Page Menu
Home
WickedGov Phorge
Search
Configure Global Search
Log In
Files
F1427148
GroupPermissionsLookup.php
No One
Temporary
Actions
Download File
Edit File
Delete File
View Transforms
Subscribe
Flag For Later
Award Token
Size
6 KB
Referenced Files
None
Subscribers
None
GroupPermissionsLookup.php
View Options
<?php
/**
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
*/
namespace
MediaWiki\Permissions
;
use
MediaWiki\Config\ServiceOptions
;
use
MediaWiki\MainConfigNames
;
/**
* A service class for looking up permissions bestowed to groups, groups bestowed with
* permissions, and permissions bestowed by membership in a combination of groups, solely
* according to site configuration for group permissions and inheritence thereof.
*
* This class does *not* account for implicit rights (which are not associated with groups).
* Callers might want to use {@see PermissionManager} if this is an issue.
*
* This class does *not* infer membership in one group (e.g. '*') from membership in another
* (e.g. 'user'). Callers must account for this when using {@see self::getGroupPermissions()}.
*
* @since 1.36
* @package MediaWiki\Permissions
*/
class
GroupPermissionsLookup
{
/**
* @internal
*/
public
const
CONSTRUCTOR_OPTIONS
=
[
MainConfigNames
::
GroupInheritsPermissions
,
MainConfigNames
::
GroupPermissions
,
MainConfigNames
::
RevokePermissions
,
];
/** @var array[] */
private
$groupPermissions
;
/** @var array[] */
private
$revokePermissions
;
/** @var string[] */
private
$groupInheritance
;
/**
* @param ServiceOptions $options
*/
public
function
__construct
(
ServiceOptions
$options
)
{
$options
->
assertRequiredOptions
(
self
::
CONSTRUCTOR_OPTIONS
);
$this
->
groupPermissions
=
$options
->
get
(
MainConfigNames
::
GroupPermissions
);
$this
->
revokePermissions
=
$options
->
get
(
MainConfigNames
::
RevokePermissions
);
$this
->
groupInheritance
=
$options
->
get
(
MainConfigNames
::
GroupInheritsPermissions
);
}
/**
* Check, if the given group has the given permission
*
* If you're wanting to check whether all users have a permission,
* use PermissionManager::isEveryoneAllowed() instead.
* That properly checks if it's revoked from anyone.
*
* @param string $group Group to check
* @param string $permission Role to check
*
* @return bool
*/
public
function
groupHasPermission
(
string
$group
,
string
$permission
):
bool
{
$inheritsFrom
=
$this
->
groupInheritance
[
$group
]
??
false
;
$has
=
isset
(
$this
->
groupPermissions
[
$group
][
$permission
]
)
&&
$this
->
groupPermissions
[
$group
][
$permission
];
// If the group doesn't have the permission and inherits from somewhere,
// check that group too
if
(
!
$has
&&
$inheritsFrom
!==
false
)
{
$has
=
isset
(
$this
->
groupPermissions
[
$inheritsFrom
][
$permission
]
)
&&
$this
->
groupPermissions
[
$inheritsFrom
][
$permission
];
}
if
(
!
$has
)
{
// If they don't have the permission, exit early
return
false
;
}
// Check if the permission has been revoked
$revoked
=
isset
(
$this
->
revokePermissions
[
$group
][
$permission
]
)
&&
$this
->
revokePermissions
[
$group
][
$permission
];
if
(
!
$revoked
&&
$inheritsFrom
!==
false
)
{
$revoked
=
isset
(
$this
->
revokePermissions
[
$inheritsFrom
][
$permission
]
)
&&
$this
->
revokePermissions
[
$inheritsFrom
][
$permission
];
}
return
!
$revoked
;
}
/**
* Get a list of permissions granted to this group. This
* must *NOT* be used for permissions checking as it
* does not check whether a permission has been revoked
* from this group.
