1 <?php
3 /**
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License along
15 * with this program; if not, write to the Free Software Foundation, Inc.,
16 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 * http://www.gnu.org/copyleft/gpl.html
19 * @file
22 namespace MediaWiki\Block;
24 use MediaWiki\Permissions\PermissionManager;
25 use MediaWiki\User\UserIdentity;
26 use User;
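/**
 * Block permissions
 *
 * This class is responsible for making sure a user has permission to block.
 *
 * This class is usable for both blocking as well as
 * the unblocking process.
 *
 * Both check methods return `true` on success and a message key on failure.
 * A message key is a non-empty string and therefore truthy in PHP, so callers
 * must compare the result with `=== true`; a loose truthiness test would let
 * every denial through.
 *
 * checkBlockPermissions() does not verify the 'block' right itself; that is
 * the job of checkBasePermissions(). A caller that needs both guarantees has
 * to run both checks.
 *
 * @since 1.35
 */
class BlockPermissionChecker {
	/**
	 * @var UserIdentity|string Block target
	 */
	private $target;

	/**
	 * @var int|null One of AbstractBlock::TYPE_* constants; null until the
	 *  constructor has parsed the target. Not read by the methods of this class.
	 */
	private $targetType = null;

	/**
	 * @var User Block performer
	 */
	private $performer;

	/**
	 * @var PermissionManager
	 */
	private $permissionManager;

	/**
	 * @param PermissionManager $permissionManager Used for every right lookup
	 * @param UserIdentity|string $target Block target, normalised through
	 *  AbstractBlock::parseTarget() (the accepted input types are defined there)
	 * @param User $performer User attempting the block or unblock
	 */
	public function __construct(
		PermissionManager $permissionManager,
		$target,
		User $performer
	) {
		$this->permissionManager = $permissionManager;
		// parseTarget() returns the normalised target together with its type.
		[ $this->target, $this->targetType ] = AbstractBlock::parseTarget( $target );
		$this->performer = $performer;
	}

	/**
	 * Check the base rights needed for a block or unblock.
	 *
	 * The performer must hold the 'block' right, and additionally the
	 * 'hideuser' right when $checkHideuser is set.
	 *
	 * @since 1.36
	 * @param bool $checkHideuser Also require the 'hideuser' right
	 * @return bool|string True when the rights are present, otherwise the
	 *  message key 'badaccess-group0'. Compare with `=== true`.
	 */
	public function checkBasePermissions( $checkHideuser = false ) {
		if ( !$this->permissionManager->userHasRight( $this->performer, 'block' ) ) {
			return 'badaccess-group0';
		}

		if (
			$checkHideuser &&
			!$this->permissionManager->userHasRight( $this->performer, 'hideuser' )
		) {
			return 'badaccess-group0';
		}

		return true;
	}

	/**
	 * Checks block-related permissions (doesn't check any other permissions)
	 *
	 * T17810: Sitewide blocked admins should not be able to block/unblock
	 * others with one exception; they can block the user who blocked them,
	 * to reduce advantage of a malicious account blocking all admins (T150826).
	 *
	 * T208965: Partially blocked admins can block and unblock others as normal.
	 *
	 * @return bool|string True when checks passed, message code for failures
	 *  ('ipbnounblockself' or 'ipbblocked'). Compare with `=== true`.
	 */
	public function checkBlockPermissions() {
		$block = $this->performer->getBlock();
		if ( !$block ) {
			// User is not blocked, process as normal
			return true;
		}

		if ( !$block->isSitewide() ) {
			// T208965: Partially blocked admins should have full access
			return true;
		}

		// NOTE(review): this is a numeric id comparison. If the performer could
		// ever be an unregistered identity, confirm that two different
		// anonymous identities cannot compare equal here.
		if (
			$this->target instanceof UserIdentity &&
			$this->target->getId() === $this->performer->getId()
		) {
			// Blocked admin is trying to alter their own block

			// Self-blocked admins can always remove or alter their block
			if ( $this->performer->blockedBy() === $this->performer->getName() ) {
				return true;
			}

			// Users with 'unblockself' right can unblock themselves or alter their own block
			if ( $this->permissionManager->userHasRight( $this->performer, 'unblockself' ) ) {
				return true;
			}

			return 'ipbnounblockself';
		}

		if (
			$this->target instanceof UserIdentity &&
			$this->performer->blockedBy() === $this->target->getName()
		) {
			// T150826: Blocked admins can always block the admin who blocked them
			return true;
		}

		// User is blocked and no exception took effect
		return 'ipbblocked';
	}
}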