MediaWiki master
MediaWiki\Permissions\PermissionManager Class Reference

A service class for checking permissions. To obtain an instance, use MediaWikiServices::getInstance()->getPermissionManager().

Public Member Functions

 __construct (ServiceOptions $options, SpecialPageFactory $specialPageFactory, NamespaceInfo $nsInfo, GroupPermissionsLookup $groupPermissionsLookup, UserGroupManager $userGroupManager, BlockManager $blockManager, BlockErrorFormatter $blockErrorFormatter, HookContainer $hookContainer, UserCache $userCache, RedirectLookup $redirectLookup, RestrictionStore $restrictionStore, TitleFormatter $titleFormatter, TempUserConfig $tempUserConfig, UserFactory $userFactory, ActionFactory $actionFactory)
 
 addTemporaryUserRights (UserIdentity $user, $rights)
 Add temporary user rights, only valid for the current function scope.
 
 getAllPermissions ()
 Get a list of all permissions that can be managed through group permissions.
 
 getApplicableBlock (string $action, User $user, string $rigor, $page, ?WebRequest $request)
 Return the Block object applicable for the given permission check, if any.
 
 getImplicitRights ()
 Get a list of implicit rights.
 
 getNamespaceRestrictionLevels ( $index, UserIdentity $user=null)
 Determine which restriction levels it makes sense to use in a namespace, optionally filtered by a user's rights.
 
 getPermissionErrors ( $action, User $user, LinkTarget $page, $rigor=self::RIGOR_SECURE, $ignoreErrors=[])
 Can $user perform $action on a page?
 
 getUserPermissions (UserIdentity $user)
 Get the permissions this user has.
 
 invalidateUsersRightsCache ( $user=null)
 Clear the in-process permission cache for one or all users.
 
 isBlockedFrom (User $user, $page, $fromReplica=false)
 Check if user is blocked from editing a particular article.
 
 isEveryoneAllowed ( $right)
 Check if all users may be assumed to have the given permission.
 
 newFatalPermissionDeniedStatus ( $permission, IContextSource $context)
 Factory function for fatal permission-denied errors.
 
 overrideUserRightsForTesting ( $user, $rights=[])
 Override the user permissions cache.
 
 quickUserCan ( $action, User $user, LinkTarget $page)
 A convenience method for calling PermissionManager::userCan with PermissionManager::RIGOR_QUICK.
 
 throwPermissionErrors ( $action, User $user, LinkTarget $page, $rigor=self::RIGOR_SECURE, $ignoreErrors=[])
 Like getPermissionErrors, but immediately throw if there are any errors.
 
 userCan ( $action, User $user, LinkTarget $page, $rigor=self::RIGOR_SECURE)
 Can $user perform $action on a page?
 
 userHasAllRights (UserIdentity $user,... $actions)
 Whether the user is allowed to perform all of the given actions.
 
 userHasAnyRight (UserIdentity $user,... $actions)
 Whether the user is generally allowed to perform at least one of the actions.
 
 userHasRight (UserIdentity $user, $action='')
 Whether the user is generally allowed to perform the given action.
 

Public Attributes

const CONSTRUCTOR_OPTIONS
 

Detailed Description

A service class for checking permissions. To obtain an instance, use MediaWikiServices::getInstance()->getPermissionManager().

Since
1.33

Definition at line 65 of file PermissionManager.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Permissions\PermissionManager::__construct ( ServiceOptions $options,
SpecialPageFactory $specialPageFactory,
NamespaceInfo $nsInfo,
GroupPermissionsLookup $groupPermissionsLookup,
UserGroupManager $userGroupManager,
BlockManager $blockManager,
BlockErrorFormatter $blockErrorFormatter,
HookContainer $hookContainer,
UserCache $userCache,
RedirectLookup $redirectLookup,
RestrictionStore $restrictionStore,
TitleFormatter $titleFormatter,
TempUserConfig $tempUserConfig,
UserFactory $userFactory,
ActionFactory $actionFactory )
Parameters
ServiceOptions $options
SpecialPageFactory $specialPageFactory
NamespaceInfo $nsInfo
GroupPermissionsLookup $groupPermissionsLookup
UserGroupManager $userGroupManager
BlockManager $blockManager
BlockErrorFormatter $blockErrorFormatter
HookContainer $hookContainer
UserCache $userCache
RedirectLookup $redirectLookup
RestrictionStore $restrictionStore
TitleFormatter $titleFormatter
TempUserConfig $tempUserConfig
UserFactory $userFactory
ActionFactory $actionFactory

Definition at line 283 of file PermissionManager.php.

References MediaWiki\Config\ServiceOptions\assertRequiredOptions().

Member Function Documentation

◆ addTemporaryUserRights()

MediaWiki\Permissions\PermissionManager::addTemporaryUserRights ( UserIdentity $user,
$rights )

Add temporary user rights, only valid for the current function scope.

This is meant for making it possible to programmatically trigger certain actions that the user wouldn't be able to trigger themselves; e.g. allow users without the bot right to make bot-flagged actions through certain special pages.

This returns a "scope guard" variable. Its only purpose is to be stored in a variable by the caller, which is automatically closed at the end of the function, at which point the rights are revoked again. Alternatively, you can close it earlier by consuming it via ScopedCallback::consume().

Since
1.34
Parameters
UserIdentity $user
string | string[] $rights
Returns
ScopedCallback

Definition at line 1886 of file PermissionManager.php.

References MediaWiki\User\UserIdentity\getId().
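
Added example (not part of the MediaWiki source or of this generated reference) showing the scope-guard pattern described above: the guard is held in a variable and consumed explicitly so that the elevated right covers only one step. The function name and its callable parameters are hypothetical.

```php
<?php
use MediaWiki\MediaWikiServices;
use MediaWiki\User\UserIdentity;
use Wikimedia\ScopedCallback;

/**
 * Hypothetical helper: run $privilegedStep with the 'bot' right granted to
 * $user, then run $followUp with the user's normal rights.
 */
function exampleRunWithBotRight(
	UserIdentity $user,
	callable $privilegedStep,
	callable $followUp
): array {
	$pm = MediaWikiServices::getInstance()->getPermissionManager();

	// The return value must be stored. If it is discarded, the ScopedCallback
	// is destroyed at once and the rights are revoked before the next
	// statement runs, so the privileged step would silently run without them.
	$guard = $pm->addTemporaryUserRights( $user, 'bot' );
	try {
		$result = $privilegedStep();
	} finally {
		// Revoke here instead of waiting for the end of the function, so that
		// $followUp (and anything it calls) never sees the elevated right,
		// even when $privilegedStep throws.
		ScopedCallback::consume( $guard );
	}

	return [ $result, $followUp() ];
}
```

Keeping the guarded region this small limits how much code runs with rights the user does not actually hold.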

◆ getAllPermissions()

MediaWiki\Permissions\PermissionManager::getAllPermissions ( )

Get a list of all permissions that can be managed through group permissions.

This does not include implicit rights which are granted to all users automatically.

See also
getImplicitRights()
Since
1.34
Returns
string[] Array of permission names

Definition at line 1724 of file PermissionManager.php.

◆ getApplicableBlock()

MediaWiki\Permissions\PermissionManager::getApplicableBlock ( string $action,
User $user,
string $rigor,
$page,
?WebRequest $request )

Return the Block object applicable for the given permission check, if any.

Access: internal
for use by UserAuthority only
Parameters
string $action: The action to check
User $user: User to check
string $rigor: One of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
LinkTarget | PageReference | null $page
WebRequest | null $request: The request to get the IP and cookies from. If this is null, IP and cookie blocks will not be checked.
Returns
?Block

Definition at line 863 of file PermissionManager.php.

◆ getImplicitRights()

MediaWiki\Permissions\PermissionManager::getImplicitRights ( )

Get a list of implicit rights.

Rights in this list should be granted to all users implicitly.

Implicit rights are defined to allow rate limits to be imposed on permissions.

Since
1.41
Returns
string[] Array of permission names

Definition at line 1750 of file PermissionManager.php.

◆ getNamespaceRestrictionLevels()

MediaWiki\Permissions\PermissionManager::getNamespaceRestrictionLevels ( $index,
UserIdentity $user = null )

Determine which restriction levels it makes sense to use in a namespace, optionally filtered by a user's rights.

Parameters
int $index: Namespace ID (index) to check
UserIdentity | null $user: User to check
Returns
string[]

Definition at line 1785 of file PermissionManager.php.

◆ getPermissionErrors()

MediaWiki\Permissions\PermissionManager::getPermissionErrors ( $action,
User $user,
LinkTarget $page,
$rigor = self::RIGOR_SECURE,
$ignoreErrors = [] )

Can $user perform $action on a page?

Todo
FIXME: This does not check throttles (User::pingLimiter()).
Parameters
string $action: Action that permission needs to be checked for
User $user: User to check
LinkTarget $page
string $rigor: One of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
string[] $ignoreErrors: Set this to a list of message keys whose corresponding errors may be ignored.
Returns
array[] Array of arrays of the arguments to wfMessage to explain permissions problems.

Definition at line 376 of file PermissionManager.php.

◆ getUserPermissions()

MediaWiki\Permissions\PermissionManager::getUserPermissions ( UserIdentity $user)

Get the permissions this user has.

Since
1.34
Parameters
UserIdentity $user
Returns
string[] permission names

Definition at line 1580 of file PermissionManager.php.

◆ invalidateUsersRightsCache()

MediaWiki\Permissions\PermissionManager::invalidateUsersRightsCache ( $user = null)

Clear the in-process permission cache for one or all users.

Since
1.34
Parameters
UserIdentity | null $user: If a specific user is provided it will clear the permission cache only for that user.

Definition at line 1639 of file PermissionManager.php.

◆ isBlockedFrom()

MediaWiki\Permissions\PermissionManager::isBlockedFrom ( User $user,
$page,
$fromReplica = false )

Check if user is blocked from editing a particular article.

If the user does not have a block, this will return false.

Parameters
User $user
PageIdentity | LinkTarget $page: Title to check
bool $fromReplica: Whether to check the replica DB instead of the primary DB
Returns
bool

Definition at line 438 of file PermissionManager.php.

◆ isEveryoneAllowed()

MediaWiki\Permissions\PermissionManager::isEveryoneAllowed ( $right)

Check if all users may be assumed to have the given permission.

We generally assume so if the right is granted to '*' and isn't revoked on any group. It doesn't attempt to take grants or other extension limitations on rights into account in the general case, though, as that would require it to always return false and defeat the purpose. Specifically, session-based rights restrictions (such as OAuth or bot passwords) are applied based on the current session.

Since
1.34
Parameters
string $right: Right to check
Returns
bool

Definition at line 1672 of file PermissionManager.php.

◆ newFatalPermissionDeniedStatus()

MediaWiki\Permissions\PermissionManager::newFatalPermissionDeniedStatus ( $permission,
IContextSource $context )

Factory function for fatal permission-denied errors.

Access: internal
for use by UserAuthority
Parameters
string $permission: User right required
IContextSource $context
Returns
PermissionStatus

Definition at line 764 of file PermissionManager.php.

◆ overrideUserRightsForTesting()

MediaWiki\Permissions\PermissionManager::overrideUserRightsForTesting ( $user,
$rights = [] )

Override the user permissions cache.

Access: internal
For testing only
Since
1.34
Parameters
User $user
string[] | string $rights

Definition at line 1903 of file PermissionManager.php.

◆ quickUserCan()

MediaWiki\Permissions\PermissionManager::quickUserCan ( $action,
User $user,
LinkTarget $page )

A convenience method for calling PermissionManager::userCan with PermissionManager::RIGOR_QUICK.

Suitable for use for nonessential UI controls in common cases, but not for functional access control. May provide false positives, but should never provide a false negative.

See also
PermissionManager::userCan()
Parameters
string $action
User $user
LinkTarget $page
Returns
bool

Definition at line 354 of file PermissionManager.php.

◆ throwPermissionErrors()

MediaWiki\Permissions\PermissionManager::throwPermissionErrors ( $action,
User $user,
LinkTarget $page,
$rigor = self::RIGOR_SECURE,
$ignoreErrors = [] )

Like getPermissionErrors, but immediately throw if there are any errors.

Parameters
string $action: Action that permission needs to be checked for
User $user: User to check
LinkTarget $page
string $rigor: One of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
string[] $ignoreErrors: Set this to a list of message keys whose corresponding errors may be ignored.
Exceptions
PermissionsError

Definition at line 415 of file PermissionManager.php.
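
Added example (not part of the MediaWiki source or of this generated reference) contrasting quickUserCan() for drawing a UI control with throwPermissionErrors() at RIGOR_SECURE for gating the write itself. The function names, the 'delete' action, the $doDelete callable and the RuntimeException are assumptions; the separate User::pingLimiter() call reflects the Todo under getPermissionErrors(), which notes that throttles are not checked.

```php
<?php
use MediaWiki\Linker\LinkTarget;
use MediaWiki\MediaWikiServices;
use MediaWiki\Permissions\PermissionManager;

// "User" is written unqualified, as on this page; import it from wherever
// the User class lives in the MediaWiki version in use.

/** UI layer (hypothetical): should a "delete" control be rendered? */
function exampleShowDeleteControl( User $user, LinkTarget $page ): bool {
	// RIGOR_QUICK may answer yes where the secure check would answer no,
	// so this result only decides what to draw, never what to allow.
	return MediaWikiServices::getInstance()->getPermissionManager()
		->quickUserCan( 'delete', $user, $page );
}

/** Request handler (hypothetical): the check that actually gates the write. */
function exampleHandleDelete( User $user, LinkTarget $page, callable $doDelete ) {
	$pm = MediaWikiServices::getInstance()->getPermissionManager();

	// Cheap and expensive checks, using the primary DB as needed.
	// Throws PermissionsError if any check fails, so nothing below runs.
	$pm->throwPermissionErrors(
		'delete', $user, $page, PermissionManager::RIGOR_SECURE
	);

	// The permission checks above do not cover throttles, so the rate
	// limit is tested separately. pingLimiter() returns true when the
	// limit for this action has been reached.
	if ( $user->pingLimiter( 'delete' ) ) {
		// Placeholder exception type chosen for this example.
		throw new RuntimeException( 'Rate limit exceeded' );
	}

	return $doDelete( $page );
}
```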

◆ userCan()

MediaWiki\Permissions\PermissionManager::userCan ( $action,
User $user,
LinkTarget $page,
$rigor = self::RIGOR_SECURE )

Can $user perform $action on a page?

The method replaced Title::userCan(). The $user parameter needs to be superseded by a UserIdentity value in future. The $title parameter needs to be superseded by a PageIdentity value in future.

Parameters
string $action
User $user
LinkTarget $page
string $rigor: One of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
Returns
bool

Definition at line 335 of file PermissionManager.php.

◆ userHasAllRights()

MediaWiki\Permissions\PermissionManager::userHasAllRights ( UserIdentity $user,
$actions )

Whether the user is allowed to perform all of the given actions.

Since
1.34
Parameters
UserIdentity $user
string ...$actions
Returns
bool True if user is allowed to perform all of the given actions

Definition at line 1564 of file PermissionManager.php.

◆ userHasAnyRight()

MediaWiki\Permissions\PermissionManager::userHasAnyRight ( UserIdentity $user,
$actions )

Whether the user is generally allowed to perform at least one of the actions.

Since
1.34
Parameters
UserIdentity $user
string ...$actions
Returns
bool True if user is allowed to perform any of the actions

Definition at line 1547 of file PermissionManager.php.

◆ userHasRight()

MediaWiki\Permissions\PermissionManager::userHasRight ( UserIdentity $user,
$action = '' )

Whether the user is generally allowed to perform the given action.

Since
1.34
Parameters
UserIdentity $user
string $action
Returns
bool True if allowed

Definition at line 1528 of file PermissionManager.php.

Member Data Documentation

◆ CONSTRUCTOR_OPTIONS

const MediaWiki\Permissions\PermissionManager::CONSTRUCTOR_OPTIONS
Initial value:
= [
]
const AvailableRights: Name constant for the AvailableRights setting, for use with Config::get()
const NamespaceProtection: Name constant for the NamespaceProtection setting, for use with Config::get()
const RevokePermissions: Name constant for the RevokePermissions setting, for use with Config::get()
const WhitelistRead: Name constant for the WhitelistRead setting, for use with Config::get()
const BlockDisablesLogin: Name constant for the BlockDisablesLogin setting, for use with Config::get()
const DeleteRevisionsLimit: Name constant for the DeleteRevisionsLimit setting, for use with Config::get()
const EmailConfirmToEdit: Name constant for the EmailConfirmToEdit setting, for use with Config::get()
const RateLimits: Name constant for the RateLimits setting, for use with Config::get()
const GroupPermissions: Name constant for the GroupPermissions setting, for use with Config::get()
const RestrictionLevels: Name constant for the RestrictionLevels setting, for use with Config::get()
const WhitelistReadRegexp: Name constant for the WhitelistReadRegexp setting, for use with Config::get()
const ImplicitRights: Name constant for the ImplicitRights setting, for use with Config::get()
const EnablePartialActionBlocks: Name constant for the EnablePartialActionBlocks setting, for use with Config::get()
Access: internal
For use by ServiceWiring

Definition at line 79 of file PermissionManager.php.


The documentation for this class was generated from the following file: