author | Tim Starling <tstarling@wikimedia.org> | 2023-10-12 09:18:26 +1100 |
---|---|---|
committer | Tim Starling <tstarling@wikimedia.org> | 2023-10-20 10:07:50 +1100 |
commit | 9e7c9c13b900fb822af6a748d9d59f32d686ca52 (patch) | |
tree | 0515e17d635e5898bacc36f768013e0abe36249b /includes/user/User.php | |
parent | 3161cbb6a0e825926165a3ef3e3cf3296389ee13 (diff) | |
Multiblocks preparation in User::getBlock(), PermissionManager and BlockManager
Functional changes:
* On account creation, if both a user block and an IP block apply,
return a CompositeBlock instead of picking a winner.
* On other actions, instead of returning the whole CompositeBlock if
some part of it matches the specified page and action, filter the
individual parts of the CompositeBlock by whether or not they match.
Refactoring:
* Add BlockManager::getBlock(), which is the same as getUserBlock()
except that it expects the caller to do IP exemption checking.
Deprecate getUserBlock().
* Migrate some callers of User::getBlock() to use BlockManager.
* Have PermissionManager use BlockManager instead of
User::getBlock().
* Add $request parameter to PermissionManager::getApplicableBlock(),
to fix the weird bundling of the request with the User.
* Move the createaccount block database fetch from PermissionManager to
BlockManager, where it can easily be cached.
* Fix code duplication between PermissionManager::isBlockedFrom() and
PermissionManager::getApplicableBlock() by having the former call the
latter.
* In CheckBlocksSecondaryAuthenticationProvider, use
AuthManager::getRequest(). Previously it used the global request and
also User::getRequest() via User::getBlock().
Bug: T345683
Change-Id: Icd75025665282a34d8854bda267a0eb3d759719c
Diffstat (limited to 'includes/user/User.php')
-rw-r--r-- | includes/user/User.php | 37 |
1 files changed, 12 insertions, 25 deletions
diff --git a/includes/user/User.php b/includes/user/User.php
index 3d9a55574a33..59a491579d39 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -226,9 +226,6 @@ class User implements Authority, UserIdentity, UserEmailContact {
 /** @var WebRequest|null */
 private $mRequest;
 
- /** @var AbstractBlock|false */
- private $mBlockedFromCreateAccount = false;
-
 /** @var int User::READ_* constant bitfield used to load data */
 protected $queryFlagsUsed = self::READ_NORMAL;
 
@@ -2798,30 +2795,20 @@ class User implements Authority, UserIdentity, UserEmailContact {
 }
 
 /**
- * Get whether the user is explicitly blocked from account creation.
- * @deprecated since 1.37. Instead use Authority::authorize* for createaccount permission.
+ * If the user is blocked from creating an account, return the Block.
+ * @deprecated since 1.37. If a Block is needed, use BlockManager::getCreateAccountBlock().
+ * If a boolean or error message is needed, use Authority::authorize* for the
+ * createaccount permission.
 * @return Block|false
 */
 public function isBlockedFromCreateAccount() {
- $block = $this->getBlock();
- if ( $block && $block->appliesToRight( 'createaccount' ) ) {
- return $block;
- }
-
- # T15611: if the IP address the user is trying to create an account from is
- # blocked with createaccount disabled, prevent new account creation there even
- # when the user is logged in
- if ( $this->mBlockedFromCreateAccount === false
- && !$this->isAllowed( 'ipblock-exempt' )
- ) {
- $this->mBlockedFromCreateAccount = DatabaseBlock::newFromTarget(
- null, $this->getRequest()->getIP()
- );
- }
- return $this->mBlockedFromCreateAccount instanceof AbstractBlock
- && $this->mBlockedFromCreateAccount->appliesToRight( 'createaccount' )
- ? $this->mBlockedFromCreateAccount
- : false;
+ $isExempt = $this->isAllowed( 'ipblock-exempt' );
+ $block = MediaWikiServices::getInstance()->getBlockManager()
+ ->getCreateAccountBlock(
+ $this,
+ $isExempt ? null : $this->getRequest(),
+ false );
+ return $block ?: false;
 }
 
 /**
@@ -2851,7 +2838,7 @@ class User implements Authority, UserIdentity, UserEmailContact {
 * @return bool
 */
 public function isAllowedToCreateAccount() {
- return $this->isAllowed( 'createaccount' ) && !$this->isBlockedFromCreateAccount();
+ return $this->getThisAsAuthority()->isDefinitelyAllowed( 'createaccount' );
 }
 
 /** |
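Review bot: In the new body of `isBlockedFromCreateAccount()`, the ipblock-exempt decision is expressed only as `$isExempt ? null : $this->getRequest()`, so a null request silently means "ignore IP-based blocks", and the bare `false` third argument has no visible meaning at the call site. Since the commit message says the BlockManager side now expects the caller to do exemption checking, I would document that contract here, e.g. `// No request for ipblock-exempt users: only blocks on the account itself are considered` above the call, plus a short comment naming what `false` selects. The T15611 comment explaining why a logged-in user is still checked against IP blocks went away with the old code; a one-line reference in the docblock would keep that rationale findable. The removed code also memoised the IP lookup in `$mBlockedFromCreateAccount`, so it is worth confirming that repeated calls are cached in BlockManager (not visible in this hunk).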
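Review bot: `isAllowedToCreateAccount()` no longer shows the block check: the new `return $this->getThisAsAuthority()->isDefinitelyAllowed( 'createaccount' );` depends on the Authority implementation applying the same user and IP createaccount blocks that `!$this->isBlockedFromCreateAccount()` applied explicitly, which cannot be confirmed from this hunk. The docblock, which starts outside the hunk, should state this, for example `Checks the createaccount right and any applicable blocks through Authority::isDefinitelyAllowed().` A regression test with a logged-in user holding the right whose IP is blocked with account creation disabled would pin the behaviour that the old explicit check guaranteed.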