use Action;
use ContentHandler;
use FauxRequest;
+use LoggedServiceOptions;
use MediaWiki\Block\DatabaseBlock;
use MediaWiki\Block\Restriction\NamespaceRestriction;
use MediaWiki\Block\Restriction\PageRestriction;
use MediaWiki\Permissions\PermissionManager;
use MediaWiki\Revision\MutableRevisionRecord;
use MediaWiki\Revision\RevisionLookup;
+use MWException;
+use TestAllServiceOptionsUsed;
use Wikimedia\ScopedCallback;
use MediaWiki\Session\SessionId;
use MediaWiki\Session\TestUtils;
* @covers \MediaWiki\Permissions\PermissionManager
*/
class PermissionManagerTest extends MediaWikiLangTestCase {
+ use TestAllServiceOptionsUsed;
/**
* @var string
$this->user = $this->userUser;
}
-
- $this->resetServices();
}
public function tearDown() {
} else {
$this->user = $this->altUser;
}
- $this->resetServices();
}
/**
global $wgGroupPermissions;
$old = $wgGroupPermissions;
- $wgGroupPermissions = [];
- $this->resetServices();
+ $this->setMwGlobals( 'wgGroupPermissions', [] );
$this->assertEquals( $check[$action][1],
MediaWikiServices::getInstance()->getPermissionManager()
$this->assertEquals( $check[$action][1],
MediaWikiServices::getInstance()->getPermissionManager()
->getPermissionErrors( $action, $this->user, $this->title, 'secure' ) );
- $wgGroupPermissions = $old;
- $this->resetServices();
+ $this->setMwGlobals( 'wgGroupPermissions', $old );
$this->overrideUserPermissions( $this->user, $action );
$this->assertEquals( $check[$action][2],
->userCan( $action, $this->user, $this->title, true ) );
$this->assertEquals( $check[$action][3],
MediaWikiServices::getInstance()->getPermissionManager()
- ->userCan( $action, $this->user, $this->title,
- PermissionManager::RIGOR_QUICK ) );
+ ->quickUserCan( $action, $this->user, $this->title ) );
# count( User::getGroupsWithPermissions( $action ) ) < 1
}
}
protected function runGroupPermissions( $perm, $action, $result, $result2 = null ) {
- global $wgGroupPermissions;
-
if ( $result2 === null ) {
$result2 = $result;
}
- $wgGroupPermissions['autoconfirmed']['move'] = false;
- $wgGroupPermissions['user']['move'] = false;
- $this->resetServices();
+ $this->setGroupPermissions( 'autoconfirmed', 'move', false );
+ $this->setGroupPermissions( 'user', 'move', false );
$this->overrideUserPermissions( $this->user, $perm );
$res = MediaWikiServices::getInstance()->getPermissionManager()
->getPermissionErrors( $action, $this->user, $this->title );
$this->assertEquals( $result, $res );
- $wgGroupPermissions['autoconfirmed']['move'] = true;
- $wgGroupPermissions['user']['move'] = false;
- $this->resetServices();
+ $this->setGroupPermissions( 'autoconfirmed', 'move', true );
+ $this->setGroupPermissions( 'user', 'move', false );
$this->overrideUserPermissions( $this->user, $perm );
$res = MediaWikiServices::getInstance()->getPermissionManager()
->getPermissionErrors( $action, $this->user, $this->title );
$this->assertEquals( $result2, $res );
- $wgGroupPermissions['autoconfirmed']['move'] = true;
- $wgGroupPermissions['user']['move'] = true;
- $this->resetServices();
+ $this->setGroupPermissions( 'autoconfirmed', 'move', true );
+ $this->setGroupPermissions( 'user', 'move', true );
$this->overrideUserPermissions( $this->user, $perm );
$res = MediaWikiServices::getInstance()->getPermissionManager()
->getPermissionErrors( $action, $this->user, $this->title );
$this->assertEquals( $result2, $res );
- $wgGroupPermissions['autoconfirmed']['move'] = false;
- $wgGroupPermissions['user']['move'] = true;
- $this->resetServices();
+ $this->setGroupPermissions( 'autoconfirmed', 'move', false );
+ $this->setGroupPermissions( 'user', 'move', true );
$this->overrideUserPermissions( $this->user, $perm );
$res = MediaWikiServices::getInstance()->getPermissionManager()
->getPermissionErrors( $action, $this->user, $this->title );
* @covers MediaWiki\Permissions\PermissionManager::checkSpecialsAndNSPermissions
*/
public function testSpecialsAndNSPermissions() {
- global $wgNamespaceProtection;
$this->setUser( $this->userName );
$this->setTitle( NS_SPECIAL );
MediaWikiServices::getInstance()->getPermissionManager()