*
* @param string $group Group to get permissions of
* @return string[]
* @since 1.38
*/
public
function
getGrantedPermissions
(
string
$group
):
array
{
$rights
=
array_keys
(
array_filter
(
$this
->
groupPermissions
[
$group
]
??
[]
)
);
$inheritsFrom
=
$this
->
groupInheritance
[
$group
]
??
false
;
if
(
$inheritsFrom
!==
false
)
{
$rights
=
array_merge
(
$rights
,
// array_filter removes empty items
array_keys
(
array_filter
(
$this
->
groupPermissions
[
$inheritsFrom
]
??
[]
)
)
);
}
return
array_unique
(
$rights
);
}
/**
* Get a list of permissions revoked from this group
*
* @param string $group Group to get revoked permissions of
* @return string[]
* @since 1.38
*/
public
function
getRevokedPermissions
(
string
$group
):
array
{
$rights
=
array_keys
(
array_filter
(
$this
->
revokePermissions
[
$group
]
??
[]
)
);
$inheritsFrom
=
$this
->
groupInheritance
[
$group
]
??
false
;
if
(
$inheritsFrom
!==
false
)
{
$rights
=
array_merge
(
$rights
,
// array_filter removes empty items
array_keys
(
array_filter
(
$this
->
revokePermissions
[
$inheritsFrom
]
??
[]
)
)
);
}
return
array_unique
(
$rights
);
}
/**
* Get the permissions associated with membership in a combination of groups
*
* Group-based revocation of a permission negates all group-based assignments of that
* permission.
*
* @param string[] $groups internal group names
* @return string[] permission key names for given groups combined
*/
public
function
getGroupPermissions
(
array
$groups
):
array
{
$rights
=
[];
$checkGroups
=
[];
// Add inherited groups to the list of groups to check
foreach
(
$groups
as
$group
)
{
$checkGroups
[]
=
$group
;
if
(
isset
(
$this
->
groupInheritance
[
$group
]
)
)
{
$checkGroups
[]
=
$this
->
groupInheritance
[
$group
];
}
}
// grant every granted permission first
foreach
(
$checkGroups
as
$group
)
{
if
(
isset
(
$this
->
groupPermissions
[
$group
]
)
)
{
$rights
=
array_merge
(
$rights
,
// array_filter removes empty items
array_keys
(
array_filter
(
$this
->
groupPermissions
[
$group
]
)
)
);
}
}
// now revoke the revoked permissions
foreach
(
$checkGroups
as
$group
)
{
if
(
isset
(
$this
->
revokePermissions
[
$group
]
)
)
{
$rights
=
array_diff
(
$rights
,
array_keys
(
array_filter
(
$this
->
revokePermissions
[
$group
]
)
)
);
}
}
return
array_unique
(
$rights
);
}
/**
* Get all the groups who have a given permission
*
* @param string $permission
* @return string[] internal group names with the given permission
*/
public
function
getGroupsWithPermission
(
string
$permission
):
array
{
$allowedGroups
=
[];
$groups
=
array_unique
(
array_merge
(
array_keys
(
$this
->
groupPermissions
),
array_keys
(
$this
->
groupInheritance
)
)
);
foreach
(
$groups
as
$group
)
{
if
(
$this
->
groupHasPermission
(
$group
,
$permission
)
)
{
$allowedGroups
[]
=
$group
;
}
}
return
$allowedGroups
;
}
}
File Metadata
Details
Attached
Mime Type
text/x-php
Expires
Sat, May 16, 14:16 (1 d, 10 h)
Storage Engine
local-disk
Storage Format
Raw Data
Storage Handle
9d/4d/e356ca3e2c7e53cc85aebeac9bae
Default Alt Text
GroupPermissionsLookup.php (6 KB)
Attached To
Mode
rMWPROD MediaWiki Production
Attached
Detach File
Event Timeline
Log In to Comment