diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php index 84e64a1710b..58833ce3d50 100644 --- a/includes/api/ApiBase.php +++ b/includes/api/ApiBase.php @@ -27,8 +27,11 @@ use MediaWiki\Block\DatabaseBlock; use MediaWiki\HookContainer\HookContainer; use MediaWiki\Linker\LinkTarget; use MediaWiki\MediaWikiServices; +use MediaWiki\Page\PageIdentity; use MediaWiki\ParamValidator\TypeDef\NamespaceDef; +use MediaWiki\Permissions\GroupPermissionsLookup; use MediaWiki\Permissions\PermissionManager; +use MediaWiki\Permissions\PermissionStatus; use Wikimedia\ParamValidator\ParamValidator; use Wikimedia\ParamValidator\TypeDef\EnumDef; use Wikimedia\ParamValidator\TypeDef\IntegerDef; @@ -628,6 +631,17 @@ abstract class ApiBase extends ContextSource { return MediaWikiServices::getInstance()->getPermissionManager(); } + /** + * Obtain a GroupPermissionsLookup instance that subclasses may use to access group permissions. + * + * @since 1.36 + * @return GroupPermissionsLookup + * @internal + */ + protected function getGroupPermissionsLookup(): GroupPermissionsLookup { + return MediaWikiServices::getInstance()->getGroupPermissionsLookup(); + } + /** * Get a HookContainer, for running extension hooks or for hook metadata. * @@ -1465,18 +1479,18 @@ abstract class ApiBase extends ContextSource { * Helper function for permission-denied errors * @since 1.29 * @param string|string[] $rights - * @param User|null $user + * @param User|null $user deprecated since 1.36 * @throws ApiUsageException if the user doesn't have any of the rights. * The error message is based on $rights[0]. */ public function checkUserRightsAny( $rights, $user = null ) { - if ( !$user ) { - $user = $this->getUser(); + $authority = $this->getAuthority(); + if ( $user !== null ) { + wfDeprecatedMsg( __METHOD__ . ': $user parameter is deprecated', '1.36' ); + $authority = $user; } $rights = (array)$rights; - if ( !$this->getPermissionManager() - ->userHasAnyRight( $user, ...$rights ) - ) { + if ( !$authority->isAllowedAny( ...$rights ) ) { $this->dieWithError( [ 'apierror-permissiondenied', $this->msg( "action-{$rights[0]}" ) ] ); } } @@ -1484,7 +1498,7 @@ abstract class ApiBase extends ContextSource { /** * Helper function for permission-denied errors * - * @param LinkTarget $linkTarget + * @param PageIdentity|LinkTarget $pageIdentity deprecated passing LinkTarget since 1.36 * @param string|string[] $actions * @param array $options Additional options * - user: (User) User to use rather than $this->getUser() @@ -1493,28 +1507,31 @@ abstract class ApiBase extends ContextSource { * * @since 1.29 * @since 1.33 Changed the third parameter from $user to $options. + * @since 1.36 deprecated passing LinkTarget as first parameter */ public function checkTitleUserPermissions( - LinkTarget $linkTarget, + $pageIdentity, $actions, array $options = [] ) { - $user = $options['user'] ?? $this->getUser(); - - $errors = []; - foreach ( (array)$actions as $action ) { - $errors = array_merge( - $errors, - $this->getPermissionManager()->getPermissionErrors( $action, $user, $linkTarget ) - ); + if ( !$pageIdentity instanceof PageIdentity ) { + wfDeprecatedMsg( __METHOD__ . ': passing LinkTarget as $pageIdentity parameter is deprecated', + '1.36' ); + $pageIdentity = Title::castFromLinkTarget( $pageIdentity ); } - - if ( $errors ) { - if ( !empty( $options['autoblock'] ) ) { - $user->spreadAnyEditBlock(); + $status = new PermissionStatus(); + foreach ( (array)$actions as $action ) { + if ( $this->isWriteMode() ) { + $this->getAuthority()->authorizeWrite( $action, $pageIdentity, $status ); + } else { + $this->getAuthority()->authorizeRead( $action, $pageIdentity, $status ); } - - $this->dieStatus( $this->errorArrayToStatus( $errors, $user ) ); + } + if ( !$status->isGood() ) { + if ( !empty( $options['autoblock'] ) ) { + $this->getUser()->spreadAnyEditBlock(); + } + $this->dieStatus( $status ); } } diff --git a/includes/api/ApiComparePages.php b/includes/api/ApiComparePages.php index 9072dcd5148..ed7536b7eb7 100644 --- a/includes/api/ApiComparePages.php +++ b/includes/api/ApiComparePages.php @@ -241,9 +241,7 @@ class ApiComparePages extends ApiBase { */ private function getRevisionById( $id ) { $rev = $this->revisionStore->getRevisionById( $id ); - if ( !$rev && $this->getPermissionManager() - ->userHasAnyRight( $this->getUser(), 'deletedtext', 'undelete' ) - ) { + if ( !$rev && $this->getAuthority()->isAllowedAny( 'deletedtext', 'undelete' ) ) { // Try the 'archive' table $arQuery = $this->revisionStore->getArchiveQueryInfo(); $row = $this->getDB()->selectRow( diff --git a/includes/api/ApiFeedContributions.php b/includes/api/ApiFeedContributions.php index 0f8037f1d26..c9b0487f2ff 100644 --- a/includes/api/ApiFeedContributions.php +++ b/includes/api/ApiFeedContributions.php @@ -154,9 +154,8 @@ class ApiFeedContributions extends ApiBase { // Hook completed and did not return a valid feed item $title = Title::makeTitle( (int)$row->page_namespace, $row->page_title ); - $user = $this->getUser(); - if ( $title && $this->getPermissionManager()->userCan( 'read', $user, $title ) ) { + if ( $title && $this->getAuthority()->authorizeRead( 'read', $title ) ) { $date = $row->rev_timestamp; $comments = $title->getTalkPage()->getFullURL(); $revision = $this->revisionStore->newRevisionFromRow( $row, 0, $title ); diff --git a/includes/api/ApiImport.php b/includes/api/ApiImport.php index e6d318cdefd..b6d5a8aac44 100644 --- a/includes/api/ApiImport.php +++ b/includes/api/ApiImport.php @@ -36,7 +36,7 @@ class ApiImport extends ApiBase { $isUpload = false; if ( isset( $params['interwikisource'] ) ) { - if ( !$this->getPermissionManager()->userHasRight( $user, 'import' ) ) { + if ( !$this->getAuthority()->isAllowed( 'import' ) ) { $this->dieWithError( 'apierror-cantimport' ); } if ( !isset( $params['interwikipage'] ) ) { @@ -51,7 +51,7 @@ class ApiImport extends ApiBase { $usernamePrefix = $params['interwikisource']; } else { $isUpload = true; - if ( !$this->getPermissionManager()->userHasRight( $user, 'importupload' ) ) { + if ( !$this->getAuthority()->isAllowed( 'importupload' ) ) { $this->dieWithError( 'apierror-cantimport-upload' ); } $source = ImportStreamSource::newFromUpload( 'xml' ); diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php index b53088ef7dc..1d704b82750 100644 --- a/includes/api/ApiMain.php +++ b/includes/api/ApiMain.php @@ -139,7 +139,6 @@ class ApiMain extends ApiBase { 'services' => [ 'BlockPermissionCheckerFactory', 'UnblockUserFactory', - 'PermissionManager', 'UserCache', ] ], @@ -1420,7 +1419,7 @@ class ApiMain extends ApiBase { protected function checkExecutePermissions( $module ) { $user = $this->getUser(); if ( $module->isReadMode() && !$this->getPermissionManager()->isEveryoneAllowed( 'read' ) && - !$this->getPermissionManager()->userHasRight( $user, 'read' ) + !$this->getAuthority()->isAllowed( 'read' ) ) { $this->dieWithError( 'apierror-readapidenied' ); } @@ -1428,7 +1427,7 @@ class ApiMain extends ApiBase { if ( $module->isWriteMode() ) { if ( !$this->mEnableWrite ) { $this->dieWithError( 'apierror-noapiwrite' ); - } elseif ( !$this->getPermissionManager()->userHasRight( $user, 'writeapi' ) ) { + } elseif ( !$this->getAuthority()->isAllowed( 'writeapi' ) ) { $this->dieWithError( 'apierror-writeapidenied' ); } elseif ( $this->getRequest()->getHeader( 'Promise-Non-Write-API-Action' ) ) { $this->dieWithError( 'apierror-promised-nonwrite-api' ); @@ -1438,6 +1437,7 @@ class ApiMain extends ApiBase { } // Allow extensions to stop execution for arbitrary reasons. + // TODO: change hook to accept Authority $message = 'hookaborted'; if ( !$this->getHookRunner()->onApiCheckCanExecute( $module, $user, $message ) ) { $this->dieWithError( $message ); @@ -1518,7 +1518,7 @@ class ApiMain extends ApiBase { } break; case 'bot': - if ( !$this->getPermissionManager()->userHasRight( $user, 'bot' ) ) { + if ( !$this->getAuthority()->isAllowed( 'bot' ) ) { $this->dieWithError( 'apierror-assertbotfailed' ); } break; @@ -1973,7 +1973,7 @@ class ApiMain extends ApiBase { $groups = array_map( static function ( $group ) { return $group == '*' ? 'all' : $group; - }, $this->getPermissionManager()->getGroupsWithPermission( $right ) ); + }, $this->getGroupPermissionsLookup()->getGroupsWithPermission( $right ) ); $help['permissions'] .= Html::rawElement( 'dd', null, $this->msg( 'api-help-permissions-granted-to' ) @@ -2104,8 +2104,7 @@ class ApiMain extends ApiBase { */ public function canApiHighLimits() { if ( !isset( $this->mCanApiHighLimits ) ) { - $this->mCanApiHighLimits = $this->getPermissionManager() - ->userHasRight( $this->getUser(), 'apihighlimits' ); + $this->mCanApiHighLimits = $this->getAuthority()->isAllowed( 'apihighlimits' ); } return $this->mCanApiHighLimits; diff --git a/includes/api/ApiManageTags.php b/includes/api/ApiManageTags.php index 9347d787b8e..88685d79360 100644 --- a/includes/api/ApiManageTags.php +++ b/includes/api/ApiManageTags.php @@ -31,15 +31,16 @@ class ApiManageTags extends ApiBase { // make sure the user is allowed if ( $params['operation'] !== 'delete' - && !$this->getPermissionManager()->userHasRight( $user, 'managechangetags' ) + && !$this->getAuthority()->isAllowed( 'managechangetags' ) ) { $this->dieWithError( 'tags-manage-no-permission', 'permissiondenied' ); - } elseif ( !$this->getPermissionManager()->userHasRight( $user, 'deletechangetags' ) ) { + } elseif ( !$this->getAuthority()->isAllowed( 'deletechangetags' ) ) { $this->dieWithError( 'tags-delete-no-permission', 'permissiondenied' ); } // Check if user can add the log entry tags which were requested if ( $params['tags'] ) { + // TODO: change to accept Authority $ableToTag = ChangeTags::canAddTagsAccompanyingChange( $params['tags'], $user ); if ( !$ableToTag->isOK() ) { $this->dieStatus( $ableToTag ); diff --git a/includes/api/ApiMove.php b/includes/api/ApiMove.php index 873d7c6aaca..e589e6bad05 100644 --- a/includes/api/ApiMove.php +++ b/includes/api/ApiMove.php @@ -84,9 +84,9 @@ class ApiMove extends ApiBase { && $repoGroup->findFile( $toTitle ) ) { if ( !$params['ignorewarnings'] && - $this->getPermissionManager()->userHasRight( $user, 'reupload-shared' ) ) { + $this->getAuthority()->isAllowed( 'reupload-shared' ) ) { $this->dieWithError( 'apierror-fileexists-sharedrepo-perm' ); - } elseif ( !$this->getPermissionManager()->userHasRight( $user, 'reupload-shared' ) ) { + } elseif ( !$this->getAuthority()->isAllowed( 'reupload-shared' ) ) { $this->dieWithError( 'apierror-cantoverwrite-sharedfile' ); } } @@ -201,13 +201,14 @@ class ApiMove extends ApiBase { } $user = $this->getUser(); + // TODO: change to accept Authority $permStatus = $mp->checkPermissions( $user, $reason ); if ( !$permStatus->isOK() ) { return $permStatus; } // Check suppressredirect permission - if ( !$this->getPermissionManager()->userHasRight( $user, 'suppressredirect' ) ) { + if ( !$this->getAuthority()->isAllowed( 'suppressredirect' ) ) { $createRedirect = true; } diff --git a/includes/api/ApiPageSet.php b/includes/api/ApiPageSet.php index 8579047f63b..e8b0e13dc89 100644 --- a/includes/api/ApiPageSet.php +++ b/includes/api/ApiPageSet.php @@ -971,7 +971,7 @@ class ApiPageSet extends ApiBase { // titles from the archive table and include them too. We ignore // ar_page_id because deleted revisions are tied by title, not page_id. if ( $goodRemaining && - $this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) { + $this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $tables = [ 'archive' ]; $fields = [ 'ar_rev_id', 'ar_namespace', 'ar_title' ]; $where = [ 'ar_rev_id' => array_keys( $goodRemaining ) ]; diff --git a/includes/api/ApiParse.php b/includes/api/ApiParse.php index 078096d64bc..2a5871faddc 100644 --- a/includes/api/ApiParse.php +++ b/includes/api/ApiParse.php @@ -156,8 +156,7 @@ class ApiParse extends ApiBase { $this->dieWithError( [ 'apierror-nosuchrevid', $oldid ] ); } - $revLinkTarget = $rev->getPageAsLinkTarget(); - $this->checkTitleUserPermissions( $revLinkTarget, 'read' ); + $this->checkTitleUserPermissions( $rev->getPage(), 'read' ); if ( !$rev->audienceCan( RevisionRecord::DELETED_TEXT, @@ -169,6 +168,7 @@ class ApiParse extends ApiBase { ); } + $revLinkTarget = $rev->getPageAsLinkTarget(); $titleObj = Title::newFromLinkTarget( $revLinkTarget ); $wgTitle = $titleObj; $pageObj = WikiPage::factory( $titleObj ); diff --git a/includes/api/ApiQuery.php b/includes/api/ApiQuery.php index 8f9941c46ec..888e97d7229 100644 --- a/includes/api/ApiQuery.php +++ b/includes/api/ApiQuery.php @@ -459,7 +459,7 @@ class ApiQuery extends ApiBase { if ( count( $titles ) ) { /** @var Title $title */ foreach ( $titles as $title ) { - if ( $this->getPermissionManager()->userCan( 'read', $this->getUser(), $title ) ) { + if ( $this->getAuthority()->authorizeRead( 'read', $title ) ) { $exportTitles[] = $title; } } diff --git a/includes/api/ApiQueryAllDeletedRevisions.php b/includes/api/ApiQueryAllDeletedRevisions.php index 4cb6cd194e3..302671b3b41 100644 --- a/includes/api/ApiQueryAllDeletedRevisions.php +++ b/includes/api/ApiQueryAllDeletedRevisions.php @@ -147,12 +147,12 @@ class ApiQueryAllDeletedRevisions extends ApiQueryRevisionsBase { // This means stricter restrictions if ( ( $this->fld_comment || $this->fld_parsedcomment ) && - !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) + !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $this->dieWithError( 'apierror-cantview-deleted-comment', 'permissiondenied' ); } if ( $this->fetchContent && - !$this->getPermissionManager()->userHasAnyRight( $user, 'deletedtext', 'undelete' ) + !$this->getAuthority()->isAllowedAny( 'deletedtext', 'undelete' ) ) { $this->dieWithError( 'apierror-cantview-deleted-revision-content', 'permissiondenied' ); } @@ -244,11 +244,9 @@ class ApiQueryAllDeletedRevisions extends ApiQueryRevisionsBase { if ( $params['user'] !== null || $params['excludeuser'] !== null ) { // Paranoia: avoid brute force searches (T19342) - if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { + if ( !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; - } elseif ( !$this->getPermissionManager() - ->userHasAnyRight( $user, 'suppressrevision', 'viewsuppressed' ) - ) { + } elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; } else { $bitmask = 0; diff --git a/includes/api/ApiQueryAllImages.php b/includes/api/ApiQueryAllImages.php index 622b2495789..cc955850105 100644 --- a/includes/api/ApiQueryAllImages.php +++ b/includes/api/ApiQueryAllImages.php @@ -215,7 +215,7 @@ class ApiQueryAllImages extends ApiQueryGeneratorBase { $this->addJoinConds( [ 'user_groups' => [ 'LEFT JOIN', [ - 'ug_group' => $this->getPermissionManager()->getGroupsWithPermission( 'bot' ), + 'ug_group' => $this->getGroupPermissionsLookup()->getGroupsWithPermission( 'bot' ), 'ug_user = ' . $actorQuery['fields']['img_user'], 'ug_expiry IS NULL OR ug_expiry >= ' . $db->addQuotes( $db->timestamp() ) ] diff --git a/includes/api/ApiQueryAllRevisions.php b/includes/api/ApiQueryAllRevisions.php index b0d51c6f1a2..0034d80b215 100644 --- a/includes/api/ApiQueryAllRevisions.php +++ b/includes/api/ApiQueryAllRevisions.php @@ -155,10 +155,9 @@ class ApiQueryAllRevisions extends ApiQueryRevisionsBase { if ( $params['user'] !== null || $params['excludeuser'] !== null ) { // Paranoia: avoid brute force searches (T19342) - if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) { + if ( !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; - } elseif ( !$this->getPermissionManager() - ->userHasAnyRight( $this->getUser(), 'suppressrevision', 'viewsuppressed' ) + } elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; } else { diff --git a/includes/api/ApiQueryAllUsers.php b/includes/api/ApiQueryAllUsers.php index 53a44316818..71e90948100 100644 --- a/includes/api/ApiQueryAllUsers.php +++ b/includes/api/ApiQueryAllUsers.php @@ -91,7 +91,7 @@ class ApiQueryAllUsers extends ApiQueryBase { if ( $params['rights'] !== null && count( $params['rights'] ) ) { $groups = []; foreach ( $params['rights'] as $r ) { - $groups = array_merge( $groups, $this->getPermissionManager() + $groups = array_merge( $groups, $this->getGroupPermissionsLookup() ->getGroupsWithPermission( $r ) ); } @@ -304,7 +304,7 @@ class ApiQueryAllUsers extends ApiQueryBase { } if ( $fld_rights ) { - $data['rights'] = $this->getPermissionManager()->getGroupPermissions( $groups ); + $data['rights'] = $this->getGroupPermissionsLookup()->getGroupPermissions( $groups ); ApiResult::setIndexedTagName( $data['rights'], 'r' ); ApiResult::setArrayType( $data['rights'], 'array' ); } diff --git a/includes/api/ApiQueryBase.php b/includes/api/ApiQueryBase.php index 1560301615a..0604df8c163 100644 --- a/includes/api/ApiQueryBase.php +++ b/includes/api/ApiQueryBase.php @@ -605,8 +605,7 @@ abstract class ApiQueryBase extends ApiBase { * @return bool */ public function userCanSeeRevDel() { - return $this->getPermissionManager()->userHasAnyRight( - $this->getUser(), + return $this->getAuthority()->isAllowedAny( 'deletedhistory', 'deletedtext', 'suppressrevision', diff --git a/includes/api/ApiQueryBlockInfoTrait.php b/includes/api/ApiQueryBlockInfoTrait.php index 30d55f162b6..70a007127a3 100644 --- a/includes/api/ApiQueryBlockInfoTrait.php +++ b/includes/api/ApiQueryBlockInfoTrait.php @@ -19,7 +19,7 @@ */ use MediaWiki\Block\DatabaseBlock; -use MediaWiki\Permissions\PermissionManager; +use MediaWiki\Permissions\Authority; use Wikimedia\Rdbms\IDatabase; /** @@ -59,7 +59,7 @@ trait ApiQueryBlockInfoTrait { ] ); // Don't show hidden names - if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'hideuser' ) ) { + if ( !$this->getAuthority()->isAllowed( 'hideuser' ) ) { $this->addWhere( 'ipb_deleted = 0 OR ipb_deleted IS NULL' ); } } @@ -75,16 +75,10 @@ trait ApiQueryBlockInfoTrait { abstract protected function getDB(); /** - * @see ApiBase::getPermissionManager - * @return PermissionManager + * @see IContextSource::getAuthority + * @return Authority */ - abstract protected function getPermissionManager(): PermissionManager; - - /** - * @see IContextSource::getUser - * @return User - */ - abstract public function getUser(); + abstract public function getAuthority(); /** * @see ApiQueryBase::addTables diff --git a/includes/api/ApiQueryBlocks.php b/includes/api/ApiQueryBlocks.php index c6072e0ed89..f858387c776 100644 --- a/includes/api/ApiQueryBlocks.php +++ b/includes/api/ApiQueryBlocks.php @@ -178,7 +178,7 @@ class ApiQueryBlocks extends ApiQueryBase { $this->addWhereIf( 'ipb_range_end > ipb_range_start', isset( $show['range'] ) ); } - if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'hideuser' ) ) { + if ( !$this->getAuthority()->isAllowed( 'hideuser' ) ) { $this->addWhereFld( 'ipb_deleted', 0 ); } diff --git a/includes/api/ApiQueryContributors.php b/includes/api/ApiQueryContributors.php index e1ce170a2c4..00bcd8513a6 100644 --- a/includes/api/ApiQueryContributors.php +++ b/includes/api/ApiQueryContributors.php @@ -146,7 +146,7 @@ class ApiQueryContributors extends ApiQueryBase { } elseif ( $params['rights'] ) { $excludeGroups = false; foreach ( $params['rights'] as $r ) { - $limitGroups = array_merge( $limitGroups, $this->getPermissionManager() + $limitGroups = array_merge( $limitGroups, $this->getGroupPermissionsLookup() ->getGroupsWithPermission( $r ) ); } @@ -163,7 +163,7 @@ class ApiQueryContributors extends ApiQueryBase { } elseif ( $params['excluderights'] ) { $excludeGroups = true; foreach ( $params['excluderights'] as $r ) { - $limitGroups = array_merge( $limitGroups, $this->getPermissionManager() + $limitGroups = array_merge( $limitGroups, $this->getGroupPermissionsLookup() ->getGroupsWithPermission( $r ) ); } } diff --git a/includes/api/ApiQueryDeletedRevisions.php b/includes/api/ApiQueryDeletedRevisions.php index 4694dd35ab4..3949cfd990f 100644 --- a/includes/api/ApiQueryDeletedRevisions.php +++ b/includes/api/ApiQueryDeletedRevisions.php @@ -99,13 +99,11 @@ class ApiQueryDeletedRevisions extends ApiQueryRevisionsBase { // This means stricter restrictions if ( ( $this->fld_comment || $this->fld_parsedcomment ) && - !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) + !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $this->dieWithError( 'apierror-cantview-deleted-comment', 'permissiondenied' ); } - if ( $this->fetchContent && - !$this->getPermissionManager()->userHasAnyRight( $user, 'deletedtext', 'undelete' ) - ) { + if ( $this->fetchContent && !$this->getAuthority()->isAllowedAny( 'deletedtext', 'undelete' ) ) { $this->dieWithError( 'apierror-cantview-deleted-revision-content', 'permissiondenied' ); } @@ -141,11 +139,9 @@ class ApiQueryDeletedRevisions extends ApiQueryRevisionsBase { if ( $params['user'] !== null || $params['excludeuser'] !== null ) { // Paranoia: avoid brute force searches (T19342) - if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { + if ( !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; - } elseif ( !$this->getPermissionManager() - ->userHasAnyRight( $this->getUser(), 'suppressrevision', 'viewsuppressed' ) - ) { + } elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; } else { $bitmask = 0; diff --git a/includes/api/ApiQueryDeletedrevs.php b/includes/api/ApiQueryDeletedrevs.php index b6a279a674c..1fe9e14ec65 100644 --- a/includes/api/ApiQueryDeletedrevs.php +++ b/includes/api/ApiQueryDeletedrevs.php @@ -71,7 +71,7 @@ class ApiQueryDeletedrevs extends ApiQueryBase { } // If user can't undelete, no tokens - if ( !$this->getPermissionManager()->userHasRight( $user, 'undelete' ) ) { + if ( !$this->getAuthority()->isAllowed( 'undelete' ) ) { $fld_token = false; } @@ -210,11 +210,9 @@ class ApiQueryDeletedrevs extends ApiQueryBase { // Paranoia: avoid brute force searches (T19342) // (shouldn't be able to get here without 'deletedhistory', but // check it again just in case) - if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { + if ( !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; - } elseif ( !$this->getPermissionManager() - ->userHasAnyRight( $user, 'suppressrevision', 'viewsuppressed' ) - ) { + } elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; } else { $bitmask = 0; diff --git a/includes/api/ApiQueryFilearchive.php b/includes/api/ApiQueryFilearchive.php index 5742c0860be..2e3f6cc26bc 100644 --- a/includes/api/ApiQueryFilearchive.php +++ b/includes/api/ApiQueryFilearchive.php @@ -57,14 +57,10 @@ class ApiQueryFilearchive extends ApiQueryBase { $fld_bitdepth = isset( $prop['bitdepth'] ); $fld_archivename = isset( $prop['archivename'] ); - if ( $fld_description && - !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) - ) { + if ( $fld_description && !