'patrol',
'patrolmarks',
'protect',
- 'proxyunbannable',
'purge',
'read',
'reupload',
$block = Block::newFromTarget( $this, $ip, !$bFromSlave );
// Proxy blocking
- if ( !$block instanceof Block && $ip !== null && !$this->isAllowed( 'proxyunbannable' )
- && !in_array( $ip, $wgProxyWhitelist )
- ) {
+ if ( !$block instanceof Block && $ip !== null && !in_array( $ip, $wgProxyWhitelist ) ) {
// Local list
if ( self::isLocallyBlockedProxy( $ip ) ) {
$block = new Block;
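Review bot: On the rewritten condition, `in_array( $ip, $wgProxyWhitelist )` compares loosely, and with the `proxyunbannable` exemption removed the whitelist is now the only way around the proxy check. The permission check further down this diff passes the strict flag, and its comment gives the reason: a numeric 0 left in a config array by misconfiguration loosely matches strings on older PHP. A stray non-string entry in `$wgProxyWhitelist` could therefore exempt every address. I would write `!in_array( $ip, $wgProxyWhitelist, true )` here and on the matching line of the X-Forwarded-For condition in the next hunk. The enclosing method starts and ends outside this hunk.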
if ( !$block instanceof Block
&& $wgApplyIpBlocksToXff
&& $ip !== null
- && !$this->isAllowed( 'proxyunbannable' )
&& !in_array( $ip, $wgProxyWhitelist )
) {
$xff = $this->getRequest()->getHeader( 'X-Forwarded-For' );
),
__METHOD__
);
+
+ // When the main password is changed, invalidate all bot passwords too
+ BotPassword::invalidateAllPasswordsForUser( $this->getName() );
}
/**
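Review bot: Nothing here checks or reports the outcome of `BotPassword::invalidateAllPasswordsForUser()`, and it runs after the main password write. If it failed at this point, the old bot passwords would stay usable while the user believes the change revoked everything. Whether the call can fail or throw, and whether both writes share a transaction, is not visible in this hunk; the enclosing method starts outside it. It is also worth confirming that sessions already established with a bot password are ended, since nothing visible here does that. I would extend the comment to record the intent: `// Bot passwords are credentials for the same account; revoke them so a password change after a compromise closes every login path.`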
public function getRights() {
if ( is_null( $this->mRights ) ) {
$this->mRights = self::getGroupPermissions( $this->getEffectiveGroups() );
+
+ $allowedRights = $this->getRequest()->getSession()->getAllowedUserRights();
+ if ( $allowedRights !== null ) {
+ $this->mRights = array_intersect( $this->mRights, $allowedRights );
+ }
+
Hooks::run( 'UserGetRights', array( $this, &$this->mRights ) );
// Force reindexation of rights when a hook has unset one of them
$this->mRights = array_values( array_unique( $this->mRights ) );
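Review bot: The `UserGetRights` hook still runs after the new session intersection and receives `$this->mRights` by reference, so a handler that appends a right can hand back one the session (bot password or OAuth grant) was meant to withhold. If the session limit is intended as a hard ceiling, apply `$this->mRights = array_intersect( $this->mRights, $allowedRights );` after the hook as well, or document on the hook that handlers may only remove rights. The filtered list is also cached in `$this->mRights`, so it reflects the session seen on the first call. That would matter if a User object is reused across sessions, which I cannot tell from this hunk. getRights() ends outside the hunk.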
if ( $action === '' ) {
return true; // In the spirit of DWIM
}
- // Patrolling may not be enabled
- if ( $action === 'patrol' || $action === 'autopatrol' ) {
- global $wgUseRCPatrol, $wgUseNPPatrol;
- if ( !$wgUseRCPatrol && !$wgUseNPPatrol ) {
- return false;
- }
- }
// Use strict parameter to avoid matching numeric 0 accidentally inserted
// by misconfiguration: 0 == 'foo'
return in_array( $action, $this->getRights(), true );
);
}
- /**
- * Generate a looking random token for various uses.
- *
- * @return string The new random token
- * @deprecated since 1.20: Use MWCryptRand for secure purposes or
- * wfRandomString for pseudo-randomness.
- */
- public static function generateToken() {
- return MWCryptRand::generateHex( 32 );
- }
-
/**
* Get the embedded timestamp from a token.
* @param string $val Input token
}
/**
- * Check if all users have the given permission
+ * Check if all users may be assumed to have the given permission
+ *
+ * We generally assume so if the right is granted to '*' and isn't revoked
+ * on any group. It doesn't attempt to take grants or other extension
+ * limitations on rights into account in the general case, though, as that
+ * would require it to always return false and defeat the purpose.
+ * Specifically, session-based rights restrictions (such as OAuth or bot
+ * passwords) are applied based on the current session.
*
* @since 1.22
* @param string $right Right to check
}
}
- // Allow extensions (e.g. OAuth) to say false
+ // Remove any rights that aren't allowed to the global-session user
+ $allowedRights = SessionManager::getGlobalSession()->getAllowedUserRights();
+ if ( $allowedRights !== null && !in_array( $right, $allowedRights, true ) ) {
+ $cache[$right] = false;
+ return false;
+ }
+
+ // Allow extensions to say false
if ( !Hooks::run( 'UserIsEveryoneAllowed', array( $right ) ) ) {
$cache[$right] = false;
return false;