RoleConfiguration::getApplicableRoles() - Code Metrics - Inspection of "Merge branch 'enwikipedia-acc:master' into master" - mdaniels5757/waca - Measure and Improve Code Quality continuously with Scrutinizer

Failed Conditions

Push — master ( dd638d...733d87 )

by Michael

created 2025-05-03 19:46 UTC

RoleConfiguration::getApplicableRoles() A

↳ Parent: Project

Complexity

Conditions	6
Paths	8

Size

Total Lines	27
Code Lines	13

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	0
CRAP Score	42

Importance

Changes

Metric	Value
eloc	13
dl	0
loc	27
ccs	0
cts	0
cp	0
rs	9.2222
c	0
b	0
f	0
cc	6
nc	8
nop	1
crap	42

<?php
/******************************************************************************
 * Wikipedia Account Creation Assistance tool                                 *
 * ACC Development Team. Please see team.json for a list of contributors.     *
 *                                                                            *
 * This is free and unencumbered software released into the public domain.    *
 * Please see LICENSE.md for the full licencing statement.                    *
 ******************************************************************************/

namespace Waca\Security;

use Waca\Helpers\PreferenceManager;
use Waca\Pages\PageBan;
use Waca\Pages\PageDomainManagement;
use Waca\Pages\PageDomainSwitch;
use Waca\Pages\PageEditComment;
use Waca\Pages\PageEmailManagement;
use Waca\Pages\PageErrorLogViewer;
use Waca\Pages\PageExpandedRequestList;
use Waca\Pages\PageFlagComment;
use Waca\Pages\PageJobQueue;
use Waca\Pages\PageListFlaggedComments;
use Waca\Pages\PageLog;
use Waca\Pages\PageMain;
use Waca\Pages\PagePrivacy;
use Waca\Pages\PageQueueManagement;
use Waca\Pages\PageRequestFormManagement;
use Waca\Pages\PageXffDemo;
use Waca\Pages\RequestAction\PageCreateRequest;
use Waca\Pages\RequestAction\PageManuallyConfirm;
use Waca\Pages\UserAuth\PageChangePassword;
use Waca\Pages\UserAuth\MultiFactor\PageMultiFactor;
use Waca\Pages\UserAuth\PageOAuth;
use Waca\Pages\UserAuth\PagePreferences;
use Waca\Pages\PageSearch;
use Waca\Pages\PageSiteNotice;
use Waca\Pages\PageTeam;
use Waca\Pages\PageUserManagement;
use Waca\Pages\PageViewRequest;
use Waca\Pages\PageWelcomeTemplateManagement;
use Waca\Pages\RequestAction\PageBreakReservation;
use Waca\Pages\RequestAction\PageCloseRequest;
use Waca\Pages\RequestAction\PageComment;
use Waca\Pages\RequestAction\PageCustomClose;
use Waca\Pages\RequestAction\PageDeferRequest;
use Waca\Pages\RequestAction\PageDropRequest;
use Waca\Pages\RequestAction\PageReservation;
use Waca\Pages\RequestAction\PageSendToUser;
use Waca\Pages\Statistics\StatsFastCloses;
use Waca\Pages\Statistics\StatsInactiveUsers;
use Waca\Pages\Statistics\StatsMain;
use Waca\Pages\Statistics\StatsMonthlyStats;
use Waca\Pages\Statistics\StatsReservedRequests;
use Waca\Pages\Statistics\StatsTemplateStats;
use Waca\Pages\Statistics\StatsTopCreators;
use Waca\Pages\Statistics\StatsUsers;
use Waca\Pages\UserAuth\PageUserReactivate;

