* In AuthManager::autoCreateUser(), check the permissions of the performer instead of relying on the secondary providers. This means that auto-creation will be denied when the anonymous user is globally IP-blocked. * Remove create account block check from CheckBlocksSecondaryAuthenticationProvider. testUserForCreation() is supposed to only do target name checks, but it's not actually possible to block a non-existent local name. So we don't need this code. * Add a $performer parameter to autoCreateUser() so that Special:CreateLocalAccount can have elevated permissions when it creates an account with IP block exemption. * When a performer is passed, don't use the session as a cache. * Since we are passing autocreateaccount as the action to PermissionManager instead of createaccount, some special cases need to be tweaked. Previously AuthManager checked for either autocreateaccount or createaccount rights. Now PermissionManager does that when the action is autocreateaccount. By removing redundant checks from testUserForCreation(), the number of ipblocks queries during a normal Special:CreateAccount post request is reduced from 8 to 6. The CentralAuth change I7e7a7fc8bcd86285f857063a38de02b41b5175d0 should be merged immediately after this one. Bug: T234371 Bug: T345683 Change-Id: If2937c7d717d2adc249f608d4585122b02a43fff
<?php
/**
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
* @ingroup Auth
*/
namespace MediaWiki\Auth;
use MediaWiki\MainConfigNames;
/**
* Check if the user is blocked, and prevent authentication if so.
*
* Not all scenarios are covered by this class; AuthManager does some block checks itself
* via AuthManager::authorizeCreateAccount().
*
* @ingroup Auth
* @since 1.27
*/
class CheckBlocksSecondaryAuthenticationProvider extends AbstractSecondaryAuthenticationProvider {

	/**
	 * Whether a block on the account stops that account from logging in.
	 * Stays null until the constructor or postInitSetup() assigns a value.
	 * @var bool|null
	 */
	protected $blockDisablesLogin = null;

	/**
	 * @param array $params
	 *  - blockDisablesLogin: (bool) Whether a block prevents the blocked account
	 *    from logging in (true = login is refused), defaults to $wgBlockDisablesLogin
	 */
	public function __construct( $params = [] ) {
		if ( !isset( $params['blockDisablesLogin'] ) ) {
			// No explicit override (missing or null): leave the flag null so that
			// postInitSetup() takes the value from the site configuration.
			return;
		}

		$this->blockDisablesLogin = (bool)$params['blockDisablesLogin'];
	}

	/** @inheritDoc */
	protected function postInitSetup() {
		// A value given to the constructor wins; only a still-null flag is
		// filled in from the BlockDisablesLogin configuration setting.
		if ( $this->blockDisablesLogin === null ) {
			$this->blockDisablesLogin = $this->config->get( MainConfigNames::BlockDisablesLogin );
		}
	}

	/** @inheritDoc */
	public function getAuthenticationRequests( $action, array $options ) {
		// No authentication requests are returned, whatever the action.
		return [];
	}

	/** @inheritDoc */
	public function beginSecondaryAuthentication( $user, array $reqs ) {
		if ( !$this->blockDisablesLogin ) {
			// Block enforcement at login is switched off, so this provider
			// abstains instead of passing or failing the attempt.
			return AuthenticationResponse::newAbstain();
		}

		$block = $user->getBlock();
		// Ignore IP blocks and partial blocks, $wgBlockDisablesLogin was meant for
		// blocks banning specific users.
		$isTargetedSitewideBlock = $block && $block->isSitewide() && $block->isBlocking( $user );
		if ( !$isTargetedSitewideBlock ) {
			return AuthenticationResponse::newPass();
		}

		// NOTE(review): the failure message names the account and reveals that it
		// is blocked; presumably primary authentication has already succeeded by
		// this stage, so this is not shown to unauthenticated callers - confirm.
		return AuthenticationResponse::newFail(
			new \Message( 'login-userblocked', [ $user->getName() ] )
		);
	}

	/** @inheritDoc */
	public function beginSecondaryAccountCreation( $user, $creator, array $reqs ) {
		// No block check is made here: the provider always abstains on account
		// creation. AuthManager does block checks of its own via
		// AuthManager::authorizeCreateAccount().
		return AuthenticationResponse::newAbstain();
	}

}