3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
13 * You should have received a copy of the GNU General Public License along
14 * with this program; if not, write to the Free Software Foundation, Inc.,
15 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 * http://www.gnu.org/copyleft/gpl.html
22 namespace MediaWiki\Auth
;
24 use MediaWiki\Block\AbstractBlock
;
25 use MediaWiki\MainConfigNames
;
26 use MediaWiki\MediaWikiServices
;
30 * Check if the user is blocked, and prevent authentication if so.
32 * Not all scenarios are covered by this class, AuthManager does some block checks itself
33 * via AuthManager::authorizeCreateAccount().
38 class CheckBlocksSecondaryAuthenticationProvider
extends AbstractSecondaryAuthenticationProvider
{
41 protected $blockDisablesLogin = null;
44 * @param array $params
45 * - blockDisablesLogin: (bool) Whether blocked accounts can log in,
46 * defaults to $wgBlockDisablesLogin
48 public function __construct( $params = [] ) {
49 if ( isset( $params['blockDisablesLogin'] ) ) {
50 $this->blockDisablesLogin
= (bool)$params['blockDisablesLogin'];
55 protected function postInitSetup() {
56 $this->blockDisablesLogin ??
= $this->config
->get( MainConfigNames
::BlockDisablesLogin
);
60 public function getAuthenticationRequests( $action, array $options ) {
65 public function beginSecondaryAuthentication( $user, array $reqs ) {
66 if ( !$this->blockDisablesLogin
) {
67 return AuthenticationResponse
::newAbstain();
69 $block = $user->getBlock();
70 // Ignore IP blocks and partial blocks, $wgBlockDisablesLogin was meant for
71 // blocks banning specific users.
72 if ( $block && $block->isSitewide() && $block->isBlocking( $user ) ) {
73 return AuthenticationResponse
::newFail(
74 new \
Message( 'login-userblocked', [ $user->getName() ] )
77 return AuthenticationResponse
::newPass();
82 public function beginSecondaryAccountCreation( $user, $creator, array $reqs ) {
83 return AuthenticationResponse
::newAbstain();
87 public function testUserForCreation( $user, $autocreate, array $options = [] ) {
88 // isBlockedFromCreateAccount() does not return non-accountcreation blocks, but we need them
89 // in the $wgBlockDisablesLogin case; getBlock() is unreliable for IP blocks. So we need both.
91 'local-createaccount' => $user->isBlockedFromCreateAccount(),
92 'local' => $user->getBlock(),
94 foreach ( $blocks as $block ) {
95 /** @var AbstractBlock $block */
96 if ( $block && $block->isSitewide()
97 // This method is for checking a given account/username, not the current user, so
98 // ignore IP blocks; they will be checked elsewhere via authorizeCreateAccount().
99 // FIXME: special-case autocreation which doesn't do that check. Should it?
100 && ( $block->isBlocking( $user ) ||
$autocreate )
102 // Should blocks that prevent account creation also prevent autocreation?
103 // We'll go with yes here.
104 $block->isCreateAccountBlocked()
105 // A successful autocreation means the user is logged in, so we must make sure to
106 // honor $wgBlockDisablesLogin. If it's enabled, sitewide blocks are expected to
107 // prevent login regardless of their flags.
108 ||
( $autocreate && $this->blockDisablesLogin
)
110 // FIXME: ideally on autocreation we'd figure out if the user has the ipblock-exempt
111 // or globalblock-exempt right via some central authorization system like
112 // CentralAuth global groups. But at this point the local account doesn't exist
113 // yet so there is no way to do that. There should probably be some separate hook
114 // to fetch user rights for a central user.
115 // FIXME: T249444: there should probably be a way to force autocreation through blocks
117 $formatter = MediaWikiServices
::getInstance()->getBlockErrorFormatter();
119 $context = \RequestContext
::getMain();
121 $language = $context->getUser()->isSafeToLoad() ?
122 \RequestContext
::getMain()->getLanguage() :
123 MediaWikiServices
::getInstance()->getContentLanguage();
125 $ip = $context->getRequest()->getIP();
127 return StatusValue
::newFatal(
128 $formatter->getMessage( $block, $user, $language, $ip )
132 return StatusValue
::newGood();