final class RoleConfiguration extends RoleConfigurationBase
{
    /**
     * A map of roles to rights
     *
     * For example:
     *
     * array(
     *   'myRole' => array(
     *       PageMyPage::class => array(
     *           'edit' => self::ACCESS_ALLOW,
     *           'create' => self::ACCESS_DENY,
     *       )
     *   )
     * )
     *
     * Note that DENY takes precedence over everything else when roles are combined, followed by ALLOW, followed by
     * DEFAULT. Thus, if you have the following ([A]llow, [D]eny, [-] (default)) grants in different roles, this should
     * be the expected result:
     *
     * - (-,-,-) = - (default because nothing to explicitly say allowed or denied equates to a denial)
     * - (A,-,-) = A
     * - (D,-,-) = D
     * - (A,D,-) = D (deny takes precedence over allow)
     * - (A,A,A) = A (repetition has no effect)
     *
     * The public role is special, and is applied to all users automatically. Avoid using deny on this role.
     *
     * @var array
     * @category Security-Critical
     */
    private static array $productionRoleConfig = array(
        'public'            => array(
            /*
             * THIS ROLE IS GRANTED TO ALL LOGGED *OUT* USERS IMPLICITLY.
             *
             * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
             * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
             */
            '_childRoles'   => array(
                'publicStats',
            ),
            PageTeam::class => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageXffDemo::class        => array(
                self::MAIN  => self::ACCESS_ALLOW,
            ),
            PagePrivacy::class => array(
                self::MAIN => self::ACCESS_ALLOW,
            )
        ),
        'loggedIn'          => array(
            /*
             * THIS ROLE IS GRANTED TO ALL LOGGED-IN USERS IMPLICITLY.
             *
             * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
             * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
             */
            '_childRoles'             => array(
                'public',
            ),
            PagePreferences::class    => array(
                self::MAIN => self::ACCESS_ALLOW,
                'refreshOAuth' => self::ACCESS_ALLOW,
            ),
            PageChangePassword::class => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageMultiFactor::class    => array(
                self::MAIN          => self::ACCESS_ALLOW,
                'scratch'           => self::ACCESS_ALLOW,
                'enableYubikeyOtp'  => self::ACCESS_ALLOW,
                'enableTotp'        => self::ACCESS_ALLOW,
                // allow a user to disable this even when they're not allowed to enable it
                'disableYubikeyOtp' => self::ACCESS_ALLOW,
                'disableTotp'       => self::ACCESS_ALLOW,
            ),
            PageOAuth::class          => array(
                'attach' => self::ACCESS_ALLOW,
                'detach' => self::ACCESS_ALLOW,
            ),
            PageDomainSwitch::class   => array(
                self::MAIN => self::ACCESS_ALLOW
            ),
            PageUserReactivate::class => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            'UserData'                => array(
                'accountLogSelf' => self::ACCESS_ALLOW,
            ),
        ),
        'user'              => array(
            /*
             * THIS ROLE IS GRANTED TO APPROVED AND IDENTIFIED LOGGED-IN USERS IMPLICITLY.
             */
            '_childRoles'                        => array(
                'internalStats',
            ),
            PageUserReactivate::class => array(
                // only non-approved users should be able to access this
                self::MAIN => self::ACCESS_DENY,
            ),
            PageMain::class                      => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageBan::class                       => array(
                self::MAIN => self::ACCESS_ALLOW,
                'show'     => self::ACCESS_ALLOW,
            ),
            'BanVisibility'             => array(
                'user' => self::ACCESS_ALLOW,
            ),
            'BanType'                   => array(
                'ip' => self::ACCESS_ALLOW,
                'name' => self::ACCESS_ALLOW,
            ),
            PageEditComment::class               => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageEmailManagement::class           => array(
                self::MAIN => self::ACCESS_ALLOW,
                'view'     => self::ACCESS_ALLOW,
            ),
            PageExpandedRequestList::class       => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageLog::class                       => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageSearch::class                    => array(
                self::MAIN => self::ACCESS_ALLOW,
                'byName'   => self::ACCESS_ALLOW,
                'byEmail'  => self::ACCESS_ALLOW,
                'byIp'     => self::ACCESS_ALLOW,
                'allowNonConfirmed' => self::ACCESS_ALLOW,
            ),
            PageWelcomeTemplateManagement::class => array(
                self::MAIN => self::ACCESS_ALLOW,
                'select'   => self::ACCESS_ALLOW,
                'view'     => self::ACCESS_ALLOW,
            ),
            PageViewRequest::class               => array(
                self::MAIN       => self::ACCESS_ALLOW,
                'seeAllRequests' => self::ACCESS_ALLOW,
            ),
            'RequestData'                        => array(
                'seePrivateDataWhenReserved' => self::ACCESS_ALLOW,
                'seePrivateDataWithHash'     => self::ACCESS_ALLOW,
                'seeRelatedRequests'         => self::ACCESS_ALLOW,
            ),
            PageCustomClose::class               => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageComment::class                   => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageFlagComment::class               => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageCloseRequest::class              => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageCreateRequest::class             => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageDeferRequest::class              => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageDropRequest::class               => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageReservation::class               => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageSendToUser::class                => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageBreakReservation::class          => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageJobQueue::class                  => array(
                self::MAIN    => self::ACCESS_ALLOW,
                'view'        => self::ACCESS_ALLOW,
                'all'         => self::ACCESS_ALLOW,
                'acknowledge' => self::ACCESS_ALLOW,