->getPermissionErrors( 'bogus', $this->user, $this->title ) );
- $wgNamespaceProtection[NS_USER] = [ 'bogus' ];
+ $this->mergeMwGlobalArrayValue( 'wgNamespaceProtection', [
+ NS_USER => [ 'bogus' ]
+ ] );
+ $this->resetServices();
+ $this->overrideUserPermissions( $this->user, '' );
$this->setTitle( NS_USER );
- $this->overrideUserPermissions( $this->user, '' );
$this->assertEquals( [ [ 'badaccess-group0' ],
[ 'namespaceprotected', 'User', 'bogus' ] ],
MediaWikiServices::getInstance()->getPermissionManager()
MediaWikiServices::getInstance()->getPermissionManager()
->getPermissionErrors( 'bogus', $this->user, $this->title ) );
- $wgNamespaceProtection = null;
-
+ $this->setMwGlobals( 'wgNamespaceProtection', null );
+ $this->resetServices();
$this->overrideUserPermissions( $this->user, 'bogus' );
+
$this->assertEquals( [],
MediaWikiServices::getInstance()->getPermissionManager()
->getPermissionErrors( 'bogus', $this->user, $this->title ) );
}
} );
$permissionManager = new PermissionManager(
+ new LoggedServiceOptions(
+ self::$serviceOptionsAccessLog,
+ PermissionManager::$constructorOptions,
+ [
+ 'WhitelistRead' => [],
+ 'WhitelistReadRegexp' => [],
+ 'EmailConfirmToEdit' => false,
+ 'BlockDisablesLogin' => false,
+ 'GroupPermissions' => [],
+ 'RevokePermissions' => [],
+ 'AvailableRights' => [],
+ 'NamespaceProtection' => [],
+ 'RestrictionLevels' => []
+ ]
+ ),
$services->getSpecialPageFactory(),
$revisionLookup,
- [],
- [],
- false,
- false,
- [],
- [],
- [],
MediaWikiServices::getInstance()->getNamespaceInfo()
);
$this->setService( 'PermissionManager', $permissionManager );
$this->assertEquals( true,
MediaWikiServices::getInstance()->getPermissionManager()
- ->userCan( 'edit', $this->user, $this->title, PermissionManager::RIGOR_QUICK ) );
+ ->quickUserCan( 'edit', $this->user, $this->title ) );
$this->title->mRestrictions = [ "edit" => [ 'bogus', "sysop", "protect", "" ],
"bogus" => [ 'bogus', "sysop", "protect", "" ] ];
$this->assertEquals( false,
MediaWikiServices::getInstance()->getPermissionManager()
- ->userCan( 'bogus', $this->user, $this->title, PermissionManager::RIGOR_QUICK ) );
+ ->quickUserCan( 'bogus', $this->user, $this->title ) );
$this->assertEquals( false,
- MediaWikiServices::getInstance()->getPermissionManager()->userCan(
- 'edit', $this->user, $this->title, PermissionManager::RIGOR_QUICK ) );
+ MediaWikiServices::getInstance()->getPermissionManager()->quickUserCan(
+ 'edit', $this->user, $this->title ) );
$this->assertEquals( [ [ 'badaccess-group0' ],
[ 'protectedpagetext', 'bogus', 'bogus' ],
$this->overrideUserPermissions( $this->user, [ "edit", "editprotected" ] );
$this->assertEquals( false,
- MediaWikiServices::getInstance()->getPermissionManager()->userCan(
- 'bogus', $this->user, $this->title, PermissionManager::RIGOR_QUICK ) );
+ MediaWikiServices::getInstance()->getPermissionManager()->quickUserCan(
+ 'bogus', $this->user, $this->title ) );
$this->assertEquals( false,
- MediaWikiServices::getInstance()->getPermissionManager()->userCan(
- 'edit', $this->user, $this->title, PermissionManager::RIGOR_QUICK ) );
+ MediaWikiServices::getInstance()->getPermissionManager()->quickUserCan(
+ 'edit', $this->user, $this->title ) );
$this->assertEquals( [ [ 'badaccess-group0' ],
[ 'protectedpagetext', 'bogus', 'bogus' ],
->getPermissionErrors( 'edit', $this->user, $this->title ) );
$this->setMwGlobals( 'wgEmailConfirmToEdit', false );
- $this->resetServices();
$this->overrideUserPermissions( $this->user, [
'createpage',
'edit',
->userCan( 'move-target', $this->user, $this->title ) );
// quickUserCan should ignore user blocks
$this->assertEquals( true, MediaWikiServices::getInstance()->getPermissionManager()
- ->userCan( 'move-target', $this->user, $this->title,
- PermissionManager::RIGOR_QUICK ) );
+ ->quickUserCan( 'move-target', $this->user, $this->title ) );
global $wgLocalTZoffset;
$wgLocalTZoffset = -60;
$user = $this->getTestUser( [ 'unittesters', 'testwriters' ] )->getUser();
$userWrapper = TestingAccessWrapper::newFromObject( $user );