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $this->dieWithError( 'apierror-cantview-deleted-description', 'permissiondenied' ); } - if ( $fld_metadata && - !$this->getPermissionManager()->userHasAnyRight( $user, 'deletedtext', 'undelete' ) - ) { + if ( $fld_metadata && !$this->getAuthority()->isAllowedAny( 'deletedtext', 'undelete' ) ) { $this->dieWithError( 'apierror-cantview-deleted-metadata', 'permissiondenied' ); } @@ -119,11 +115,9 @@ class ApiQueryFilearchive extends ApiQueryBase { if ( $sha1 ) { $this->addWhereFld( 'fa_sha1', $sha1 ); // Paranoia: avoid brute force searches (T19342) - if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedtext' ) ) { + if ( !$this->getAuthority()->isAllowed( 'deletedtext' ) ) { $bitmask = File::DELETED_FILE; - } elseif ( !$this->getPermissionManager() - ->userHasAnyRight( $user, 'suppressrevision', 'viewsuppressed' ) - ) { + } elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = File::DELETED_FILE | File::DELETED_RESTRICTED; } else { $bitmask = 0; diff --git a/includes/api/ApiQueryInfo.php b/includes/api/ApiQueryInfo.php index a4f7160c506..fbf41a40071 100644 --- a/includes/api/ApiQueryInfo.php +++ b/includes/api/ApiQueryInfo.php @@ -21,9 +21,8 @@ */ use MediaWiki\Cache\LinkBatchFactory; use MediaWiki\Linker\LinkTarget; -use MediaWiki\MediaWikiServices; use MediaWiki\ParamValidator\TypeDef\TitleDef; -use MediaWiki\Permissions\PermissionManager; +use MediaWiki\Permissions\PermissionStatus; /** * A query module to show basic page information. @@ -190,10 +189,7 @@ class ApiQueryInfo extends ApiQueryBase { * @return string|false */ private static function getUserToken( User $user, string $right ) { - if ( !MediaWikiServices::getInstance() - ->getPermissionManager() - ->userHasRight( $user, $right ) - ) { + if ( !$user->isAllowed( $right ) ) { return false; } @@ -284,9 +280,7 @@ class ApiQueryInfo extends ApiQueryBase { * @param User $user */ public static function getImportToken( User $user ) { - if ( !MediaWikiServices::getInstance() - ->getPermissionManager() - ->userHasAnyRight( $user, 'import', 'importupload' ) ) { + if ( !$user->isAllowedAny( 'import', 'importupload' ) ) { return false; } @@ -457,8 +451,6 @@ class ApiQueryInfo extends ApiQueryBase { $pageInfo['pagelanguagehtmlcode'] = $pageLanguage->getHtmlCode(); $pageInfo['pagelanguagedir'] = $pageLanguage->getDir(); - $user = $this->getUser(); - if ( $titleExists ) { $pageInfo['touched'] = wfTimestamp( TS_ISO_8601, $this->pageTouched[$pageid] ); $pageInfo['lastrevid'] = (int)$this->pageLatest[$pageid]; @@ -551,9 +543,7 @@ class ApiQueryInfo extends ApiQueryBase { $pageInfo['canonicalurl'] = wfExpandUrl( $title->getFullURL(), PROTO_CANONICAL ); } if ( $this->fld_readable ) { - $pageInfo['readable'] = $this->getPermissionManager()->userCan( - 'read', $user, $title - ); + $pageInfo['readable'] = $this->getAuthority()->definitelyCan( 'read', $title ); } if ( $this->fld_preload ) { @@ -590,32 +580,27 @@ class ApiQueryInfo extends ApiQueryBase { } $detailLevel = $this->params['testactionsdetail']; - $rigor = $detailLevel === 'quick' - ? PermissionManager::RIGOR_QUICK - // Not using RIGOR_SECURE here, because that results in master connection - : PermissionManager::RIGOR_FULL; $errorFormatter = $this->getErrorFormatter(); if ( $errorFormatter->getFormat() === 'bc' ) { // Eew, no. Use a more modern format here. $errorFormatter = $errorFormatter->newWithFormat( 'plaintext' ); } - $user = $this->getUser(); $pageInfo['actions'] = []; foreach ( $this->params['testactions'] as $action ) { $this->countTestedActions++; if ( $detailLevel === 'boolean' ) { - $pageInfo['actions'][$action] = $this->getPermissionManager()->userCan( - $action, $user, $title - ); + $pageInfo['actions'][$action] = $this->getAuthority()->authorizeRead( $action, $title ); } else { - $pageInfo['actions'][$action] = $errorFormatter->arrayFromStatus( $this->errorArrayToStatus( - $this->getPermissionManager()->getPermissionErrors( - $action, $user, $title, $rigor - ), - $user - ) ); + $status = new PermissionStatus(); + if ( $detailLevel === 'quick' ) { + $this->getAuthority()->probablyCan( $action, $title, $status ); + } else { + $this->getAuthority()->definitelyCan( $action, $title, $status ); + } + $this->addBlockInfoToStatus( $status ); + $pageInfo['actions'][$action] = $errorFormatter->arrayFromStatus( $status ); } } } @@ -916,7 +901,7 @@ class ApiQueryInfo extends ApiQueryBase { $user = $this->getUser(); if ( $user->isAnon() || count( $this->everything ) == 0 - || !$this->getPermissionManager()->userHasRight( $user, 'viewmywatchlist' ) + || !$this->getAuthority()->isAllowed( 'viewmywatchlist' ) ) { return; } @@ -955,8 +940,7 @@ class ApiQueryInfo extends ApiQueryBase { return; } - $user = $this->getUser(); - $canUnwatchedpages = $this->getPermissionManager()->userHasRight( $user, 'unwatchedpages' ); + $canUnwatchedpages = $this->getAuthority()->isAllowed( 'unwatchedpages' ); $unwatchedPageThreshold = $this->getConfig()->get( 'UnwatchedPageThreshold' ); if ( !$canUnwatchedpages && !is_int( $unwatchedPageThreshold ) ) { return; @@ -983,11 +967,10 @@ class ApiQueryInfo extends ApiQueryBase { */ private function getVisitingWatcherInfo() { $config = $this->getConfig(); - $user = $this->getUser(); $db = $this->getDB(); - $canUnwatchedpages = $this->getPermissionManager()->userHasRight( $user, 'unwatchedpages' ); - $unwatchedPageThreshold = $this->getConfig()->get( 'UnwatchedPageThreshold' ); + $canUnwatchedpages = $this->getAuthority()->isAllowed( 'unwatchedpages' ); + $unwatchedPageThreshold = $config->get( 'UnwatchedPageThreshold' ); if ( !$canUnwatchedpages && !is_int( $unwatchedPageThreshold ) ) { return; } diff --git a/includes/api/ApiQueryLogEvents.php b/includes/api/ApiQueryLogEvents.php index 65c7341a34c..228d008e822 100644 --- a/includes/api/ApiQueryLogEvents.php +++ b/includes/api/ApiQueryLogEvents.php @@ -223,12 +223,10 @@ class ApiQueryLogEvents extends ApiQueryBase { // Paranoia: avoid brute force searches (T19342) if ( $params['namespace'] !== null || $title !== null || $user !== null ) { - if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) { + if ( !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $titleBits = LogPage::DELETED_ACTION; $userBits = LogPage::DELETED_USER; - } elseif ( !$this->getPermissionManager() - ->userHasAnyRight( $this->getUser(), 'suppressrevision', 'viewsuppressed' ) - ) { + } elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $titleBits = LogPage::DELETED_ACTION | LogPage::DELETED_RESTRICTED; $userBits = LogPage::DELETED_USER | LogPage::DELETED_RESTRICTED; } else { diff --git a/includes/api/ApiQueryRecentChanges.php b/includes/api/ApiQueryRecentChanges.php index b5c5db5a977..44b870e97ec 100644 --- a/includes/api/ApiQueryRecentChanges.php +++ b/includes/api/ApiQueryRecentChanges.php @@ -363,11 +363,9 @@ class ApiQueryRecentChanges extends ApiQueryGeneratorBase { // Paranoia: avoid brute force searches (T19342) if ( $params['user'] !== null || $params['excludeuser'] !== null ) { - if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { + if ( !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; - } elseif ( !$this->getPermissionManager() - ->userHasAnyRight( $user, 'suppressrevision', 'viewsuppressed' ) - ) { + } elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; } else { $bitmask = 0; @@ -378,11 +376,9 @@ class ApiQueryRecentChanges extends ApiQueryGeneratorBase { } if ( $this->getRequest()->getCheck( 'namespace' ) ) { // LogPage::DELETED_ACTION hides the affected page, too. - if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { + if ( !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $bitmask = LogPage::DELETED_ACTION; - } elseif ( !$this->getPermissionManager() - ->userHasAnyRight( $user, 'suppressrevision', 'viewsuppressed' ) - ) { + } elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = LogPage::DELETED_ACTION | LogPage::DELETED_RESTRICTED; } else { $bitmask = 0; diff --git a/includes/api/ApiQueryRevisions.php b/includes/api/ApiQueryRevisions.php index 9b83f8f63cf..197a1508cd6 100644 --- a/includes/api/ApiQueryRevisions.php +++ b/includes/api/ApiQueryRevisions.php @@ -77,8 +77,7 @@ class ApiQueryRevisions extends ApiQueryRevisionsBase { * @return string|false */ public static function getRollbackToken( User $user ) { - if ( !MediaWikiServices::getInstance()->getPermissionManager() - ->userHasRight( $user, 'rollback' ) ) { + if ( !$user->isAllowed( 'rollback' ) ) { return false; } @@ -206,11 +205,10 @@ class ApiQueryRevisions extends ApiQueryRevisionsBase { if ( $resultPageSet === null && $this->fetchContent ) { // For each page we will request, the user must have read rights for that page $status = Status::newGood(); - $user = $this->getUser(); /** @var Title $title */ foreach ( $pageSet->getGoodTitles() as $title ) { - if ( !$this->getPermissionManager()->userCan( 'read', $user, $title ) ) { + if ( !$this->getAuthority()->authorizeRead( 'read', $title ) ) { $status->fatal( ApiMessage::create( [ 'apierror-cannotviewtitle', wfEscapeWikiText( $title->getPrefixedText() ) ], 'accessdenied' @@ -343,10 +341,9 @@ class ApiQueryRevisions extends ApiQueryRevisionsBase { if ( $params['user'] !== null || $params['excludeuser'] !== null ) { // Paranoia: avoid brute force searches (T19342) - if ( !$this->getPermissionManager()->userHasRight( $this->getUser(), 'deletedhistory' ) ) { + if ( !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; - } elseif ( !$this->getPermissionManager() - ->userHasAnyRight( $this->getUser(), 'suppressrevision', 'viewsuppressed' ) + } elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; } else { diff --git a/includes/api/ApiQueryUserContribs.php b/includes/api/ApiQueryUserContribs.php index b4bf10d8656..a243af9aadb 100644 --- a/includes/api/ApiQueryUserContribs.php +++ b/includes/api/ApiQueryUserContribs.php @@ -340,12 +340,9 @@ class ApiQueryUserContribs extends ApiQueryBase { // Don't include any revisions where we're not supposed to be able to // see the username. - $user = $this->getUser(); - if ( !$this->getPermissionManager()->userHasRight( $user, 'deletedhistory' ) ) { + if ( !$this->getAuthority()->isAllowed( 'deletedhistory' ) ) { $bitmask = RevisionRecord::DELETED_USER; - } elseif ( !$this->getPermissionManager() - ->userHasAnyRight( $user, 'suppressrevision', 'viewsuppressed' ) - ) { + } elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) { $bitmask = RevisionRecord::DELETED_USER | RevisionRecord::DELETED_RESTRICTED; } else { $bitmask = 0; @@ -413,6 +410,7 @@ class ApiQueryUserContribs extends ApiQueryBase { if ( isset( $show['patrolled'] ) || isset( $show['!patrolled'] ) || isset( $show['autopatrolled'] ) || isset( $show['!autopatrolled'] ) || $this->fld_patrolled ) { + $user = $this->getUser(); if ( !$user->useRCPatrol() && !$user->useNPPatrol() ) { $this->dieWithError( 'apierror-permissiondenied-patrolflag', 'permissiondenied' ); } diff --git a/includes/api/ApiQueryUserInfo.php b/includes/api/ApiQueryUserInfo.php index ea5dccea043..44230e968cb 100644 --- a/includes/api/ApiQueryUserInfo.php +++ b/includes/api/ApiQueryUserInfo.php @@ -186,7 +186,7 @@ class ApiQueryUserInfo extends ApiQueryBase { if ( isset( $this->prop['preferencestoken'] ) && !$this->lacksSameOriginSecurity() && - $this->getPermissionManager()->userHasRight( $user, 'editmyoptions' ) + $this->getAuthority()->isAllowed( 'editmyoptions' ) ) { $vals['preferencestoken'] = $user->getEditToken( '', $this->getMain()->getRequest() ); } @@ -212,8 +212,7 @@ class ApiQueryUserInfo extends ApiQueryBase { $vals['realname'] = $user->getRealName(); } - if ( $this->getPermissionManager()->userHasRight( $user, 'viewmyprivateinfo' ) && - isset( $this->prop['email'] ) ) { + if ( $this->getAuthority()->isAllowed( 'viewmyprivateinfo' ) && isset( $this->prop['email'] ) ) { $vals['email'] = $user->getEmail(); $auth = $user->getEmailAuthenticationTimestamp(); if ( $auth !== null ) { diff --git a/includes/api/ApiRevisionDelete.php b/includes/api/ApiRevisionDelete.php index 8076545d404..d2e12c9b730 100644 --- a/includes/api/ApiRevisionDelete.php +++ b/includes/api/ApiRevisionDelete.php @@ -91,6 +91,7 @@ class ApiRevisionDelete extends ApiBase { $this->dieWithError( [ 'apierror-revdel-needtarget' ], 'needtarget' ); } + // TODO: replace use of PermissionManager if ( $this->getPermissionManager()->isBlockedFrom( $user, $targetObj ) ) { $this->dieBlocked( $user->getBlock() ); } diff --git a/includes/api/ApiTag.php b/includes/api/ApiTag.php index ba3250f577b..b9e476183d3 100644 --- a/includes/api/ApiTag.php +++ b/includes/api/ApiTag.php @@ -94,6 +94,7 @@ class ApiTag extends ApiBase { switch ( $type ) { case 'rcid': $valid = RecentChange::newFromId( $id ); + // TODO: replace use of PermissionManager if ( $valid && $this->getPermissionManager()->isBlockedFrom( $user, $valid->getTitle() ) ) { $idResult['status'] = 'error'; // @phan-suppress-next-line PhanTypeMismatchArgument @@ -107,6 +108,7 @@ class ApiTag extends ApiBase { break; case 'revid': $valid = $this->revisionStore->getRevisionById( $id ); + // TODO: replace use of PermissionManager if ( $valid && $this->getPermissionManager()->isBlockedFrom( $user, $valid->getPageAsLinkTarget() ) diff --git a/includes/api/ApiUnblock.php b/includes/api/ApiUnblock.php index 2bec7945662..20fa0717fd4 100644 --- a/includes/api/ApiUnblock.php +++ b/includes/api/ApiUnblock.php @@ -24,7 +24,6 @@ use MediaWiki\Block\BlockPermissionCheckerFactory; use MediaWiki\Block\DatabaseBlock; use MediaWiki\Block\UnblockUserFactory; use MediaWiki\ParamValidator\TypeDef\UserDef; -use MediaWiki\Permissions\PermissionManager; /** * API module that facilitates the unblocking of users. Requires API write mode @@ -42,9 +41,6 @@ class ApiUnblock extends ApiBase { /** @var UnblockUserFactory */ private $unblockUserFactory; - /** @var PermissionManager */ - private $permissionManager; - /** @var UserCache */ private $userCache; @@ -53,14 +49,12 @@ class ApiUnblock extends ApiBase { $action, BlockPermissionCheckerFactory $permissionCheckerFactory, UnblockUserFactory $unblockUserFactory, - PermissionManager $permissionManager, UserCache $userCache ) { parent::__construct( $main, $action ); $this->permissionCheckerFactory = $permissionCheckerFactory; $this->unblockUserFactory = $unblockUserFactory; - $this->permissionManager = $permissionManager; $this->userCache = $userCache; } @@ -73,7 +67,7 @@ class ApiUnblock extends ApiBase { $this->requireOnlyOneParameter( $params, 'id', 'user', 'userid' ); - if ( !$this->permissionManager->userHasRight( $performer, 'block' ) ) { + if ( !$this->getAuthority()->isAllowed( 'block' ) ) { $this->dieWithError( 'apierror-permissiondenied-unblock', 'permissiondenied' ); } diff --git a/includes/api/ApiUndelete.php b/includes/api/ApiUndelete.php index 49b2d76c273..a5d24a0fc66 100644 --- a/includes/api/ApiUndelete.php +++ b/includes/api/ApiUndelete.php @@ -50,12 +50,13 @@ class ApiUndelete extends ApiBase { $this->dieWithError( [ 'apierror-invalidtitle', wfEscapeWikiText( $params['title'] ) ] ); } - if ( !$this->getPermissionManager()->userCan( 'undelete', $this->getUser(), $titleObj ) ) { + if ( !$this->getAuthority()->authorizeWrite( 'undelete', $titleObj ) ) { $this->dieWithError( 'permdenied-undelete' ); } // Check if user can add tags if ( $params['tags'] !== null ) { + // TODO: change to accept Authority $ableToTag = ChangeTags::canAddTagsAccompanyingChange( $params['tags'], $user ); if ( !$ableToTag->isOK() ) { $this->dieStatus( $ableToTag ); diff --git a/includes/api/ApiUserrights.php b/includes/api/ApiUserrights.php index 031f61a7b36..4a17ff61eb0 100644 --- a/includes/api/ApiUserrights.php +++ b/includes/api/ApiUserrights.php @@ -53,7 +53,7 @@ class ApiUserrights extends ApiBase { // Deny if the user is blocked and doesn't have the full 'userrights' permission. // This matches what Special:UserRights does for the web UI. - if ( !$this->getPermissionManager()->userHasRight( $pUser, 'userrights' ) ) { + if ( !$this->getAuthority()->isAllowed( 'userrights' ) ) { $block = $pUser->getBlock(); if ( $block && $block->isSitewide() ) { $this->dieBlocked( $block ); diff --git a/tests/phpunit/includes/api/ApiOptionsTest.php b/tests/phpunit/includes/api/ApiOptionsTest.php index c9febb2011a..791a6a9973d 100644 --- a/tests/phpunit/includes/api/ApiOptionsTest.php +++ b/tests/phpunit/includes/api/ApiOptionsTest.php @@ -44,6 +44,9 @@ class ApiOptionsTest extends MediaWikiLangTestCase { $this->mUserMock->method( 'getOptions' ) ->willReturn( [] ); + $this->mUserMock->expects( $this->any() ) + ->method( 'isAllowedAny' )->willReturn( true ); + // DefaultPreferencesFactory calls a ton of user methods, but we still want to list all of // them in case bugs are caused by unexpected things returning null that shouldn't. $this->mUserMock->expects( $this->never() )->method( $this->anythingBut( @@ -51,7 +54,8 @@ class ApiOptionsTest extends MediaWikiLangTestCase { 'isAnon', 'getRequest', 'isLoggedIn', 'getName', 'getGroupMemberships', 'getEditCount', 'getRegistration', 'isAllowed', 'getRealName', 'getOption', 'getStubThreshold', 'getBoolOption', 'getEmail', 'getDatePreference', 'useRCPatrol', 'useNPPatrol', - 'setOption', 'saveSettings', 'resetOptions', 'isRegistered', 'getTitleKey' + 'setOption', 'saveSettings', 'resetOptions', 'isRegistered', 'getTitleKey', + 'isAllowedAny' ) ); // Create a new context diff --git a/tests/phpunit/includes/api/ApiTestCase.php b/tests/phpunit/includes/api/ApiTestCase.php index 8a4300d7b95..332dda5af64 100644 --- a/tests/phpunit/includes/api/ApiTestCase.php +++ b/tests/phpunit/includes/api/ApiTestCase.php @@ -95,6 +95,7 @@ abstract class ApiTestCase extends MediaWikiLangTestCase { $contextUser = $wgUser; } + $sessionObj->setUser( $contextUser ); if ( $tokenType !