MediaWiki  master
MediaWiki\Permissions\PermissionManager Class Reference

A service class for checking permissions To obtain an instance, use MediaWikiServices::getInstance()->getPermissionManager(). More...

Public Member Functions

 __construct (ServiceOptions $options, SpecialPageFactory $specialPageFactory, NamespaceInfo $nsInfo, GroupPermissionsLookup $groupPermissionsLookup, UserGroupManager $userGroupManager, BlockErrorFormatter $blockErrorFormatter, HookContainer $hookContainer, UserCache $userCache, RedirectLookup $redirectLookup, RestrictionStore $restrictionStore, TitleFormatter $titleFormatter, TempUserConfig $tempUserConfig, UserFactory $userFactory, ActionFactory $actionFactory)
 
 addTemporaryUserRights (UserIdentity $user, $rights)
 Add temporary user rights, only valid for the current function scope. More...
 
 getAllPermissions ()
 Get a list of all available permissions. More...
 
 getGroupPermissions ( $groups)
 Get the permissions associated with a given list of groups. More...
 
 getGroupsWithPermission ( $role)
 Get all the groups who have a given permission. More...
 
 getNamespaceRestrictionLevels ( $index, UserIdentity $user=null)
 Determine which restriction levels it makes sense to use in a namespace, optionally filtered by a user's rights. More...
 
 getPermissionErrors ( $action, User $user, LinkTarget $page, $rigor=self::RIGOR_SECURE, $ignoreErrors=[])
 Can $user perform $action on a page? More...
 
 getUserPermissions (UserIdentity $user)
 Get the permissions this user has. More...
 
 groupHasPermission ( $group, $role)
 Check, if the given group has the given permission. More...
 
 invalidateUsersRightsCache ( $user=null)
 Clear the in-process permission cache for one or all users. More...
 
 isBlockedFrom (User $user, $page, $fromReplica=false)
 Check if user is blocked from editing a particular article. More...
 
 isEveryoneAllowed ( $right)
 Check if all users may be assumed to have the given permission. More...
 
 overrideUserRightsForTesting ( $user, $rights=[])
 Override the user permissions cache. More...
 
 quickUserCan ( $action, User $user, LinkTarget $page)
 A convenience method for calling PermissionManager::userCan with PermissionManager::RIGOR_QUICK. More...
 
 throwPermissionErrors ( $action, User $user, LinkTarget $page, $rigor=self::RIGOR_SECURE, $ignoreErrors=[])
 Like getPermissionErrors, but immediately throw if there are any errors. More...
 
 userCan ( $action, User $user, LinkTarget $page, $rigor=self::RIGOR_SECURE)
 Can $user perform $action on a page? More...
 
 userHasAllRights (UserIdentity $user,... $actions)
 Whether the user is allowed to perform all of the given actions. More...
 
 userHasAnyRight (UserIdentity $user,... $actions)
 Whether the user is generally allowed to perform at least one of the actions. More...
 
 userHasRight (UserIdentity $user, $action='')
 Whether the user is generally allowed to perform the given action. More...
 

Public Attributes

const CONSTRUCTOR_OPTIONS
 

Detailed Description

A service class for checking permissions To obtain an instance, use MediaWikiServices::getInstance()->getPermissionManager().

Since
1.33

Definition at line 57 of file PermissionManager.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Permissions\PermissionManager::__construct ( ServiceOptions  $options,
SpecialPageFactory  $specialPageFactory,
NamespaceInfo  $nsInfo,
GroupPermissionsLookup  $groupPermissionsLookup,
UserGroupManager  $userGroupManager,
BlockErrorFormatter  $blockErrorFormatter,
HookContainer  $hookContainer,
UserCache  $userCache,
RedirectLookup  $redirectLookup,
RestrictionStore  $restrictionStore,
TitleFormatter  $titleFormatter,
TempUserConfig  $tempUserConfig,
UserFactory  $userFactory,
ActionFactory  $actionFactory 
)
Parameters
ServiceOptions$options
SpecialPageFactory$specialPageFactory
NamespaceInfo$nsInfo
GroupPermissionsLookup$groupPermissionsLookup
UserGroupManager$userGroupManager
BlockErrorFormatter$blockErrorFormatter
HookContainer$hookContainer
UserCache$userCache
RedirectLookup$redirectLookup
RestrictionStore$restrictionStore
TitleFormatter$titleFormatter
TempUserConfig$tempUserConfig
UserFactory$userFactory
ActionFactory$actionFactory

Definition at line 248 of file PermissionManager.php.

References MediaWiki\Config\ServiceOptions\assertRequiredOptions().

Member Function Documentation

◆ addTemporaryUserRights()

MediaWiki\Permissions\PermissionManager::addTemporaryUserRights ( UserIdentity  $user,
  $rights 
)

Add temporary user rights, only valid for the current function scope.

This is meant for making it possible to programatically trigger certain actions that the user wouldn't be able to trigger themselves; e.g. allow users without the bot right to make bot-flagged actions through certain special pages.

This returns a "scope guard" variable. Its only purpose is to be stored in a variable by the caller, which is automatically closed at the end of the function, at which point the rights are revoked again. Alternatively, you can close it earlier by consuming it via ScopedCallback::consume().

Since
1.34
Parameters
UserIdentity$user
string | string[]$rights
Returns
ScopedCallback

Definition at line 1796 of file PermissionManager.php.

References MediaWiki\User\UserIdentity\getId().

◆ getAllPermissions()

MediaWiki\Permissions\PermissionManager::getAllPermissions ( )

Get a list of all available permissions.

Since
1.34
Returns
string[] Array of permission names

Definition at line 1657 of file PermissionManager.php.

◆ getGroupPermissions()

MediaWiki\Permissions\PermissionManager::getGroupPermissions (   $groups)

Get the permissions associated with a given list of groups.

Since
1.34
Deprecated:
since 1.36 Use GroupPermissionsLookup instead
Parameters
string[]$groupsinternal group names
Returns
string[] permission key names for given groups combined

Definition at line 1577 of file PermissionManager.php.

◆ getGroupsWithPermission()

MediaWiki\Permissions\PermissionManager::getGroupsWithPermission (   $role)

Get all the groups who have a given permission.

Since
1.34
Deprecated:
since 1.36, use GroupPermissionsLookup instead.
Parameters
string$roleRole to check
Returns
string[] internal group names with the given permission

Definition at line 1589 of file PermissionManager.php.

◆ getNamespaceRestrictionLevels()

MediaWiki\Permissions\PermissionManager::getNamespaceRestrictionLevels (   $index,
UserIdentity  $user = null 
)

Determine which restriction levels it makes sense to use in a namespace, optionally filtered by a user's rights.

Parameters
int$indexNamespace ID (index) to check
UserIdentity | null$userUser to check
Returns
string[]

Definition at line 1695 of file PermissionManager.php.

◆ getPermissionErrors()

MediaWiki\Permissions\PermissionManager::getPermissionErrors (   $action,
User  $user,
LinkTarget  $page,
  $rigor = self::RIGOR_SECURE,
  $ignoreErrors = [] 
)

Can $user perform $action on a page?

Todo:
FIXME: This does not check throttles (User::pingLimiter()).
Parameters
string$actionAction that permission needs to be checked for
User$userUser to check
LinkTarget$page
string$rigorOne of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
string[]$ignoreErrorsSet this to a list of message keys whose corresponding errors may be ignored.
Returns
array[] Array of arrays of the arguments to wfMessage to explain permissions problems.

Definition at line 338 of file PermissionManager.php.

◆ getUserPermissions()

MediaWiki\Permissions\PermissionManager::getUserPermissions ( UserIdentity  $user)

Get the permissions this user has.

Since
1.34
Parameters
UserIdentity$user
Returns
string[] permission names

Definition at line 1476 of file PermissionManager.php.

References User\newFromIdentity().

◆ groupHasPermission()

MediaWiki\Permissions\PermissionManager::groupHasPermission (   $group,
  $role 
)

Check, if the given group has the given permission.

If you're wanting to check whether all users have a permission, use PermissionManager::isEveryoneAllowed() instead. That properly checks if it's revoked from anyone.

Since
1.34
Deprecated:
since 1.36 Use GroupPermissionsLookup instead
Parameters
string$groupGroup to check
string$roleRole to check
Returns
bool

Definition at line 1565 of file PermissionManager.php.

◆ invalidateUsersRightsCache()

MediaWiki\Permissions\PermissionManager::invalidateUsersRightsCache (   $user = null)

Clear the in-process permission cache for one or all users.

Since
1.34
Parameters
UserIdentity | null$userIf a specific user is provided it will clear the permission cache only for that user.

Definition at line 1533 of file PermissionManager.php.

◆ isBlockedFrom()

MediaWiki\Permissions\PermissionManager::isBlockedFrom ( User  $user,
  $page,
  $fromReplica = false 
)

Check if user is blocked from editing a particular article.

If the user does not have a block, this will return false.

Parameters
User$user
PageIdentity | LinkTarget$pageTitle to check
bool$fromReplicaWhether to check the replica DB instead of the primary DB
Returns
bool

Definition at line 400 of file PermissionManager.php.

◆ isEveryoneAllowed()

MediaWiki\Permissions\PermissionManager::isEveryoneAllowed (   $right)

Check if all users may be assumed to have the given permission.

We generally assume so if the right is granted to '*' and isn't revoked on any group. It doesn't attempt to take grants or other extension limitations on rights into account in the general case, though, as that would require it to always return false and defeat the purpose. Specifically, session-based rights restrictions (such as OAuth or bot passwords) are applied based on the current session.

Since
1.34
Parameters
string$rightRight to check
Returns
bool

Definition at line 1607 of file PermissionManager.php.

◆ overrideUserRightsForTesting()

MediaWiki\Permissions\PermissionManager::overrideUserRightsForTesting (   $user,
  $rights = [] 
)

Override the user permissions cache.

Definition at line 1813 of file PermissionManager.php.

◆ quickUserCan()

MediaWiki\Permissions\PermissionManager::quickUserCan (   $action,
User  $user,
LinkTarget  $page 
)

A convenience method for calling PermissionManager::userCan with PermissionManager::RIGOR_QUICK.

Suitable for use for nonessential UI controls in common cases, but not for functional access control. May provide false positives, but should never provide a false negative.

See also
PermissionManager::userCan()
Parameters
string$action
User$user
LinkTarget$page
Returns
bool

Definition at line 317 of file PermissionManager.php.

◆ throwPermissionErrors()

MediaWiki\Permissions\PermissionManager::throwPermissionErrors (   $action,
User  $user,
LinkTarget  $page,
  $rigor = self::RIGOR_SECURE,
  $ignoreErrors = [] 
)

Like getPermissionErrors, but immediately throw if there are any errors.

Parameters
string$actionAction that permission needs to be checked for
User$userUser to check
LinkTarget$page
string$rigorOne of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
string[]$ignoreErrorsSet this to a list of message keys whose corresponding errors may be ignored.
Exceptions
PermissionsError

Definition at line 377 of file PermissionManager.php.

◆ userCan()

MediaWiki\Permissions\PermissionManager::userCan (   $action,
User  $user,
LinkTarget  $page,
  $rigor = self::RIGOR_SECURE 
)

Can $user perform $action on a page?

The method replaced Title::userCan() The $user parameter need to be superseded by UserIdentity value in future The $title parameter need to be superseded by PageIdentity value in future

Parameters
string$action
User$user
LinkTarget$page
string$rigorOne of PermissionManager::RIGOR_ constants
  • RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
  • RIGOR_FULL : does cheap and expensive checks possibly from a replica DB
  • RIGOR_SECURE : does cheap and expensive checks, using the primary DB as needed
Returns
bool

Definition at line 298 of file PermissionManager.php.

◆ userHasAllRights()

MediaWiki\Permissions\PermissionManager::userHasAllRights ( UserIdentity  $user,
  $actions 
)

Whether the user is allowed to perform all of the given actions.

Since
1.34
Parameters
UserIdentity$user
string...$actions
Returns
bool True if user is allowed to perform all of the given actions

Definition at line 1460 of file PermissionManager.php.

◆ userHasAnyRight()

MediaWiki\Permissions\PermissionManager::userHasAnyRight ( UserIdentity  $user,
  $actions 
)

Whether the user is generally allowed to perform at least one of the actions.

Since
1.34
Parameters
UserIdentity$user
string...$actions
Returns
bool True if user is allowed to perform any of the actions

Definition at line 1443 of file PermissionManager.php.

◆ userHasRight()

MediaWiki\Permissions\PermissionManager::userHasRight ( UserIdentity  $user,
  $action = '' 
)

Whether the user is generally allowed to perform the given action.

Since
1.34
Parameters
UserIdentity$user
string$action
Returns
bool True if allowed

Definition at line 1425 of file PermissionManager.php.

Member Data Documentation

◆ CONSTRUCTOR_OPTIONS

const MediaWiki\Permissions\PermissionManager::CONSTRUCTOR_OPTIONS
Initial value:
= [
]
const AvailableRights
Name constant for the AvailableRights setting, for use with Config::get()
const NamespaceProtection
Name constant for the NamespaceProtection setting, for use with Config::get()
const RevokePermissions
Name constant for the RevokePermissions setting, for use with Config::get()
const WhitelistRead
Name constant for the WhitelistRead setting, for use with Config::get()
const BlockDisablesLogin
Name constant for the BlockDisablesLogin setting, for use with Config::get()
const DeleteRevisionsLimit
Name constant for the DeleteRevisionsLimit setting, for use with Config::get()
const EmailConfirmToEdit
Name constant for the EmailConfirmToEdit setting, for use with Config::get()
const GroupPermissions
Name constant for the GroupPermissions setting, for use with Config::get()
const RestrictionLevels
Name constant for the RestrictionLevels setting, for use with Config::get()
const WhitelistReadRegexp
Name constant for the WhitelistReadRegexp setting, for use with Config::get()
const EnablePartialActionBlocks
Name constant for the EnablePartialActionBlocks setting, for use with Config::get()
Access: internal
For use by ServiceWiring

Definition at line 71 of file PermissionManager.php.


The documentation for this class was generated from the following file: