4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License along
15 * with this program; if not, write to the Free Software Foundation, Inc.,
16 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 * http://www.gnu.org/copyleft/gpl.html
22 namespace MediaWiki\Block
;
24 use MediaWiki\Permissions\PermissionManager
;
25 use MediaWiki\User\UserIdentity
;
31 * This class is responsible for making sure a user has permission to block
33 * This class is usable for both the blocking and
34 * the unblocking process.
38 class BlockPermissionChecker
{
40 * @var UserIdentity|string Block target
45 * @var int $targetType One of AbstractBlock::TYPE_* constants
47 private $targetType = null;
50 * @var User Block performer
55 * @var PermissionManager
57 private $permissionManager;
59 public function __construct(
60 PermissionManager
$permissionManager,
// NOTE(review): the remaining parameter declarations ($target, $performer)
// are not visible in this listing; their types are taken from the property
// docblocks (UserIdentity|string target, User performer) — confirm.
// Keep the permission manager for the userHasRight() lookups done by the checks.
64 $this->permissionManager
= $permissionManager;
// Split the raw target into a target value and a target type in one step,
// so both properties always come from the same AbstractBlock::parseTarget() call.
65 list( $this->target
, $this->targetType
) = AbstractBlock
::parseTarget( $target );
// The performer is the account whose rights and own block status are checked.
66 $this->performer
= $performer;
70 * Check base permission of the unblock
73 * @param bool $checkHideuser
76 public function checkBasePermissions( $checkHideuser = false ) {
// First gate: the performer must hold the 'block' right. A missing right is
// reported with the generic 'badaccess-group0' message key.
77 if ( !$this->permissionManager
->userHasRight( $this->performer
, 'block' ) ) {
78 return 'badaccess-group0';
// Second gate: the 'hideuser' right. Failure returns the same message key as
// above, so a caller cannot tell from the result which right was missing.
// NOTE(review): the opening of this condition is not visible in this listing;
// presumably it only applies when $checkHideuser is true — confirm.
83 !$this->permissionManager
->userHasRight( $this->performer
, 'hideuser' )
85 return 'badaccess-group0';
92 * Checks block-related permissions (doesn't check any other permissions)
94 * T17810: Sitewide-blocked admins should not be able to block/unblock
95 * others, with one exception: they can block the user who blocked them,
96 * to reduce the advantage a malicious account gains by blocking all admins (T150826).
98 * T208965: Partially blocked admins can block and unblock others as normal.
100 * @return bool|string True when checks passed, message code for failures
102 public function checkBlockPermissions() {
103 $block = $this->performer
->getBlock();
105 // User is not blocked, process as normal
109 if ( !$block->isSitewide() ) {
110 // T208965: Partially blocked admins should have full access
115 $this->target
instanceof UserIdentity
&&
116 $this->target
->getId() === $this->performer
->getId()
118 // Blocked admin is trying to alter their own block
120 // Self-blocked admins can always remove or alter their block
121 if ( $this->performer
->blockedBy() === $this->performer
->getName() ) {
125 // Users with 'unblockself' right can unblock themselves or alter their own block
126 if ( $this->permissionManager
->userHasRight( $this->performer
, 'unblockself' ) ) {
129 return 'ipbnounblockself';
134 $this->target
instanceof UserIdentity
&&
135 $this->performer
->blockedBy() === $this->target
->getName()
137 // T150826: Blocked admins can always block the admin who blocked them
141 // User is blocked and no exception took effect