Page MenuHomePhabricator
Create Task
Maniphest T208768

Create a PermissionManager service
Closed, ResolvedPublic
Actions

Description

Currently, permission checks are implemented in the Title and User classes. Factoring it out removes baggage from these classes, and helps with resolving the circular dependency between User and Title.

Rough interface draft:

  • userCan( UserIdentity, Title, $permission ); // was Title::userCan* andisNamespaceProtected. Could use PageIdentity instead of Title, once we have this.
  • isBlockedFrom( UserIdentity, Title, $permission ); // was User::isBlockedFrom. Could use PageIdentity instead of Title, once we have this.

Title::userCan* and User::isBlockedFrom should be deprecated. For the deprecation period, they can delegate to the new service via the global service locator.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Introduce PermissionManager servicemediawiki/coremaster+2 K -704
Customize query in gerrit

Related Objects
Search...

Event Timeline

daniel created this task.Nov 5 2018, 7:35 PM
daniel added a parent task: T208766: Deprecate User::isWatched, isTempWatched, addWatch, and removeWatch.Nov 5 2018, 8:02 PM
daniel added a subtask: T208776: RFC: Introduce PageIdentity to be used instead of WikiPage.
daniel removed a parent task: T208766: Deprecate User::isWatched, isTempWatched, addWatch, and removeWatch.
CCicalese_WMF moved this task from Inbox to Later on the Platform Team Legacy board.Nov 6 2018, 5:58 PM
CCicalese_WMF edited projects, added Platform Team Legacy (Later); removed Platform Team Legacy.
daniel mentioned this in T208766: Deprecate User::isWatched, isTempWatched, addWatch, and removeWatch.Nov 8 2018, 12:57 PM
Tgr subscribed.Nov 19 2018, 9:38 PM
Tgr added a project: MediaWiki-Core-AuthManager.Nov 19 2018, 10:38 PM

Maybe a good time to also fix T180888: All permission checks should be able to return a custom error message?

Assuming that one of the goals is to avoid hidden dependencies on global state, the interface seems a bit optimistic about what a permission check will depend on. The session will have to be included (for Session::getAllowedUserRights()) and also the request ( for the IP, but possibly also things like whether it is cross-origin) - I think the current logic just assumes these always match the global context, so that can be done initially, but but's far from optional.

There's also User::isAllowed() which is probably used more often than it should be, but there are always going to be permission checks which do not relate to a page. And User::isEveryoneAllowed(). And User::getBlock()/User::getBlockedStatus() (fun fact: $user->getBlock()->preventsEdit( $title ) is not the same as $user->isBlockedFrom( $title, 'edit' )). And User::isLocallyBlockedProxy() although that can probably be deprecated as a public method. And User::getGlobalBlock()/User::isBlockedGlobally() (which is not checked by User::getBlock() because that would be too simple). And User::isLocked() (not sure if this counts as permission and it does not involve titles, but exposing it in the permission manager interface would at least reduce the number of security bugs where people forget it exists).

Also Title::userCan() has a $rigor parameter, which is not pretty, but I doubt you can just drop it.

Also there is the whole protection/restriction system, which is implemented completely independently, but conceptually very much belongs to permission management.

daniel mentioned this in T209924: Specify PageTypeHandler.Nov 20 2018, 10:16 AM
Tgr mentioned this in T197160: All security-sensitive MediaWiki functionality should require elevated security.Dec 6 2018, 8:19 AM
Tgr added a comment.Dec 22 2018, 7:43 PM

See also T212311: Blocks should be an implementation detail of an abstract authorization system and T212341: Action authorization has multiple code paths to different results (and my comment there) if there's appetite to do a bigger refactoring of the authz system instead of piecemeal changes.

Tgr added a comment.Dec 27 2018, 8:10 AM

Another thing that would be nice to figure out if there's an authz refactoring is T212639: Separate could do / can do / is doing permission checks in MediaWiki.

Tgr mentioned this in T214626: Title should not use Action.Jan 24 2019, 7:11 PM
tosfos subscribed.Mar 4 2019, 3:28 PM
tosfos reassigned this task from daniel to Vedmaka.Mar 4 2019, 3:32 PM
daniel added a subtask: T212639: Separate could do / can do / is doing permission checks in MediaWiki.Mar 6 2019, 12:49 PM
daniel added a comment.EditedMar 6 2019, 12:53 PM
In T208768#4844079, @Tgr wrote:

Another thing that would be nice to figure out if there's an authz refactoring is T212639: Separate could do / can do / is doing permission checks in MediaWiki.

