MediaWiki master
Public Member Functions | Public Attributes | List of all members
MediaWiki\Permissions\PermissionManager Class Reference

A service class for checking permissions To obtain an instance, use MediaWikiServices::getInstance()->getPermissionManager(). More...

Public Member Functions

 __construct (ServiceOptions $options, SpecialPageFactory $specialPageFactory, NamespaceInfo $nsInfo, GroupPermissionsLookup $groupPermissionsLookup, UserGroupManager $userGroupManager, BlockManager $blockManager, BlockErrorFormatter $blockErrorFormatter, HookContainer $hookContainer, UserIdentityLookup $userIdentityLookup, RedirectLookup $redirectLookup, RestrictionStore $restrictionStore, TitleFormatter $titleFormatter, TempUserConfig $tempUserConfig, UserFactory $userFactory, ActionFactory $actionFactory)
 
 addTemporaryUserRights (UserIdentity $user, $rights)
 Add temporary user rights, only valid for the current function scope.
 
 getAllPermissions ()
 Get a list of all permissions that can be managed through group permissions.
 
 getApplicableBlock (string $action, User $user, string $rigor, $page, ?WebRequest $request)
 Return the Block object applicable for the given permission check, if any.
 
 getImplicitRights ()
 Get a list of implicit rights.
 
 getNamespaceRestrictionLevels ( $index, ?UserIdentity $user=null)
 Determine which restriction levels it makes sense to use in a namespace, optionally filtered by a user's rights.
 
 getPermissionErrors ( $action, User $user, LinkTarget $page, $rigor=self::RIGOR_SECURE, $ignoreErrors=[])
 Can $user perform $action on a page?
 
 getPermissionStatus ( $action, User $user, LinkTarget $page, $rigor=self::RIGOR_SECURE, $short=false)
 Can $user perform $action on a page?
 
 getUserPermissions (UserIdentity $user)
 Get the permissions this user has.
 
 invalidateUsersRightsCache ( $user=null)
 Clear the in-process permission cache for one or all users.
 
 isBlockedFrom (User $user, $page, $fromReplica=false)
 Check if user is blocked from editing a particular article.
 
 isEveryoneAllowed ( $right)
 Check if all users may be assumed to have the given permission.
 
 newFatalPermissionDeniedStatus ( $permission, IContextSource $context)
 Factory function for fatal permission-denied errors.
 
 overrideUserRightsForTesting ( $user, $rights=[])
 Override the user permissions cache.
 
 quickUserCan ( $action, User $user, LinkTarget $page)
 A convenience method for calling PermissionManager::userCan with PermissionManager::RIGOR_QUICK.
 
 throwPermissionErrors ( $action, User $user, LinkTarget $page, $rigor=self::RIGOR_SECURE, $ignoreErrors=[])
 Like getPermissionErrors, but immediately throw if there are any errors.
 
 userCan ( $action, User $user, LinkTarget $page, $rigor=self::RIGOR_SECURE)
 Can $user perform $action on a page?
 
 userHasAllRights (UserIdentity $user,... $actions)
 Whether the user is allowed to perform all of the given actions.
 
 userHasAnyRight (UserIdentity $user,... $actions)
 Whether the user is generally allowed to perform at least one of the actions.
 
 userHasRight (UserIdentity $user, $action='')
 Whether the user is generally allowed to perform the given action.
 

Public Attributes

const CONSTRUCTOR_OPTIONS
 

Detailed Description

A service class for checking permissions To obtain an instance, use MediaWikiServices::getInstance()->getPermissionManager().

Since
1.33

Definition at line 65 of file PermissionManager.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Permissions\PermissionManager::__construct ( ServiceOptions $options,
SpecialPageFactory $specialPageFactory,
NamespaceInfo $nsInfo,
GroupPermissionsLookup $groupPermissionsLookup,
UserGroupManager $userGroupManager,
BlockManager $blockManager,
BlockErrorFormatter $blockErrorFormatter,
HookContainer $hookContainer,
UserIdentityLookup $userIdentityLookup,
RedirectLookup $redirectLookup,
RestrictionStore $restrictionStore,
TitleFormatter $titleFormatter,
TempUserConfig $tempUserConfig,
UserFactory $userFactory,
ActionFactory $actionFactory )

Definition at line 238 of file PermissionManager.php.

References MediaWiki\Config\ServiceOptions\assertRequiredOptions().

Member Function Documentation

◆ addTemporaryUserRights()

MediaWiki\Permissions\PermissionManager::addTemporaryUserRights ( UserIdentity $user,
$rights )

Add temporary user rights, only valid for the current function scope.

This is meant for making it possible to programatically trigger certain actions that the user wouldn't be able to trigger themselves; e.g. allow users without the bot right to make bot-flagged actions through certain special pages.

This returns a "scope guard" variable. Its only purpose is to be stored in a variable by the caller, which is automatically closed at the end of the function, at which point the rights are revoked again. Alternatively, you can close it earlier by consuming it via ScopedCallback::consume().

Since
1.34
Parameters
UserIdentity$user
string | string[]$rights
Returns
ScopedCallback

Definition at line 1889 of file PermissionManager.php.

References MediaWiki\User\UserIdentity\getId().

◆ getAllPermissions()

MediaWiki\Permissions\PermissionManager::getAllPermissions ( )

Get a list of all permissions that can be managed through group permissions.

This does not include implicit rights which are granted to all users automatically.

See also
getImplicitRights()
Since
1.34
Returns
string[] Array of permission names

Definition at line 1727 of file PermissionManager.php.

◆ getApplicableBlock()

MediaWiki\Permissions\PermissionManager::getApplicableBlock ( string $action,
User $user,
string $rigor,
$page,
?WebRequest $request )

Return the Block object applicable for the given permission check, if any.

Access: internal
for use by UserAuthority only
Parameters
string$actionThe action to check
User$userUser to check
string$rigorOne of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
LinkTarget | PageReference | null$page
WebRequest | null$requestThe request to get the IP and cookies from. If this is null, IP and cookie blocks will not be checked.
Returns
?Block

Definition at line 850 of file PermissionManager.php.

◆ getImplicitRights()

MediaWiki\Permissions\PermissionManager::getImplicitRights ( )

Get a list of implicit rights.

Rights in this list should be granted to all users implicitly.

Implicit rights are defined to allow rate limits to be imposed on permissions

Since
1.41
Returns
string[] Array of permission names

Definition at line 1753 of file PermissionManager.php.

◆ getNamespaceRestrictionLevels()

MediaWiki\Permissions\PermissionManager::getNamespaceRestrictionLevels ( $index,
?UserIdentity $user = null )

Determine which restriction levels it makes sense to use in a namespace, optionally filtered by a user's rights.

Parameters
int$indexNamespace ID (index) to check
UserIdentity | null$userUser to check
Returns
string[]

Definition at line 1788 of file PermissionManager.php.

◆ getPermissionErrors()

MediaWiki\Permissions\PermissionManager::getPermissionErrors ( $action,
User $user,
LinkTarget $page,
$rigor = self::RIGOR_SECURE,
$ignoreErrors = [] )

Can $user perform $action on a page?

This does not check throttles (User::pingLimiter()). If that's desired, use the Authority interface methods instead.

Deprecated
since 1.43 Use getPermissionStatus() instead.
Parameters
string$actionAction that permission needs to be checked for
User$userUser to check
LinkTarget$page
string$rigorOne of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
string[]$ignoreErrorsSet this to a list of message keys whose corresponding errors may be ignored.
Returns
array[] Permission errors. Each entry contains valid arguments for wfMessage() / MessageLocalizer::msg(). The format is different from the normal "legacy error array", as used by Status::getErrorsArray() or PermissionStatus::toLegacyErrorArray(): the first element of each entry can be a MessageSpecifier, not just a string.

Definition at line 349 of file PermissionManager.php.

References Wikimedia\Message\MessageSpecifier\getKey().

◆ getPermissionStatus()

MediaWiki\Permissions\PermissionManager::getPermissionStatus ( $action,
User $user,
LinkTarget $page,
$rigor = self::RIGOR_SECURE,
$short = false )

Can $user perform $action on a page?

This does not check throttles (User::pingLimiter()). If that's desired, use the Authority interface methods instead.

Parameters
string$actionAction that permission needs to be checked for
User$userUser to check
LinkTarget$page
string$rigorOne of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
bool$shortSet this to true to stop after the first permission error.
Returns
PermissionStatus Permission errors as a status. Check $status->isGood() to tell if the user can perform the action. Use $status->getMessages() to display errors if the status is not good.

Definition at line 441 of file PermissionManager.php.

◆ getUserPermissions()

MediaWiki\Permissions\PermissionManager::getUserPermissions ( UserIdentity $user)

Get the permissions this user has.

Since
1.34
Parameters
UserIdentity$user
Returns
string[] permission names

Definition at line 1578 of file PermissionManager.php.

◆ invalidateUsersRightsCache()

MediaWiki\Permissions\PermissionManager::invalidateUsersRightsCache ( $user = null)

Clear the in-process permission cache for one or all users.

Since
1.34
Parameters
UserIdentity | null$userIf a specific user is provided it will clear the permission cache only for that user.

Definition at line 1642 of file PermissionManager.php.

◆ isBlockedFrom()

MediaWiki\Permissions\PermissionManager::isBlockedFrom ( User $user,
$page,
$fromReplica = false )

Check if user is blocked from editing a particular article.

If the user does not have a block, this will return false.

Parameters
User$user
PageIdentity | LinkTarget$pageTitle to check
bool$fromReplicaWhether to check the replica DB instead of the primary DB
Returns
bool

Definition at line 413 of file PermissionManager.php.

◆ isEveryoneAllowed()

MediaWiki\Permissions\PermissionManager::isEveryoneAllowed ( $right)

Check if all users may be assumed to have the given permission.

We generally assume so if the right is granted to '*' and isn't revoked on any group. It doesn't attempt to take grants or other extension limitations on rights into account in the general case, though, as that would require it to always return false and defeat the purpose. Specifically, session-based rights restrictions (such as OAuth or bot passwords) are applied based on the current session.

Since
1.34
Parameters
string$rightRight to check
Returns
bool

Definition at line 1675 of file PermissionManager.php.

◆ newFatalPermissionDeniedStatus()

MediaWiki\Permissions\PermissionManager::newFatalPermissionDeniedStatus ( $permission,
IContextSource $context )

Factory function for fatal permission-denied errors.

Access: internal
for use by UserAuthority
Parameters
string$permissionUser right required
IContextSource$context
Returns
PermissionStatus

Definition at line 752 of file PermissionManager.php.

◆ overrideUserRightsForTesting()

MediaWiki\Permissions\PermissionManager::overrideUserRightsForTesting ( $user,
$rights = [] )

Override the user permissions cache.

Access: internal
For testing only
Since
1.34
Parameters
UserIdentity$user
string[] | string$rights

Definition at line 1906 of file PermissionManager.php.

◆ quickUserCan()

MediaWiki\Permissions\PermissionManager::quickUserCan ( $action,
User $user,
LinkTarget $page )

A convenience method for calling PermissionManager::userCan with PermissionManager::RIGOR_QUICK.

Suitable for use for nonessential UI controls in common cases, but not for functional access control. May provide false positives, but should never provide a false negative.

See also
PermissionManager::userCan()
Parameters
string$action
User$user
LinkTarget$page
Returns
bool

Definition at line 309 of file PermissionManager.php.

◆ throwPermissionErrors()

MediaWiki\Permissions\PermissionManager::throwPermissionErrors ( $action,
User $user,
LinkTarget $page,
$rigor = self::RIGOR_SECURE,
$ignoreErrors = [] )

Like getPermissionErrors, but immediately throw if there are any errors.

Parameters
string$actionAction that permission needs to be checked for
User$userUser to check
LinkTarget$page
string$rigorOne of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
string[]$ignoreErrorsSet this to a list of message keys whose corresponding errors may be ignored.
Exceptions
PermissionsError

Definition at line 390 of file PermissionManager.php.

◆ userCan()

MediaWiki\Permissions\PermissionManager::userCan ( $action,
User $user,
LinkTarget $page,
$rigor = self::RIGOR_SECURE )

Can $user perform $action on a page?

The method replaced Title::userCan() The $user parameter need to be superseded by UserIdentity value in future The $title parameter need to be superseded by PageIdentity value in future

Parameters
string$action
User$user
LinkTarget$page
string$rigorOne of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
Returns
bool

Definition at line 290 of file PermissionManager.php.

◆ userHasAllRights()

MediaWiki\Permissions\PermissionManager::userHasAllRights ( UserIdentity $user,
$actions )

Whether the user is allowed to perform all of the given actions.

Since
1.34
Parameters
UserIdentity$user
string...$actions
Returns
bool True if user is allowed to perform all of the given actions

Definition at line 1562 of file PermissionManager.php.

◆ userHasAnyRight()

MediaWiki\Permissions\PermissionManager::userHasAnyRight ( UserIdentity $user,
$actions )

Whether the user is generally allowed to perform at least one of the actions.

Since
1.34
Parameters
UserIdentity$user
string...$actions
Returns
bool True if user is allowed to perform any of the actions

Definition at line 1545 of file PermissionManager.php.

◆ userHasRight()

MediaWiki\Permissions\PermissionManager::userHasRight ( UserIdentity $user,
$action = '' )

Whether the user is generally allowed to perform the given action.

Since
1.34
Parameters
UserIdentity$user
string$action
Returns
bool True if allowed

Definition at line 1526 of file PermissionManager.php.

Member Data Documentation

◆ CONSTRUCTOR_OPTIONS

const MediaWiki\Permissions\PermissionManager::CONSTRUCTOR_OPTIONS
Initial value:
= [
MainConfigNames::WhitelistRead,
MainConfigNames::WhitelistReadRegexp,
MainConfigNames::EmailConfirmToEdit,
MainConfigNames::BlockDisablesLogin,
MainConfigNames::EnablePartialActionBlocks,
MainConfigNames::GroupPermissions,
MainConfigNames::RevokePermissions,
MainConfigNames::AvailableRights,
MainConfigNames::NamespaceProtection,
MainConfigNames::RestrictionLevels,
MainConfigNames::DeleteRevisionsLimit,
MainConfigNames::RateLimits,
MainConfigNames::ImplicitRights,
]
MediaWiki\MainConfigNames\AvailableRights
const AvailableRights
Name constant for the AvailableRights setting, for use with Config::get()
Definition MainConfigNames.php:2887
MediaWiki\MainConfigNames\NamespaceProtection
const NamespaceProtection
Name constant for the NamespaceProtection setting, for use with Config::get()
Definition MainConfigNames.php:2827
MediaWiki\MainConfigNames\RevokePermissions
const RevokePermissions
Name constant for the RevokePermissions setting, for use with Config::get()
Definition MainConfigNames.php:2773
MediaWiki\MainConfigNames\WhitelistRead
const WhitelistRead
Name constant for the WhitelistRead setting, for use with Config::get()
Definition MainConfigNames.php:2737
MediaWiki\MainConfigNames\BlockDisablesLogin
const BlockDisablesLogin
Name constant for the BlockDisablesLogin setting, for use with Config::get()
Definition MainConfigNames.php:2713
MediaWiki\MainConfigNames\DeleteRevisionsLimit
const DeleteRevisionsLimit
Name constant for the DeleteRevisionsLimit setting, for use with Config::get()
Definition MainConfigNames.php:2899
MediaWiki\MainConfigNames\EmailConfirmToEdit
const EmailConfirmToEdit
Name constant for the EmailConfirmToEdit setting, for use with Config::get()
Definition MainConfigNames.php:2749
MediaWiki\MainConfigNames\RateLimits
const RateLimits
Name constant for the RateLimits setting, for use with Config::get()
Definition MainConfigNames.php:2983
MediaWiki\MainConfigNames\GroupPermissions
const GroupPermissions
Name constant for the GroupPermissions setting, for use with Config::get()
Definition MainConfigNames.php:2761
MediaWiki\MainConfigNames\RestrictionLevels
const RestrictionLevels
Name constant for the RestrictionLevels setting, for use with Config::get()
Definition MainConfigNames.php:2809
MediaWiki\MainConfigNames\WhitelistReadRegexp
const WhitelistReadRegexp
Name constant for the WhitelistReadRegexp setting, for use with Config::get()
Definition MainConfigNames.php:2743
MediaWiki\MainConfigNames\ImplicitRights
const ImplicitRights
Name constant for the ImplicitRights setting, for use with Config::get()
Definition MainConfigNames.php:2893
MediaWiki\MainConfigNames\EnablePartialActionBlocks
const EnablePartialActionBlocks
Name constant for the EnablePartialActionBlocks setting, for use with Config::get()
Definition MainConfigNames.php:2719
Access: internal
For use by ServiceWiring

Definition at line 79 of file PermissionManager.php.

The documentation for this class was generated from the following file: