There are common use cases for having a group inherit permissions from another group. For example, if you want to have a "confirmed" group that can be manually handed out to grant "autoconfirmed" status, or if you want to make the "sysop" group also have "interface-admin" powers. Previously, to make this work you needed to either copy all the $wgGroupPermissions entries for the second group, or use $wgExtensionFunctions to copy them over at runtime. Neither is a great solution, hence this patch. This introduces a new configuration option, $wgGroupInheritsPermissions, that GroupPermissionsLookup will use when determining what permissions each group has. For simplicity, this option is not recursive. To make this work, Special:ListGroupRights now consults GroupPermissionsLookup instead of looking at the $wgGroupPermissions/$wgRevokePermissions globals. It also uses UserGroupManager to get the list of all groups instead of looking at more globals. Anything still reading permissions directly from those globals is liable to be broken, if it wasn't already. Bug: T275334 Change-Id: Iad72e126d2708012e1e403bee066b3017c16226d
<?php
namespace MediaWiki\Tests\Unit\Permissions;
use MediaWiki\Config\ServiceOptions;
use MediaWiki\Permissions\GroupPermissionsLookup;
use MediaWikiUnitTestCase;
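/**
 * Unit tests for GroupPermissionsLookup: granted, revoked and inherited
 * group permissions.
 *
 * Fixture groups (see createGroupPermissionsLookup()):
 *  - unittesters: granted test, runtest and nukeworld; nukeworld is also revoked.
 *  - testwriters: granted test, writetest and modifytest.
 *  - formertesters: no grants of its own; revokes runtest.
 *  - inheritedtesters: no entries of its own; inherits from unittesters.
 *
 * NOTE(review): the fixture has no inheritance chain (a group inheriting from
 * a group that itself inherits) and no inheriting group with grants or
 * revocations of its own, so those combinations are not exercised here.
 */
class GroupPermissionsLookupTest extends MediaWikiUnitTestCase {

	/**
	 * Build a lookup over the fixed grant / revoke / inheritance fixture
	 * shared by every test in this class.
	 *
	 * @return GroupPermissionsLookup
	 */
	private function createGroupPermissionsLookup(): GroupPermissionsLookup {
		return new GroupPermissionsLookup(
			new ServiceOptions( GroupPermissionsLookup::CONSTRUCTOR_OPTIONS, [
				'GroupPermissions' => [
					'unittesters' => [
						'test' => true,
						'runtest' => true,
						// Granted here and revoked below for the same group.
						'nukeworld' => true,
					],
					'testwriters' => [
						'test' => true,
						'writetest' => true,
						'modifytest' => true,
					],
				],
				'RevokePermissions' => [
					'unittesters' => [
						'nukeworld' => true,
					],
					'formertesters' => [
						'runtest' => true,
					],
				],
				'GroupInheritsPermissions' => [
					'inheritedtesters' => 'unittesters',
				],
			] )
		);
	}

	/**
	 * @dataProvider provideGetGroupsWithPermission
	 * @covers \MediaWiki\Permissions\GroupPermissionsLookup::getGroupsWithPermission
	 *
	 * @param string[] $expected Group names expected to hold $right
	 * @param string $right Permission name to look up
	 */
	public function testGetGroupsWithPermission( array $expected, string $right ): void {
		$result = $this->createGroupPermissionsLookup()->getGroupsWithPermission( $right );

		// Order is not part of the expectation, so compare sorted lists.
		sort( $result );
		sort( $expected );

		$this->assertEquals( $expected, $result, "Groups with permission $right" );
	}

	/**
	 * @return array[] Cases of [ expected group names, permission name ]
	 */
	public static function provideGetGroupsWithPermission(): array {
		return [
			'test: both granting groups plus the inheriting group' => [
				[ 'unittesters', 'testwriters', 'inheritedtesters' ],
				'test',
			],
			'runtest: granting group plus the inheriting group' => [
				[ 'unittesters', 'inheritedtesters' ],
				'runtest',
			],
			'writetest: testwriters only' => [
				[ 'testwriters' ],
				'writetest',
			],
			'modifytest: testwriters only' => [
				[ 'testwriters' ],
				'modifytest',
			],
		];
	}

	/**
	 * @covers \MediaWiki\Permissions\GroupPermissionsLookup::getGroupPermissions
	 */
	public function testGroupPermissions(): void {
		$lookup = $this->createGroupPermissionsLookup();

		$rights = $lookup->getGroupPermissions( [ 'unittesters' ] );
		$this->assertContains( 'runtest', $rights );
		$this->assertNotContains( 'writetest', $rights );
		$this->assertNotContains( 'modifytest', $rights );
		// nukeworld is granted to unittesters but also revoked for it.
		$this->assertNotContains( 'nukeworld', $rights );

		// The inheriting group must resolve to exactly the parent's effective
		// permissions, which means the parent's revocation applies to it too.
		$this->assertEquals(
			$lookup->getGroupPermissions( [ 'unittesters' ] ),
			$lookup->getGroupPermissions( [ 'inheritedtesters' ] )
		);

		$rights = $lookup->getGroupPermissions( [ 'unittesters', 'testwriters' ] );
		$this->assertContains( 'runtest', $rights );
		$this->assertContains( 'writetest', $rights );
		$this->assertContains( 'modifytest', $rights );
		$this->assertNotContains( 'nukeworld', $rights );
	}

	/**
	 * @covers \MediaWiki\Permissions\GroupPermissionsLookup::getGroupPermissions
	 */
	public function testRevokePermissions(): void {
		// formertesters revokes runtest, which unittesters grants: the
		// revocation is expected to win when both groups are combined.
		$rights = $this->createGroupPermissionsLookup()
			->getGroupPermissions( [ 'unittesters', 'formertesters' ] );

		$this->assertNotContains( 'runtest', $rights );
		$this->assertNotContains( 'writetest', $rights );
		$this->assertNotContains( 'modifytest', $rights );
		$this->assertNotContains( 'nukeworld', $rights );
	}

	/**
	 * @covers \MediaWiki\Permissions\GroupPermissionsLookup::groupHasPermission
	 */
	public function testGroupHasPermission(): void {
		$lookup = $this->createGroupPermissionsLookup();

		$this->assertTrue( $lookup->groupHasPermission( 'unittesters', 'test' ) );
		$this->assertTrue( $lookup->groupHasPermission( 'inheritedtesters', 'test' ) );

		// formertesters has only a revoke entry for runtest and no grant.
		$this->assertFalse( $lookup->groupHasPermission( 'formertesters', 'runtest' ) );
	}

	/**
	 * @covers \MediaWiki\Permissions\GroupPermissionsLookup::getGrantedPermissions
	 */
	public function testGetGrantedPermissions(): void {
		$lookup = $this->createGroupPermissionsLookup();

		// Expected value goes first so PHPUnit labels a failure correctly.
		// The granted list still contains nukeworld although it is revoked
		// for the same group: revocations are reported separately.
		$this->assertSame(
			[ 'test', 'runtest', 'nukeworld' ],
			$lookup->getGrantedPermissions( 'unittesters' )
		);
		$this->assertSame(
			[ 'test', 'runtest', 'nukeworld' ],
			$lookup->getGrantedPermissions( 'inheritedtesters' )
		);
	}

	/**
	 * @covers \MediaWiki\Permissions\GroupPermissionsLookup::getRevokedPermissions
	 */
	public function testGetRevokedPermissions(): void {
		$lookup = $this->createGroupPermissionsLookup();

		// Expected value goes first so PHPUnit labels a failure correctly.
		$this->assertSame(
			[ 'nukeworld' ],
			$lookup->getRevokedPermissions( 'unittesters' )
		);
		// The inheriting group reports the parent's revocations as well.
		$this->assertSame(
			[ 'nukeworld' ],
			$lookup->getRevokedPermissions( 'inheritedtesters' )
		);
	}
}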