<?php
/******************************************************************************
 * Wikipedia Account Creation Assistance tool                                 *
 * ACC Development Team. Please see team.json for a list of contributors.     *
 *                                                                            *
 * This is free and unencumbered software released into the public domain.    *
 * Please see LICENSE.md for the full licencing statement.                    *
 ******************************************************************************/
namespace Waca\Security;
use Waca\Helpers\PreferenceManager;
use Waca\Pages\PageBan;
use Waca\Pages\PageDomainManagement;
use Waca\Pages\PageDomainSwitch;
use Waca\Pages\PageEditComment;
use Waca\Pages\PageEmailManagement;
use Waca\Pages\PageErrorLogViewer;
use Waca\Pages\PageExpandedRequestList;
use Waca\Pages\PageFlagComment;
use Waca\Pages\PageJobQueue;
use Waca\Pages\PageListFlaggedComments;
use Waca\Pages\PageLog;
use Waca\Pages\PageMain;
use Waca\Pages\PagePrivacy;
use Waca\Pages\PageQueueManagement;
use Waca\Pages\PageRequestFormManagement;
use Waca\Pages\PageXffDemo;
use Waca\Pages\RequestAction\PageCreateRequest;
use Waca\Pages\RequestAction\PageManuallyConfirm;
use Waca\Pages\UserAuth\PageChangePassword;
use Waca\Pages\UserAuth\MultiFactor\PageMultiFactor;
use Waca\Pages\UserAuth\PageOAuth;
use Waca\Pages\UserAuth\PagePreferences;
use Waca\Pages\PageSearch;
use Waca\Pages\PageSiteNotice;
use Waca\Pages\PageTeam;
use Waca\Pages\PageUserManagement;
use Waca\Pages\PageViewRequest;
use Waca\Pages\PageWelcomeTemplateManagement;
use Waca\Pages\RequestAction\PageBreakReservation;
use Waca\Pages\RequestAction\PageCloseRequest;
use Waca\Pages\RequestAction\PageComment;
use Waca\Pages\RequestAction\PageCustomClose;
use Waca\Pages\RequestAction\PageDeferRequest;
use Waca\Pages\RequestAction\PageDropRequest;
use Waca\Pages\RequestAction\PageReservation;
use Waca\Pages\RequestAction\PageSendToUser;
use Waca\Pages\Statistics\StatsFastCloses;
use Waca\Pages\Statistics\StatsInactiveUsers;
use Waca\Pages\Statistics\StatsMain;
use Waca\Pages\Statistics\StatsMonthlyStats;
use Waca\Pages\Statistics\StatsReservedRequests;
use Waca\Pages\Statistics\StatsTemplateStats;
use Waca\Pages\Statistics\StatsTopCreators;
use Waca\Pages\Statistics\StatsUsers;
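/**
 * Production role definitions for the tool.
 *
 * This class carries no logic of its own: it holds the role-to-rights map and the list of roles
 * exempt from identification, and hands both to RoleConfigurationBase from the constructor.
 * Every edit to this file changes who may do what in the tool, so review changes here with
 * the same care as code that enforces a check.
 *
 * @category Security-Critical
 */
final class RoleConfiguration extends RoleConfigurationBase
{
    /**
     * A map of roles to rights
     *
     * For example:
     *
     * [
     *   'myRole' => [
     *       PageMyPage::class => [
     *           'edit' => self::ACCESS_ALLOW,
     *           'create' => self::ACCESS_DENY,
     *       ],
     *   ],
     * ]
     *
     * Keys beginning with an underscore are role metadata rather than grants. The ones used below are
     * `_description`, `_editableBy`, `_childRoles`, `_globalOnly` and `_hidden`; how each is interpreted
     * is up to RoleConfigurationBase, which receives this array in the constructor. `_childRoles` names
     * roles that appear to be folded into the role that lists them (resolution is in the base class, not
     * here). Grants are keyed either by a page class name or by a plain string naming a non-page
     * permission group ('BanType', 'BanVisibility', 'RequestData', 'RequestCreation', 'GlobalInfo').
     *
     * Note that DENY takes precedence over everything else when roles are combined, followed by ALLOW, followed by
     * DEFAULT. Thus, if you have the following ([A]llow, [D]eny, [-] (default)) grants in different roles, this should
     * be the expected result:
     *
     * - (-,-,-) = - (default because nothing to explicitly say allowed or denied equates to a denial)
     * - (A,-,-) = A
     * - (D,-,-) = D
     * - (A,D,-) = D (deny takes precedence over allow)
     * - (A,A,A) = A (repetition has no effect)
     *
     * The public role is special, and is applied to all users automatically. Avoid using deny on this role.
     *
     * @var array<string, array<string, mixed>>
     * @category Security-Critical
     */
    private static array $productionRoleConfig = [
        'public'            => [
            /*
             * THIS ROLE IS GRANTED TO ALL LOGGED *OUT* USERS IMPLICITLY.
             *
             * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
             * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
             */
            '_childRoles'       => [
                'publicStats',
            ],
            PageTeam::class     => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageXffDemo::class  => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PagePrivacy::class  => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
        ],
        'loggedIn'          => [
            /*
             * THIS ROLE IS GRANTED TO ALL LOGGED-IN USERS IMPLICITLY.
             *
             * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
             * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
             */
            '_childRoles'             => [
                'public',
            ],
            PagePreferences::class    => [
                self::MAIN     => self::ACCESS_ALLOW,
                'refreshOAuth' => self::ACCESS_ALLOW,
            ],
            PageChangePassword::class => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageMultiFactor::class    => [
                self::MAIN          => self::ACCESS_ALLOW,
                'scratch'           => self::ACCESS_ALLOW,
                'enableYubikeyOtp'  => self::ACCESS_ALLOW,
                'enableTotp'        => self::ACCESS_ALLOW,
                // allow a user to disable this even when they're not allowed to enable it
                'disableYubikeyOtp' => self::ACCESS_ALLOW,
                'disableTotp'       => self::ACCESS_ALLOW,
            ],
            PageOAuth::class          => [
                'attach' => self::ACCESS_ALLOW,
                'detach' => self::ACCESS_ALLOW,
            ],
            PageDomainSwitch::class   => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
        ],
        'user'              => [
            /*
             * THIS ROLE IS GRANTED TO APPROVED AND IDENTIFIED LOGGED-IN USERS IMPLICITLY.
             */
            '_childRoles'                        => [
                'internalStats',
            ],
            PageMain::class                      => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageBan::class                       => [
                self::MAIN => self::ACCESS_ALLOW,
                'show'     => self::ACCESS_ALLOW,
            ],
            'BanVisibility'                      => [
                'user' => self::ACCESS_ALLOW,
            ],
            'BanType'                            => [
                'ip'   => self::ACCESS_ALLOW,
                'name' => self::ACCESS_ALLOW,
            ],
            PageEditComment::class               => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageEmailManagement::class           => [
                self::MAIN => self::ACCESS_ALLOW,
                'view'     => self::ACCESS_ALLOW,
            ],
            PageExpandedRequestList::class       => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageLog::class                       => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageSearch::class                    => [
                self::MAIN          => self::ACCESS_ALLOW,
                'byName'            => self::ACCESS_ALLOW,
                'byEmail'           => self::ACCESS_ALLOW,
                'byIp'              => self::ACCESS_ALLOW,
                'allowNonConfirmed' => self::ACCESS_ALLOW,
            ],
            PageWelcomeTemplateManagement::class => [
                self::MAIN => self::ACCESS_ALLOW,
                'select'   => self::ACCESS_ALLOW,
                'view'     => self::ACCESS_ALLOW,
            ],
            PageViewRequest::class               => [
                self::MAIN       => self::ACCESS_ALLOW,
                'seeAllRequests' => self::ACCESS_ALLOW,
            ],
            'RequestData'                        => [
                'seePrivateDataWhenReserved' => self::ACCESS_ALLOW,
                'seePrivateDataWithHash'     => self::ACCESS_ALLOW,
                'seeRelatedRequests'         => self::ACCESS_ALLOW,
            ],
            PageCustomClose::class               => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageComment::class                   => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageFlagComment::class               => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageCloseRequest::class              => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageCreateRequest::class             => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageDeferRequest::class              => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageDropRequest::class               => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageReservation::class               => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageSendToUser::class                => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageBreakReservation::class          => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageJobQueue::class                  => [
                self::MAIN    => self::ACCESS_ALLOW,
                'view'        => self::ACCESS_ALLOW,
                'all'         => self::ACCESS_ALLOW,
                'acknowledge' => self::ACCESS_ALLOW,
                'cancel'      => self::ACCESS_ALLOW,
            ],
            PageDomainManagement::class          => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageRequestFormManagement::class     => [
                self::MAIN => self::ACCESS_ALLOW,
                'view'     => self::ACCESS_ALLOW,
                'preview'  => self::ACCESS_ALLOW,
            ],
            'RequestCreation'                    => [
                PreferenceManager::CREATION_MANUAL => self::ACCESS_ALLOW,
                PreferenceManager::CREATION_OAUTH  => self::ACCESS_ALLOW,
            ],
            'GlobalInfo'                         => [
                'viewSiteNotice'  => self::ACCESS_ALLOW,
                'viewOnlineUsers' => self::ACCESS_ALLOW,
            ],
        ],
        'admin'             => [
            '_description'                       => 'A tool administrator.',
            '_editableBy'                        => ['admin', 'toolRoot'],
            '_childRoles'                        => [
                'user',
                'requestAdminTools',
            ],
            PageEmailManagement::class           => [
                'edit'   => self::ACCESS_ALLOW,
                'create' => self::ACCESS_ALLOW,
            ],
            PageSiteNotice::class                => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageUserManagement::class            => [
                self::MAIN  => self::ACCESS_ALLOW,
                'approve'   => self::ACCESS_ALLOW,
                'decline'   => self::ACCESS_ALLOW,
                'rename'    => self::ACCESS_ALLOW,
                'editUser'  => self::ACCESS_ALLOW,
                'suspend'   => self::ACCESS_ALLOW,
                'editRoles' => self::ACCESS_ALLOW,
            ],
            PageSearch::class                    => [
                'byComment' => self::ACCESS_ALLOW,
            ],
            PageManuallyConfirm::class           => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageWelcomeTemplateManagement::class => [
                'edit'   => self::ACCESS_ALLOW,
                'delete' => self::ACCESS_ALLOW,
                'add'    => self::ACCESS_ALLOW,
            ],
            PageJobQueue::class                  => [
                'acknowledge' => self::ACCESS_ALLOW,
                'requeue'     => self::ACCESS_ALLOW,
                'cancel'      => self::ACCESS_ALLOW,
            ],
            'RequestData'                        => [
                'reopenClearedRequest' => self::ACCESS_ALLOW,
            ],
            PageQueueManagement::class           => [
                self::MAIN => self::ACCESS_ALLOW,
                'edit'     => self::ACCESS_ALLOW,
                'create'   => self::ACCESS_ALLOW,
            ],
            PageRequestFormManagement::class     => [
                'edit'   => self::ACCESS_ALLOW,
                'create' => self::ACCESS_ALLOW,
            ],
            PageDomainManagement::class          => [
                'edit' => self::ACCESS_ALLOW,
            ],
        ],
        'checkuser'         => [
            '_description'            => 'A user with CheckUser access',
            '_editableBy'             => ['checkuser', 'steward', 'toolRoot'],
            '_childRoles'             => [
                'user',
                'requestAdminTools',
            ],
            PageUserManagement::class => [
                self::MAIN  => self::ACCESS_ALLOW,
                'suspend'   => self::ACCESS_ALLOW,
                'editRoles' => self::ACCESS_ALLOW,
            ],
            'RequestData'             => [
                'seeUserAgentData'     => self::ACCESS_ALLOW,
                'seeCheckuserComments' => self::ACCESS_ALLOW,
                'createLocalAccount'   => self::ACCESS_ALLOW,
            ],
            'BanType'                 => [
                'useragent' => self::ACCESS_ALLOW,
            ],
            'BanVisibility'           => [
                'checkuser' => self::ACCESS_ALLOW,
            ],
        ],
        'steward'           => [
            '_description' => 'A user with Steward access',
            '_editableBy'  => ['steward', 'toolRoot'],
            '_globalOnly'  => true,
            '_childRoles'  => [
                'user',
                'checkuser',
            ],
            'BanType'      => [
                'ip-largerange' => self::ACCESS_ALLOW,
                'global'        => self::ACCESS_ALLOW,
            ],
        ],
        'toolRoot'          => [
            '_description'              => 'A user with shell access to the servers running the tool',
            '_editableBy'               => ['toolRoot'],
            '_globalOnly'               => true,
            '_childRoles'               => [
                'admin',
            ],
            'BanType'                   => [
                'ip-largerange' => self::ACCESS_ALLOW,
                'global'        => self::ACCESS_ALLOW,
            ],
            PageDomainManagement::class => [
                self::MAIN => self::ACCESS_ALLOW,
                'editAll'  => self::ACCESS_ALLOW,
                'edit'     => self::ACCESS_ALLOW,
                'create'   => self::ACCESS_ALLOW,
            ],
            PageErrorLogViewer::class   => [
                self::MAIN => self::ACCESS_ALLOW,
                'view'     => self::ACCESS_ALLOW,
                'remove'   => self::ACCESS_ALLOW,
            ],
        ],
        'botCreation'       => [
            '_hidden'         => true,
            '_description'    => 'A user allowed to use the bot to perform account creations',
            '_editableBy'     => ['admin', 'toolRoot'],
            '_childRoles'     => [],
            'RequestCreation' => [
                PreferenceManager::CREATION_BOT => self::ACCESS_ALLOW,
            ],
        ],

        // Child roles go below this point. They are all flagged `_hidden` and are only reached via the
        // `_childRoles` lists of the roles above.
        'publicStats'       => [
            '_hidden'                => true,
            StatsUsers::class        => [
                self::MAIN => self::ACCESS_ALLOW,
                'detail'   => self::ACCESS_ALLOW,
            ],
            StatsTopCreators::class  => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            StatsMonthlyStats::class => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
        ],
        'internalStats'     => [
            '_hidden'                    => true,
            StatsMain::class             => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            StatsFastCloses::class       => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            StatsInactiveUsers::class    => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            StatsReservedRequests::class => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            StatsTemplateStats::class    => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
        ],
        'requestAdminTools' => [
            '_hidden'                      => true,
            PageBan::class                 => [
                self::MAIN => self::ACCESS_ALLOW,
                'set'      => self::ACCESS_ALLOW,
                'remove'   => self::ACCESS_ALLOW,
                'replace'  => self::ACCESS_ALLOW,
            ],
            'BanType'                      => [
                'ip'    => self::ACCESS_ALLOW,
                'email' => self::ACCESS_ALLOW,
                'name'  => self::ACCESS_ALLOW,
            ],
            'BanVisibility'                => [
                'user'  => self::ACCESS_ALLOW,
                'admin' => self::ACCESS_ALLOW,
            ],
            PageEditComment::class         => [
                'editOthers' => self::ACCESS_ALLOW,
            ],
            PageBreakReservation::class    => [
                'force' => self::ACCESS_ALLOW,
            ],
            PageCustomClose::class         => [
                'skipCcMailingList' => self::ACCESS_ALLOW,
            ],
            PageFlagComment::class         => [
                'unflag' => self::ACCESS_ALLOW,
            ],
            PageListFlaggedComments::class => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            'RequestData'                  => [
                'reopenOldRequest'      => self::ACCESS_ALLOW,
                'alwaysSeePrivateData'  => self::ACCESS_ALLOW,
                'alwaysSeeHash'         => self::ACCESS_ALLOW,
                'seeRestrictedComments' => self::ACCESS_ALLOW,
            ],
        ],
    ];

    /**
     * List of roles which are *exempt* from the identification requirements
     *
     * These are exactly the two implicit roles whose header comments above state that identification
     * is not required; `user` and everything built on it is deliberately absent.
     *
     * Think twice about adding roles to this list.
     *
     * @var list<string>
     * @category Security-Critical
     */
    private static array $productionIdentificationExempt = ['public', 'loggedIn'];

    /**
     * Hands the production role map and the identification-exemption list to RoleConfigurationBase,
     * which owns the actual access resolution.
     */
    public function __construct()
    {
        parent::__construct(self::$productionRoleConfig, self::$productionIdentificationExempt);
    }
}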