<?php
/**
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
*/
namespace MediaWiki\Permissions;
use MediaWiki\Block\Block;
use MediaWiki\Page\PageIdentity;
use MediaWiki\User\UserIdentity;
use Wikimedia\Rdbms\IDBAccessObject;
/**
* This interface represents the authority associated with the current execution context,
* such as a web request. The authority determines which actions can or cannot be performed
* within that execution context.
*
* The permission checks declared here come in three strengths:
* - isAllowed(), isAllowedAny(), isAllowedAll() and probablyCan() are fast checks meant for
*   deciding which UI elements to offer. They may produce false positives.
* - isDefinitelyAllowed() and definitelyCan() are thorough checks for when the user intends
*   to perform an action but has not yet committed to it.
* - authorizeAction(), authorizeRead() and authorizeWrite() are the checks to call immediately
*   before the action is actually performed.
*
* See the individual implementations for information on how that authority is determined.
*
* @since 1.36
*/
interface Authority {
/**
* @var int Fetch information quickly, slightly stale data is acceptable.
* @see IDBAccessObject::READ_NORMAL
*/
public const READ_NORMAL = IDBAccessObject::READ_NORMAL;
/**
* @var int Fetch information reliably, stale data is not acceptable.
* @see IDBAccessObject::READ_LATEST
*/
public const READ_LATEST = IDBAccessObject::READ_LATEST;
/**
* Returns the performer of the actions associated with this authority.
*
* Actions performed under this authority should generally be attributed
* to the user identity returned by this method.
*
* @return UserIdentity
*/
public function getUser(): UserIdentity;
/**
* Returns any user block affecting the Authority.
*
* @param int $freshness Indicates whether slightly stale data is acceptable in
* exchange for a fast response. Presumably one of self::READ_NORMAL (the default,
* via IDBAccessObject::READ_NORMAL) or self::READ_LATEST; confirm against implementations.
*
* @return ?Block The block, or null (presumably when no block applies; see implementations).
* @since 1.37
*/
public function getBlock( int $freshness = IDBAccessObject::READ_NORMAL ): ?Block;
/**
* Checks whether this authority has the given permission in general.
* For some permissions, exceptions may exist, both positive and negative, on a per-target basis.
* This method offers a fast, lightweight check, but may produce false positives.
* It is intended for determining which UI elements should be offered to the user.
*
* This method will not apply rate limit checks or evaluate user blocks.
* Because of that, a true result is not sufficient on its own to let an action proceed:
* use isDefinitelyAllowed() before the user commits to the action, and authorizeAction()
* immediately before performing it.
*
* @param string $permission
* @param PermissionStatus|null $status aggregator for failures
*
* @return bool
* @see isDefinitelyAllowed
*
* @see probablyCan
*/
public function isAllowed( string $permission, ?PermissionStatus $status = null ): bool;
/**
* Checks whether this authority has any of the given permissions in general.
*
* Implementations must ensure that this method returns true if isAllowed would return true
* for any of the given permissions. Calling isAllowedAny() with one parameter must be
* equivalent to calling isAllowed(). Calling isAllowedAny() with no parameter is not allowed.
*
* As this is defined in terms of isAllowed(), the same limits apply: it is a lightweight
* check that may produce false positives.
*
* @see isAllowed
*
* @param string ...$permissions Permissions to test. At least one must be given.
* @return bool True if user is allowed to perform *any* of the given actions
*/
public function isAllowedAny( ...$permissions ): bool;
/**
* Checks whether this authority has all of the given permissions in general.
*
* Implementations must ensure that this method returns false if isAllowed would return false
* for any of the given permissions. Calling isAllowedAll() with one parameter must be
* equivalent to calling isAllowed(). Calling isAllowedAll() with no parameter is not allowed.
*
* As this is defined in terms of isAllowed(), the same limits apply: it is a lightweight
* check that may produce false positives.
*
* @see isAllowed
*
* @param string ...$permissions Permissions to test. At least one must be given.
* @return bool True if the user is allowed to perform *all* of the given actions
*/
public function isAllowedAll( ...$permissions ): bool;
/**
* Checks whether this authority can probably perform the given action on the given target page.
* This method offers a fast, lightweight check, but may produce false positives.
* It is intended for determining which UI elements should be offered to the user.
* This method will not apply rate limit checks or evaluate user blocks.
*
* A true result therefore does not establish that the action is permitted; use
* definitelyCan() before the user commits to the action, and authorizeRead() or
* authorizeWrite() immediately before performing it.
*
* @see definitelyCan
* @see isAllowed
*
* @param string $action
* @param PageIdentity $target
* @param PermissionStatus|null $status aggregator for failures
*
* @return bool
*/
public function probablyCan(
string $action,
PageIdentity $target,
?PermissionStatus $status = null
): bool;
/**
* Checks whether this authority can perform the given action on the given target page.
* This method performs a thorough check, but does not protect against race conditions.
* It is intended to be used when a user is intending to perform an action, but has not
* yet committed to it. For example, when a user goes to the edit page of an article, this
* method may be used to determine whether the user should be presented with a warning and
* a read-only view instead.
*
* This method may apply rate limit checks and evaluate user blocks.
*
* Since race conditions are not covered, the result may no longer hold by the time the
* action is carried out; call authorizeRead() or authorizeWrite() immediately before
* performing it.
*
* @see probablyCan
* @see isDefinitelyAllowed
*
* @param string $action
* @param PageIdentity $target
* @param PermissionStatus|null $status aggregator for failures
*
* @return bool
*/
public function definitelyCan(
string $action,
PageIdentity $target,
?PermissionStatus $status = null
): bool;
/**
* Checks whether this authority is allowed to perform the given action.
* This method performs a thorough check, but does not protect against race conditions.
* It is intended to be used when a user is intending to perform an action, but has not
* yet committed to it. For example, when a user visits their preferences page, this
* method may be used to determine whether the user should have the option to change their
* email address.
*
* This method may apply rate limit checks and evaluate user blocks.
*
* Since race conditions are not covered, the result may no longer hold by the time the
* action is carried out; call authorizeAction() immediately before performing it.
*
* @since 1.41
*
* @see isAllowed
* @see definitelyCan
*
* @param string $action
* @param PermissionStatus|null $status aggregator for failures
*
* @return bool
*/
public function isDefinitelyAllowed(
string $action,
?PermissionStatus $status = null
): bool;
/**
* Authorize an action. This should be used immediately before performing the action.
*
* Calling this method may have non-trivial side-effects, such as incrementing a rate limit
* counter. For that reason it is not a substitute for isAllowed() or isDefinitelyAllowed()
* when only deciding what to display.
*
* @since 1.41
*
* @see isDefinitelyAllowed
* @see authorizeRead
* @see authorizeWrite
*
* @param string $action
* @param PermissionStatus|null $status aggregator for failures
*
* @return bool
*/
public function authorizeAction(
string $action,
?PermissionStatus $status = null
): bool;
/**
* Authorize read access. This should be used immediately before performing read access on
* restricted information.
*
* Calling this method may have non-trivial side-effects, such as incrementing a rate limit
* counter.
*
* @param string $action
* @param PageIdentity $target
* @param PermissionStatus|null $status aggregator for failures
*
* @return bool If the user can perform the action
* @see authorizeAction
* @see authorizeWrite
*
* @see definitelyCan
*/
public function authorizeRead(
string $action,
PageIdentity $target,
?PermissionStatus $status = null
): bool;
/**
* Authorize write access. This should be used immediately before updating
* persisted information.
*
* Calling this method may have non-trivial side-effects, such as incrementing a rate limit
* counter.
*
* @param string $action
* @param PageIdentity $target
* @param PermissionStatus|null $status aggregator for failures
*
* @return bool If the user can perform the action
* @see authorizeAction
* @see authorizeRead
*
* @see definitelyCan
*/
public function authorizeWrite(
string $action,
PageIdentity $target,
?PermissionStatus $status = null
): bool;
/**
* Get whether the user is registered.
*
* @return bool
* @since 1.39
*/
public function isRegistered(): bool;
/**
* Is the user an autocreated temporary user?
*
* @since 1.39
* @return bool
*/
public function isTemp(): bool;
/**
* Is the user a normal non-temporary registered user?
*
* @since 1.39
* @return bool
*/
public function isNamed(): bool;
}