Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Replace User::isAllowed with PermissionManager.

Browse source 
Covers root includes, actions, api, block, changes,
changetags, diff and PermissionManager itself.

Bug: T220191
Change-Id: Ic027d32f5dd8f4c74865df0c8a9fcf91123c889c
This commit is contained in:
Petr Pchelko 2019-08-16 11:13:56 -07:00
parent 2479041060
commit 1d286560d2
43 changed files with 223 additions and 144 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
includes/AjaxDispatcher.php
View file

@ -114,6 +114,7 @@ class AjaxDispatcher {
return;
}
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
if ( !in_array( $this->func_name, $this->config->get( 'AjaxExportList' ) ) ) {
wfDebug( __METHOD__ . ' Bad Request for unknown function ' . $this->func_name . "\n" );
wfHttpError(
@ -121,7 +122,8 @@ class AjaxDispatcher {
'Bad Request',
"unknown function " . $this->func_name
);
} elseif ( !User::isEveryoneAllowed( 'read' ) && !$user->isAllowed( 'read' ) ) {
} elseif ( !$permissionManager->isEveryoneAllowed( 'read' ) &&
!$permissionManager->userHasRight( $user, 'read' ) ) {
wfHttpError(
403,
'Forbidden',

17
includes/EditPage.php
View file

@ -1593,7 +1593,8 @@ class EditPage {
// This is needed since PageUpdater no longer checks these rights!
// Allow bots to exempt some edits from bot flagging
$bot = $this->context->getUser()->isAllowed( 'bot' ) && $this->bot;
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
$bot = $permissionManager->userHasRight( $this->context->getUser(), 'bot' ) && $this->bot;
$status = $this->internalAttemptSave( $resultDetails, $bot );
Hooks::run( 'EditPage::attemptSave:after', [ $this, $status, $resultDetails ] );
@ -1870,6 +1871,7 @@ ERROR;
public function internalAttemptSave( &$result, $bot = false ) {
$status = Status::newGood();
$user = $this->context->getUser();
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
if ( !Hooks::run( 'EditPage::attemptSave', [ $this ] ) ) {
wfDebug( "Hook 'EditPage::attemptSave' aborted article saving\n" );
@ -1918,7 +1920,7 @@ ERROR;
# Check image redirect
if ( $this->mTitle->getNamespace() == NS_FILE &&
$textbox_content->isRedirect() &&
!$user->isAllowed( 'upload' )
!$permissionManager->userHasRight( $user, 'upload' )
) {
$code = $user->isAnon() ? self::AS_IMAGE_REDIRECT_ANON : self::AS_IMAGE_REDIRECT_LOGGED;
$status->setResult( false, $code );
@ -1968,7 +1970,7 @@ ERROR;
return $status;
}
if ( $user->isBlockedFrom( $this->mTitle ) ) {
if ( $permissionManager->isBlockedFrom( $user, $this->mTitle ) ) {
// Auto-block user's IP if the account was "hard" blocked
if ( !wfReadOnly() ) {
$user->spreadAnyEditBlock();
@ -1988,7 +1990,7 @@ ERROR;
return $status;
}
if ( !$user->isAllowed( 'edit' ) ) {
if ( !$permissionManager->userHasRight( $user, 'edit' ) ) {
if ( $user->isAnon() ) {
$status->setResult( false, self::AS_READ_ONLY_PAGE_ANON );
return $status;
@ -1999,15 +2001,13 @@ ERROR;
}
}
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
$changingContentModel = false;
if ( $this->contentModel !== $this->mTitle->getContentModel() ) {
if ( !$config->get( 'ContentHandlerUseDB' ) ) {
$status->fatal( 'editpage-cannot-use-custom-model' );
$status->value = self::AS_CANNOT_USE_CUSTOM_MODEL;
return $status;
} elseif ( !$user->isAllowed( 'editcontentmodel' ) ) {
} elseif ( !$permissionManager->userHasRight( $user, 'editcontentmodel' ) ) {
$status->setResult( false, self::AS_NO_CHANGE_CONTENT_MODEL );
return $status;
}
@ -4159,7 +4159,8 @@ ERROR;
$user = $this->context->getUser();
// don't show the minor edit checkbox if it's a new page or section
if ( !$this->isNew && $user->isAllowed( 'minoredit' ) ) {
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
if ( !$this->isNew && $permissionManager->userHasRight( $user, 'minoredit' ) ) {
$checkboxes['wpMinoredit'] = [
'id' => 'wpMinoredit',
'label-message' => 'minoredit',

9
includes/FileDeleteForm.php
View file

@ -79,7 +79,9 @@ class FileDeleteForm {
$this->oldimage = $wgRequest->getText( 'oldimage', false );
$token = $wgRequest->getText( 'wpEditToken' );
# Flag to hide all contents of the archived revisions
$suppress = $wgRequest->getCheck( 'wpSuppress' ) && $wgUser->isAllowed( 'suppressrevision' );
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
$suppress = $wgRequest->getCheck( 'wpSuppress' ) &&
$permissionManager->userHasRight( $wgUser, 'suppressrevision' );
if ( $this->oldimage ) {
$this->oldfile = RepoGroup::singleton()->getLocalRepo()->newFromArchiveName(
@ -245,6 +247,7 @@ class FileDeleteForm {
*/
private function showForm() {
global $wgOut, $wgUser, $wgRequest;
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
$wgOut->addModules( 'mediawiki.action.delete.file' );
@ -296,7 +299,7 @@ class FileDeleteForm {
]
);
if ( $wgUser->isAllowed( 'suppressrevision' ) ) {
if ( $permissionManager->userHasRight( $wgUser, 'suppressrevision' ) ) {
$fields[] = new OOUI\FieldLayout(
new OOUI\CheckboxInputWidget( [
'name' => 'wpSuppress',
@ -370,7 +373,7 @@ class FileDeleteForm {
] )
);
if ( $wgUser->isAllowed( 'editinterface' ) ) {
if ( $permissionManager->userHasRight( $wgUser, 'editinterface' ) ) {
$linkRenderer = MediaWikiServices::getInstance()->getLinkRenderer();
$link = $linkRenderer->makeKnownLink(
$wgOut->msg( 'filedelete-reason-dropdown' )->inContentLanguage()->getTitle(),

10
includes/Linker.php
View file

@ -978,7 +978,9 @@ class Linker {
$items[] = self::link( $contribsPage, wfMessage( 'contribslink' )->escaped(), $attribs );
}
if ( $blockable && $wgUser->isAllowed( 'block' ) ) {
$userCanBlock = MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $wgUser, 'block' );
if ( $blockable && $userCanBlock ) {
$items[] = self::blockLink( $userId, $userText );
}
@ -2103,8 +2105,10 @@ class Linker {
* @return string HTML fragment
*/
public static function getRevDeleteLink( User $user, Revision $rev, LinkTarget $title ) {
$canHide = $user->isAllowed( 'deleterevision' );
if ( !$canHide && !( $rev->getVisibility() && $user->isAllowed( 'deletedhistory' ) ) ) {
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
$canHide = $permissionManager->userHasRight( $user, 'deleterevision' );
$canHideHistory = $permissionManager->userHasRight( $user, 'deletedhistory' );
if ( !$canHide && !( $rev->getVisibility() && $canHideHistory ) ) {
return '';
}

3
includes/MergeHistory.php
View file

@ -178,7 +178,8 @@ class MergeHistory {
}
// Check mergehistory permission
if ( !$user->isAllowed( 'mergehistory' ) ) {
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
if ( !$permissionManager->userHasRight( $user, 'mergehistory' ) ) {
// User doesn't have the right to merge histories
$status->fatal( 'mergehistory-fail-permission' );
}

8
includes/MovePage.php
View file

@ -77,8 +77,9 @@ class MovePage {
}
$tp = $this->newTitle->getTitleProtection();
if ( $tp !== false && !$user->isAllowed( $tp['permission'] ) ) {
$status->fatal( 'cantmove-titleprotected' );
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
if ( $tp !== false && !$permissionManager->userHasRight( $user, $tp['permission'] ) ) {
$status->fatal( 'cantmove-titleprotected' );
}
Hooks::run( 'MovePageCheckPermissions',
@ -287,7 +288,8 @@ class MovePage {
}
// Check suppressredirect permission
if ( !$user->isAllowed( 'suppressredirect' ) ) {
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
if ( !$permissionManager->userHasRight( $user, 'suppressredirect' ) ) {
$createRedirect = true;
}

55
includes/Permissions/PermissionManager.php
View file

@ -501,10 +501,10 @@ class PermissionManager {
$title = Title::newFromLinkTarget( $page );
$whitelisted = false;
if ( User::isEveryoneAllowed( 'read' ) ) {
if ( $this->isEveryoneAllowed( 'read' ) ) {
# Shortcut for public wikis, allows skipping quite a bit of code
$whitelisted = true;
} elseif ( $user->isAllowed( 'read' ) ) {
} elseif ( $this->userHasRight( $user, 'read' ) ) {
# If the user is allowed to read pages, he is allowed to read all pages
$whitelisted = true;
} elseif ( $this->isSameSpecialPage( 'Userlogin', $title )
@ -729,33 +729,35 @@ class PermissionManager {
if ( $action == 'create' ) {
if (
( $this->nsInfo->isTalk( $title->getNamespace() ) &&
!$user->isAllowed( 'createtalk' ) ) ||
!$this->userHasRight( $user, 'createtalk' ) ) ||
( !$this->nsInfo->isTalk( $title->getNamespace() ) &&
!$user->isAllowed( 'createpage' ) )
!$this->userHasRight( $user, 'createpage' ) )
) {
$errors[] = $user->isAnon() ? [ 'nocreatetext' ] : [ 'nocreate-loggedin' ];
}
} elseif ( $action == 'move' ) {
if ( !$user->isAllowed( 'move-rootuserpages' )
if ( !$this->userHasRight( $user, 'move-rootuserpages' )
&& $title->getNamespace() == NS_USER && !$isSubPage ) {
// Show user page-specific message only if the user can move other pages
$errors[] = [ 'cant-move-user-page' ];
}
// Check if user is allowed to move files if it's a file
if ( $title->getNamespace() == NS_FILE && !$user->isAllowed( 'movefile' ) ) {
if ( $title->getNamespace() == NS_FILE &&
!$this->userHasRight( $user, 'movefile' ) ) {
$errors[] = [ 'movenotallowedfile' ];
}
// Check if user is allowed to move category pages if it's a category page
if ( $title->getNamespace() == NS_CATEGORY && !$user->isAllowed( 'move-categorypages' ) ) {
if ( $title->getNamespace() == NS_CATEGORY &&
!$this->userHasRight( $user, 'move-categorypages' ) ) {
$errors[] = [ 'cant-move-category-page' ];
}
if ( !$user->isAllowed( 'move' ) ) {
if ( !$this->userHasRight( $user, 'move' ) ) {
// User can't move anything
$userCanMove = User::groupHasPermission( 'user', 'move' );
$autoconfirmedCanMove = User::groupHasPermission( 'autoconfirmed', 'move' );
$userCanMove = $this->groupHasPermission( 'user', 'move' );
$autoconfirmedCanMove = $this->groupHasPermission( 'autoconfirmed', 'move' );
if ( $user->isAnon() && ( $userCanMove || $autoconfirmedCanMove ) ) {
// custom message if logged-in users without any special rights can move
$errors[] = [ 'movenologintext' ];
@ -764,19 +766,19 @@ class PermissionManager {
}
}
} elseif ( $action == 'move-target' ) {
if ( !$user->isAllowed( 'move' ) ) {
if ( !$this->userHasRight( $user, 'move' ) ) {
// User can't move anything
$errors[] = [ 'movenotallowed' ];
} elseif ( !$user->isAllowed( 'move-rootuserpages' )
} elseif ( !$this->userHasRight( $user, 'move-rootuserpages' )
&& $title->getNamespace() == NS_USER && !$isSubPage ) {
// Show user page-specific message only if the user can move other pages
$errors[] = [ 'cant-move-to-user-page' ];
} elseif ( !$user->isAllowed( 'move-categorypages' )
} elseif ( !$this->userHasRight( $user, 'move-categorypages' )
&& $title->getNamespace() == NS_CATEGORY ) {
// Show category page-specific message only if the user can move other pages
$errors[] = [ 'cant-move-to-category-page' ];
}
} elseif ( !$user->isAllowed( $action ) ) {
} elseif ( !$this->userHasRight( $user, $action ) ) {
$errors[] = $this->missingPermissionError( $action, $short );
}
@ -823,9 +825,10 @@ class PermissionManager {
if ( $right == '' ) {
continue;
}
if ( !$user->isAllowed( $right ) ) {
if ( !$this->userHasRight( $user, $right ) ) {
$errors[] = [ 'protectedpagetext', $right, $action ];
} elseif ( $title->areRestrictionsCascading() && !$user->isAllowed( 'protect' ) ) {
} elseif ( $title->areRestrictionsCascading() &&
!$this->userHasRight( $user, 'protect' ) ) {
$errors[] = [ 'protectedpagetext', 'protect', $action ];
}
}
@ -933,7 +936,7 @@ class PermissionManager {
$title_protection = $title->getTitleProtection();
if ( $title_protection ) {
if ( $title_protection['permission'] == ''
|| !$user->isAllowed( $title_protection['permission'] )
|| !$this->userHasRight( $user, $title_protection['permission'] )
) {
$errors[] = [
'titleprotected',
@ -1063,23 +1066,23 @@ class PermissionManager {
$error = null;
// Sitewide CSS/JSON/JS changes, like all NS_MEDIAWIKI changes, also require the
// editinterface right. That's implemented as a restriction so no check needed here.
if ( $title->isSiteCssConfigPage() && !$user->isAllowed( 'editsitecss' ) ) {
if ( $title->isSiteCssConfigPage() && !$this->userHasRight( $user, 'editsitecss' ) ) {
$error = [ 'sitecssprotected', $action ];
} elseif ( $title->isSiteJsonConfigPage() && !$user->isAllowed( 'editsitejson' ) ) {
} elseif ( $title->isSiteJsonConfigPage() && !$this->userHasRight( $user, 'editsitejson' ) ) {
$error = [ 'sitejsonprotected', $action ];
} elseif ( $title->isSiteJsConfigPage() && !$user->isAllowed( 'editsitejs' ) ) {
} elseif ( $title->isSiteJsConfigPage() && !$this->userHasRight( $user, 'editsitejs' ) ) {
$error = [ 'sitejsprotected', $action ];
} elseif ( $title->isRawHtmlMessage() ) {
// Raw HTML can be used to deploy CSS or JS so require rights for both.
if ( !$user->isAllowed( 'editsitejs' ) ) {
if ( !$this->userHasRight( $user, 'editsitejs' ) ) {
$error = [ 'sitejsprotected', $action ];
} elseif ( !$user->isAllowed( 'editsitecss' ) ) {
} elseif ( !$this->userHasRight( $user, 'editsitecss' ) ) {
$error = [ 'sitecssprotected', $action ];
}
}
if ( $error ) {
if ( $user->isAllowed( 'editinterface' ) ) {
if ( $this->userHasRight( $user, 'editinterface' ) ) {
// Most users / site admins will probably find out about the new, more restrictive
// permissions by failing to edit something. Give them more info.
// TODO remove this a few release cycles after 1.32
@ -1166,17 +1169,17 @@ class PermissionManager {
if ( !in_array( $action, [ 'delete', 'deleterevision', 'suppressrevision' ], true ) ) {
if (
$title->isUserCssConfigPage()
&& !$user->isAllowed( 'editusercss' )
&& !$this->userHasRight( $user, 'editusercss' )
) {
$errors[] = [ 'customcssprotected', $action ];
} elseif (
$title->isUserJsonConfigPage()
&& !$user->isAllowed( 'edituserjson' )
&& !$this->userHasRight( $user, 'edituserjson' )
) {
$errors[] = [ 'customjsonprotected', $action ];
} elseif (
$title->isUserJsConfigPage()
&& !$user->isAllowed( 'edituserjs' )
&& !$this->userHasRight( $user, 'edituserjs' )
) {
$errors[] = [ 'customjsprotected', $action ];
}

3
includes/ProtectionForm.php
View file

@ -553,7 +553,8 @@ class ProtectionForm {
}
$out .= Xml::closeElement( 'fieldset' );
if ( $user->isAllowed( 'editinterface' ) ) {
if ( MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $user, 'editinterface' ) ) {
$linkRenderer = MediaWikiServices::getInstance()->getLinkRenderer();
$link = $linkRenderer->makeKnownLink(
$context->msg( 'protect-dropdown' )->inContentLanguage()->getTitle(),

3
includes/ServiceWiring.php
View file

@ -97,7 +97,8 @@ return [
BlockManager::$constructorOptions, $services->getMainConfig()
),
$context->getUser(),
$context->getRequest()
$context->getRequest(),
$services->getPermissionManager()
);
},

3
includes/Title.php
View file

@ -2506,8 +2506,9 @@ class Title implements LinkTarget, IDBAccessObject {
global $wgNamespaceProtection;
if ( isset( $wgNamespaceProtection[$this->mNamespace] ) ) {
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
foreach ( (array)$wgNamespaceProtection[$this->mNamespace] as $right ) {
if ( $right != '' && !$user->isAllowed( $right ) ) {
if ( !$permissionManager->userHasRight( $user, $right ) ) {
return true;
}
}

3
includes/actions/HistoryAction.php
View file

@ -265,7 +265,8 @@ class HistoryAction extends FormlessAction {
'value' => $tagFilter,
]
];
if ( $this->getUser()->isAllowed( 'deletedhistory' ) ) {
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
if ( $permissionManager->userHasRight( $this->getUser(), 'deletedhistory' ) ) {
$fields[] = [
'type' => 'check',
'label' => $this->msg( 'history-show-deleted' )->text(),

4
includes/actions/InfoAction.php
View file

@ -345,7 +345,7 @@ class InfoAction extends FormlessAction {
$unwatchedPageThreshold = $config->get( 'UnwatchedPageThreshold' );
if (
$user->isAllowed( 'unwatchedpages' ) ||
$services->getPermissionManager()->userHasRight( $user, 'unwatchedpages' ) ||
( $unwatchedPageThreshold !== false &&
$pageCounts['watchers'] >= $unwatchedPageThreshold )
) {
@ -360,7 +360,7 @@ class InfoAction extends FormlessAction {
) {
$minToDisclose = $config->get( 'UnwatchedPageSecret' );
if ( $pageCounts['visitingWatchers'] > $minToDisclose ||
$user->isAllowed( 'unwatchedpages' ) ) {
$services->getPermissionManager()->userHasRight( $user, 'unwatchedpages' ) ) {
$pageInfo['header-basic'][] = [
$this->msg( 'pageinfo-visiting-watchers' ),
$lang->formatNum( $pageCounts['visitingWatchers'] )

3
includes/actions/RawAction.php
View file

@ -111,7 +111,8 @@ class RawAction extends FormlessAction {
$rootPage = strtok( $title->getText(), '/' );
$userFromTitle = User::newFromName( $rootPage, 'usable' );
if ( !$userFromTitle || $userFromTitle->getId() === 0 ) {
$elevated = $this->getUser()->isAllowed( 'editinterface' );
$elevated = MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $this->getUser(), 'editinterface' );
$elevatedText = $elevated ? 'by elevated ' : '';
$log = LoggerFactory::getInstance( "security" );
$log->warning(

9
includes/actions/WatchAction.php
View file

@ -20,6 +20,8 @@
* @ingroup Actions
*/
use MediaWiki\MediaWikiServices;
/**
* Page addition to a user's watchlist
*
@ -116,7 +118,8 @@ class WatchAction extends FormAction {
User $user,
$checkRights = User::CHECK_USER_RIGHTS
) {
if ( $checkRights && !$user->isAllowed( 'editmywatchlist' ) ) {
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
if ( $checkRights && !$permissionManager->userHasRight( $user, 'editmywatchlist' ) ) {
return User::newFatalPermissionDeniedStatus( 'editmywatchlist' );
}
@ -140,7 +143,9 @@ class WatchAction extends FormAction {
* @return Status
*/
public static function doUnwatch( Title $title, User $user ) {
if ( !$user->isAllowed( 'editmywatchlist' ) ) {
if ( !MediaWikiServices::getInstance()
->getPermissionManager()
->userHasRight( $user, 'editmywatchlist' ) ) {
return User::newFatalPermissionDeniedStatus( 'editmywatchlist' );
}

11
includes/actions/pagers/HistoryPager.php
View file

@ -172,6 +172,7 @@ class HistoryPager extends ReverseChronologicalPager {
* @return string HTML output
*/
protected function getStartBody() {
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
$this->lastRow = false;
$this->counter = 1;
$this->oldIdChecked = 0;
@ -197,7 +198,7 @@ class HistoryPager extends ReverseChronologicalPager {
$user = $this->getUser();
$actionButtons = '';
if ( $user->isAllowed( 'deleterevision' ) ) {
if ( $permissionManager->userHasRight( $user, 'deleterevision' ) ) {
$actionButtons .= $this->getRevisionButton(
'revisiondelete', 'showhideselectedversions' );
}
@ -210,7 +211,7 @@ class HistoryPager extends ReverseChronologicalPager {
'mw-history-revisionactions' ], $actionButtons );
}
if ( $user->isAllowed( 'deleterevision' ) || $this->showTagEditUI ) {
if ( $permissionManager->userHasRight( $user, 'deleterevision' ) || $this->showTagEditUI ) {
$this->buttons .= ( new ListToggle( $this->getOutput() ) )->getHTML();
}
@ -305,6 +306,7 @@ class HistoryPager extends ReverseChronologicalPager {
*/
function historyLine( $row, $next, $notificationtimestamp = false,
$dummy = false, $firstInList = false ) {
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
$rev = new Revision( $row, 0, $this->getTitle() );
if ( is_object( $next ) ) {
@ -332,7 +334,7 @@ class HistoryPager extends ReverseChronologicalPager {
$del = '';
$user = $this->getUser();
$canRevDelete = $user->isAllowed( 'deleterevision' );
$canRevDelete = $permissionManager->userHasRight( $user, 'deleterevision' );
// Show checkboxes for each revision, to allow for revision deletion and
// change tags
if ( $canRevDelete || $this->showTagEditUI ) {
@ -349,7 +351,8 @@ class HistoryPager extends ReverseChronologicalPager {
[ 'name' => 'ids[' . $rev->getId() . ']' ] );
}
// User can only view deleted revisions...
} elseif ( $rev->getVisibility() && $user->isAllowed( 'deletedhistory' ) ) {
} elseif ( $rev->getVisibility() &&
$permissionManager->userHasRight( $user, 'deletedhistory' ) ) {
// If revision was hidden from sysops, disable the link
if ( !$rev->userCan( RevisionRecord::DELETED_RESTRICTED, $user ) ) {
$del = Linker::revDeleteLinkDisabled( false );

3
includes/api/ApiBlock.php
View file

@ -98,7 +98,8 @@ class ApiBlock extends ApiBase {
}
}
if ( $params['hidename'] && !$user->isAllowed( 'hideuser' ) ) {
if ( $params['hidename'] &&
!$this->getPermissionManager()->userHasRight( $user, 'hideuser' ) ) {
$this->dieWithError( 'apierror-canthide' );
}
if ( $params['noemail'] && !SpecialBlock::canBlockEmail( $user ) ) {

5
includes/api/ApiImport.php
View file

@ -29,7 +29,6 @@ class ApiImport extends ApiBase {
public function execute() {
$this->useTransactionalTimeLimit();
$user = $this->getUser();
$params = $this->extractRequestParams();
@ -37,7 +36,7 @@ class ApiImport extends ApiBase {
$isUpload = false;
if ( isset( $params['interwikisource'] ) ) {
if ( !$user->isAllowed( 'import' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'import' ) ) {
$this->dieWithError( 'apierror-cantimport' );
}
if ( !isset( $params['interwikipage'] ) ) {
@ -52,7 +51,7 @@ class ApiImport extends ApiBase {
$usernamePrefix = $params['interwikisource'];
} else {
$isUpload = true;
if ( !$user->isAllowed( 'importupload' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'importupload' ) ) {
$this->dieWithError( 'apierror-cantimport-upload' );
}
$source = ImportStreamSource::newFromUpload( 'xml' );

11
includes/api/ApiMain.php
View file

@ -1410,8 +1410,8 @@ class ApiMain extends ApiBase {
*/
protected function checkExecutePermissions( $module ) {
$user = $this->getUser();
if ( $module->isReadMode() && !User::isEveryoneAllowed( 'read' ) &&
!$user->isAllowed( 'read' )
if ( $module->isReadMode() && !$this->getPermissionManager()->isEveryoneAllowed( 'read' ) &&
!$this->getPermissionManager()->userHasRight( $user, 'read' )
) {
$this->dieWithError( 'apierror-readapidenied' );
}
@ -1419,7 +1419,7 @@ class ApiMain extends ApiBase {
if ( $module->isWriteMode() ) {
if ( !$this->mEnableWrite ) {
$this->dieWithError( 'apierror-noapiwrite' );
} elseif ( !$user->isAllowed( 'writeapi' ) ) {
} elseif ( !$this->getPermissionManager()->userHasRight( $user, 'writeapi' ) ) {
$this->dieWithError( 'apierror-writeapidenied' );
} elseif ( $this->getRequest()->getHeader( 'Promise-Non-Write-API-Action' ) ) {
$this->dieWithError( 'apierror-promised-nonwrite-api' );
@ -1504,7 +1504,7 @@ class ApiMain extends ApiBase {
}
break;
case 'bot':
if ( !$user->isAllowed( 'bot' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'bot' ) ) {
$this->dieWithError( 'apierror-assertbotfailed' );
}
break;
@ -2052,7 +2052,8 @@ class ApiMain extends ApiBase {
*/
public function canApiHighLimits() {
if ( !isset( $this->mCanApiHighLimits ) ) {
$this->mCanApiHighLimits = $this->getUser()->isAllowed( 'apihighlimits' );
$this->mCanApiHighLimits = $this->getPermissionManager()
->userHasRight( $this->getUser(), 'apihighlimits' );
}
return $this->mCanApiHighLimits;

4
includes/api/ApiManageTags.php
View file

@ -31,10 +31,10 @@ class ApiManageTags extends ApiBase {
// make sure the user is allowed
if ( $params['operation'] !== 'delete'
&& !$this->getUser()->isAllowed( 'managechangetags' )
&& !$this->getPermissionManager()->userHasRight( $user, 'managechangetags' )
) {
$this->dieWithError( 'tags-manage-no-permission', 'permissiondenied' );
} elseif ( !$this->getUser()->isAllowed( 'deletechangetags' ) ) {
} elseif ( !$this->getPermissionManager()->userHasRight( $user, 'deletechangetags' ) ) {
$this->dieWithError( 'tags-delete-no-permission', 'permissiondenied' );
}

7
includes/api/ApiMove.php
View file

@ -63,9 +63,10 @@ class ApiMove extends ApiBase {
&& !RepoGroup::singleton()->getLocalRepo()->findFile( $toTitle )
&& MediaWikiServices::getInstance()->getRepoGroup()->findFile( $toTitle )
) {
if ( !$params['ignorewarnings'] && $user->isAllowed( 'reupload-shared' ) ) {
if ( !$params['ignorewarnings'] &&
$this->getPermissionManager()->userHasRight( $user, 'reupload-shared' ) ) {
$this->dieWithError( 'apierror-fileexists-sharedrepo-perm' );
} elseif ( !$user->isAllowed( 'reupload-shared' ) ) {
} elseif ( !$this->getPermissionManager()->userHasRight( $user, 'reupload-shared' ) ) {
$this->dieWithError( 'apierror-cantoverwrite-sharedfile' );
}
}
@ -185,7 +186,7 @@ class ApiMove extends ApiBase {
}
// Check suppressredirect permission
if ( !$user->isAllowed( 'suppressredirect' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'suppressredirect' ) ) {
$createRedirect = true;
}

3
includes/api/ApiPageSet.php
View file

@ -971,7 +971,8 @@ class ApiPageSet extends ApiBase {
// If the user can see deleted revisions, pull out the corresponding
// titles from the archive table and include them too. We ignore
// ar_page_id because deleted revisions are tied by title, not page_id.
if ( $goodRemaining && $this->getUser()->isAllowed( 'deletedhistory' ) ) {
if ( $goodRemaining &&
$this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) {
$tables = [ 'archive' ];
$fields = [ 'ar_rev_id', 'ar_namespace', 'ar_title' ];
$where = [ 'ar_rev_id' => array_keys( $goodRemaining ) ];

2
includes/api/ApiQueryAllDeletedRevisions.php
View file

@ -237,7 +237,7 @@ class ApiQueryAllDeletedRevisions extends ApiQueryRevisionsBase {
// Paranoia: avoid brute force searches (T19342)
// (shouldn't be able to get here without 'deletedhistory', but
// check it again just in case)
if ( !$user->isAllowed( 'deletedhistory' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) {
$bitmask = RevisionRecord::DELETED_USER;
} elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
$bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED;

2
includes/api/ApiQueryAllRevisions.php
View file

@ -154,7 +154,7 @@ class ApiQueryAllRevisions extends ApiQueryRevisionsBase {
if ( $params['user'] !== null || $params['excludeuser'] !== null ) {
// Paranoia: avoid brute force searches (T19342)
if ( !$this->getUser()->isAllowed( 'deletedhistory' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) {
$bitmask = RevisionRecord::DELETED_USER;
} elseif ( !$this->getUser()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
$bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED;

2
includes/api/ApiQueryBase.php
View file

@ -460,7 +460,7 @@ abstract class ApiQueryBase extends ApiBase {
$this->addJoinConds( $joinConds );
// Don't show hidden names
if ( !$this->getUser()->isAllowed( 'hideuser' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'hideuser' ) ) {
$this->addWhere( 'ipb_deleted = 0 OR ipb_deleted IS NULL' );
}
}

2
includes/api/ApiQueryBlocks.php
View file

@ -176,7 +176,7 @@ class ApiQueryBlocks extends ApiQueryBase {
$this->addWhereIf( 'ipb_range_end > ipb_range_start', isset( $show['range'] ) );
}
if ( !$this->getUser()->isAllowed( 'hideuser' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'hideuser' ) ) {
$this->addWhereFld( 'ipb_deleted', 0 );
}

2
includes/api/ApiQueryDeletedRevisions.php
View file

@ -132,7 +132,7 @@ class ApiQueryDeletedRevisions extends ApiQueryRevisionsBase {
// Paranoia: avoid brute force searches (T19342)
// (shouldn't be able to get here without 'deletedhistory', but
// check it again just in case)
if ( !$user->isAllowed( 'deletedhistory' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) {
$bitmask = RevisionRecord::DELETED_USER;
} elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
$bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED;

4
includes/api/ApiQueryDeletedrevs.php
View file

@ -67,7 +67,7 @@ class ApiQueryDeletedrevs extends ApiQueryBase {
}
// If user can't undelete, no tokens
if ( !$user->isAllowed( 'undelete' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'undelete' ) ) {
$fld_token = false;
}
@ -197,7 +197,7 @@ class ApiQueryDeletedrevs extends ApiQueryBase {
// Paranoia: avoid brute force searches (T19342)
// (shouldn't be able to get here without 'deletedhistory', but
// check it again just in case)
if ( !$user->isAllowed( 'deletedhistory' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) {
$bitmask = RevisionRecord::DELETED_USER;
} elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
$bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED;

2
includes/api/ApiQueryFilearchive.php
View file

@ -114,7 +114,7 @@ class ApiQueryFilearchive extends ApiQueryBase {
}
// Exclude files this user can't view.
if ( !$user->isAllowed( 'deletedtext' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedtext' ) ) {
$bitmask = File::DELETED_FILE;
} elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
$bitmask = File::DELETED_FILE | File::DELETED_RESTRICTED;

21
includes/api/ApiQueryInfo.php
View file

@ -135,7 +135,8 @@ class ApiQueryInfo extends ApiQueryBase {
// but that's too expensive for this purpose
// and would break caching
global $wgUser;
if ( !$wgUser->isAllowed( 'edit' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $wgUser, 'edit' ) ) {
return false;
}
@ -152,7 +153,8 @@ class ApiQueryInfo extends ApiQueryBase {
*/
public static function getDeleteToken( $pageid, $title ) {
global $wgUser;
if ( !$wgUser->isAllowed( 'delete' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $wgUser, 'delete' ) ) {
return false;
}
@ -169,7 +171,8 @@ class ApiQueryInfo extends ApiQueryBase {
*/
public static function getProtectToken( $pageid, $title ) {
global $wgUser;
if ( !$wgUser->isAllowed( 'protect' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $wgUser, 'protect' ) ) {
return false;
}
@ -186,7 +189,8 @@ class ApiQueryInfo extends ApiQueryBase {
*/
public static function getMoveToken( $pageid, $title ) {
global $wgUser;
if ( !$wgUser->isAllowed( 'move' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $wgUser, 'move' ) ) {
return false;
}
@ -203,7 +207,8 @@ class ApiQueryInfo extends ApiQueryBase {
*/
public static function getBlockToken( $pageid, $title ) {
global $wgUser;
if ( !$wgUser->isAllowed( 'block' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $wgUser, 'block' ) ) {
return false;
}
@ -808,7 +813,7 @@ class ApiQueryInfo extends ApiQueryBase {
$user = $this->getUser();
if ( $user->isAnon() || count( $this->everything ) == 0
|| !$user->isAllowed( 'viewmywatchlist' )
|| !$this->getPermissionManager()->userHasRight( $user, 'viewmywatchlist' )
) {
return;
}
@ -843,7 +848,7 @@ class ApiQueryInfo extends ApiQueryBase {
}
$user = $this->getUser();
$canUnwatchedpages = $user->isAllowed( 'unwatchedpages' );
$canUnwatchedpages = $this->getPermissionManager()->userHasRight( $user, 'unwatchedpages' );
$unwatchedPageThreshold = $this->getConfig()->get( 'UnwatchedPageThreshold' );
if ( !$canUnwatchedpages && !is_int( $unwatchedPageThreshold ) ) {
return;
@ -873,7 +878,7 @@ class ApiQueryInfo extends ApiQueryBase {
$user = $this->getUser();
$db = $this->getDB();
$canUnwatchedpages = $user->isAllowed( 'unwatchedpages' );
$canUnwatchedpages = $this->getPermissionManager()->userHasRight( $user, 'unwatchedpages' );
$unwatchedPageThreshold = $this->getConfig()->get( 'UnwatchedPageThreshold' );
if ( !$canUnwatchedpages && !is_int( $unwatchedPageThreshold ) ) {
return;

2
includes/api/ApiQueryLogEvents.php
View file

@ -220,7 +220,7 @@ class ApiQueryLogEvents extends ApiQueryBase {
// Paranoia: avoid brute force searches (T19342)
if ( $params['namespace'] !== null || !is_null( $title ) || !is_null( $user ) ) {
if ( !$this->getUser()->isAllowed( 'deletedhistory' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) {
$titleBits = LogPage::DELETED_ACTION;
$userBits = LogPage::DELETED_USER;
} elseif ( !$this->getUser()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {

4
includes/api/ApiQueryRecentChanges.php
View file

@ -361,7 +361,7 @@ class ApiQueryRecentChanges extends ApiQueryGeneratorBase {
// Paranoia: avoid brute force searches (T19342)
if ( !is_null( $params['user'] ) || !is_null( $params['excludeuser'] ) ) {
if ( !$user->isAllowed( 'deletedhistory' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) {
$bitmask = RevisionRecord::DELETED_USER;
} elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
$bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED;
@ -374,7 +374,7 @@ class ApiQueryRecentChanges extends ApiQueryGeneratorBase {
}
if ( $this->getRequest()->getCheck( 'namespace' ) ) {
// LogPage::DELETED_ACTION hides the affected page, too.
if ( !$user->isAllowed( 'deletedhistory' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) {
$bitmask = LogPage::DELETED_ACTION;
} elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
$bitmask = LogPage::DELETED_ACTION | LogPage::DELETED_RESTRICTED;

5
includes/api/ApiQueryRevisions.php
View file

@ -76,7 +76,8 @@ class ApiQueryRevisions extends ApiQueryRevisionsBase {
*/
public static function getRollbackToken( $pageid, $title, $rev ) {
global $wgUser;
if ( !$wgUser->isAllowed( 'rollback' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $wgUser, 'rollback' ) ) {
return false;
}
@ -332,7 +333,7 @@ class ApiQueryRevisions extends ApiQueryRevisionsBase {
}
if ( $params['user'] !== null || $params['excludeuser'] !== null ) {
// Paranoia: avoid brute force searches (T19342)
if ( !$this->getUser()->isAllowed( 'deletedhistory' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) {
$bitmask = RevisionRecord::DELETED_USER;
} elseif ( !$this->getUser()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
$bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED;

2
includes/api/ApiQueryUserContribs.php
View file

@ -408,7 +408,7 @@ class ApiQueryUserContribs extends ApiQueryBase {
// Don't include any revisions where we're not supposed to be able to
// see the username.
$user = $this->getUser();
if ( !$user->isAllowed( 'deletedhistory' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) {
$bitmask = RevisionRecord::DELETED_USER;
} elseif ( !$user->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
$bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED;

5
includes/api/ApiQueryUserInfo.php
View file

@ -180,7 +180,7 @@ class ApiQueryUserInfo extends ApiQueryBase {
if ( isset( $this->prop['preferencestoken'] ) &&
!$this->lacksSameOriginSecurity() &&
$user->isAllowed( 'editmyoptions' )
$this->getPermissionManager()->userHasRight( $user, 'editmyoptions' )
) {
$vals['preferencestoken'] = $user->getEditToken( '', $this->getMain()->getRequest() );
}
@ -201,7 +201,8 @@ class ApiQueryUserInfo extends ApiQueryBase {
$vals['realname'] = $user->getRealName();
}
if ( $user->isAllowed( 'viewmyprivateinfo' ) && isset( $this->prop['email'] ) ) {
if ( $this->getPermissionManager()->userHasRight( $user, 'viewmyprivateinfo' ) &&
isset( $this->prop['email'] ) ) {
$vals['email'] = $user->getEmail();
$auth = $user->getEmailAuthenticationTimestamp();
if ( $auth !== null ) {

2
includes/api/ApiUnblock.php
View file

@ -41,7 +41,7 @@ class ApiUnblock extends ApiBase {
$this->requireOnlyOneParameter( $params, 'id', 'user', 'userid' );
if ( !$user->isAllowed( 'block' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $user, 'block' ) ) {
$this->dieWithError( 'apierror-permissiondenied-unblock', 'permissiondenied' );
}
# T17810: blocked admins should have limited access here

2
includes/api/ApiUserrights.php
View file

@ -51,7 +51,7 @@ class ApiUserrights extends ApiBase {
// Deny if the user is blocked and doesn't have the full 'userrights' permission.
// This matches what Special:UserRights does for the web UI.
if ( !$pUser->isAllowed( 'userrights' ) ) {
if ( !$this->getPermissionManager()->userHasRight( $pUser, 'userrights' ) ) {
$block = $pUser->getBlock();
if ( $block && $block->isSitewide() ) {
$this->dieBlocked( $block );

7
includes/block/AbstractBlock.php
View file

@ -23,6 +23,7 @@ namespace MediaWiki\Block;
use IContextSource;
use InvalidArgumentException;
use IP;
use MediaWiki\MediaWikiServices;
use RequestContext;
use Title;
use User;
@ -279,8 +280,9 @@ abstract class AbstractBlock {
if ( !$res && $blockDisablesLogin ) {
// If a block would disable login, then it should
// prevent any right that all users cannot do
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
$anon = new User;
$res = $anon->isAllowed( $right ) ? $res : true;
$res = $permissionManager->userHasRight( $anon, $right ) ? $res : true;
}
return $res;
@ -339,8 +341,9 @@ abstract class AbstractBlock {
if ( !$res && $blockDisablesLogin ) {
// If a block would disable login, then it should
// prevent any action that all users cannot do
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
$anon = new User;
$res = $anon->isAllowed( $action ) ? $res : true;
$res = $permissionManager->userHasRight( $anon, $action ) ? $res : true;
}
return $res;

12
includes/block/BlockManager.php
View file

@ -24,6 +24,7 @@ use DateTime;
use DeferredUpdates;
use IP;
use MediaWiki\Config\ServiceOptions;
use MediaWiki\Permissions\PermissionManager;
use MediaWiki\User\UserIdentity;
use MWCryptHash;
use User;
@ -45,6 +46,9 @@ class BlockManager {
/** @var WebRequest */
private $currentRequest;
/** @var PermissionManager */
private $permissionManager;
/**
* TODO Make this a const when HHVM support is dropped (T192166)
*
@ -67,16 +71,19 @@ class BlockManager {
* @param ServiceOptions $options
* @param User $currentUser
* @param WebRequest $currentRequest
* @param PermissionManager $permissionManager
*/
public function __construct(
ServiceOptions $options,
User $currentUser,
WebRequest $currentRequest
WebRequest $currentRequest,
PermissionManager $permissionManager
) {
$options->assertRequiredOptions( self::$constructorOptions );
$this->options = $options;
$this->currentUser = $currentUser;
$this->currentRequest = $currentRequest;
$this->permissionManager = $permissionManager;
}
/**
@ -110,7 +117,8 @@ class BlockManager {
$globalUserName = $sessionUser->isSafeToLoad()
? $sessionUser->getName()
: IP::sanitizeIP( $this->currentRequest->getIP() );
if ( $user->getName() === $globalUserName && !$user->isAllowed( 'ipblock-exempt' ) ) {
if ( $user->getName() === $globalUserName &&
!$this->permissionManager->userHasRight( $user, 'ipblock-exempt' ) ) {
$ip = $this->currentRequest->getIP();
}

