.
User	$creator	User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such.
AuthenticationRequest[]	$reqs

Returns

AuthenticationResponse Expected responses:

PASS: The user creation is ok. Additional secondary providers may run.
ABSTAIN: Additional secondary providers may run.
UI: Additional AuthenticationRequests are needed to complete the process.
REDIRECT: Redirection to a third party is needed to complete the process.

Implements MediaWiki\Auth\SecondaryAuthenticationProvider.

Definition at line 79 of file CheckBlocksSecondaryAuthenticationProvider.php.

References MediaWiki\Auth\AuthenticationResponse\newAbstain().

◆ beginSecondaryAuthentication()

MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::beginSecondaryAuthentication	(		$user,
		array	$reqs )

Start an authentication flow.Note that this may be called for a user even if beginSecondaryAccountCreation() was never called. The module should take the opportunity to do any necessary setup in that case.

Parameters

User	$user	User being authenticated. This may become a "UserValue" in the future, or User may be refactored into such.
AuthenticationRequest[]	$reqs

Returns

AuthenticationResponse Expected responses:

PASS: The user is authenticated. Additional secondary providers may run.
FAIL: The user is not authenticated. Fail the authentication process.
ABSTAIN: Additional secondary providers may run.
UI: Additional AuthenticationRequests are needed to complete the process.
REDIRECT: Redirection to a third party is needed to complete the process.

Implements MediaWiki\Auth\SecondaryAuthenticationProvider.

Definition at line 62 of file CheckBlocksSecondaryAuthenticationProvider.php.

References MediaWiki\Auth\AuthenticationResponse\newAbstain(), MediaWiki\Auth\AuthenticationResponse\newFail(), and MediaWiki\Auth\AuthenticationResponse\newPass().

◆ getAuthenticationRequests()

MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::getAuthenticationRequests	(		$action,
		array	$options )

Return the applicable list of AuthenticationRequests.Possible values for $action depend on whether the implementing class is also a PreAuthenticationProvider, PrimaryAuthenticationProvider, or SecondaryAuthenticationProvider.

ACTION_LOGIN: Valid for passing to beginAuthentication. Called on all providers.
ACTION_CREATE: Valid for passing to beginAccountCreation. Called on all providers.
ACTION_LINK: Valid for passing to beginAccountLink. Called on linking primary providers only.
ACTION_CHANGE: Valid for passing to AuthManager::changeAuthenticationData to change credentials. Called on primary and secondary providers.
ACTION_REMOVE: Valid for passing to AuthManager::changeAuthenticationData to remove credentials. Must work without additional user input (i.e. without calling loadFromSubmission). Called on primary and secondary providers.

See also: AuthManager::getAuthenticationRequests()

Parameters

string	$action
array	$options	Options are: username: Username related to the action, or null/unset if anon. ACTION_LOGIN: The currently logged-in user, if any. ACTION_CREATE: The account creator, if non-anonymous. ACTION_LINK: The local user being linked to. ACTION_CHANGE: The user having data changed. ACTION_REMOVE: The user having data removed. If you leave the username property of the returned requests empty, this will automatically be copied there (except for ACTION_CREATE and ACTION_LOGIN).