jenkins-bot has submitted this change and it was merged. Change subject: UserManager: Use wgAddGroups and wgRemoveGroups ......................................................................
UserManager: Use wgAddGroups and wgRemoveGroups With wiki configuration wgAddGroups etc you can now restrict the groups a user can assign to others and self. Change-Id: Id22866cd190aa25c9725d6212d537e808557f39d --- M UserManager/UserManager.class.php M UserManager/extension.json M UserManager/i18n/en.json M UserManager/i18n/qqq.json A UserManager/includes/api/BSApiChangeableGroupStore.php M UserManager/resources/BS.UserManager/panel/Manager.js 6 files changed, 85 insertions(+), 8 deletions(-) Approvals: Robert Vogel: Looks good to me, approved Raimond Spekking: Looks good to me, but someone else must approve jenkins-bot: Verified diff --git a/UserManager/UserManager.class.php b/UserManager/UserManager.class.php index c3f427d..ffe17b2 100644 --- a/UserManager/UserManager.class.php +++ b/UserManager/UserManager.class.php @@ -347,14 +347,16 @@ /** * Removes / adds groups to a user + * See also https://www.mediawiki.org/wiki/Manual:$wgAddGroups * @param User $oUser * @param type $aGroups * @return type */ public static function setGroups( User $oUser, $aGroups = array() ) { $oLoggedInUser = RequestContext::getMain()->getUser(); + $bAttemptChangeSelf = $oLoggedInUser->getId() == $oUser->getId(); - $bCheckDeSysop = $oLoggedInUser->getId() == $oUser->getId() + $bCheckDeSysop = $bAttemptChangeSelf && in_array( 'sysop', $oLoggedInUser->getEffectiveGroups() ) && !in_array( 'sysop', $aGroups ) ; 
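Review bot: `$bAttemptChangeSelf` is true whenever both `getId()` calls return the same value, and that includes 0 for two users that have no account row. Since this flag unlocks the `add-self` and `remove-self` lists in the next hunk, it is safer to require a registered actor: `$bAttemptChangeSelf = $oLoggedInUser->isLoggedIn() && $oLoggedInUser->getId() == $oUser->getId();`. Whether an anonymous caller can reach setGroups() is not visible here, as the function body continues outside the hunk. The docblock still carries the placeholders `@param type $aGroups` and `@return type`; going by the `Status::newFatal()` returns added later, `@param string[] $aGroups` and `@return Status` look right.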
@@ -363,18 +365,30 @@ } $aCurrentGroups = $oUser->getGroups(); - $aSetGroups = array_diff( $aGroups, $aCurrentGroups ); + $aAddGroups = array_diff( $aGroups, $aCurrentGroups ); $aRemoveGroups = array_diff( $aCurrentGroups, $aGroups ); - foreach ( $aSetGroups as $sGroup ) { + $aChangeableGroups = $oLoggedInUser->changeableGroups(); + + foreach ( $aAddGroups as $sGroup ) { if ( in_array( $sGroup, self::$excludegroups ) ) { continue; + } + if ( !in_array( $sGroup, $aChangeableGroups['add'] ) ) { + if ( !$bAttemptChangeSelf || !in_array( $sGroup, $aChangeableGroups['add-self'] ) ) { + return Status::newFatal( 'bs-usermanager-group-add-not-allowed', $sGroup ); + } } $oUser->addGroup( $sGroup ); } foreach ( $aRemoveGroups as $sGroup ) { if ( in_array( $sGroup, self::$excludegroups ) ) { continue; + } + if ( !in_array( $sGroup, $aChangeableGroups['remove'] ) ) { + if ( !$bAttemptChangeSelf || !in_array( $sGroup, $aChangeableGroups['remove-self'] ) ) { + return Status::newFatal( 'bs-usermanager-group-remove-not-allowed', $sGroup ); + } } $oUser->removeGroup( $sGroup ); } @@ -383,7 +397,7 @@ Hooks::run( 'BSUserManagerAfterSetGroups', array( $oUser, $aGroups, - $aSetGroups, + $aAddGroups, $aRemoveGroups, self::$excludegroups, &$oStatus diff --git a/UserManager/extension.json b/UserManager/extension.json index e7d0b20..65a5726 100644 --- a/UserManager/extension.json +++ b/UserManager/extension.json @@ -26,7 +26,8 @@ "UserManagerAlias": "includes/specials/SpecialUserManager.alias.php" }, "APIModules": { - "bs-usermanager-tasks": "BSApiTasksUserManager" + "bs-usermanager-tasks": "BSApiTasksUserManager", + "bs-usermanager-group-store": "BSApiChangeableGroupStore" }, "MessagesDirs": { "UserManager": [ 
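Review bot: A rejected request can still change membership in the `@@ -363,18 +365,30 @@` hunk. The add loop calls `addGroup()` for each permitted group and returns `Status::newFatal(...)` only when it reaches a disallowed one, so groups earlier in `$aAddGroups` stay added, the remove loop never runs, and the `BSUserManagerAfterSetGroups` hook in the following hunk is skipped. The remove loop has the same shape. Checking every requested add and remove first, and applying changes only when all of them pass, keeps the operation all-or-nothing; the sketch below does that with the names already in the hunk. The rest of setGroups() lies outside the hunk.

```php
$aChangeableGroups = $oLoggedInUser->changeableGroups();
$aAllowedAdd = $aChangeableGroups['add'];
$aAllowedRemove = $aChangeableGroups['remove'];
if ( $bAttemptChangeSelf ) {
	$aAllowedAdd = array_merge( $aAllowedAdd, $aChangeableGroups['add-self'] );
	$aAllowedRemove = array_merge( $aAllowedRemove, $aChangeableGroups['remove-self'] );
}

// Reject the whole request before any membership is touched.
foreach ( array_diff( $aAddGroups, self::$excludegroups ) as $sGroup ) {
	if ( !in_array( $sGroup, $aAllowedAdd ) ) {
		return Status::newFatal( 'bs-usermanager-group-add-not-allowed', $sGroup );
	}
}
foreach ( array_diff( $aRemoveGroups, self::$excludegroups ) as $sGroup ) {
	if ( !in_array( $sGroup, $aAllowedRemove ) ) {
		return Status::newFatal( 'bs-usermanager-group-remove-not-allowed', $sGroup );
	}
}

// … unchanged: the two loops that skip self::$excludegroups and call addGroup() / removeGroup() …
```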
@@ -36,6 +37,7 @@ "AutoloadClasses": { "UserManager": "UserManager.class.php", "BSApiTasksUserManager": "includes/api/BSApiTasksUserManager.php", + "BSApiChangeableGroupStore": "includes/api/BSApiChangeableGroupStore.php", "SpecialUserManager": "includes/specials/SpecialUserManager.class.php" }, "ResourceModules": { diff --git a/UserManager/i18n/en.json b/UserManager/i18n/en.json index 16e7716..1a1bba1 100644 --- a/UserManager/i18n/en.json +++ b/UserManager/i18n/en.json @@ -45,5 +45,7 @@ "bs-usermanager-titledisableuser": "Disable user", "bs-usermanager-titleenableuser": "Enable user", "usermanager": "User manager", - "action-usermanager-viewspecialpage": "view specialpage \"User manager\"" + "action-usermanager-viewspecialpage": "view specialpage \"User manager\"", + "bs-usermanager-group-add-not-allowed": "You are not allowed to add users to group $1", + "bs-usermanager-group-remove-not-allowed": "You are not allowed to remove users from group $1" } diff --git a/UserManager/i18n/qqq.json b/UserManager/i18n/qqq.json index f294e61..dc05c35 100644 --- a/UserManager/i18n/qqq.json +++ b/UserManager/i18n/qqq.json 
@@ -46,5 +46,7 @@ "bs-usermanager-titledisableuser": "Window title for disable user", "bs-usermanager-titleenableuser": "Window title for enable user", "usermanager": "Page title for special page of user manager", - "action-usermanager-viewspecialpage": "Label for denied page access, with name of special page" + "action-usermanager-viewspecialpage": "Label for denied page access, with name of special page", + "bs-usermanager-group-add-not-allowed": "Error message in [{{canonicalurl:Special:WikiAdmin|mode=UserManager}} Special:WikiAdmin?mode=UserManager] when trying to add a user to a restricted group\n\n* $1 is the name of the restricted group", + "bs-usermanager-group-remove-not-allowed": "Error message in [{{canonicalurl:Special:WikiAdmin|mode=UserManager}} Special:WikiAdmin?mode=UserManager] when trying to remove a user from a restricted group\n\n* $1 is the name of the restricted group" } diff --git a/UserManager/includes/api/BSApiChangeableGroupStore.php b/UserManager/includes/api/BSApiChangeableGroupStore.php new file mode 100644 index 0000000..3b691a9 --- /dev/null +++ b/UserManager/includes/api/BSApiChangeableGroupStore.php 
@@ -0,0 +1,57 @@ +<?php +/** + * This class serves as a backend for the usermanager group store. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + * This file is part of BlueSpice for MediaWiki + * For further information visit http://bluespice.com + * + * @author Markus Glaser <gla...@hallowelt.com> + * @package Bluespice_Extensions + * @copyright Copyright (C) 2016 Hallo Welt! GmbH, All rights reserved. + * @license http://www.gnu.org/copyleft/gpl.html GNU Public License v2 or later + * + * Example request parameters of an ExtJS store + */ +class BSApiChangeableGroupStore extends BSApiGroupStore { + /** + * @param string $sQuery Potential query provided by ExtJS component. + * This is some kind of preliminary filtering. Subclass has to decide if + * and how to process it + * @return array - Full list of of data objects. 
Filters, paging, sorting + * will be done by the base class + */ + protected function makeData( $sQuery = '' ) { + $aData = parent::makeData( $sQuery ); + $aChangeableData = array(); + $aChangeableGroups = $this->getUser()->changeableGroups(); + $aChangeableGroupsMerged = array_unique( array_merge( + $aChangeableGroups['add'], + $aChangeableGroups['add-self'], + $aChangeableGroups['remove'], + $aChangeableGroups['remove-self'] + )); + + foreach ( $aData as $aGroupDef ) { + if( !in_array( $aGroupDef->group_name, $aChangeableGroupsMerged ) ) { + continue; + } + $aChangeableData[] = $aGroupDef; + } + + return $aChangeableData; + } +} \ No newline at end of file diff --git a/UserManager/resources/BS.UserManager/panel/Manager.js b/UserManager/resources/BS.UserManager/panel/Manager.js index 8ed19b7..b9e82de 100644 --- a/UserManager/resources/BS.UserManager/panel/Manager.js +++ b/UserManager/resources/BS.UserManager/panel/Manager.js 
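Review bot: makeData() merges `add`, `add-self`, `remove` and `remove-self` into one list, so the store also offers groups the caller may change only on their own account, or may only remove. The class docblock should say that this list is a display filter and that the permission decision is made in UserManager::setGroups(). The dangling docblock line `Example request parameters of an ExtJS store` and the `of of` typo in `@return` could be fixed at the same time. Because setGroups() treats every current group missing from the submitted list as a removal, it is worth confirming that the dialog in Manager.js still submits groups the target user holds but this store no longer lists; that client code is not visible here.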
@@ -37,7 +37,7 @@ }); this.strGroups = Ext.create( 'BS.store.BSApi', { - apiAction: 'bs-group-store', + apiAction: 'bs-usermanager-group-store', fields: ['group_name', 'additional_group', 'displayname'], proxy: { extraParams: { -- To view, visit https://gerrit.wikimedia.org/r/309030 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Id22866cd190aa25c9725d6212d537e808557f39d Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/BlueSpiceExtensions Gerrit-Branch: master Gerrit-Owner: Mglaser <gla...@hallowelt.biz> Gerrit-Reviewer: Dvogel hallowelt <daniel.vo...@hallowelt.com> Gerrit-Reviewer: Ljonka <l.verhovs...@gmail.com> Gerrit-Reviewer: Pwirth <wi...@hallowelt.biz> Gerrit-Reviewer: Raimond Spekking <raimond.spekk...@gmail.com> Gerrit-Reviewer: Robert Vogel <vo...@hallowelt.biz> Gerrit-Reviewer: Siebrand <siebr...@kitano.nl> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits