From 1d286560d2cd4f2adf6138f62a8dfcfad5991c14 Mon Sep 17 00:00:00 2001 
From: Petr Pchelko
Date: Fri, 16 Aug 2019 11:13:56 -0700
Subject: [PATCH] Replace User::isAllowed with PermissionManager. Covers root includes, actions, api, block, changes, changetags, diff and PermissionManager itself.
Bug: T220191
Change-Id: Ic027d32f5dd8f4c74865df0c8a9fcf91123c889c
---
includes/AjaxDispatcher.php | 4 +-
includes/EditPage.php | 17 +++---
includes/FileDeleteForm.php | 9 ++-
includes/Linker.php | 10 ++-
includes/MergeHistory.php | 3 +-
includes/MovePage.php | 8 ++-
includes/Permissions/PermissionManager.php | 55 +++++++++--------
includes/ProtectionForm.php | 3 +-
includes/ServiceWiring.php | 3 +-
includes/Title.php | 3 +-
includes/actions/HistoryAction.php | 3 +-
includes/actions/InfoAction.php | 4 +-
includes/actions/RawAction.php | 3 +-
includes/actions/WatchAction.php | 9 ++-
includes/actions/pagers/HistoryPager.php | 11 ++--
includes/api/ApiBlock.php | 3 +-
includes/api/ApiImport.php | 5 +-
includes/api/ApiMain.php | 11 ++--
includes/api/ApiManageTags.php | 4 +-
includes/api/ApiMove.php | 7 ++-
includes/api/ApiPageSet.php | 3 +-
includes/api/ApiQueryAllDeletedRevisions.php | 2 +-
includes/api/ApiQueryAllRevisions.php | 2 +-
includes/api/ApiQueryBase.php | 2 +-
includes/api/ApiQueryBlocks.php | 2 +-
includes/api/ApiQueryDeletedRevisions.php | 2 +-
includes/api/ApiQueryDeletedrevs.php | 4 +-
includes/api/ApiQueryFilearchive.php | 2 +-
includes/api/ApiQueryInfo.php | 21 ++++---
includes/api/ApiQueryLogEvents.php | 2 +-
includes/api/ApiQueryRecentChanges.php | 4 +-
includes/api/ApiQueryRevisions.php | 5 +-
includes/api/ApiQueryUserContribs.php | 2 +-
includes/api/ApiQueryUserInfo.php | 5 +-
includes/api/ApiUnblock.php | 2 +-
includes/api/ApiUserrights.php | 2 +-
includes/block/AbstractBlock.php | 7 ++-
includes/block/BlockManager.php | 12 +++-
includes/changes/RecentChange.php | 13 ++--
includes/changetags/ChangeTags.php | 28 ++++++---
includes/diff/DifferenceEngine.php | 6 +-
.../includes/actions/WatchActionTest.php | 61 +++++++++++--------
.../includes/block/BlockManagerTest.php | 3 +- 43 files changed, 223 insertions(+), 144 deletions(-) diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php index f6c9075136..ea10a2e863 100644 --- a/includes/AjaxDispatcher.php +++ b/includes/AjaxDispatcher.php @@ -114,6 +114,7 @@ class AjaxDispatcher { return; } + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); if ( !in_array( $this->func_name, $this->config->get( 'AjaxExportList' ) ) ) { wfDebug( __METHOD__ . ' Bad Request for unknown function ' . $this->func_name . "\n" ); wfHttpError( @@ -121,7 +122,8 @@ class AjaxDispatcher { 'Bad Request', "unknown function " . $this->func_name ); - } elseif ( !User::isEveryoneAllowed( 'read' ) && !$user->isAllowed( 'read' ) ) { + } elseif ( !$permissionManager->isEveryoneAllowed( 'read' ) && + !$permissionManager->userHasRight( $user, 'read' ) ) { wfHttpError( 403, 'Forbidden', diff --git a/includes/EditPage.php b/includes/EditPage.php index 74ec883a06..550a018e5e 100644 --- a/includes/EditPage.php +++ b/includes/EditPage.php @@ -1593,7 +1593,8 @@ class EditPage { // This is needed since PageUpdater no longer checks these rights! // Allow bots to exempt some edits from bot flagging - $bot = $this->context->getUser()->isAllowed( 'bot' ) && $this->bot; + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); + $bot = $permissionManager->userHasRight( $this->context->getUser(), 'bot' ) && $this->bot; $status = $this->internalAttemptSave( $resultDetails, $bot ); Hooks::run( 'EditPage::attemptSave:after', [ $this, $status, $resultDetails ] ); @@ -1870,6 +1871,7 @@ ERROR; public function internalAttemptSave( &$result, $bot = false ) { $status = Status::newGood(); $user = $this->context->getUser(); + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); if ( !Hooks::run( 'EditPage::attemptSave', [ $this ] ) ) { wfDebug( "Hook 'EditPage::attemptSave' aborted article saving\n" ); 
@@ -1918,7 +1920,7 @@ ERROR; # Check image redirect if ( $this->mTitle->getNamespace() == NS_FILE && $textbox_content->isRedirect() && - !$user->isAllowed( 'upload' ) + !$permissionManager->userHasRight( $user, 'upload' ) ) { $code = $user->isAnon() ? self::AS_IMAGE_REDIRECT_ANON : self::AS_IMAGE_REDIRECT_LOGGED; $status->setResult( false, $code ); @@ -1968,7 +1970,7 @@ ERROR; return $status; } - if ( $user->isBlockedFrom( $this->mTitle ) ) { + if ( $permissionManager->isBlockedFrom( $user, $this->mTitle ) ) { // Auto-block user's IP if the account was "hard" blocked if ( !wfReadOnly() ) { $user->spreadAnyEditBlock(); @@ -1988,7 +1990,7 @@ ERROR; return $status; } - if ( !$user->isAllowed( 'edit' ) ) { + if ( !$permissionManager->userHasRight( $user, 'edit' ) ) { if ( $user->isAnon() ) { $status->setResult( false, self::AS_READ_ONLY_PAGE_ANON ); return $status; @@ -1999,15 +2001,13 @@ ERROR; } } - $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); - $changingContentModel = false; if ( $this->contentModel !== $this->mTitle->getContentModel() ) { if ( !$config->get( 'ContentHandlerUseDB' ) ) { $status->fatal( 'editpage-cannot-use-custom-model' ); $status->value = self::AS_CANNOT_USE_CUSTOM_MODEL; return $status; - } elseif ( !$user->isAllowed( 'editcontentmodel' ) ) { + } elseif ( !$permissionManager->userHasRight( $user, 'editcontentmodel' ) ) { $status->setResult( false, self::AS_NO_CHANGE_CONTENT_MODEL ); return $status; } @@ -4159,7 +4159,8 @@ ERROR; $user = $this->context->getUser(); // don't show the minor edit checkbox if it's a new page or section - if ( !$this->isNew && $user->isAllowed( 'minoredit' ) ) { + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); + if ( !$this->isNew && $permissionManager->userHasRight( $user, 'minoredit' ) ) { $checkboxes['wpMinoredit'] = [ 'id' => 'wpMinoredit', 'label-message' => 'minoredit', 
diff --git a/includes/FileDeleteForm.php b/includes/FileDeleteForm.php index 5aa6edf879..8272ccf767 100644 --- a/includes/FileDeleteForm.php +++ b/includes/FileDeleteForm.php @@ -79,7 +79,9 @@ class FileDeleteForm { $this->oldimage = $wgRequest->getText( 'oldimage', false ); $token = $wgRequest->getText( 'wpEditToken' ); # Flag to hide all contents of the archived revisions - $suppress = $wgRequest->getCheck( 'wpSuppress' ) && $wgUser->isAllowed( 'suppressrevision' ); + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); + $suppress = $wgRequest->getCheck( 'wpSuppress' ) && + $permissionManager->userHasRight( $wgUser, 'suppressrevision' ); if ( $this->oldimage ) { $this->oldfile = RepoGroup::singleton()->getLocalRepo()->newFromArchiveName( @@ -245,6 +247,7 @@ class FileDeleteForm { */ private function showForm() { global $wgOut, $wgUser, $wgRequest; + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); $wgOut->addModules( 'mediawiki.action.delete.file' ); @@ -296,7 +299,7 @@ class FileDeleteForm { ] ); - if ( $wgUser->isAllowed( 'suppressrevision' ) ) { + if ( $permissionManager->userHasRight( $wgUser, 'suppressrevision' ) ) { $fields[] = new OOUI\FieldLayout( new OOUI\CheckboxInputWidget( [ 'name' => 'wpSuppress', @@ -370,7 +373,7 @@ class FileDeleteForm { ] ) ); - if ( $wgUser->isAllowed( 'editinterface' ) ) { + if ( $permissionManager->userHasRight( $wgUser, 'editinterface' ) ) { $linkRenderer = MediaWikiServices::getInstance()->getLinkRenderer(); $link = $linkRenderer->makeKnownLink( $wgOut->msg( 'filedelete-reason-dropdown' )->inContentLanguage()->getTitle(), diff --git a/includes/Linker.php b/includes/Linker.php index db3e2f5f03..47be8a27ea 100644 --- a/includes/Linker.php +++ b/includes/Linker.php 
@@ -978,7 +978,9 @@ class Linker { $items[] = self::link( $contribsPage, wfMessage( 'contribslink' )->escaped(), $attribs ); } - if ( $blockable && $wgUser->isAllowed( 'block' ) ) { + $userCanBlock = MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $wgUser, 'block' ); + if ( $blockable && $userCanBlock ) { $items[] = self::blockLink( $userId, $userText ); } @@ -2103,8 +2105,10 @@ class Linker { * @return string HTML fragment */ public static function getRevDeleteLink( User $user, Revision $rev, LinkTarget $title ) { - $canHide = $user->isAllowed( 'deleterevision' ); - if ( !$canHide && !( $rev->getVisibility() && $user->isAllowed( 'deletedhistory' ) ) ) { + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); + $canHide = $permissionManager->userHasRight( $user, 'deleterevision' ); + $canHideHistory = $permissionManager->userHasRight( $user, 'deletedhistory' ); + if ( !$canHide && !( $rev->getVisibility() && $canHideHistory ) ) { return ''; } diff --git a/includes/MergeHistory.php b/includes/MergeHistory.php index 6bd4471723..4045a5436b 100644 --- a/includes/MergeHistory.php +++ b/includes/MergeHistory.php @@ -178,7 +178,8 @@ class MergeHistory { } // Check mergehistory permission - if ( !$user->isAllowed( 'mergehistory' ) ) { + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); + if ( !$permissionManager->userHasRight( $user, 'mergehistory' ) ) { // User doesn't have the right to merge histories $status->fatal( 'mergehistory-fail-permission' ); } diff --git a/includes/MovePage.php b/includes/MovePage.php index 832e24af81..5aa4857cd1 100644 --- a/includes/MovePage.php +++ b/includes/MovePage.php 
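Review bot: In `Linker::getRevDeleteLink()`, the new local `$canHideHistory` holds the answer for the `deletedhistory` right, which the `HistoryPager` code in this same patch describes as being able to view deleted revisions rather than hide them, so a name such as `$canViewDeleted` would say what it is. Both rights are also resolved up front now, whereas the old expression consulted `deletedhistory` only when `deleterevision` was missing and `$rev->getVisibility()` was truthy. The first hunk of this file has the same shape: `$userCanBlock` is computed even when `$blockable` is false. Keeping the call inside the condition, `if ( $blockable && MediaWikiServices::getInstance()->getPermissionManager()->userHasRight( $wgUser, 'block' ) ) {`, preserves the short-circuit.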
@@ -77,8 +77,9 @@ class MovePage { } $tp = $this->newTitle->getTitleProtection(); - if ( $tp !== false && !$user->isAllowed( $tp['permission'] ) ) { - $status->fatal( 'cantmove-titleprotected' ); + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); + if ( $tp !== false && !$permissionManager->userHasRight( $user, $tp['permission'] ) ) { + $status->fatal( 'cantmove-titleprotected' ); } Hooks::run( 'MovePageCheckPermissions', @@ -287,7 +288,8 @@ class MovePage { } // Check suppressredirect permission - if ( !$user->isAllowed( 'suppressredirect' ) ) { + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); + if ( !$permissionManager->userHasRight( $user, 'suppressredirect' ) ) { $createRedirect = true; } diff --git a/includes/Permissions/PermissionManager.php b/includes/Permissions/PermissionManager.php index d256e9b18e..248ba14dc6 100644 --- a/includes/Permissions/PermissionManager.php +++ b/includes/Permissions/PermissionManager.php @@ -501,10 +501,10 @@ class PermissionManager { $title = Title::newFromLinkTarget( $page ); $whitelisted = false; - if ( User::isEveryoneAllowed( 'read' ) ) { + if ( $this->isEveryoneAllowed( 'read' ) ) { # Shortcut for public wikis, allows skipping quite a bit of code $whitelisted = true; - } elseif ( $user->isAllowed( 'read' ) ) { + } elseif ( $this->userHasRight( $user, 'read' ) ) { # If the user is allowed to read pages, he is allowed to read all pages $whitelisted = true; } elseif ( $this->isSameSpecialPage( 'Userlogin', $title ) 
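Review bot: In the first `MovePage.php` hunk, the title-protection check passes `$tp['permission']` straight to `userHasRight()`, while the title-protection check in `PermissionManager.php` later in this patch treats an empty `permission` as a denial before it consults the right (`$title_protection['permission'] == '' || ...`). The two paths can therefore disagree on a protection entry whose permission is empty, depending on how `userHasRight()` handles an empty string, which is not visible here. If denial is the intended reading, the condition could be `if ( $tp !== false && ( $tp['permission'] == '' || !$permissionManager->userHasRight( $user, $tp['permission'] ) ) ) {`. The enclosing method continues outside the hunk.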
@@ -729,33 +729,35 @@ class PermissionManager { if ( $action == 'create' ) { if ( ( $this->nsInfo->isTalk( $title->getNamespace() ) && - !$user->isAllowed( 'createtalk' ) ) || + !$this->userHasRight( $user, 'createtalk' ) ) || ( !$this->nsInfo->isTalk( $title->getNamespace() ) && - !$user->isAllowed( 'createpage' ) ) + !$this->userHasRight( $user, 'createpage' ) ) ) { $errors[] = $user->isAnon() ? [ 'nocreatetext' ] : [ 'nocreate-loggedin' ]; } } elseif ( $action == 'move' ) { - if ( !$user->isAllowed( 'move-rootuserpages' ) + if ( !$this->userHasRight( $user, 'move-rootuserpages' ) && $title->getNamespace() == NS_USER && !$isSubPage ) { // Show user page-specific message only if the user can move other pages $errors[] = [ 'cant-move-user-page' ]; } // Check if user is allowed to move files if it's a file - if ( $title->getNamespace() == NS_FILE && !$user->isAllowed( 'movefile' ) ) { + if ( $title->getNamespace() == NS_FILE && + !$this->userHasRight( $user, 'movefile' ) ) { $errors[] = [ 'movenotallowedfile' ]; } // Check if user is allowed to move category pages if it's a category page - if ( $title->getNamespace() == NS_CATEGORY && !$user->isAllowed( 'move-categorypages' ) ) { + if ( $title->getNamespace() == NS_CATEGORY && + !$this->userHasRight( $user, 'move-categorypages' ) ) { $errors[] = [ 'cant-move-category-page' ]; } - if ( !$user->isAllowed( 'move' ) ) { + if ( !$this->userHasRight( $user, 'move' ) ) { // User can't move anything - $userCanMove = User::groupHasPermission( 'user', 'move' ); - $autoconfirmedCanMove = User::groupHasPermission( 'autoconfirmed', 'move' ); + $userCanMove = $this->groupHasPermission( 'user', 'move' ); + $autoconfirmedCanMove = $this->groupHasPermission( 'autoconfirmed', 'move' ); if ( $user->isAnon() && ( $userCanMove || $autoconfirmedCanMove ) ) { // custom message if logged-in users without any special rights can move $errors[] = [ 'movenologintext' ]; 
@@ -764,19 +766,19 @@ class PermissionManager { } } } elseif ( $action == 'move-target' ) { - if ( !$user->isAllowed( 'move' ) ) { + if ( !$this->userHasRight( $user, 'move' ) ) { // User can't move anything $errors[] = [ 'movenotallowed' ]; - } elseif ( !$user->isAllowed( 'move-rootuserpages' ) + } elseif ( !$this->userHasRight( $user, 'move-rootuserpages' ) && $title->getNamespace() == NS_USER && !$isSubPage ) { // Show user page-specific message only if the user can move other pages $errors[] = [ 'cant-move-to-user-page' ]; - } elseif ( !$user->isAllowed( 'move-categorypages' ) + } elseif ( !$this->userHasRight( $user, 'move-categorypages' ) && $title->getNamespace() == NS_CATEGORY ) { // Show category page-specific message only if the user can move other pages $errors[] = [ 'cant-move-to-category-page' ]; } - } elseif ( !$user->isAllowed( $action ) ) { + } elseif ( !$this->userHasRight( $user, $action ) ) { $errors[] = $this->missingPermissionError( $action, $short ); } @@ -823,9 +825,10 @@ class PermissionManager { if ( $right == '' ) { continue; } - if ( !$user->isAllowed( $right ) ) { + if ( !$this->userHasRight( $user, $right ) ) { $errors[] = [ 'protectedpagetext', $right, $action ]; - } elseif ( $title->areRestrictionsCascading() && !$user->isAllowed( 'protect' ) ) { + } elseif ( $title->areRestrictionsCascading() && + !$this->userHasRight( $user, 'protect' ) ) { $errors[] = [ 'protectedpagetext', 'protect', $action ]; } } @@ -933,7 +936,7 @@ class PermissionManager { $title_protection = $title->getTitleProtection(); if ( $title_protection ) { if ( $title_protection['permission'] == '' - || !$user->isAllowed( $title_protection['permission'] ) + || !$this->userHasRight( $user, $title_protection['permission'] ) ) { $errors[] = [ 'titleprotected', 
@@ -1063,23 +1066,23 @@ class PermissionManager { $error = null; // Sitewide CSS/JSON/JS changes, like all NS_MEDIAWIKI changes, also require the // editinterface right. That's implemented as a restriction so no check needed here. - if ( $title->isSiteCssConfigPage() && !$user->isAllowed( 'editsitecss' ) ) { + if ( $title->isSiteCssConfigPage() && !$this->userHasRight( $user, 'editsitecss' ) ) { $error = [ 'sitecssprotected', $action ]; - } elseif ( $title->isSiteJsonConfigPage() && !$user->isAllowed( 'editsitejson' ) ) { + } elseif ( $title->isSiteJsonConfigPage() && !$this->userHasRight( $user, 'editsitejson' ) ) { $error = [ 'sitejsonprotected', $action ]; - } elseif ( $title->isSiteJsConfigPage() && !$user->isAllowed( 'editsitejs' ) ) { + } elseif ( $title->isSiteJsConfigPage() && !$this->userHasRight( $user, 'editsitejs' ) ) { $error = [ 'sitejsprotected', $action ]; } elseif ( $title->isRawHtmlMessage() ) { // Raw HTML can be used to deploy CSS or JS so require rights for both. - if ( !$user->isAllowed( 'editsitejs' ) ) { + if ( !$this->userHasRight( $user, 'editsitejs' ) ) { $error = [ 'sitejsprotected', $action ]; - } elseif ( !$user->isAllowed( 'editsitecss' ) ) { + } elseif ( !$this->userHasRight( $user, 'editsitecss' ) ) { $error = [ 'sitecssprotected', $action ]; } } if ( $error ) { - if ( $user->isAllowed( 'editinterface' ) ) { + if ( $this->userHasRight( $user, 'editinterface' ) ) { // Most users / site admins will probably find out about the new, more restrictive // permissions by failing to edit something. Give them more info. // TODO remove this a few release cycles after 1.32 
@@ -1166,17 +1169,17 @@ class PermissionManager { if ( !in_array( $action, [ 'delete', 'deleterevision', 'suppressrevision' ], true ) ) { if ( $title->isUserCssConfigPage() - && !$user->isAllowed( 'editusercss' ) + && !$this->userHasRight( $user, 'editusercss' ) ) { $errors[] = [ 'customcssprotected', $action ]; } elseif ( $title->isUserJsonConfigPage() - && !$user->isAllowed( 'edituserjson' ) + && !$this->userHasRight( $user, 'edituserjson' ) ) { $errors[] = [ 'customjsonprotected', $action ]; } elseif ( $title->isUserJsConfigPage() - && !$user->isAllowed( 'edituserjs' ) + && !$this->userHasRight( $user, 'edituserjs' ) ) { $errors[] = [ 'customjsprotected', $action ]; } diff --git a/includes/ProtectionForm.php b/includes/ProtectionForm.php index 4bead3464c..adca805168 100644 --- a/includes/ProtectionForm.php +++ b/includes/ProtectionForm.php @@ -553,7 +553,8 @@ class ProtectionForm { } $out .= Xml::closeElement( 'fieldset' ); - if ( $user->isAllowed( 'editinterface' ) ) { + if ( MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $user, 'editinterface' ) ) { $linkRenderer = MediaWikiServices::getInstance()->getLinkRenderer(); $link = $linkRenderer->makeKnownLink( $context->msg( 'protect-dropdown' )->inContentLanguage()->getTitle(), diff --git a/includes/ServiceWiring.php b/includes/ServiceWiring.php index c192b5a266..a0d329066e 100644 --- a/includes/ServiceWiring.php +++ b/includes/ServiceWiring.php @@ -97,7 +97,8 @@ return [ BlockManager::$constructorOptions, $services->getMainConfig() ), $context->getUser(), - $context->getRequest() + $context->getRequest(), + $services->getPermissionManager() ); }, diff --git a/includes/Title.php b/includes/Title.php index 281f75bac1..94800a9a51 100644 --- a/includes/Title.php +++ b/includes/Title.php 
@@ -2506,8 +2506,9 @@ class Title implements LinkTarget, IDBAccessObject { global $wgNamespaceProtection; if ( isset( $wgNamespaceProtection[$this->mNamespace] ) ) { + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); foreach ( (array)$wgNamespaceProtection[$this->mNamespace] as $right ) { - if ( $right != '' && !$user->isAllowed( $right ) ) { + if ( !$permissionManager->userHasRight( $user, $right ) ) { return true; } } diff --git a/includes/actions/HistoryAction.php b/includes/actions/HistoryAction.php index 958ec06f47..385ccc9607 100644 --- a/includes/actions/HistoryAction.php +++ b/includes/actions/HistoryAction.php @@ -265,7 +265,8 @@ class HistoryAction extends FormlessAction { 'value' => $tagFilter, ] ]; - if ( $this->getUser()->isAllowed( 'deletedhistory' ) ) { + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); + if ( $permissionManager->userHasRight( $this->getUser(), 'deletedhistory' ) ) { $fields[] = [ 'type' => 'check', 'label' => $this->msg( 'history-show-deleted' )->text(), diff --git a/includes/actions/InfoAction.php b/includes/actions/InfoAction.php index 279c13bd04..15cee948ae 100644 --- a/includes/actions/InfoAction.php +++ b/includes/actions/InfoAction.php @@ -345,7 +345,7 @@ class InfoAction extends FormlessAction { $unwatchedPageThreshold = $config->get( 'UnwatchedPageThreshold' ); if ( - $user->isAllowed( 'unwatchedpages' ) || + $services->getPermissionManager()->userHasRight( $user, 'unwatchedpages' ) || ( $unwatchedPageThreshold !== false && $pageCounts['watchers'] >= $unwatchedPageThreshold ) ) { 
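Review bot: In `Title.php`, the rewritten loop over `$wgNamespaceProtection` drops the old `$right != ''` guard, so an empty entry now reaches `userHasRight()` instead of being skipped. Whether that is equivalent depends on `userHasRight()` accepting an empty right, which nothing in this hunk shows; if it does not, a namespace configured with an empty restriction would start to report as protected. The loose comparison also skipped other falsy entries, and those are now passed through as well. I would keep the guard, `if ( $right != '' && !$permissionManager->userHasRight( $user, $right ) ) {`, or add a comment stating that the empty case is handled inside `userHasRight()`. The enclosing method starts and ends outside the hunk.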
@@ -360,7 +360,7 @@ class InfoAction extends FormlessAction { ) { $minToDisclose = $config->get( 'UnwatchedPageSecret' ); if ( $pageCounts['visitingWatchers'] > $minToDisclose || - $user->isAllowed( 'unwatchedpages' ) ) { + $services->getPermissionManager()->userHasRight( $user, 'unwatchedpages' ) ) { $pageInfo['header-basic'][] = [ $this->msg( 'pageinfo-visiting-watchers' ), $lang->formatNum( $pageCounts['visitingWatchers'] ) diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php index abb8ff5b1f..8fd4e0ad55 100644 --- a/includes/actions/RawAction.php +++ b/includes/actions/RawAction.php @@ -111,7 +111,8 @@ class RawAction extends FormlessAction { $rootPage = strtok( $title->getText(), '/' ); $userFromTitle = User::newFromName( $rootPage, 'usable' ); if ( !$userFromTitle || $userFromTitle->getId() === 0 ) { - $elevated = $this->getUser()->isAllowed( 'editinterface' ); + $elevated = MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $this->getUser(), 'editinterface' ); $elevatedText = $elevated ? 'by elevated ' : ''; $log = LoggerFactory::getInstance( "security" ); $log->warning( diff --git a/includes/actions/WatchAction.php b/includes/actions/WatchAction.php index 0eba613a20..e88654ad2f 100644 --- a/includes/actions/WatchAction.php +++ b/includes/actions/WatchAction.php @@ -20,6 +20,8 @@ * @ingroup Actions */ +use MediaWiki\MediaWikiServices; + /** * Page addition to a user's watchlist * @@ -116,7 +118,8 @@ class WatchAction extends FormAction { User $user, $checkRights = User::CHECK_USER_RIGHTS ) { - if ( $checkRights && !$user->isAllowed( 'editmywatchlist' ) ) { + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); + if ( $checkRights && !$permissionManager->userHasRight( $user, 'editmywatchlist' ) ) { return User::newFatalPermissionDeniedStatus( 'editmywatchlist' ); } 
@@ -140,7 +143,9 @@ class WatchAction extends FormAction { * @return Status */ public static function doUnwatch( Title $title, User $user ) { - if ( !$user->isAllowed( 'editmywatchlist' ) ) { + if ( !MediaWikiServices::getInstance() + ->getPermissionManager() + ->userHasRight( $user, 'editmywatchlist' ) ) { return User::newFatalPermissionDeniedStatus( 'editmywatchlist' ); } diff --git a/includes/actions/pagers/HistoryPager.php b/includes/actions/pagers/HistoryPager.php index c5c090d21b..14f76bc37f 100644 --- a/includes/actions/pagers/HistoryPager.php +++ b/includes/actions/pagers/HistoryPager.php @@ -172,6 +172,7 @@ class HistoryPager extends ReverseChronologicalPager { * @return string HTML output */ protected function getStartBody() { + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); $this->lastRow = false; $this->counter = 1; $this->oldIdChecked = 0; @@ -197,7 +198,7 @@ class HistoryPager extends ReverseChronologicalPager { $user = $this->getUser(); $actionButtons = ''; - if ( $user->isAllowed( 'deleterevision' ) ) { + if ( $permissionManager->userHasRight( $user, 'deleterevision' ) ) { $actionButtons .= $this->getRevisionButton( 'revisiondelete', 'showhideselectedversions' ); } @@ -210,7 +211,7 @@ class HistoryPager extends ReverseChronologicalPager { 'mw-history-revisionactions' ], $actionButtons ); } - if ( $user->isAllowed( 'deleterevision' ) || $this->showTagEditUI ) { + if ( $permissionManager->userHasRight( $user, 'deleterevision' ) || $this->showTagEditUI ) { $this->buttons .= ( new ListToggle( $this->getOutput() ) )->getHTML(); } @@ -305,6 +306,7 @@ class HistoryPager extends ReverseChronologicalPager { */ function historyLine( $row, $next, $notificationtimestamp = false, $dummy = false, $firstInList = false ) { + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); $rev = new Revision( $row, 0, $this->getTitle() ); if ( is_object( $next ) ) { 
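Review bot: In `HistoryPager::getStartBody()`, the `deleterevision` right is now looked up twice, once for the action button and again for the `ListToggle` condition in the following hunk. `historyLine()` already keeps the same answer in `$canRevDelete`; doing the same here, `$canRevDelete = $permissionManager->userHasRight( $user, 'deleterevision' );`, keeps the two conditions in step. `historyLine()` also fetches the service through `MediaWikiServices::getInstance()` on every call, and it looks like it runs once per row, so a property set once on the pager would avoid the repeated lookup.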
@@ -332,7 +334,7 @@ class HistoryPager extends ReverseChronologicalPager { $del = ''; $user = $this->getUser(); - $canRevDelete = $user->isAllowed( 'deleterevision' ); + $canRevDelete = $permissionManager->userHasRight( $user, 'deleterevision' ); // Show checkboxes for each revision, to allow for revision deletion and // change tags if ( $canRevDelete || $this->showTagEditUI ) { @@ -349,7 +351,8 @@ class HistoryPager extends ReverseChronologicalPager { [ 'name' => 'ids[' . $rev->getId() . ']' ] ); } // User can only view deleted revisions... - } elseif ( $rev->getVisibility() && $user->isAllowed( 'deletedhistory' ) ) { + } elseif ( $rev->getVisibility() && + $permissionManager->userHasRight( $user, 'deletedhistory' ) ) { // If revision was hidden from sysops, disable the link if ( !$rev->userCan( RevisionRecord::DELETED_RESTRICTED, $user ) ) { $del = Linker::revDeleteLinkDisabled( false ); diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php index 480126760e..2c1564e085 100644 --- a/includes/api/ApiBlock.php +++ b/includes/api/ApiBlock.php @@ -98,7 +98,8 @@ class ApiBlock extends ApiBase { } } - if ( $params['hidename'] && !$user->isAllowed( 'hideuser' ) ) { + if ( $params['hidename'] && + !$this->getPermissionManager()->userHasRight( $user, 'hideuser' ) ) { $this->dieWithError( 'apierror-canthide' ); } if ( $params['noemail'] && !SpecialBlock::canBlockEmail( $user ) ) { diff --git a/includes/api/ApiImport.php b/includes/api/ApiImport.php index b36045e1f4..e787e2671a 100644 --- a/includes/api/ApiImport.php +++ b/includes/api/ApiImport.php @@ -29,7 +29,6 @@ class ApiImport extends ApiBase { public function execute() { $this->useTransactionalTimeLimit(); - $user = $this->getUser(); $params = $this->extractRequestParams(); 
@@ -37,7 +36,7 @@ class ApiImport extends ApiBase { $isUpload = false; if ( isset( $params['interwikisource'] ) ) { - if ( !$user->isAllowed( 'import' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'import' ) ) { $this->dieWithError( 'apierror-cantimport' ); } if ( !isset( $params['interwikipage'] ) ) { @@ -52,7 +51,7 @@ class ApiImport extends ApiBase { $usernamePrefix = $params['interwikisource']; } else { $isUpload = true; - if ( !$user->isAllowed( 'importupload' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'importupload' ) ) { $this->dieWithError( 'apierror-cantimport-upload' ); } $source = ImportStreamSource::newFromUpload( 'xml' ); diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php index 554ab6a285..6b9e4ac541 100644 --- a/includes/api/ApiMain.php +++ b/includes/api/ApiMain.php @@ -1410,8 +1410,8 @@ class ApiMain extends ApiBase { */ protected function checkExecutePermissions( $module ) { $user = $this->getUser(); - if ( $module->isReadMode() && !User::isEveryoneAllowed( 'read' ) && - !$user->isAllowed( 'read' ) + if ( $module->isReadMode() && !$this->getPermissionManager()->isEveryoneAllowed( 'read' ) && + !$this->getPermissionManager()->userHasRight( $user, 'read' ) ) { $this->dieWithError( 'apierror-readapidenied' ); } @@ -1419,7 +1419,7 @@ class ApiMain extends ApiBase { if ( $module->isWriteMode() ) { if ( !$this->mEnableWrite ) { $this->dieWithError( 'apierror-noapiwrite' ); - } elseif ( !$user->isAllowed( 'writeapi' ) ) { + } elseif ( !$this->getPermissionManager()->userHasRight( $user, 'writeapi' ) ) { $this->dieWithError( 'apierror-writeapidenied' ); } elseif ( $this->getRequest()->getHeader( 'Promise-Non-Write-API-Action' ) ) { $this->dieWithError( 'apierror-promised-nonwrite-api' ); 
@@ -1504,7 +1504,7 @@ class ApiMain extends ApiBase { } break; case 'bot': - if ( !$user->isAllowed( 'bot' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'bot' ) ) { $this->dieWithError( 'apierror-assertbotfailed' ); } break; @@ -2052,7 +2052,8 @@ class ApiMain extends ApiBase { */ public function canApiHighLimits() { if ( !isset( $this->mCanApiHighLimits ) ) { - $this->mCanApiHighLimits = $this->getUser()->isAllowed( 'apihighlimits' ); + $this->mCanApiHighLimits = $this->getPermissionManager() + ->userHasRight( $this->getUser(), 'apihighlimits' ); } return $this->mCanApiHighLimits; diff --git a/includes/api/ApiManageTags.php b/includes/api/ApiManageTags.php index 42de161018..6cd717a680 100644 --- a/includes/api/ApiManageTags.php +++ b/includes/api/ApiManageTags.php @@ -31,10 +31,10 @@ class ApiManageTags extends ApiBase { // make sure the user is allowed if ( $params['operation'] !== 'delete' - && !$this->getUser()->isAllowed( 'managechangetags' ) + && !$this->getPermissionManager()->userHasRight( $user, 'managechangetags' ) ) { $this->dieWithError( 'tags-manage-no-permission', 'permissiondenied' ); - } elseif ( !$this->getUser()->isAllowed( 'deletechangetags' ) ) { + } elseif ( !$this->getPermissionManager()->userHasRight( $user, 'deletechangetags' ) ) { $this->dieWithError( 'tags-delete-no-permission', 'permissiondenied' ); } diff --git a/includes/api/ApiMove.php b/includes/api/ApiMove.php index 540860b3a9..01f8ba9daf 100644 --- a/includes/api/ApiMove.php +++ b/includes/api/ApiMove.php 
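Review bot: In `ApiManageTags.php`, the `elseif` that checks `deletechangetags` is still not limited to the delete operation, so a caller who holds `managechangetags` and requests any non-delete operation falls through to it and is refused with `tags-delete-no-permission` unless they also hold `deletechangetags`. The commit carries this chain over unchanged apart from the new call. Restricting the second branch makes each operation require only its own right: `} elseif ( $params['operation'] === 'delete' && !$this->getPermissionManager()->userHasRight( $user, 'deletechangetags' ) ) {`. The new lines also read `$user` where the old ones called `$this->getUser()`; its assignment is outside the hunk and worth confirming.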
@@ -63,9 +63,10 @@ class ApiMove extends ApiBase { && !RepoGroup::singleton()->getLocalRepo()->findFile( $toTitle ) && MediaWikiServices::getInstance()->getRepoGroup()->findFile( $toTitle ) ) { - if ( !$params['ignorewarnings'] && $user->isAllowed( 'reupload-shared' ) ) { + if ( !$params['ignorewarnings'] && + $this->getPermissionManager()->userHasRight( $user, 'reupload-shared' ) ) { $this->dieWithError( 'apierror-fileexists-sharedrepo-perm' ); - } elseif ( !$user->isAllowed( 'reupload-shared' ) ) { + } elseif ( !$this->getPermissionManager()->userHasRight( $user, 'reupload-shared' ) ) { $this->dieWithError( 'apierror-cantoverwrite-sharedfile' ); } } @@ -185,7 +186,7 @@ class ApiMove extends ApiBase { } // Check suppressredirect permission - if ( !$user->isAllowed( 'suppressredirect' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'suppressredirect' ) ) { $createRedirect = true; } diff --git a/includes/api/ApiPageSet.php b/includes/api/ApiPageSet.php index 6b24b6347a..1b588650f0 100644 --- a/includes/api/ApiPageSet.php +++ b/includes/api/ApiPageSet.php @@ -971,7 +971,8 @@ class ApiPageSet extends ApiBase { // If the user can see deleted revisions, pull out the corresponding // titles from the archive table and include them too. We ignore // ar_page_id because deleted revisions are tied by title, not page_id. - if ( $goodRemaining && $this->getUser()->isAllowed( 'deletedhistory' ) ) { + if ( $goodRemaining && + $this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) { $tables = [ 'archive' ]; $fields = [ 'ar_rev_id', 'ar_namespace', 'ar_title' ]; $where = [ 'ar_rev_id' => array_keys( $goodRemaining ) ]; diff --git a/includes/api/ApiQueryAllDeletedRevisions.php b/includes/api/ApiQueryAllDeletedRevisions.php index 85ca6480f1..4eead4c1f6 100644 --- a/includes/api/ApiQueryAllDeletedRevisions.php +++ b/includes/api/ApiQueryAllDeletedRevisions.php 
@@ -237,7 +237,7 @@ class ApiQueryAllDeletedRevisions extends ApiQueryRevisionsBase { // Paranoia: avoid brute force searches (T19342) // (shouldn't be able to get here without 'deletedhistory', but // check it again just in case) - if ( !$user->isAllowed( 'deletedhistory' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; diff --git a/includes/api/ApiQueryAllRevisions.php b/includes/api/ApiQueryAllRevisions.php index 050bc0f81e..17a6e00090 100644 --- a/includes/api/ApiQueryAllRevisions.php +++ b/includes/api/ApiQueryAllRevisions.php @@ -154,7 +154,7 @@ class ApiQueryAllRevisions extends ApiQueryRevisionsBase { if ( $params['user'] !== null || $params['excludeuser'] !== null ) { // Paranoia: avoid brute force searches (T19342) - if ( !$this->getUser()->isAllowed( 'deletedhistory' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; } elseif ( !$this->getUser()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; diff --git a/includes/api/ApiQueryBase.php b/includes/api/ApiQueryBase.php index 50ca99a45d..846a8b134b 100644 --- a/includes/api/ApiQueryBase.php +++ b/includes/api/ApiQueryBase.php @@ -460,7 +460,7 @@ abstract class ApiQueryBase extends ApiBase { $this->addJoinConds( $joinConds ); // Don't show hidden names - if ( !$this->getUser()->isAllowed( 'hideuser' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'hideuser' ) ) { $this->addWhere( 'ipb_deleted = 0 OR ipb_deleted IS NULL' ); } } diff --git a/includes/api/ApiQueryBlocks.php b/includes/api/ApiQueryBlocks.php index 5615f46213..c5a8d0825f 100644 
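Review bot: In the ApiQueryAllDeletedRevisions hunk the first branch now asks PermissionManager for 'deletedhistory', but the next branch still calls `$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' )`, so one visibility decision about suppressed user names is answered by two permission sources. The same split remains in the ApiQueryAllRevisions, ApiQueryDeletedRevisions, ApiQueryDeletedrevs, ApiQueryFilearchive, ApiQueryLogEvents, ApiQueryRecentChanges, ApiQueryRevisions and ApiQueryUserContribs hunks. If the two sources ever disagree (for example under an override applied only through PermissionManager, which needs verifying), the second branch could select the less restrictive bitmask. Either convert the branch in this change, e.g. `} elseif ( !$pm->userHasRight( $user, 'suppressrevision' ) && !$pm->userHasRight( $user, 'viewsuppressed' ) ) {` with `$pm = $this->getPermissionManager();`, or leave a `// TODO: move isAllowedAny to PermissionManager` comment so the leftover is tracked.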
--- a/includes/api/ApiQueryBlocks.php +++ b/includes/api/ApiQueryBlocks.php @@ -176,7 +176,7 @@ class ApiQueryBlocks extends ApiQueryBase { $this->addWhereIf( 'ipb_range_end > ipb_range_start', isset( $show['range'] ) ); } - if ( !$this->getUser()->isAllowed( 'hideuser' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'hideuser' ) ) { $this->addWhereFld( 'ipb_deleted', 0 ); } diff --git a/includes/api/ApiQueryDeletedRevisions.php b/includes/api/ApiQueryDeletedRevisions.php index bbb987f760..ac12b472f0 100644 --- a/includes/api/ApiQueryDeletedRevisions.php +++ b/includes/api/ApiQueryDeletedRevisions.php @@ -132,7 +132,7 @@ class ApiQueryDeletedRevisions extends ApiQueryRevisionsBase { // Paranoia: avoid brute force searches (T19342) // (shouldn't be able to get here without 'deletedhistory', but // check it again just in case) - if ( !$user->isAllowed( 'deletedhistory' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; diff --git a/includes/api/ApiQueryDeletedrevs.php b/includes/api/ApiQueryDeletedrevs.php index a6366f2c8d..aa88a51353 100644 --- a/includes/api/ApiQueryDeletedrevs.php +++ b/includes/api/ApiQueryDeletedrevs.php @@ -67,7 +67,7 @@ class ApiQueryDeletedrevs extends ApiQueryBase { } // If user can't undelete, no tokens - if ( !$user->isAllowed( 'undelete' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'undelete' ) ) { $fld_token = false; } 
@@ -197,7 +197,7 @@ class ApiQueryDeletedrevs extends ApiQueryBase { // Paranoia: avoid brute force searches (T19342) // (shouldn't be able to get here without 'deletedhistory', but // check it again just in case) - if ( !$user->isAllowed( 'deletedhistory' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; diff --git a/includes/api/ApiQueryFilearchive.php b/includes/api/ApiQueryFilearchive.php index 8e464d0195..fe484a81cc 100644 --- a/includes/api/ApiQueryFilearchive.php +++ b/includes/api/ApiQueryFilearchive.php @@ -114,7 +114,7 @@ class ApiQueryFilearchive extends ApiQueryBase { } // Exclude files this user can't view. - if ( !$user->isAllowed( 'deletedtext' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedtext' ) ) { $bitmask = File::DELETED_FILE; } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = File::DELETED_FILE | File::DELETED_RESTRICTED; diff --git a/includes/api/ApiQueryInfo.php b/includes/api/ApiQueryInfo.php index 90f1340eb5..50bd63f696 100644 --- a/includes/api/ApiQueryInfo.php +++ b/includes/api/ApiQueryInfo.php @@ -135,7 +135,8 @@ class ApiQueryInfo extends ApiQueryBase { // but that's too expensive for this purpose // and would break caching global $wgUser; - if ( !$wgUser->isAllowed( 'edit' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $wgUser, 'edit' ) ) { return false; } @@ -152,7 +153,8 @@ class ApiQueryInfo extends ApiQueryBase { */ public static function getDeleteToken( $pageid, $title ) { global $wgUser; - if ( !$wgUser->isAllowed( 'delete' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $wgUser, 'delete' ) ) { return false; } 
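Review bot: The static token callbacks in ApiQueryInfo, starting with the 'edit' check here, now reference `MediaWikiServices` by its short name, yet no hunk for this file adds `use MediaWiki\MediaWikiServices;`, unlike AbstractBlock.php and RecentChange.php where the commit adds it. The top of the file is outside these hunks, so the import may already be there; confirm it, because a missing import would make the permission check a fatal error instead of returning false. The same applies to the ApiQueryRevisions, ChangeTags and DifferenceEngine hunks. Since the same lookup is repeated in five callbacks on `$wgUser`, a short comment such as `// Static callback: no context available, fall back to the global service container` would explain why these do not use `$this->getPermissionManager()`.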
@@ -169,7 +171,8 @@ class ApiQueryInfo extends ApiQueryBase { */ public static function getProtectToken( $pageid, $title ) { global $wgUser; - if ( !$wgUser->isAllowed( 'protect' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $wgUser, 'protect' ) ) { return false; } @@ -186,7 +189,8 @@ class ApiQueryInfo extends ApiQueryBase { */ public static function getMoveToken( $pageid, $title ) { global $wgUser; - if ( !$wgUser->isAllowed( 'move' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $wgUser, 'move' ) ) { return false; } @@ -203,7 +207,8 @@ class ApiQueryInfo extends ApiQueryBase { */ public static function getBlockToken( $pageid, $title ) { global $wgUser; - if ( !$wgUser->isAllowed( 'block' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $wgUser, 'block' ) ) { return false; } @@ -808,7 +813,7 @@ class ApiQueryInfo extends ApiQueryBase { $user = $this->getUser(); if ( $user->isAnon() || count( $this->everything ) == 0 - || !$user->isAllowed( 'viewmywatchlist' ) + || !$this->getPermissionManager()->userHasRight( $user, 'viewmywatchlist' ) ) { return; } @@ -843,7 +848,7 @@ class ApiQueryInfo extends ApiQueryBase { } $user = $this->getUser(); - $canUnwatchedpages = $user->isAllowed( 'unwatchedpages' ); + $canUnwatchedpages = $this->getPermissionManager()->userHasRight( $user, 'unwatchedpages' ); $unwatchedPageThreshold = $this->getConfig()->get( 'UnwatchedPageThreshold' ); if ( !$canUnwatchedpages && !is_int( $unwatchedPageThreshold ) ) { return; 
@@ -873,7 +878,7 @@ class ApiQueryInfo extends ApiQueryBase { $user = $this->getUser(); $db = $this->getDB(); - $canUnwatchedpages = $user->isAllowed( 'unwatchedpages' ); + $canUnwatchedpages = $this->getPermissionManager()->userHasRight( $user, 'unwatchedpages' ); $unwatchedPageThreshold = $this->getConfig()->get( 'UnwatchedPageThreshold' ); if ( !$canUnwatchedpages && !is_int( $unwatchedPageThreshold ) ) { return; diff --git a/includes/api/ApiQueryLogEvents.php b/includes/api/ApiQueryLogEvents.php index 962d956130..c995ec5e8f 100644 --- a/includes/api/ApiQueryLogEvents.php +++ b/includes/api/ApiQueryLogEvents.php @@ -220,7 +220,7 @@ class ApiQueryLogEvents extends ApiQueryBase { // Paranoia: avoid brute force searches (T19342) if ( $params['namespace'] !== null || !is_null( $title ) || !is_null( $user ) ) { - if ( !$this->getUser()->isAllowed( 'deletedhistory' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) { $titleBits = LogPage::DELETED_ACTION; $userBits = LogPage::DELETED_USER; } elseif ( !$this->getUser()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { diff --git a/includes/api/ApiQueryRecentChanges.php b/includes/api/ApiQueryRecentChanges.php index f5952e3c18..a74faf2f04 100644 --- a/includes/api/ApiQueryRecentChanges.php +++ b/includes/api/ApiQueryRecentChanges.php @@ -361,7 +361,7 @@ class ApiQueryRecentChanges extends ApiQueryGeneratorBase { // Paranoia: avoid brute force searches (T19342) if ( !is_null( $params['user'] ) || !is_null( $params['excludeuser'] ) ) { - if ( !$user->isAllowed( 'deletedhistory' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; 
@@ -374,7 +374,7 @@ class ApiQueryRecentChanges extends ApiQueryGeneratorBase { } if ( $this->getRequest()->getCheck( 'namespace' ) ) { // LogPage::DELETED_ACTION hides the affected page, too. - if ( !$user->isAllowed( 'deletedhistory' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { $bitmask = LogPage::DELETED_ACTION; } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = LogPage::DELETED_ACTION | LogPage::DELETED_RESTRICTED; diff --git a/includes/api/ApiQueryRevisions.php b/includes/api/ApiQueryRevisions.php index fe3ae87d52..3a06e3691d 100644 --- a/includes/api/ApiQueryRevisions.php +++ b/includes/api/ApiQueryRevisions.php @@ -76,7 +76,8 @@ class ApiQueryRevisions extends ApiQueryRevisionsBase { */ public static function getRollbackToken( $pageid, $title, $rev ) { global $wgUser; - if ( !$wgUser->isAllowed( 'rollback' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $wgUser, 'rollback' ) ) { return false; } @@ -332,7 +333,7 @@ class ApiQueryRevisions extends ApiQueryRevisionsBase { } if ( $params['user'] !== null || $params['excludeuser'] !== null ) { // Paranoia: avoid brute force searches (T19342) - if ( !$this->getUser()->isAllowed( 'deletedhistory' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; } elseif ( !$this->getUser()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; diff --git a/includes/api/ApiQueryUserContribs.php b/includes/api/ApiQueryUserContribs.php index 379f1afd39..cfefcb283c 100644 --- a/includes/api/ApiQueryUserContribs.php +++ b/includes/api/ApiQueryUserContribs.php 
@@ -408,7 +408,7 @@ class ApiQueryUserContribs extends ApiQueryBase { // Don't include any revisions where we're not supposed to be able to // see the username. $user = $this->getUser(); - if ( !$user->isAllowed( 'deletedhistory' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; } elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; diff --git a/includes/api/ApiQueryUserInfo.php b/includes/api/ApiQueryUserInfo.php index ba7280da10..e058e5d8de 100644 --- a/includes/api/ApiQueryUserInfo.php +++ b/includes/api/ApiQueryUserInfo.php @@ -180,7 +180,7 @@ class ApiQueryUserInfo extends ApiQueryBase { if ( isset( $this->prop['preferencestoken'] ) && !$this->lacksSameOriginSecurity() && - $user->isAllowed( 'editmyoptions' ) + $this->getPermissionManager()->userHasRight( $user, 'editmyoptions' ) ) { $vals['preferencestoken'] = $user->getEditToken( '', $this->getMain()->getRequest() ); } @@ -201,7 +201,8 @@ class ApiQueryUserInfo extends ApiQueryBase { $vals['realname'] = $user->getRealName(); } - if ( $user->isAllowed( 'viewmyprivateinfo' ) && isset( $this->prop['email'] ) ) { + if ( $this->getPermissionManager()->userHasRight( $user, 'viewmyprivateinfo' ) && + isset( $this->prop['email'] ) ) { $vals['email'] = $user->getEmail(); $auth = $user->getEmailAuthenticationTimestamp(); if ( $auth !== null ) { diff --git a/includes/api/ApiUnblock.php b/includes/api/ApiUnblock.php index 5cef194f36..0718ac82c3 100644 --- a/includes/api/ApiUnblock.php +++ b/includes/api/ApiUnblock.php 
@@ -41,7 +41,7 @@ class ApiUnblock extends ApiBase { $this->requireOnlyOneParameter( $params, 'id', 'user', 'userid' ); - if ( !$user->isAllowed( 'block' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $user, 'block' ) ) { $this->dieWithError( 'apierror-permissiondenied-unblock', 'permissiondenied' ); } # T17810: blocked admins should have limited access here diff --git a/includes/api/ApiUserrights.php b/includes/api/ApiUserrights.php index 8f3c404116..89ec6cbdbc 100644 --- a/includes/api/ApiUserrights.php +++ b/includes/api/ApiUserrights.php @@ -51,7 +51,7 @@ class ApiUserrights extends ApiBase { // Deny if the user is blocked and doesn't have the full 'userrights' permission. // This matches what Special:UserRights does for the web UI. - if ( !$pUser->isAllowed( 'userrights' ) ) { + if ( !$this->getPermissionManager()->userHasRight( $pUser, 'userrights' ) ) { $block = $pUser->getBlock(); if ( $block && $block->isSitewide() ) { $this->dieBlocked( $block ); diff --git a/includes/block/AbstractBlock.php b/includes/block/AbstractBlock.php index f6544040bb..9ad753498b 100644 --- a/includes/block/AbstractBlock.php +++ b/includes/block/AbstractBlock.php @@ -23,6 +23,7 @@ namespace MediaWiki\Block; use IContextSource; use InvalidArgumentException; use IP; +use MediaWiki\MediaWikiServices; use RequestContext; use Title; use User; @@ -279,8 +280,9 @@ abstract class AbstractBlock { if ( !$res && $blockDisablesLogin ) { // If a block would disable login, then it should // prevent any right that all users cannot do + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); $anon = new User; - $res = $anon->isAllowed( $right ) ? $res : true; + $res = $permissionManager->userHasRight( $anon, $right ) ? $res : true; } return $res; 
@@ -339,8 +341,9 @@ abstract class AbstractBlock { if ( !$res && $blockDisablesLogin ) { // If a block would disable login, then it should // prevent any action that all users cannot do + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); $anon = new User; - $res = $anon->isAllowed( $action ) ? $res : true; + $res = $permissionManager->userHasRight( $anon, $action ) ? $res : true; } return $res; diff --git a/includes/block/BlockManager.php b/includes/block/BlockManager.php index b67703cab1..a42f095b26 100644 --- a/includes/block/BlockManager.php +++ b/includes/block/BlockManager.php @@ -24,6 +24,7 @@ use DateTime; use DeferredUpdates; use IP; use MediaWiki\Config\ServiceOptions; +use MediaWiki\Permissions\PermissionManager; use MediaWiki\User\UserIdentity; use MWCryptHash; use User; @@ -45,6 +46,9 @@ class BlockManager { /** @var WebRequest */ private $currentRequest; + /** @var PermissionManager */ + private $permissionManager; + /** * TODO Make this a const when HHVM support is dropped (T192166) * @@ -67,16 +71,19 @@ class BlockManager { * @param ServiceOptions $options * @param User $currentUser * @param WebRequest $currentRequest + * @param PermissionManager $permissionManager */ public function __construct( ServiceOptions $options, User $currentUser, - WebRequest $currentRequest + WebRequest $currentRequest, + PermissionManager $permissionManager ) { $options->assertRequiredOptions( self::$constructorOptions ); $this->options = $options; $this->currentUser = $currentUser; $this->currentRequest = $currentRequest; + $this->permissionManager = $permissionManager; } /** 
@@ -110,7 +117,8 @@ class BlockManager { $globalUserName = $sessionUser->isSafeToLoad() ? $sessionUser->getName() : IP::sanitizeIP( $this->currentRequest->getIP() ); - if ( $user->getName() === $globalUserName && !$user->isAllowed( 'ipblock-exempt' ) ) { + if ( $user->getName() === $globalUserName && + !$this->permissionManager->userHasRight( $user, 'ipblock-exempt' ) ) { $ip = $this->currentRequest->getIP(); } diff --git a/includes/changes/RecentChange.php b/includes/changes/RecentChange.php index 95c9fa6c63..c3b472845e 100644 --- a/includes/changes/RecentChange.php +++ b/includes/changes/RecentChange.php @@ -20,6 +20,7 @@ * @file */ use MediaWiki\ChangeTags\Taggable; +use MediaWiki\MediaWikiServices; /** * Utility class for creating new RC entries @@ -608,8 +609,9 @@ class RecentChange implements Taggable { } // Users without the 'autopatrol' right can't patrol their // own revisions - if ( $user->getName() === $this->getAttribute( 'rc_user_text' ) - && !$user->isAllowed( 'autopatrol' ) + if ( $user->getName() === $this->getAttribute( 'rc_user_text' ) && + !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $user, 'autopatrol' ) ) { $errors[] = [ 'markedaspatrollederror-noautopatrol' ]; } @@ -857,6 +859,7 @@ class RecentChange implements Taggable { $type, $action, $target, $logComment, $params, $newId = 0, $actionCommentIRC = '', $revId = 0, $isPatrollable = false ) { global $wgRequest; + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); # # Get pageStatus for email notification switch ( $type . '-' . $action ) { @@ -881,7 +884,8 @@ class RecentChange implements Taggable { } // Allow unpatrolled status for patrollable log entries - $markPatrolled = $isPatrollable ? $user->isAllowed( 'autopatrol' ) : true; + $canAutopatrol = $permissionManager->userHasRight( $user, 'autopatrol' ); + $markPatrolled = $isPatrollable ? $canAutopatrol : true; $rc = new RecentChange; $rc->mTitle = $target; 
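Review bot: In the RecentChange hunk at -881 the 'autopatrol' lookup moved out of the ternary into `$canAutopatrol`, so it now runs for every log entry even when `$isPatrollable` is false, where the old expression only asked when needed. `$markPatrolled = !$isPatrollable || $permissionManager->userHasRight( $user, 'autopatrol' );` keeps the lookup lazy and drops the extra local. The enclosing function starts and ends outside the hunk.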
@@ -902,7 +906,8 @@ class RecentChange implements Taggable { 'rc_comment_data' => null, 'rc_this_oldid' => $revId, 'rc_last_oldid' => 0, - 'rc_bot' => $user->isAllowed( 'bot' ) ? (int)$wgRequest->getBool( 'bot', true ) : 0, + 'rc_bot' => $permissionManager->userHasRight( $user, 'bot' ) ? + (int)$wgRequest->getBool( 'bot', true ) : 0, 'rc_ip' => self::checkIPAddress( $ip ), 'rc_patrolled' => $markPatrolled ? self::PRC_AUTOPATROLLED : self::PRC_UNPATROLLED, 'rc_new' => 0, # obsolete diff --git a/includes/changetags/ChangeTags.php b/includes/changetags/ChangeTags.php index 0f6e2323d9..30c2f7a428 100644 --- a/includes/changetags/ChangeTags.php +++ b/includes/changetags/ChangeTags.php @@ -520,7 +520,9 @@ class ChangeTags { */ public static function canAddTagsAccompanyingChange( array $tags, User $user = null ) { if ( !is_null( $user ) ) { - if ( !$user->isAllowed( 'applychangetags' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $user, 'applychangetags' ) + ) { return Status::newFatal( 'tags-apply-no-permission' ); } elseif ( $user->getBlock() ) { // @TODO Ensure that the block does not apply to the `applychangetags` @@ -595,7 +597,9 @@ class ChangeTags { User $user = null ) { if ( !is_null( $user ) ) { - if ( !$user->isAllowed( 'changetags' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $user, 'changetags' ) + ) { return Status::newFatal( 'tags-update-no-permission' ); } elseif ( $user->getBlock() ) { // @TODO Ensure that the block does not apply to the `changetags` 
@@ -1015,7 +1019,9 @@ class ChangeTags { */ public static function canActivateTag( $tag, User $user = null ) { if ( !is_null( $user ) ) { - if ( !$user->isAllowed( 'managechangetags' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $user, 'managechangetags' ) + ) { return Status::newFatal( 'tags-manage-no-permission' ); } elseif ( $user->getBlock() ) { // @TODO Ensure that the block does not apply to the `managechangetags` @@ -1089,7 +1095,9 @@ class ChangeTags { */ public static function canDeactivateTag( $tag, User $user = null ) { if ( !is_null( $user ) ) { - if ( !$user->isAllowed( 'managechangetags' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $user, 'managechangetags' ) + ) { return Status::newFatal( 'tags-manage-no-permission' ); } elseif ( $user->getBlock() ) { // @TODO Ensure that the block does not apply to the `managechangetags` @@ -1188,7 +1196,9 @@ class ChangeTags { */ public static function canCreateTag( $tag, User $user = null ) { if ( !is_null( $user ) ) { - if ( !$user->isAllowed( 'managechangetags' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $user, 'managechangetags' ) + ) { return Status::newFatal( 'tags-manage-no-permission' ); } elseif ( $user->getBlock() ) { // @TODO Ensure that the block does not apply to the `managechangetags` @@ -1308,7 +1318,9 @@ class ChangeTags { $tagUsage = self::tagUsageStatistics(); if ( !is_null( $user ) ) { - if ( !$user->isAllowed( 'deletechangetags' ) ) { + if ( !MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $user, 'deletechangetags' ) + ) { return Status::newFatal( 'tags-delete-no-permission' ); } elseif ( $user->getBlock() ) { // @TODO Ensure that the block does not apply to the `deletechangetags` 
@@ -1566,6 +1578,8 @@ class ChangeTags { * @return bool */ public static function showTagEditingUI( User $user ) { - return $user->isAllowed( 'changetags' ) && (bool)self::listExplicitlyDefinedTags(); + return MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $user, 'changetags' ) && + (bool)self::listExplicitlyDefinedTags(); } } diff --git a/includes/diff/DifferenceEngine.php b/includes/diff/DifferenceEngine.php index 841daea195..1d3b402076 100644 --- a/includes/diff/DifferenceEngine.php +++ b/includes/diff/DifferenceEngine.php @@ -401,7 +401,8 @@ class DifferenceEngine extends ContextSource { * @return string|bool Link HTML or false */ public function deletedLink( $id ) { - if ( $this->getUser()->isAllowed( 'deletedhistory' ) ) { + $permissionManager = MediaWikiServices::getInstance()->getPermissionManager(); + if ( $permissionManager->userHasRight( $this->getUser(), 'deletedhistory' ) ) { $dbr = wfGetDB( DB_REPLICA ); $arQuery = Revision::getArchiveQueryInfo(); $row = $dbr->selectRow( @@ -803,7 +804,8 @@ class DifferenceEngine extends ContextSource { // Build the link if ( $rcid ) { $this->getOutput()->preventClickjacking(); - if ( $user->isAllowed( 'writeapi' ) ) { + if ( MediaWikiServices::getInstance()->getPermissionManager() + ->userHasRight( $user, 'writeapi' ) ) { $this->getOutput()->addModules( 'mediawiki.page.patrol.ajax' ); } diff --git a/tests/phpunit/includes/actions/WatchActionTest.php b/tests/phpunit/includes/actions/WatchActionTest.php index cdd7576e10..6244ed6ebf 100644 --- a/tests/phpunit/includes/actions/WatchActionTest.php +++ b/tests/phpunit/includes/actions/WatchActionTest.php 
@@ -166,34 +166,30 @@ class WatchActionTest extends MediaWikiTestCase { /** * @covers WatchAction::doWatch() + * @throws Exception */ public function testDoWatchNoCheckRights() { - $notPermittedUser = $this->getMock( User::class ); - $notPermittedUser->method( 'isAllowed' )->willReturn( false ); - + $notPermittedUser = $this->getUser( null, null, [] ); $actual = WatchAction::doWatch( $this->testWikiPage->getTitle(), $notPermittedUser, false ); - $this->assertTrue( $actual->isGood() ); } /** * @covers WatchAction::doWatch() + * @throws Exception */ public function testDoWatchUserNotPermittedStatusNotGood() { - $notPermittedUser = $this->getMock( User::class ); - $notPermittedUser->method( 'isAllowed' )->willReturn( false ); - + $notPermittedUser = $this->getUser( null, null, [] ); $actual = WatchAction::doWatch( $this->testWikiPage->getTitle(), $notPermittedUser, true ); - $this->assertFalse( $actual->isGood() ); } /** * @covers WatchAction::doWatch() + * @throws Exception */ public function testDoWatchCallsUserAddWatch() { - $permittedUser = $this->getMock( User::class ); - $permittedUser->method( 'isAllowed' )->willReturn( true ); + $permittedUser = $this->getUser( null, null, [ 'editmywatchlist' ] ); $permittedUser->expects( $this->once() ) ->method( 'addWatch' ) ->with( $this->equalTo( $this->testWikiPage->getTitle() ), $this->equalTo( true ) ); @@ -205,11 +201,10 @@ class WatchActionTest extends MediaWikiTestCase { /** * @covers WatchAction::doUnWatch() + * @throws Exception */ public function testDoUnWatchWithoutRights() { - $notPermittedUser = $this->getMock( User::class ); - $notPermittedUser->method( 'isAllowed' )->willReturn( false ); - + $notPermittedUser = $this->getUser( null, null, [] ); $actual = WatchAction::doUnWatch( $this->testWikiPage->getTitle(), $notPermittedUser ); $this->assertFalse( $actual->isGood() ); 
@@ -219,8 +214,7 @@ class WatchActionTest extends MediaWikiTestCase { * @covers WatchAction::doUnWatch() */ public function testDoUnWatchUserHookAborted() { - $permittedUser = $this->getMock( User::class ); - $permittedUser->method( 'isAllowed' )->willReturn( true ); + $permittedUser = $this->getUser( null, null, [ 'editmywatchlist' ] ); Hooks::register( 'UnwatchArticle', function () { return false; } ); @@ -235,10 +229,10 @@ class WatchActionTest extends MediaWikiTestCase { /** * @covers WatchAction::doUnWatch() + * @throws Exception */ public function testDoUnWatchCallsUserRemoveWatch() { - $permittedUser = $this->getMock( User::class ); - $permittedUser->method( 'isAllowed' )->willReturn( true ); + $permittedUser = $this->getUser( null, null, [ 'editmywatchlist' ] ); $permittedUser->expects( $this->once() ) ->method( 'removeWatch' ) ->with( $this->equalTo( $this->testWikiPage->getTitle() ) ); @@ -250,9 +244,10 @@ class WatchActionTest extends MediaWikiTestCase { /** * @covers WatchAction::getWatchToken() + * @throws Exception */ public function testGetWatchTokenNormalizesToWatch() { - $user = $this->getMock( User::class ); + $user = $this->getUser( null, null ); $user->expects( $this->once() ) ->method( 'getEditToken' ) ->with( $this->equalTo( 'watch' ) ); @@ -262,9 +257,10 @@ class WatchActionTest extends MediaWikiTestCase { /** * @covers WatchAction::getWatchToken() + * @throws Exception */ public function testGetWatchTokenProxiesUserGetEditToken() { - $user = $this->getMock( User::class ); + $user = $this->getUser( null, null ); $user->expects( $this->once() )->method( 'getEditToken' ); WatchAction::getWatchToken( $this->watchAction->getTitle(), $user ); 
@@ -272,9 +268,10 @@ class WatchActionTest extends MediaWikiTestCase { /** * @covers WatchAction::doWatchOrUnwatch() + * @throws Exception */ public function testDoWatchOrUnwatchUserNotLoggedIn() { - $user = $this->getLoggedInIsWatchedUser( false ); + $user = $this->getUser( false ); $user->expects( $this->never() )->method( 'removeWatch' ); $user->expects( $this->never() )->method( 'addWatch' ); @@ -285,9 +282,10 @@ class WatchActionTest extends MediaWikiTestCase { /** * @covers WatchAction::doWatchOrUnwatch() + * @throws Exception */ public function testDoWatchOrUnwatchSkipsIfAlreadyWatched() { - $user = $this->getLoggedInIsWatchedUser(); + $user = $this->getUser(); $user->expects( $this->never() )->method( 'removeWatch' ); $user->expects( $this->never() )->method( 'addWatch' ); @@ -298,9 +296,10 @@ class WatchActionTest extends MediaWikiTestCase { /** * @covers WatchAction::doWatchOrUnwatch() + * @throws Exception */ public function testDoWatchOrUnwatchSkipsIfAlreadyUnWatched() { - $user = $this->getLoggedInIsWatchedUser( true, false ); + $user = $this->getUser( true, false ); $user->expects( $this->never() )->method( 'removeWatch' ); $user->expects( $this->never() )->method( 'addWatch' ); @@ -311,9 +310,10 @@ class WatchActionTest extends MediaWikiTestCase { /** * @covers WatchAction::doWatchOrUnwatch() + * @throws Exception */ public function testDoWatchOrUnwatchWatchesIfWatch() { - $user = $this->getLoggedInIsWatchedUser( true, false ); + $user = $this->getUser( true, false ); $user->expects( $this->never() )->method( 'removeWatch' ); $user->expects( $this->once() ) ->method( 'addWatch' ) 
@@ -326,10 +326,10 @@ class WatchActionTest extends MediaWikiTestCase { /** * @covers WatchAction::doWatchOrUnwatch() + * @throws Exception */ public function testDoWatchOrUnwatchUnwatchesIfUnwatch() { - $user = $this->getLoggedInIsWatchedUser(); - $user->method( 'isAllowed' )->willReturn( true ); + $user = $this->getUser( true, true, [ 'editmywatchlist' ] ); $user->expects( $this->never() )->method( 'addWatch' ); $user->expects( $this->once() ) ->method( 'removeWatch' ) @@ -343,13 +343,20 @@ class WatchActionTest extends MediaWikiTestCase { /** * @param bool $isLoggedIn Whether the user should be "marked" as logged in * @param bool $isWatched The value any call to isWatched should return + * @param array $permissions The permissions of the user * @return PHPUnit_Framework_MockObject_MockObject + * @throws Exception */ - private function getLoggedInIsWatchedUser( $isLoggedIn = true, $isWatched = true ) { + private function getUser( + $isLoggedIn = true, + $isWatched = true, + $permissions = [] + ) { $user = $this->getMock( User::class ); + $user->method( 'getId' )->willReturn( 42 ); $user->method( 'isLoggedIn' )->willReturn( $isLoggedIn ); $user->method( 'isWatched' )->willReturn( $isWatched ); - + $this->overrideUserPermissions( $user, $permissions ); return $user; } diff --git a/tests/phpunit/includes/block/BlockManagerTest.php b/tests/phpunit/includes/block/BlockManagerTest.php index f42777c503..97ef528db5 100644 --- a/tests/phpunit/includes/block/BlockManagerTest.php +++ b/tests/phpunit/includes/block/BlockManagerTest.php @@ -55,7 +55,8 @@ class BlockManagerTest extends MediaWikiTestCase { MediaWikiServices::getInstance()->getMainConfig() ), $this->user, - $this->user->getRequest() + $this->user->getRequest(), + MediaWikiServices::getInstance()->getPermissionManager() ]; } -- 2.20.1
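Review bot: The rewritten `getUser()` helper stubs `getId` to 42 unconditionally, so the mock built by `getUser( false )` for testDoWatchOrUnwatchUserNotLoggedIn reports a non-zero id while `isLoggedIn` returns false. Several callers also pass `null` for parameters the docblock declares as `bool`. Presumably the fixed id exists so that `overrideUserPermissions()` has a stable user to key on; if so, say that in a comment on the `getId` line, and widen the tags to `@param bool|null $isLoggedIn` and `@param bool|null $isWatched`. The docblock could also state that `$permissions` is the complete list of rights the mock holds, which is what makes `[]` mean "no rights" in the not-permitted tests.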