<?php
/******************************************************************************
 * Wikipedia Account Creation Assistance tool                                 *
 *                                                                            *
 * All code in this file is released into the public domain by the ACC        *
 * Development Team. Please see team.json for a list of contributors.         *
 ******************************************************************************/
namespace Waca\Security;
use Waca\Helpers\PreferenceManager;
use Waca\Pages\PageBan;
use Waca\Pages\PageDomainManagement;
use Waca\Pages\PageDomainSwitch;
use Waca\Pages\PageEditComment;
use Waca\Pages\PageEmailManagement;
use Waca\Pages\PageErrorLogViewer;
use Waca\Pages\PageExpandedRequestList;
use Waca\Pages\PageFlagComment;
use Waca\Pages\PageJobQueue;
use Waca\Pages\PageListFlaggedComments;
use Waca\Pages\PageLog;
use Waca\Pages\PageMain;
use Waca\Pages\PageQueueManagement;
use Waca\Pages\PageRequestFormManagement;
use Waca\Pages\PageXffDemo;
use Waca\Pages\RequestAction\PageCreateRequest;
use Waca\Pages\RequestAction\PageManuallyConfirm;
use Waca\Pages\UserAuth\PageChangePassword;
use Waca\Pages\UserAuth\MultiFactor\PageMultiFactor;
use Waca\Pages\UserAuth\PageOAuth;
use Waca\Pages\UserAuth\PagePreferences;
use Waca\Pages\PageSearch;
use Waca\Pages\PageSiteNotice;
use Waca\Pages\PageTeam;
use Waca\Pages\PageUserManagement;
use Waca\Pages\PageViewRequest;
use Waca\Pages\PageWelcomeTemplateManagement;
use Waca\Pages\RequestAction\PageBreakReservation;
use Waca\Pages\RequestAction\PageCloseRequest;
use Waca\Pages\RequestAction\PageComment;
use Waca\Pages\RequestAction\PageCustomClose;
use Waca\Pages\RequestAction\PageDeferRequest;
use Waca\Pages\RequestAction\PageDropRequest;
use Waca\Pages\RequestAction\PageReservation;
use Waca\Pages\RequestAction\PageSendToUser;
use Waca\Pages\Statistics\StatsFastCloses;
use Waca\Pages\Statistics\StatsInactiveUsers;
use Waca\Pages\Statistics\StatsMain;
use Waca\Pages\Statistics\StatsMonthlyStats;
use Waca\Pages\Statistics\StatsReservedRequests;
use Waca\Pages\Statistics\StatsTemplateStats;
use Waca\Pages\Statistics\StatsTopCreators;
use Waca\Pages\Statistics\StatsUsers;
56
final class RoleConfiguration extends RoleConfigurationBase
{
    /**
     * Production map of roles to rights.
     *
     * Each role maps a page class (or a named rights group such as 'RequestData'
     * or 'BanType') to the actions it grants and the access level for each:
     *
     * [
     *     'myRole' => [
     *         PageMyPage::class => [
     *             'edit'   => self::ACCESS_ALLOW,
     *             'create' => self::ACCESS_DENY,
     *         ],
     *     ],
     * ]
     *
     * Keys starting with an underscore ('_childRoles', '_description', '_editableBy',
     * '_globalOnly', '_hidden') are role metadata rather than grants; they are
     * consumed outside this file.
     *
     * When a user holds several roles the grants combine as DENY over ALLOW over
     * DEFAULT. With ([A]llow, [D]eny, [-] default) spread across roles:
     *
     * - (-,-,-) = -  (nothing says allow or deny, which amounts to a denial)
     * - (A,-,-) = A
     * - (D,-,-) = D
     * - (A,D,-) = D  (deny wins over allow)
     * - (A,A,A) = A  (repetition changes nothing)
     *
     * The 'public' role is applied to every user automatically; avoid DENY entries in it.
     *
     * @var array
     * @category Security-Critical
     */
    private static array $productionRoleConfig = [
        'public' => [
            /*
             * Granted implicitly to every logged-OUT user.
             *
             * Members of this role do not have to be identified to receive these
             * rights, so DO NOT add any security-sensitive right here.
