* Check restrictions on cascading pages.
*
* @param string $action The action to check
- * @param User $user User to check
+ * @param UserIdentity $user User to check
* @param array $errors List of current errors
* @param string $rigor One of PermissionManager::RIGOR_ constants
* - RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
*/
private function checkCascadingSourcesRestrictions(
$action,
- User $user,
+ UserIdentity $user,
$errors,
$rigor,
$short,
if ( $right == 'autoconfirmed' ) {
$right = 'editsemiprotected';
}
- if ( $right != '' && !$user->isAllowedAll( 'protect', $right ) ) {
+ if ( $right != '' && !$this->userHasAllRights( $user, 'protect', $right ) ) {
$wikiPages = '';
/** @var Title $wikiPage */
foreach ( $cascadingSources as $wikiPage ) {
* Check permissions on special pages & namespaces
*
* @param string $action The action to check
- * @param User $user User to check
+ * @param UserIdentity $user User to check
* @param array $errors List of current errors
* @param string $rigor One of PermissionManager::RIGOR_ constants
* - RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
*/
private function checkSpecialsAndNSPermissions(
$action,
- User $user,
+ UserIdentity $user,
$errors,
$rigor,
$short,
}
# Check $wgNamespaceProtection for restricted namespaces
- if ( $title->isNamespaceProtected( $user ) ) {
+ if ( $this->isNamespaceProtected( $title->getNamespace(), $user ) ) {
$ns = $title->getNamespace() == NS_MAIN ?
wfMessage( 'nstab-main' )->text() : $title->getNsText();
$errors[] = $title->getNamespace() == NS_MEDIAWIKI ?
* Check CSS/JSON/JS sub-page permissions
*
* @param string $action The action to check
- * @param User $user User to check
+ * @param UserIdentity $user User to check
* @param array $errors List of current errors
* @param string $rigor One of PermissionManager::RIGOR_ constants
* - RIGOR_QUICK : does cheap permission checks from replica DBs (usable for GUI creation)
*/
private function checkUserConfigPermissions(
$action,
- User $user,
+ UserIdentity $user,
$errors,
$rigor,
$short,
// Users need editmyuser* to edit their own CSS/JSON/JS subpages.
if (
$title->isUserCssConfigPage()
- && !$user->isAllowedAny( 'editmyusercss', 'editusercss' )
+ && !$this->userHasAnyRight( $user, 'editmyusercss', 'editusercss' )
) {
$errors[] = [ 'mycustomcssprotected', $action ];
} elseif (
$title->isUserJsonConfigPage()
- && !$user->isAllowedAny( 'editmyuserjson', 'edituserjson' )
+ && !$this->userHasAnyRight( $user, 'editmyuserjson', 'edituserjson' )
) {
$errors[] = [ 'mycustomjsonprotected', $action ];
} elseif (
$title->isUserJsConfigPage()
- && !$user->isAllowedAny( 'editmyuserjs', 'edituserjs' )
+ && !$this->userHasAnyRight( $user, 'editmyuserjs', 'edituserjs' )
) {
$errors[] = [ 'mycustomjsprotected', $action ];
} elseif (
$title->isUserJsConfigPage()
- && !$user->isAllowedAny( 'edituserjs', 'editmyuserjsredirect' )
+ && !$this->userHasAnyRight( $user, 'edituserjs', 'editmyuserjsredirect' )
) {
// T207750 - do not allow users to edit a redirect if they couldn't edit the target
$rev = $this->revisionLookup->getRevisionByTitle( $title );
return in_array( $action, $this->getUserPermissions( $user ), true );
}
+ /**
+ * Check if user is allowed to make any action
+ *
+ * @param UserIdentity $user
+ * // TODO: HHVM can't create mocks with variable params @param string ...$actions
+ * @return bool True if user is allowed to perform *any* of the given actions
+ * @since 1.34
+ */
+ public function userHasAnyRight( UserIdentity $user ) {
+ $actions = array_slice( func_get_args(), 1 );
+ foreach ( $actions as $action ) {
+ if ( $this->userHasRight( $user, $action ) ) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Check if user is allowed to make all actions
+ *
+ * @param UserIdentity $user
+ * // TODO: HHVM can't create mocks with variable params @param string ...$actions
+ * @return bool True if user is allowed to perform *all* of the given actions
+ * @since 1.34
+ */
+ public function userHasAllRights( UserIdentity $user ) {
+ $actions = array_slice( func_get_args(), 1 );
+ foreach ( $actions as $action ) {
+ if ( !$this->userHasRight( $user, $action ) ) {
+ return false;
+ }
+ }
+ return true;
+ }
+
/**
* Get the permissions this user has.
*
*/
public function getUserPermissions( UserIdentity $user ) {
$user = User::newFromIdentity( $user );
- if ( !isset( $this->usersRights[ $user->getId() ] ) ) {
- $this->usersRights[ $user->getId() ] = $this->getGroupPermissions(
+ $rightsCacheKey = $this->getRightsCacheKey( $user );
+ if ( !isset( $this->usersRights[ $rightsCacheKey ] ) ) {
+ $this->usersRights[ $rightsCacheKey ] = $this->getGroupPermissions(
$user->getEffectiveGroups()
);
- Hooks::run( 'UserGetRights', [ $user, &$this->usersRights[ $user->getId() ] ] );
+ Hooks::run( 'UserGetRights', [ $user, &$this->usersRights[ $rightsCacheKey ] ] );
// Deny any rights denied by the user's session, unless this
// endpoint has no sessions.
// FIXME: $user->getRequest().. need to be replaced with something else
$allowedRights = $user->getRequest()->getSession()->getAllowedUserRights();
if ( $allowedRights !== null ) {
- $this->usersRights[ $user->getId() ] = array_intersect(
- $this->usersRights[ $user->getId() ],
+ $this->usersRights[ $rightsCacheKey ] = array_intersect(
+ $this->usersRights[ $rightsCacheKey ],
$allowedRights
);
}
}
- Hooks::run( 'UserGetRightsRemove', [ $user, &$this->usersRights[ $user->getId() ] ] );
+ Hooks::run( 'UserGetRightsRemove', [ $user, &$this->usersRights[ $rightsCacheKey ] ] );
// Force reindexation of rights when a hook has unset one of them
- $this->usersRights[ $user->getId() ] = array_values(
- array_unique( $this->usersRights[ $user->getId() ] )
+ $this->usersRights[ $rightsCacheKey ] = array_values(
+ array_unique( $this->usersRights[ $rightsCacheKey ] )
);
if (
$user->getBlock()
) {
$anon = new User;
- $this->usersRights[ $user->getId() ] = array_intersect(
- $this->usersRights[ $user->getId() ],
+ $this->usersRights[ $rightsCacheKey ] = array_intersect(
+ $this->usersRights[ $rightsCacheKey ],
$this->getUserPermissions( $anon )
);
}
}
- $rights = $this->usersRights[ $user->getId() ];
+ $rights = $this->usersRights[ $rightsCacheKey ];
foreach ( $this->temporaryUserRights[ $user->getId() ] ?? [] as $overrides ) {
$rights = array_values( array_unique( array_merge( $rights, $overrides ) ) );
}
*/
public function invalidateUsersRightsCache( $user = null ) {
if ( $user !== null ) {
- if ( isset( $this->usersRights[ $user->getId() ] ) ) {
- unset( $this->usersRights[$user->getId()] );
+ $rightsCacheKey = $this->getRightsCacheKey( $user );
+ if ( isset( $this->usersRights[ $rightsCacheKey ] ) ) {
+ unset( $this->usersRights[ $rightsCacheKey ] );
}
} else {
$this->usersRights = null;
}
}
+ /**
+ * Gets a unique key for user rights cache.
+ * @param UserIdentity $user
+ * @return string
+ */
+ private function getRightsCacheKey( UserIdentity $user ) {
+ return $user->isRegistered() ? "u:{$user->getId()}" : "anon:{$user->getName()}";
+ }
+
/**
* Check, if the given group has the given permission
*
return $this->allRights;
}
+ /**
+ * Determines if $user is unable to edit pages in namespace because it has been protected.
+ * @param $index
+ * @param UserIdentity $user
+ * @return bool
+ */
+ private function isNamespaceProtected( $index, UserIdentity $user ) {
+ $namespaceProtection = $this->options->get( 'NamespaceProtection' );
+ if ( isset( $namespaceProtection[$index] ) ) {
+ return !$this->userHasAllRights( $user, ...(array)$namespaceProtection[$index] );
+ }
+ return false;
+ }
+
/**
* Determine which restriction levels it makes sense to use in a namespace,
* optionally filtered by a user's rights.
if ( !defined( 'MW_PHPUNIT_TEST' ) ) {
throw new Exception( __METHOD__ . ' can not be called outside of tests' );
}
- $this->usersRights[ $user->getId() ] = is_array( $rights ) ? $rights : [ $rights ];
+ $this->usersRights[ $this->getRightsCacheKey( $user ) ] =
+ is_array( $rights ) ? $rights : [ $rights ];
}
}
dépôts / lhc / web / wiklou.git / blobdiff