- $rights = MediaWikiServices::getInstance()->getPermissionManager()
+ $rights = MediaWikiServices::getInstance()
+ ->getPermissionManager()
->getUserPermissions( $user );
$this->assertContains( 'test', $rights, 'sanity check' );
$this->assertContains( 'runtest', $rights, 'sanity check' );
$this->assertNotContains( 'nukeworld', $rights, 'sanity check' );
// Add a hook manipluating the rights
- $this->mergeMwGlobalArrayValue( 'wgHooks', [ 'UserGetRights' => [ function ( $user, &$rights ) {
+ $this->setTemporaryHook( 'UserGetRights', function ( $user, &$rights ) {
$rights[] = 'nukeworld';
$rights = array_diff( $rights, [ 'writetest' ] );
- } ] ] );
+ } );
- $this->resetServices();
- $rights = MediaWikiServices::getInstance()->getPermissionManager()
+ $rights = MediaWikiServices::getInstance()
+ ->getPermissionManager()
->getUserPermissions( $user );
$this->assertContains( 'test', $rights );
$this->assertContains( 'runtest', $rights );
$userWrapper->mRequest = $mockRequest;
$this->resetServices();
- $rights = MediaWikiServices::getInstance()->getPermissionManager()
+ $rights = MediaWikiServices::getInstance()
+ ->getPermissionManager()
->getUserPermissions( $user );
$this->assertContains( 'test', $rights );
$this->assertNotContains( 'runtest', $rights );
return $revision;
}
+ public function provideGetRestrictionLevels() {
+ return [
+ 'No namespace restriction' => [ [ '', 'autoconfirmed', 'sysop' ], NS_TALK ],
+ 'Restricted to autoconfirmed' => [ [ '', 'sysop' ], NS_MAIN ],
+ 'Restricted to sysop' => [ [ '' ], NS_USER ],
+ 'Restricted to someone in two groups' => [ [ '', 'sysop' ], 101 ],
+ 'No special permissions' => [
+ [ '' ],
+ NS_TALK,
+ []
+ ],
+ 'autoconfirmed' => [
+ [ '', 'autoconfirmed' ],
+ NS_TALK,
+ [ 'autoconfirmed' ]
+ ],
+ 'autoconfirmed revoked' => [
+ [ '' ],
+ NS_TALK,
+ [ 'autoconfirmed', 'noeditsemiprotected' ]
+ ],
+ 'sysop' => [
+ [ '', 'autoconfirmed', 'sysop' ],
+ NS_TALK,
+ [ 'sysop' ]
+ ],
+ 'sysop with autoconfirmed revoked (a bit silly)' => [
+ [ '', 'sysop' ],
+ NS_TALK,
+ [ 'sysop', 'noeditsemiprotected' ]
+ ],
+ ];
+ }
+
+ /**
+ * @dataProvider provideGetRestrictionLevels
+ * @covers \MediaWiki\Permissions\PermissionManager::getNamespaceRestrictionLevels
+ *
+ * @param array $expected
+ * @param int $ns
+ * @param array|null $userGroups
+ * @throws MWException
+ */
+ public function testGetRestrictionLevels( array $expected, $ns, array $userGroups = null ) {
+ $this->setMwGlobals( [
+ 'wgGroupPermissions' => [
+ '*' => [ 'edit' => true ],
+ 'autoconfirmed' => [ 'editsemiprotected' => true ],
+ 'sysop' => [
+ 'editsemiprotected' => true,
+ 'editprotected' => true,
+ ],
+ 'privileged' => [ 'privileged' => true ],
+ ],
+ 'wgRevokePermissions' => [
+ 'noeditsemiprotected' => [ 'editsemiprotected' => true ],
+ ],
+ 'wgNamespaceProtection' => [
+ NS_MAIN => 'autoconfirmed',
+ NS_USER => 'sysop',
+ 101 => [ 'editsemiprotected', 'privileged' ],
+ ],
+ 'wgRestrictionLevels' => [ '', 'autoconfirmed', 'sysop' ],
+ 'wgAutopromote' => []
+ ] );
+ $user = is_null( $userGroups ) ? null : $this->getTestUser( $userGroups )->getUser();
+ $this->assertSame( $expected, MediaWikiServices::getInstance()
+ ->getPermissionManager()
+ ->getNamespaceRestrictionLevels( $ns, $user ) );
+ }
+
+ /**
+ * @covers \MediaWiki\Permissions\PermissionManager::getRightsCacheKey
+ * @throws \Exception
+ */
+ public function testAnonPermissionsNotClash() {
+ $user1 = User::newFromName( 'User1' );
+ $user2 = User::newFromName( 'User2' );
+ $pm = MediaWikiServices::getInstance()->getPermissionManager();
+ $pm->overrideUserRightsForTesting( $user2, [] );
+ $this->assertNotSame( $pm->getUserPermissions( $user1 ), $pm->getUserPermissions( $user2 ) );
+ }
+
+ /**
+ * @covers \MediaWiki\Permissions\PermissionManager::getRightsCacheKey
+ */
+ public function testAnonPermissionsNotClashOneRegistered() {
+ $user1 = User::newFromName( 'User1' );
+ $user2 = $this->getTestSysop()->getUser();
+ $pm = MediaWikiServices::getInstance()->getPermissionManager();
+ $this->assertNotSame( $pm->getUserPermissions( $user1 ), $pm->getUserPermissions( $user2 ) );
+ }
}