This could perhaps be done by adding an optional $mode parameter to userCan(): userCan( UserIdentity, Title, $permission, $mode ); Possibly modes would be "could"/"can"/"do" as you suggest, or "quick"/"full"/"final", which more fits with the model used by Title now. We'd want constants of course, not strings. The default mode would be "can" resp "full": no corners cut, and no side effects triggered.

gerritbot subscribed.Mar 12 2019, 7:07 PM

Change 495832 had a related patch set uploaded (by Vedmaka Wakalaka; owner: Vedmaka Wakalaka):
[mediawiki/core@master] PermissionManager service draft

https://gerrit.wikimedia.org/r/495832

gerritbot added a project: Patch-For-Review.Mar 12 2019, 7:07 PM
Jdforrester-WMF subscribed.Mar 13 2019, 6:37 PM
daniel mentioned this in T218394: Create BlockStore service.Mar 15 2019, 12:10 PM
daniel mentioned this in T218395: Create RestrictionStore service.Mar 15 2019, 12:23 PM
CCicalese_WMF added a project: MediaWiki-Decoupling (MediaWiki-Decoupling 2019 Q3/Q4).Mar 15 2019, 3:00 PM
CCicalese_WMF moved this task from Backlog to Doing on the MediaWiki-Decoupling (MediaWiki-Decoupling 2019 Q3/Q4) board.
daniel edited projects, added Platform Team Legacy (Watching / External); removed Platform Team Legacy (Later).Mar 15 2019, 4:19 PM
CCicalese_WMF edited projects, added Platform Engineering (Decoupling (CDP2)); removed Platform Engineering (Needs Cleaning - Code Health (TEC13)).Mar 15 2019, 5:39 PM
CCicalese_WMF triaged this task as Medium priority.Mar 15 2019, 5:41 PM
daniel added a parent task: T218558: Move User::getRights and related methods into PermissionManager.Mar 18 2019, 11:26 AM
gerritbot added a comment.Mar 22 2019, 10:33 AM

Change 495832 had a related patch set uploaded (by Vedmaka Wakalaka; owner: Vedmaka Wakalaka):
[mediawiki/core@master] PermissionManager service draft

https://gerrit.wikimedia.org/r/495832

CCicalese_WMF edited projects, added Platform Team Workboards (Contractor - Doing); removed Platform Team Legacy (Watching / External), MediaWiki-Decoupling (MediaWiki-Decoupling 2019 Q3/Q4).Mar 26 2019, 4:43 PM
Tchanders subscribed.EditedApr 3 2019, 11:49 AM

AHT are discussing implementing a BlockManager: T219441

daniel mentioned this in T219441: Introduce a BlockManager service for getting and combining the blocks that apply to a user/IP.Apr 3 2019, 2:22 PM
dbarratt added a project: Anti-Harassment-Team.Apr 3 2019, 9:09 PM
Restricted Application added a subscriber: MGChecker. · View Herald TranscriptApr 3 2019, 9:09 PM
dbarratt moved this task from Untriaged to Tracking work by others on the Anti-Harassment-Team board.Apr 3 2019, 9:09 PM
daniel mentioned this in T220191: Remove calls to deprecated methods in Title and User with calls to the new PermissionManager service..Apr 5 2019, 10:53 AM
daniel added a parent task: T220191: Remove calls to deprecated methods in Title and User with calls to the new PermissionManager service..
gerritbot added a comment.Apr 5 2019, 4:45 PM

Change 495832 merged by jenkins-bot:
[mediawiki/core@master] Introduce PermissionManager service

https://gerrit.wikimedia.org/r/495832

Tgr added a comment.Apr 10 2019, 4:23 PM

T220623: Unable to view certain pages on incubator.wikimedia.org (Fatal error: operator not supported) seems related.

daniel added a comment.EditedApr 10 2019, 7:00 PM
In T208768#5101644, @Tgr wrote:

T220623: Unable to view certain pages on incubator.wikimedia.org (Fatal error: operator not supported) seems related.

I don't see how - the stack trace points to Title->checkPermissionHooks(string, User, array, string, boolean). This method is removed by the patch that introduces PermissionManager, I94479b44afb3. So the error must have happened before PermissionManager was introduced. In fact, the ticket says that "Users have encountered this since at least php-1.33.0-wmf.21", so long before PermissionManager.

But the fix for whatever is going wrong will probably now involve PermissionManager, since the relevant code moved there.

Jdforrester-WMF added a comment.Apr 10 2019, 7:00 PM
In T208768#5101644, @Tgr wrote:

T220623 seems related.

Probably not; per Timo, those issues have been in production since before this code was written, much less merged.

Vedmaka added a comment.Apr 12 2019, 9:22 PM

Since the related change was merged, do you think we should track this task as Resolved?

Aklapper removed a project: Patch-For-Review.May 1 2019, 1:49 PM

@Vedmaka: This task has subtasks which are still open.

dbarratt subscribed.May 1 2019, 2:07 PM
In T208768#5149810, @Aklapper wrote:

@Vedmaka: This task has subtasks which are still open.

I think they are intended to be parent tasks. :)

daniel closed this task as Resolved.May 14 2019, 3:54 PM
daniel removed subtasks: T212639: Separate could do / can do / is doing permission checks in MediaWiki, T208776: RFC: Introduce PageIdentity to be used instead of WikiPage.
daniel added a parent task: T212639: Separate could do / can do / is doing permission checks in MediaWiki.
Krinkle mentioned this in T11977: Move isNamespaceProtected() and getRestrictionLevels() methods into PermissionManager..May 22 2019, 9:07 PM
WDoranWMF moved this task from Contractor - Doing to S&F Workboard on the Platform Team Workboards board.Jul 5 2019, 5:09 PM
WDoranWMF edited projects, added Platform Team Workboards (S&F Workboard); removed Platform Team Workboards (Contractor - Doing).
WDoranWMF moved this task from Backlog to Done on the Platform Team Workboards (S&F Workboard) board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits