dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
SECURITY: rate-limit and prevent blocked users from changing email
[lhc/web/wiklou.git] / includes / api / ApiUserrights.php
1 <?php
2
3 /**
4 * API userrights module
5 *
6 * Copyright © 2009 Roan Kattouw "<Firstname>.<Lastname>@gmail.com"
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
21 * http://www.gnu.org/copyleft/gpl.html
22 *
23 * @file
24 */
25
26 /**
27 * @ingroup API
28 */
29 class ApiUserrights extends ApiBase {
30
31 private $mUser = null;
32
33 /**
34 * Get a UserrightsPage object, or subclass.
35 * @return UserrightsPage
36 */
37 protected function getUserRightsPage() {
38 return new UserrightsPage;
39 }
40
41 /**
42 * Get all available groups.
43 * @return array
44 */
45 protected function getAllGroups() {
46 return User::getAllGroups();
47 }
48
49 public function execute() {
50 $pUser = $this->getUser();
51
52 // Deny if the user is blocked and doesn't have the full 'userrights' permission.
53 // This matches what Special:UserRights does for the web UI.
54 if ( !$pUser->isAllowed( 'userrights' ) ) {
55 // @TODO Should the user be blocked from changing user rights if they
56 // are partially blocked?
57 $block = $pUser->getBlock();
58 if ( $block ) {
59 $this->dieBlocked( $block );
60 }
61 }
62
63 $params = $this->extractRequestParams();
64
65 // Figure out expiry times from the input
66 // $params['expiry'] is not set in CentralAuth's ApiGlobalUserRights subclass
67 if ( isset( $params['expiry'] ) ) {
68 $expiry = (array)$params['expiry'];
69 } else {
70 $expiry = [ 'infinity' ];
71 }
72 $add = (array)$params['add'];
73 if ( !$add ) {
74 $expiry = [];
75 } elseif ( count( $expiry ) !== count( $add ) ) {
76 if ( count( $expiry ) === 1 ) {
77 $expiry = array_fill( 0, count( $add ), $expiry[0] );
78 } else {
79 $this->dieWithError( [
80 'apierror-toofewexpiries',
81 count( $expiry ),
82 count( $add )
83 ] );
84 }
85 }
86
87 // Validate the expiries
88 $groupExpiries = [];
89 foreach ( $expiry as $index => $expiryValue ) {
90 $group = $add[$index];
91 $groupExpiries[$group] = UserrightsPage::expiryToTimestamp( $expiryValue );
92
93 if ( $groupExpiries[$group] === false ) {
94 $this->dieWithError( [ 'apierror-invalidexpiry', wfEscapeWikiText( $expiryValue ) ] );
95 }
96
97 // not allowed to have things expiring in the past
98 if ( $groupExpiries[$group] && $groupExpiries[$group] < wfTimestampNow() ) {
99 $this->dieWithError( [ 'apierror-pastexpiry', wfEscapeWikiText( $expiryValue ) ] );
100 }
101 }
102
103 $user = $this->getUrUser( $params );
104
105 $tags = $params['tags'];
106
107 // Check if user can add tags
108 if ( $tags !== null ) {
109 $ableToTag = ChangeTags::canAddTagsAccompanyingChange( $tags, $pUser );
110 if ( !$ableToTag->isOK() ) {
111 $this->dieStatus( $ableToTag );
112 }
113 }
114
115 $form = $this->getUserRightsPage();
116 $form->setContext( $this->getContext() );
117 $r['user'] = $user->getName();
118 $r['userid'] = $user->getId();
119 list( $r['added'], $r['removed'] ) = $form->doSaveUserGroups(
120 // Don't pass null to doSaveUserGroups() for array params, cast to empty array
121 $user, (array)$add, (array)$params['remove'],
122 $params['reason'], (array)$tags, $groupExpiries
123 );
124
125 $result = $this->getResult();
126 ApiResult::setIndexedTagName( $r['added'], 'group' );
127 ApiResult::setIndexedTagName( $r['removed'], 'group' );
128 $result->addValue( null, $this->getModuleName(), $r );
129 }
130
131 /**
132 * @param array $params
133 * @return User
134 */
135 private function getUrUser( array $params ) {
136 if ( $this->mUser !== null ) {
137 return $this->mUser;
138 }
139
140 $this->requireOnlyOneParameter( $params, 'user', 'userid' );
141
142 $user = $params['user'] ?? '#' . $params['userid'];
143
144 $form = $this->getUserRightsPage();
145 $form->setContext( $this->getContext() );
146 $status = $form->fetchUser( $user );
147 if ( !$status->isOK() ) {
148 $this->dieStatus( $status );
149 }
150
151 $this->mUser = $status->value;
152
153 return $status->value;
154 }
155
156 public function mustBePosted() {
157 return true;
158 }
159
160 public function isWriteMode() {
161 return true;
162 }
163
164 public function getAllowedParams() {
165 $a = [
166 'user' => [
167 ApiBase::PARAM_TYPE => 'user',
168 ],
169 'userid' => [
170 ApiBase::PARAM_TYPE => 'integer',
171 ],
172 'add' => [
173 ApiBase::PARAM_TYPE => $this->getAllGroups(),
174 ApiBase::PARAM_ISMULTI => true
175 ],
176 'expiry' => [
177 ApiBase::PARAM_ISMULTI => true,
178 ApiBase::PARAM_ALLOW_DUPLICATES => true,
179 ApiBase::PARAM_DFLT => 'infinite',
180 ],
181 'remove' => [
182 ApiBase::PARAM_TYPE => $this->getAllGroups(),
183 ApiBase::PARAM_ISMULTI => true
184 ],
185 'reason' => [
186 ApiBase::PARAM_DFLT => ''
187 ],
188 'token' => [
189 // Standard definition automatically inserted
190 ApiBase::PARAM_HELP_MSG_APPEND => [ 'api-help-param-token-webui' ],
191 ],
192 'tags' => [
193 ApiBase::PARAM_TYPE => 'tags',
194 ApiBase::PARAM_ISMULTI => true
195 ],
196 ];
197 // CentralAuth's ApiGlobalUserRights subclass can't handle expiries
198 if ( !$this->getUserRightsPage()->canProcessExpiries() ) {
199 unset( $a['expiry'] );
200 }
201 return $a;
202 }
203
204 public function needsToken() {
205 return 'userrights';
206 }
207
208 protected function getWebUITokenSalt( array $params ) {
209 return $this->getUrUser( $params )->getName();
210 }
211
212 protected function getExamplesMessages() {
213 $a = [
214 'action=userrights&user=FooBot&add=bot&remove=sysop|bureaucrat&token=123ABC'
215 => 'apihelp-userrights-example-user',
216 'action=userrights&userid=123&add=bot&remove=sysop|bureaucrat&token=123ABC'
217 => 'apihelp-userrights-example-userid',
218 ];
219 if ( $this->getUserRightsPage()->canProcessExpiries() ) {
220 $a['action=userrights&user=SometimeSysop&add=sysop&expiry=1%20month&token=123ABC']
221 = 'apihelp-userrights-example-expiry';
222 }
223 return $a;
224 }
225
226 public function getHelpUrls() {
227 return 'https://www.mediawiki.org/wiki/Special:MyLanguage/API:User_group_membership';
228 }
229 }
Wiklou, le Wiki du Wiklou