13
includes/changes/RecentChange.php
View file

@ -20,6 +20,7 @@
* @file
*/
use MediaWiki\ChangeTags\Taggable;
use MediaWiki\MediaWikiServices;
/**
* Utility class for creating new RC entries
@ -608,8 +609,9 @@ class RecentChange implements Taggable {
}
// Users without the 'autopatrol' right can't patrol their
// own revisions
if ( $user->getName() === $this->getAttribute( 'rc_user_text' )
&& !$user->isAllowed( 'autopatrol' )
if ( $user->getName() === $this->getAttribute( 'rc_user_text' ) &&
!MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $user, 'autopatrol' )
) {
$errors[] = [ 'markedaspatrollederror-noautopatrol' ];
}
@ -857,6 +859,7 @@ class RecentChange implements Taggable {
$type, $action, $target, $logComment, $params, $newId = 0, $actionCommentIRC = '',
$revId = 0, $isPatrollable = false ) {
global $wgRequest;
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
# # Get pageStatus for email notification
switch ( $type . '-' . $action ) {
@ -881,7 +884,8 @@ class RecentChange implements Taggable {
}
// Allow unpatrolled status for patrollable log entries
$markPatrolled = $isPatrollable ? $user->isAllowed( 'autopatrol' ) : true;
$canAutopatrol = $permissionManager->userHasRight( $user, 'autopatrol' );
$markPatrolled = $isPatrollable ? $canAutopatrol : true;
$rc = new RecentChange;
$rc->mTitle = $target;
@ -902,7 +906,8 @@ class RecentChange implements Taggable {
'rc_comment_data' => null,
'rc_this_oldid' => $revId,
'rc_last_oldid' => 0,
'rc_bot' => $user->isAllowed( 'bot' ) ? (int)$wgRequest->getBool( 'bot', true ) : 0,
'rc_bot' => $permissionManager->userHasRight( $user, 'bot' ) ?
(int)$wgRequest->getBool( 'bot', true ) : 0,
'rc_ip' => self::checkIPAddress( $ip ),
'rc_patrolled' => $markPatrolled ? self::PRC_AUTOPATROLLED : self::PRC_UNPATROLLED,
'rc_new' => 0, # obsolete

28
includes/changetags/ChangeTags.php
View file

@ -520,7 +520,9 @@ class ChangeTags {
*/
public static function canAddTagsAccompanyingChange( array $tags, User $user = null ) {
if ( !is_null( $user ) ) {
if ( !$user->isAllowed( 'applychangetags' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $user, 'applychangetags' )
) {
return Status::newFatal( 'tags-apply-no-permission' );
} elseif ( $user->getBlock() ) {
// @TODO Ensure that the block does not apply to the `applychangetags`
@ -595,7 +597,9 @@ class ChangeTags {
User $user = null
) {
if ( !is_null( $user ) ) {
if ( !$user->isAllowed( 'changetags' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $user, 'changetags' )
) {
return Status::newFatal( 'tags-update-no-permission' );
} elseif ( $user->getBlock() ) {
// @TODO Ensure that the block does not apply to the `changetags`
@ -1015,7 +1019,9 @@ class ChangeTags {
*/
public static function canActivateTag( $tag, User $user = null ) {
if ( !is_null( $user ) ) {
if ( !$user->isAllowed( 'managechangetags' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $user, 'managechangetags' )
) {
return Status::newFatal( 'tags-manage-no-permission' );
} elseif ( $user->getBlock() ) {
// @TODO Ensure that the block does not apply to the `managechangetags`
@ -1089,7 +1095,9 @@ class ChangeTags {
*/
public static function canDeactivateTag( $tag, User $user = null ) {
if ( !is_null( $user ) ) {
if ( !$user->isAllowed( 'managechangetags' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $user, 'managechangetags' )
) {
return Status::newFatal( 'tags-manage-no-permission' );
} elseif ( $user->getBlock() ) {
// @TODO Ensure that the block does not apply to the `managechangetags`
@ -1188,7 +1196,9 @@ class ChangeTags {
*/
public static function canCreateTag( $tag, User $user = null ) {
if ( !is_null( $user ) ) {
if ( !$user->isAllowed( 'managechangetags' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $user, 'managechangetags' )
) {
return Status::newFatal( 'tags-manage-no-permission' );
} elseif ( $user->getBlock() ) {
// @TODO Ensure that the block does not apply to the `managechangetags`
@ -1308,7 +1318,9 @@ class ChangeTags {
$tagUsage = self::tagUsageStatistics();
if ( !is_null( $user ) ) {
if ( !$user->isAllowed( 'deletechangetags' ) ) {
if ( !MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $user, 'deletechangetags' )
) {
return Status::newFatal( 'tags-delete-no-permission' );
} elseif ( $user->getBlock() ) {
// @TODO Ensure that the block does not apply to the `deletechangetags`
@ -1566,6 +1578,8 @@ class ChangeTags {
* @return bool
*/
public static function showTagEditingUI( User $user ) {
return $user->isAllowed( 'changetags' ) && (bool)self::listExplicitlyDefinedTags();
return MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $user, 'changetags' ) &&
(bool)self::listExplicitlyDefinedTags();
}
}

6
includes/diff/DifferenceEngine.php
View file

@ -401,7 +401,8 @@ class DifferenceEngine extends ContextSource {
* @return string|bool Link HTML or false
*/
public function deletedLink( $id ) {
if ( $this->getUser()->isAllowed( 'deletedhistory' ) ) {
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
if ( $permissionManager->userHasRight( $this->getUser(), 'deletedhistory' ) ) {
$dbr = wfGetDB( DB_REPLICA );
$arQuery = Revision::getArchiveQueryInfo();
$row = $dbr->selectRow(
@ -803,7 +804,8 @@ class DifferenceEngine extends ContextSource {
// Build the link
if ( $rcid ) {
$this->getOutput()->preventClickjacking();
if ( $user->isAllowed( 'writeapi' ) ) {
if ( MediaWikiServices::getInstance()->getPermissionManager()
->userHasRight( $user, 'writeapi' ) ) {
$this->getOutput()->addModules( 'mediawiki.page.patrol.ajax' );
}