             */
            '_childRoles' => [
                'publicStats',
            ],
            PageTeam::class => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageXffDemo::class => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
        ],
        'loggedIn' => [
            /*
             * Granted implicitly to every logged-in user.
             *
             * Members of this role do not have to be identified to receive these
             * rights, so DO NOT add any security-sensitive right here.
             */
            '_childRoles' => [
                'public',
            ],
            PagePreferences::class => [
                self::MAIN     => self::ACCESS_ALLOW,
                'refreshOAuth' => self::ACCESS_ALLOW,
            ],
            PageChangePassword::class => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
            PageMultiFactor::class => [
                self::MAIN          => self::ACCESS_ALLOW,
                'scratch'           => self::ACCESS_ALLOW,
                'enableYubikeyOtp'  => self::ACCESS_ALLOW,
                'enableTotp'        => self::ACCESS_ALLOW,
                // disabling a factor stays allowed even where enabling it is not
                'disableYubikeyOtp' => self::ACCESS_ALLOW,
                'disableTotp'       => self::ACCESS_ALLOW,
            ],
            PageOAuth::class => [
                'attach' => self::ACCESS_ALLOW,
                'detach' => self::ACCESS_ALLOW,
            ],
            PageDomainSwitch::class => [
                self::MAIN => self::ACCESS_ALLOW,
            ],
        ],
        'user' => [
            /*
             * Granted implicitly to approved and identified logged-in users.
             */
            '_childRoles' => [
                'internalStats',
            ],
            PageMain::class => [self::MAIN => self::ACCESS_ALLOW],
            PageBan::class => [
                self::MAIN => self::ACCESS_ALLOW,
                'show'     => self::ACCESS_ALLOW,
            ],
            'BanVisibility' => [
                'user' => self::ACCESS_ALLOW,
            ],
            'BanType' => [
                'ip'   => self::ACCESS_ALLOW,
                'name' => self::ACCESS_ALLOW,
            ],
            PageEditComment::class => [self::MAIN => self::ACCESS_ALLOW],
            PageEmailManagement::class => [
                self::MAIN => self::ACCESS_ALLOW,
                'view'     => self::ACCESS_ALLOW,
            ],
            PageExpandedRequestList::class => [self::MAIN => self::ACCESS_ALLOW],
            PageLog::class => [self::MAIN => self::ACCESS_ALLOW],
            PageSearch::class => [
                self::MAIN          => self::ACCESS_ALLOW,
                'byName'            => self::ACCESS_ALLOW,
                'byEmail'           => self::ACCESS_ALLOW,
                'byIp'              => self::ACCESS_ALLOW,
                'allowNonConfirmed' => self::ACCESS_ALLOW,
            ],
            PageWelcomeTemplateManagement::class => [
                self::MAIN => self::ACCESS_ALLOW,
                'select'   => self::ACCESS_ALLOW,
                'view'     => self::ACCESS_ALLOW,
            ],
            PageViewRequest::class => [
                self::MAIN       => self::ACCESS_ALLOW,
                'seeAllRequests' => self::ACCESS_ALLOW,
            ],
            'RequestData' => [
                'seePrivateDataWhenReserved' => self::ACCESS_ALLOW,
                'seePrivateDataWithHash'     => self::ACCESS_ALLOW,
                'seeRelatedRequests'         => self::ACCESS_ALLOW,
            ],
            PageCustomClose::class => [self::MAIN => self::ACCESS_ALLOW],
            PageComment::class => [self::MAIN => self::ACCESS_ALLOW],
            PageFlagComment::class => [self::MAIN => self::ACCESS_ALLOW],
            PageCloseRequest::class => [self::MAIN => self::ACCESS_ALLOW],
            PageCreateRequest::class => [self::MAIN => self::ACCESS_ALLOW],
            PageDeferRequest::class => [self::MAIN => self::ACCESS_ALLOW],
            PageDropRequest::class => [self::MAIN => self::ACCESS_ALLOW],
            PageReservation::class => [self::MAIN => self::ACCESS_ALLOW],
            PageSendToUser::class => [self::MAIN => self::ACCESS_ALLOW],
            PageBreakReservation::class => [self::MAIN => self::ACCESS_ALLOW],