== null ) { if ( $tokenType === 'auto' ) { $tokenType = ( new ApiMain() )->getModuleManager() diff --git a/tests/phpunit/includes/api/query/ApiQueryBlockInfoTraitTest.php b/tests/phpunit/includes/api/query/ApiQueryBlockInfoTraitTest.php index 4b374487d8f..52c489b4772 100644 --- a/tests/phpunit/includes/api/query/ApiQueryBlockInfoTraitTest.php +++ b/tests/phpunit/includes/api/query/ApiQueryBlockInfoTraitTest.php @@ -1,7 +1,6 @@ getMockForTrait( ApiQueryBlockInfoTrait::class ); $mock->method( 'getDB' )->willReturn( wfGetDB( DB_REPLICA ) ); - $mock->method( 'getPermissionManager' ) - ->willReturn( MediaWikiServices::getInstance()->getPermissionManager() ); - $mock->method( 'getUser' ) + $mock->method( 'getAuthority' ) ->willReturn( $this->getMutableTestUser()->getUser() ); $mock->method( 'addTables' )->willReturnCallback( static function ( $v ) use ( &$data ) { $data['tables'] = array_merge( $data['tables'] ?? [], (array)$v ); diff --git a/tests/phpunit/includes/api/query/ApiQueryInfoTest.php b/tests/phpunit/includes/api/query/ApiQueryInfoTest.php index 243b6945d67..958986a36fe 100644 --- a/tests/phpunit/includes/api/query/ApiQueryInfoTest.php +++ b/tests/phpunit/includes/api/query/ApiQueryInfoTest.php @@ -38,6 +38,7 @@ class ApiQueryInfoTest extends ApiTestCase { $page = $this->getExistingTestPage( 'Pluto' ); $title = $page->getTitle(); $user = $this->getTestUser()->getUser(); + RequestContext::getMain()->setUser( $user ); WatchAction::doWatch( $title, $user, diff --git a/tests/phpunit/unit/api/ApiUnblockTest.php b/tests/phpunit/unit/api/ApiUnblockTest.php index cda16c47ac2..12da503295b 100644 --- a/tests/phpunit/unit/api/ApiUnblockTest.php +++ b/tests/phpunit/unit/api/ApiUnblockTest.php @@ -11,7 +11,6 @@ use MediaWiki\Block\BlockPermissionCheckerFactory; use MediaWiki\Block\DatabaseBlock; use MediaWiki\Block\UnblockUser; use MediaWiki\Block\UnblockUserFactory; -use MediaWiki\Permissions\PermissionManager; use MediaWikiUnitTestCase; use RequestContext; use Status; @@ -41,7 +40,6 @@ class ApiUnblockTest extends MediaWikiUnitTestCase { $action = 'unblock'; $blockPermissionCheckerFactory = $this->createMock( BlockPermissionCheckerFactory::class ); $unblockUserFactory = $this->createMock( UnblockUserFactory::class ); - $permissionManager = $this->createMock( PermissionManager::class ); $userCache = $this->createMock( UserCache::class ); // Expose requestContext and user so that they can be further modified in the test @@ -50,7 +48,6 @@ class ApiUnblockTest extends MediaWikiUnitTestCase { 'action' => 'unblock', 'blockPermissionCheckerFactory' => $blockPermissionCheckerFactory, 'unblockUserFactory' => $unblockUserFactory, - 'permissionManager' => $permissionManager, 'userCache' => $userCache, 'requestContext' => $requestContext, 'performer' => $performer, @@ -69,7 +66,6 @@ class ApiUnblockTest extends MediaWikiUnitTestCase { $args['action'], $args['blockPermissionCheckerFactory'], $args['unblockUserFactory'], - $args['permissionManager'], $args['userCache'] ] ) ->getMock(); @@ -128,7 +124,6 @@ class ApiUnblockTest extends MediaWikiUnitTestCase { $args['action'], $args['blockPermissionCheckerFactory'], $args['unblockUserFactory'], - $args['permissionManager'], $args['userCache'] ); // Ensure everything was created right @@ -171,10 +166,9 @@ class ApiUnblockTest extends MediaWikiUnitTestCase { // Since the actual internals of that are complicated, mock it $args = $this->getConstructorArgs(); - $args['permissionManager']->expects( $this->once() ) - ->method( 'userHasRight' ) + $args['performer']->expects( $this->once() ) + ->method( 'isAllowed' ) ->with( - $this->equalTo( $args['performer'] ), $this->equalTo( 'block' ) ) ->willReturn( false ); @@ -205,7 +199,7 @@ class ApiUnblockTest extends MediaWikiUnitTestCase { // If $params['userid'] is set and the usercache call returns false, there is an error $args = $this->getConstructorArgs(); - $args['permissionManager']->method( 'userHasRight' )->willReturn( true ); + $args['performer']->method( 'isAllowed' )->willReturn( true ); $args['userCache']->expects( $this->once() ) ->method( 'getProp' ) @@ -246,7 +240,7 @@ class ApiUnblockTest extends MediaWikiUnitTestCase { // Next potential failure is the actual unblock call failing $args = $this->getConstructorArgs(); - $args['permissionManager']->method( 'userHasRight' )->willReturn( true ); + $args['performer']->method( 'isAllowed' )->willReturn( true ); // Return true $args['blockPermissionCheckerFactory'] = $this->getBlockPermissionCheckerFactory( @@ -318,7 +312,7 @@ class ApiUnblockTest extends MediaWikiUnitTestCase { ->willReturn( true ); $args['apiMain']->method( 'getResult' )->willReturn( $apiResult ); - $args['permissionManager']->method( 'userHasRight' )->willReturn( true ); + $args['performer']->method( 'isAllowed' )->willReturn( true ); $args['blockPermissionCheckerFactory'] = $this->getBlockPermissionCheckerFactory( 'targetNameGoesHere', $args['performer'],