61
tests/phpunit/includes/actions/WatchActionTest.php
View file

@ -166,34 +166,30 @@ class WatchActionTest extends MediaWikiTestCase {
/**
* @covers WatchAction::doWatch()
* @throws Exception
*/
public function testDoWatchNoCheckRights() {
$notPermittedUser = $this->getMock( User::class );
$notPermittedUser->method( 'isAllowed' )->willReturn( false );
$notPermittedUser = $this->getUser( null, null, [] );
$actual = WatchAction::doWatch( $this->testWikiPage->getTitle(), $notPermittedUser, false );
$this->assertTrue( $actual->isGood() );
}
/**
* @covers WatchAction::doWatch()
* @throws Exception
*/
public function testDoWatchUserNotPermittedStatusNotGood() {
$notPermittedUser = $this->getMock( User::class );
$notPermittedUser->method( 'isAllowed' )->willReturn( false );
$notPermittedUser = $this->getUser( null, null, [] );
$actual = WatchAction::doWatch( $this->testWikiPage->getTitle(), $notPermittedUser, true );
$this->assertFalse( $actual->isGood() );
}
/**
* @covers WatchAction::doWatch()
* @throws Exception
*/
public function testDoWatchCallsUserAddWatch() {
$permittedUser = $this->getMock( User::class );
$permittedUser->method( 'isAllowed' )->willReturn( true );
$permittedUser = $this->getUser( null, null, [ 'editmywatchlist' ] );
$permittedUser->expects( $this->once() )
->method( 'addWatch' )
->with( $this->equalTo( $this->testWikiPage->getTitle() ), $this->equalTo( true ) );
@ -205,11 +201,10 @@ class WatchActionTest extends MediaWikiTestCase {
/**
* @covers WatchAction::doUnWatch()
* @throws Exception
*/
public function testDoUnWatchWithoutRights() {
$notPermittedUser = $this->getMock( User::class );
$notPermittedUser->method( 'isAllowed' )->willReturn( false );
$notPermittedUser = $this->getUser( null, null, [] );
$actual = WatchAction::doUnWatch( $this->testWikiPage->getTitle(), $notPermittedUser );
$this->assertFalse( $actual->isGood() );
@ -219,8 +214,7 @@ class WatchActionTest extends MediaWikiTestCase {
* @covers WatchAction::doUnWatch()
*/
public function testDoUnWatchUserHookAborted() {
$permittedUser = $this->getMock( User::class );
$permittedUser->method( 'isAllowed' )->willReturn( true );
$permittedUser = $this->getUser( null, null, [ 'editmywatchlist' ] );
Hooks::register( 'UnwatchArticle', function () {
return false;
} );
@ -235,10 +229,10 @@ class WatchActionTest extends MediaWikiTestCase {
/**
* @covers WatchAction::doUnWatch()
* @throws Exception
*/
public function testDoUnWatchCallsUserRemoveWatch() {
$permittedUser = $this->getMock( User::class );
$permittedUser->method( 'isAllowed' )->willReturn( true );
$permittedUser = $this->getUser( null, null, [ 'editmywatchlist' ] );
$permittedUser->expects( $this->once() )
->method( 'removeWatch' )
->with( $this->equalTo( $this->testWikiPage->getTitle() ) );
@ -250,9 +244,10 @@ class WatchActionTest extends MediaWikiTestCase {
/**
* @covers WatchAction::getWatchToken()
* @throws Exception
*/
public function testGetWatchTokenNormalizesToWatch() {
$user = $this->getMock( User::class );
$user = $this->getUser( null, null );
$user->expects( $this->once() )
->method( 'getEditToken' )
->with( $this->equalTo( 'watch' ) );
@ -262,9 +257,10 @@ class WatchActionTest extends MediaWikiTestCase {
/**
* @covers WatchAction::getWatchToken()
* @throws Exception
*/
public function testGetWatchTokenProxiesUserGetEditToken() {
$user = $this->getMock( User::class );
$user = $this->getUser( null, null );
$user->expects( $this->once() )->method( 'getEditToken' );
WatchAction::getWatchToken( $this->watchAction->getTitle(), $user );
@ -272,9 +268,10 @@ class WatchActionTest extends MediaWikiTestCase {
/**
* @covers WatchAction::doWatchOrUnwatch()
* @throws Exception
*/
public function testDoWatchOrUnwatchUserNotLoggedIn() {
$user = $this->getLoggedInIsWatchedUser( false );
$user = $this->getUser( false );
$user->expects( $this->never() )->method( 'removeWatch' );
$user->expects( $this->never() )->method( 'addWatch' );
@ -285,9 +282,10 @@ class WatchActionTest extends MediaWikiTestCase {
/**
* @covers WatchAction::doWatchOrUnwatch()
* @throws Exception
*/
public function testDoWatchOrUnwatchSkipsIfAlreadyWatched() {
$user = $this->getLoggedInIsWatchedUser();
$user = $this->getUser();
$user->expects( $this->never() )->method( 'removeWatch' );
$user->expects( $this->never() )->method( 'addWatch' );
@ -298,9 +296,10 @@ class WatchActionTest extends MediaWikiTestCase {
/**
* @covers WatchAction::doWatchOrUnwatch()
* @throws Exception
*/
public function testDoWatchOrUnwatchSkipsIfAlreadyUnWatched() {
$user = $this->getLoggedInIsWatchedUser( true, false );
$user = $this->getUser( true, false );
$user->expects( $this->never() )->method( 'removeWatch' );
$user->expects( $this->never() )->method( 'addWatch' );
@ -311,9 +310,10 @@ class WatchActionTest extends MediaWikiTestCase {
/**
* @covers WatchAction::doWatchOrUnwatch()
* @throws Exception
*/
public function testDoWatchOrUnwatchWatchesIfWatch() {
$user = $this->getLoggedInIsWatchedUser( true, false );
$user = $this->getUser( true, false );
$user->expects( $this->never() )->method( 'removeWatch' );
$user->expects( $this->once() )
->method( 'addWatch' )
@ -326,10 +326,10 @@ class WatchActionTest extends MediaWikiTestCase {
/**
* @covers WatchAction::doWatchOrUnwatch()
* @throws Exception
*/
public function testDoWatchOrUnwatchUnwatchesIfUnwatch() {
$user = $this->getLoggedInIsWatchedUser();
$user->method( 'isAllowed' )->willReturn( true );
$user = $this->getUser( true, true, [ 'editmywatchlist' ] );
$user->expects( $this->never() )->method( 'addWatch' );
$user->expects( $this->once() )
->method( 'removeWatch' )
@ -343,13 +343,20 @@ class WatchActionTest extends MediaWikiTestCase {
/**
* @param bool $isLoggedIn Whether the user should be "marked" as logged in
* @param bool $isWatched The value any call to isWatched should return
* @param array $permissions The permissions of the user
* @return PHPUnit_Framework_MockObject_MockObject
* @throws Exception
*/
private function getLoggedInIsWatchedUser( $isLoggedIn = true, $isWatched = true ) {
private function getUser(
$isLoggedIn = true,
$isWatched = true,
$permissions = []
) {
$user = $this->getMock( User::class );
$user->method( 'getId' )->willReturn( 42 );
$user->method( 'isLoggedIn' )->willReturn( $isLoggedIn );
$user->method( 'isWatched' )->willReturn( $isWatched );
$this->overrideUserPermissions( $user, $permissions );
return $user;
}

3
tests/phpunit/includes/block/BlockManagerTest.php
View file

@ -55,7 +55,8 @@ class BlockManagerTest extends MediaWikiTestCase {
MediaWikiServices::getInstance()->getMainConfig()
),
$this->user,
$this->user->getRequest()
$this->user->getRequest(),
MediaWikiServices::getInstance()->getPermissionManager()
];
}