            PageJobQueue::class => [
                self::MAIN    => self::ACCESS_ALLOW,
                'view'        => self::ACCESS_ALLOW,
                'all'         => self::ACCESS_ALLOW,
                'acknowledge' => self::ACCESS_ALLOW,
                'cancel'      => self::ACCESS_ALLOW,
            ],
            PageDomainManagement::class => [self::MAIN => self::ACCESS_ALLOW],
            PageRequestFormManagement::class => [
                self::MAIN => self::ACCESS_ALLOW,
                'view'     => self::ACCESS_ALLOW,
                'preview'  => self::ACCESS_ALLOW,
            ],
            'RequestCreation' => [
                PreferenceManager::CREATION_MANUAL => self::ACCESS_ALLOW,
                PreferenceManager::CREATION_OAUTH  => self::ACCESS_ALLOW,
            ],
            'GlobalInfo' => [
                'viewSiteNotice'  => self::ACCESS_ALLOW,
                'viewOnlineUsers' => self::ACCESS_ALLOW,
            ],
        ],
        'admin' => [
            '_description' => 'A tool administrator.',
            '_editableBy'  => ['admin', 'toolRoot'],
            '_childRoles'  => [
                'user',
                'requestAdminTools',
            ],
            PageEmailManagement::class => [
                'edit'   => self::ACCESS_ALLOW,
                'create' => self::ACCESS_ALLOW,
            ],
            PageSiteNotice::class => [self::MAIN => self::ACCESS_ALLOW],
            PageUserManagement::class => [
                self::MAIN  => self::ACCESS_ALLOW,
                'approve'   => self::ACCESS_ALLOW,
                'decline'   => self::ACCESS_ALLOW,
                'rename'    => self::ACCESS_ALLOW,
                'editUser'  => self::ACCESS_ALLOW,
                'suspend'   => self::ACCESS_ALLOW,
                'editRoles' => self::ACCESS_ALLOW,
            ],
            PageSearch::class => [
                'byComment' => self::ACCESS_ALLOW,
            ],
            PageManuallyConfirm::class => [self::MAIN => self::ACCESS_ALLOW],
            PageWelcomeTemplateManagement::class => [
                'edit'   => self::ACCESS_ALLOW,
                'delete' => self::ACCESS_ALLOW,
                'add'    => self::ACCESS_ALLOW,
            ],
            PageJobQueue::class => [
                'acknowledge' => self::ACCESS_ALLOW,
                'requeue'     => self::ACCESS_ALLOW,
                'cancel'      => self::ACCESS_ALLOW,
            ],
            'RequestData' => [
                'reopenClearedRequest' => self::ACCESS_ALLOW,
            ],
            PageQueueManagement::class => [
                self::MAIN => self::ACCESS_ALLOW,
                'edit'     => self::ACCESS_ALLOW,
                'create'   => self::ACCESS_ALLOW,
            ],
            PageRequestFormManagement::class => [
                'edit'   => self::ACCESS_ALLOW,
                'create' => self::ACCESS_ALLOW,
            ],
            PageDomainManagement::class => [
                'edit' => self::ACCESS_ALLOW,
            ],
        ],
        'checkuser' => [
            '_description' => 'A user with CheckUser access',
            '_editableBy'  => ['checkuser', 'steward', 'toolRoot'],
            '_childRoles'  => [
                'user',
                'requestAdminTools',
            ],
            PageUserManagement::class => [
                self::MAIN  => self::ACCESS_ALLOW,
                'suspend'   => self::ACCESS_ALLOW,
                'editRoles' => self::ACCESS_ALLOW,
            ],
            'RequestData' => [
                'seeUserAgentData'     => self::ACCESS_ALLOW,
                'seeCheckuserComments' => self::ACCESS_ALLOW,
                'createLocalAccount'   => self::ACCESS_ALLOW,
            ],
            'BanType' => [
                'useragent' => self::ACCESS_ALLOW,
            ],
            'BanVisibility' => [
                'checkuser' => self::ACCESS_ALLOW,
            ],
        ],
        'steward' => [
            '_description' => 'A user with Steward access',
            '_editableBy'  => ['steward', 'toolRoot'],
            '_globalOnly'  => true,
            '_childRoles'  => [
                'user',
                'checkuser',
            ],
            'BanType' => [
                'ip-largerange' => self::ACCESS_ALLOW,
                'global'        => self::ACCESS_ALLOW,
            ],
        ],
        'toolRoot' => [
            '_description' => 'A user with shell access to the servers running the tool',
            '_editableBy'  => ['toolRoot'],
            '_globalOnly'  => true,
            '_childRoles'  => [
                'admin',
            ],
            'BanType' => [
                'ip-largerange' => self::ACCESS_ALLOW,
                'global'        => self::ACCESS_ALLOW,
            ],
            PageDomainManagement::class => [
                self::MAIN => self::ACCESS_ALLOW,
                'editAll'  => self::ACCESS_ALLOW,
                'edit'     => self::ACCESS_ALLOW,
                'create'   => self::ACCESS_ALLOW,
            ],
            PageErrorLogViewer::class => [
                self::MAIN => self::ACCESS_ALLOW,
                'view'     => self::ACCESS_ALLOW,
                'remove'   => self::ACCESS_ALLOW,
            ],
        ],
        'botCreation' => [
            '_hidden'      => true,
            '_description' => 'A user allowed to use the bot to perform account creations',
            '_editableBy'  => ['admin', 'toolRoot'],
            '_childRoles'  => [],
            'RequestCreation' => [
                PreferenceManager::CREATION_BOT => self::ACCESS_ALLOW,
            ],
        ],

        // Child roles: never assigned directly, only pulled in via '_childRoles' above.
        'publicStats' => [
            '_hidden' => true,
            StatsUsers::class => [
                self::MAIN => self::ACCESS_ALLOW,
                'detail'   => self::ACCESS_ALLOW,
            ],
            StatsTopCreators::class => [self::MAIN => self::ACCESS_ALLOW],
            StatsMonthlyStats::class => [self::MAIN => self::ACCESS_ALLOW],
        ],
        'internalStats' => [
            '_hidden' => true,
            StatsMain::class => [self::MAIN => self::ACCESS_ALLOW],
            StatsFastCloses::class => [self::MAIN => self::ACCESS_ALLOW],
            StatsInactiveUsers::class => [self::MAIN => self::ACCESS_ALLOW],
            StatsReservedRequests::class => [self::MAIN => self::ACCESS_ALLOW],
            StatsTemplateStats::class => [self::MAIN => self::ACCESS_ALLOW],
        ],
        'requestAdminTools' => [
            '_hidden' => true,
            PageBan::class => [
                self::MAIN => self::ACCESS_ALLOW,
                'set'      => self::ACCESS_ALLOW,
                'remove'   => self::ACCESS_ALLOW,
                'replace'  => self::ACCESS_ALLOW,
            ],
            'BanType' => [
                'ip'    => self::ACCESS_ALLOW,
                'email' => self::ACCESS_ALLOW,
                'name'  => self::ACCESS_ALLOW,
            ],
            'BanVisibility' => [
                'user'  => self::ACCESS_ALLOW,
                'admin' => self::ACCESS_ALLOW,
            ],
            PageEditComment::class => [
                'editOthers' => self::ACCESS_ALLOW,
            ],
            PageBreakReservation::class => [
                'force' => self::ACCESS_ALLOW,
            ],
            PageCustomClose::class => [
                'skipCcMailingList' => self::ACCESS_ALLOW,
            ],
            PageFlagComment::class => [
                'unflag' => self::ACCESS_ALLOW,
            ],
            PageListFlaggedComments::class => [self::MAIN => self::ACCESS_ALLOW],
            'RequestData' => [
                'reopenOldRequest'      => self::ACCESS_ALLOW,
                'alwaysSeePrivateData'  => self::ACCESS_ALLOW,
                'alwaysSeeHash'         => self::ACCESS_ALLOW,
                'seeRestrictedComments' => self::ACCESS_ALLOW,
            ],
        ],
    ];

    /**
     * Roles that are *exempt* from the identification requirement.
     *
     * Every role listed here hands out its rights to users who have not been
     * identified; think twice before extending this list.
     *
     * @var array
     * @category Security-Critical
     */
    private static array $productionIdentificationExempt = ['public', 'loggedIn'];

    /**
     * Wires the production role map and identification exemptions into the base class.
     */
    public function __construct()
    {
        parent::__construct(self::$productionRoleConfig, self::$productionIdentificationExempt);
    }
}