Page MenuHomePhabricator
Create Task
Maniphest T421126

User requirements conditions: Ensure that condition type is string or int
Closed, ResolvedPublic
Actions

Description

Background

Code responsible for processing user requirements conditions for purpose of autopromotion or restricted groups, doesn't bother about the what's the type of "condition type" in the condition expression.

Therefore, it's possible to set a thing like below, which has no sense and is likely to break assumptions at different abstraction layers in the condition processing code.

$wgAutopromote['hacker'] = [
    '&',
    new stdClass(),
    fn ( $foo ) => 'bar',
    false
];

Data types in various documentation comments assume that the condition type is either string or int value and we should be able to enforce that. MediaWiki core uses only ints, but there are at least two extensions (OATHAuth and TorBlock), which define conditions with string types. A consequence of MediaWiki not enforcing the condition types is that the hook signatures lack proper type hints for the $type parameters, example below.

/** ...
 * @param string|int $type The evaluated condition
 ... */
public function onUserRequirementsCondition(
    $type,
    array $args,
    UserIdentity $user,
    bool $isPerformingRequest,
    ?bool &$result
): void;

Type datatype of $type is not enforced to avoid runtime PHP errors on invalid data.

Idea

There should exist a new class, responsible for validating the conditions array, so that any other code can assume that the values passed are of exected types and in expected shapes. Then, we can be sure about the datatype of the condition.

What should be validated:

  • Compound conditions (&, |, !, ^) don't contain empty arrays as their arguments
  • The condition type is string or int

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Validate restricted user group conditions on readingmediawiki/coremaster+75 -3
Update user requirements conditions hook signatures with type hintsmediawiki/coremaster+11 -6
Add validator for user requirements conditionsmediawiki/coremaster+197 -18
Update creation of condition checker with 2FA assumption to match coremediawiki/extensions/OATHAuthmaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

mszwarc created this task.Mar 24 2026, 3:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 24 2026, 3:03 PM
mszwarc moved this task from Backlog to Ready on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Mar 24 2026, 3:03 PM
mszwarc updated the task description. (Show Details)Mar 24 2026, 3:28 PM
mszwarc claimed this task.Mar 25 2026, 11:33 AM
mszwarc moved this task from Ready to In progress on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.
gerritbot added a comment.Mar 26 2026, 10:09 AM

Change #1261368 had a related patch set uploaded (by Mszwarc; author: Mszwarc):

[mediawiki/core@master] Add validator for user requirements conditions

https://gerrit.wikimedia.org/r/1261368

gerritbot added a project: Patch-For-Review.Mar 26 2026, 10:09 AM

Change #1261369 had a related patch set uploaded (by Mszwarc; author: Mszwarc):

[mediawiki/core@master] Validate restricted user group conditions on reading

https://gerrit.wikimedia.org/r/1261369

gerritbot added a comment.Mar 26 2026, 10:09 AM

Change #1261370 had a related patch set uploaded (by Mszwarc; author: Mszwarc):

[mediawiki/core@master] Update user requirements conditions hook signatures with type hints

https://gerrit.wikimedia.org/r/1261370

mszwarc moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Mar 26 2026, 11:55 AM
gerritbot added a comment.Mar 27 2026, 11:02 AM

Change #1261395 had a related patch set uploaded (by Mszwarc; author: Mszwarc):

[mediawiki/extensions/OATHAuth@master] Update creation of condition checker with 2FA assumption to match core

https://gerrit.wikimedia.org/r/1261395

matmarex added a parent task: T421352: User requirements conditions hooks: set the condition type as string|int.Mar 30 2026, 3:50 PM
gerritbot added a comment.Mar 31 2026, 11:32 AM

Change #1261395 abandoned by Mszwarc:

[mediawiki/extensions/OATHAuth@master] Update creation of condition checker with 2FA assumption to match core

Reason:

No longer needed after reordering patches in core

https://gerrit.wikimedia.org/r/1261395

gerritbot added a comment.Apr 8 2026, 1:54 PM

Change #1261368 merged by jenkins-bot:

[mediawiki/core@master] Add validator for user requirements conditions

https://gerrit.wikimedia.org/r/1261368

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.24; 2026-04-14).Apr 8 2026, 2:00 PM
gerritbot added a comment.Apr 8 2026, 2:06 PM

Change #1261369 merged by jenkins-bot:

[mediawiki/core@master] Validate restricted user group conditions on reading

https://gerrit.wikimedia.org/r/1261369

gerritbot added a comment.Apr 8 2026, 2:07 PM

Change #1261370 merged by jenkins-bot:

[mediawiki/core@master] Update user requirements conditions hook signatures with type hints

https://gerrit.wikimedia.org/r/1261370

Maintenance_bot removed a project: Patch-For-Review.Apr 8 2026, 2:32 PM
mszwarc closed this task as Resolved.Apr 9 2026, 7:58 AM
mszwarc moved this task from Needs review to Done on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits