search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update git submodules
[mediawiki.git] / includes / auth / CheckBlocksSecondaryAuthenticationProvider.php
blobb7ac47824043aa139dc966e42e9dc2fca29da7da
1 <?php
2 /**
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License along
14 * with this program; if not, write to the Free Software Foundation, Inc.,
15 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 * http://www.gnu.org/copyleft/gpl.html
17 *
18 * @file
19 * @ingroup Auth
20 */
21
22 namespace MediaWiki\Auth;
23
24 use MediaWiki\Block\AbstractBlock;
25 use MediaWiki\MainConfigNames;
26 use MediaWiki\MediaWikiServices;
27 use StatusValue;
28
29 /**
30 * Check if the user is blocked, and prevent authentication if so.
31 *
32 * Not all scenarios are covered by this class, AuthManager does some block checks itself
33 * via AuthManager::authorizeCreateAccount().
34 *
35 * @ingroup Auth
36 * @since 1.27
37 */
38 class CheckBlocksSecondaryAuthenticationProvider extends AbstractSecondaryAuthenticationProvider {
39
40 /** @var bool */
41 protected $blockDisablesLogin = null;
42
43 /**
44 * @param array $params
45 * - blockDisablesLogin: (bool) Whether blocked accounts can log in,
46 * defaults to $wgBlockDisablesLogin
47 */
48 public function __construct( $params = [] ) {
49 if ( isset( $params['blockDisablesLogin'] ) ) {
50 $this->blockDisablesLogin = (bool)$params['blockDisablesLogin'];
51 }
52 }
53
54 /** @inheritDoc */
55 protected function postInitSetup() {
56 $this->blockDisablesLogin ??= $this->config->get( MainConfigNames::BlockDisablesLogin );
57 }
58
59 /** @inheritDoc */
60 public function getAuthenticationRequests( $action, array $options ) {
61 return [];
62 }
63
64 /** @inheritDoc */
65 public function beginSecondaryAuthentication( $user, array $reqs ) {
66 if ( !$this->blockDisablesLogin ) {
67 return AuthenticationResponse::newAbstain();
68 }
69 $block = $user->getBlock();
70 // Ignore IP blocks and partial blocks, $wgBlockDisablesLogin was meant for
71 // blocks banning specific users.
72 if ( $block && $block->isSitewide() && $block->isBlocking( $user ) ) {
73 return AuthenticationResponse::newFail(
74 new \Message( 'login-userblocked', [ $user->getName() ] )
75 );
76 } else {
77 return AuthenticationResponse::newPass();
78 }
79 }
80
81 /** @inheritDoc */
82 public function beginSecondaryAccountCreation( $user, $creator, array $reqs ) {
83 return AuthenticationResponse::newAbstain();
84 }
85
86 /** @inheritDoc */
87 public function testUserForCreation( $user, $autocreate, array $options = [] ) {
88 // isBlockedFromCreateAccount() does not return non-accountcreation blocks, but we need them
89 // in the $wgBlockDisablesLogin case; getBlock() is unreliable for IP blocks. So we need both.
90 $blocks = [
91 'local-createaccount' => $user->isBlockedFromCreateAccount(),
92 'local' => $user->getBlock(),
93 ];
94 foreach ( $blocks as $block ) {
95 /** @var AbstractBlock $block */
96 if ( $block && $block->isSitewide()
97 // This method is for checking a given account/username, not the current user, so
98 // ignore IP blocks; they will be checked elsewhere via authorizeCreateAccount().
99 // FIXME: special-case autocreation which doesn't do that check. Should it?
100 && ( $block->isBlocking( $user ) || $autocreate )
101 && (
102 // Should blocks that prevent account creation also prevent autocreation?
103 // We'll go with yes here.
104 $block->isCreateAccountBlocked()
105 // A successful autocreation means the user is logged in, so we must make sure to
106 // honor $wgBlockDisablesLogin. If it's enabled, sitewide blocks are expected to
107 // prevent login regardless of their flags.
108 || ( $autocreate && $this->blockDisablesLogin )
109 )
110 // FIXME: ideally on autocreation we'd figure out if the user has the ipblock-exempt
111 // or globalblock-exempt right via some central authorization system like
112 // CentralAuth global groups. But at this point the local account doesn't exist
113 // yet so there is no way to do that. There should probably be some separate hook
114 // to fetch user rights for a central user.
115 // FIXME: T249444: there should probably be a way to force autocreation through blocks
116 ) {
117 $formatter = MediaWikiServices::getInstance()->getBlockErrorFormatter();
118
119 $context = \RequestContext::getMain();
120
121 $language = $context->getUser()->isSafeToLoad() ?
122 \RequestContext::getMain()->getLanguage() :
123 MediaWikiServices::getInstance()->getContentLanguage();
124
125 $ip = $context->getRequest()->getIP();
126
127 return StatusValue::newFatal(
128 $formatter->getMessage( $block, $user, $language, $ip )
129 );
130 }
131 }
132 return StatusValue::newGood();
133 }
134
135 }
MediaWiki Core