                'cancel'      => self::ACCESS_ALLOW
            ),
            PageDomainManagement::class          => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageRequestFormManagement::class     => array(
                self::MAIN => self::ACCESS_ALLOW,
                'view'     => self::ACCESS_ALLOW,
                'preview'  => self::ACCESS_ALLOW,
            ),
            'RequestCreation'                    => array(
                PreferenceManager::CREATION_MANUAL => self::ACCESS_ALLOW,
                PreferenceManager::CREATION_OAUTH  => self::ACCESS_ALLOW,
            ),
            'GlobalInfo'                         => array(
                'viewSiteNotice' => self::ACCESS_ALLOW,
                'viewOnlineUsers' => self::ACCESS_ALLOW,
            ),
        ),
        'admin'             => array(
            '_description'                       => 'A tool administrator.',
            '_editableBy'                        => array('admin', 'toolRoot'),
            '_childRoles'                        => array(
                'user',
                'requestAdminTools',
            ),
            PageEmailManagement::class           => array(
                'edit'   => self::ACCESS_ALLOW,
                'create' => self::ACCESS_ALLOW,
            ),
            PageSiteNotice::class                => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageUserManagement::class            => array(
                self::MAIN   => self::ACCESS_ALLOW,
                'approve'    => self::ACCESS_ALLOW,
                'deactivate' => self::ACCESS_ALLOW,
                'rename'     => self::ACCESS_ALLOW,
                'editUser'   => self::ACCESS_ALLOW,
                'editRoles'  => self::ACCESS_ALLOW,
            ),
            PageSearch::class                    => array(
                'byComment' => self::ACCESS_ALLOW,
            ),
            PageManuallyConfirm::class               => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            PageWelcomeTemplateManagement::class => array(
                'edit'   => self::ACCESS_ALLOW,
                'delete' => self::ACCESS_ALLOW,
                'add'    => self::ACCESS_ALLOW,
            ),
            PageJobQueue::class                  => array(
                'acknowledge' => self::ACCESS_ALLOW,
                'requeue'     => self::ACCESS_ALLOW,
                'cancel'      => self::ACCESS_ALLOW,
            ),
            'RequestData'               => array(
                'reopenClearedRequest'  => self::ACCESS_ALLOW,
            ),
            PageQueueManagement::class           => array(
                self::MAIN => self::ACCESS_ALLOW,
                'edit'     => self::ACCESS_ALLOW,
                'create'   => self::ACCESS_ALLOW,
            ),
            PageRequestFormManagement::class     => array(
                'edit'     => self::ACCESS_ALLOW,
                'create'   => self::ACCESS_ALLOW,
            ),
            PageDomainManagement::class          => array(
                'edit'     => self::ACCESS_ALLOW,
            ),
            'UserData'                           => array(
                'accountLog' => self::ACCESS_ALLOW,
            ),
        ),
        'checkuser'         => array(
            '_description'            => 'A user with CheckUser access',
            '_editableBy'             => array('checkuser', 'steward', 'toolRoot'),
            '_childRoles'             => array(
                'user',
                'requestAdminTools',
            ),
            PageUserManagement::class => array(
                self::MAIN   => self::ACCESS_ALLOW,
                'deactivate' => self::ACCESS_ALLOW,
                'editRoles'  => self::ACCESS_ALLOW,
            ),
            'RequestData'             => array(
                'seeUserAgentData'      => self::ACCESS_ALLOW,
                'seeCheckuserComments'  => self::ACCESS_ALLOW,
                'createLocalAccount'    => self::ACCESS_ALLOW,
            ),
            'BanType'                   => array(
                'useragent' => self::ACCESS_ALLOW,
            ),
            'BanVisibility'             => array(
                'checkuser' => self::ACCESS_ALLOW,
            ),
            'UserData'                           => array(
                'accountLog' => self::ACCESS_ALLOW,
            ),
        ),
        'steward'         => array(
            '_description'  => 'A user with Steward access',
            '_editableBy'   => array('steward', 'toolRoot'),
            '_globalOnly'   => true,
            '_childRoles'   => array(
                'user',
                'checkuser',
            ),
            'BanType'                   => array(
                'ip-largerange' => self::ACCESS_ALLOW,
                'global'        => self::ACCESS_ALLOW,
            ),
        ),
        'toolRoot'          => array(
            '_description' => 'A user with shell access to the servers running the tool',
            '_editableBy'  => array('toolRoot'),
            '_globalOnly'  => true,
            '_childRoles'  => array(
                'admin',
            ),
            'BanType'                   => array(
                'ip-largerange' => self::ACCESS_ALLOW,
                'global'        => self::ACCESS_ALLOW,
            ),
            PageDomainManagement::class => array(
                self::MAIN => self::ACCESS_ALLOW,
                'editAll'  => self::ACCESS_ALLOW,
                'edit'     => self::ACCESS_ALLOW,
                'create'   => self::ACCESS_ALLOW,
            ),
            PageErrorLogViewer::class => array(
                self::MAIN      => self::ACCESS_ALLOW,
                'view'          => self::ACCESS_ALLOW,
                'remove'        => self::ACCESS_ALLOW,
            ),
        ),
        'botCreation'       => array(
            '_hidden'         => true,
            '_description'    => 'A user allowed to use the bot to perform account creations',
            '_editableBy'     => array('admin', 'toolRoot'),
            '_childRoles'     => array(),
            'RequestCreation' => array(
                PreferenceManager::CREATION_BOT => self::ACCESS_ALLOW,
            ),
        ),

        // Child roles go below this point
        'publicStats'       => array(
            '_hidden'               => true,
            StatsUsers::class       => array(
                self::MAIN => self::ACCESS_ALLOW,
                'detail'   => self::ACCESS_ALLOW,
            ),
            StatsTopCreators::class => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            StatsMonthlyStats::class     => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
        ),
        'internalStats'     => array(
            '_hidden'                    => true,
            StatsMain::class             => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            StatsFastCloses::class       => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            StatsInactiveUsers::class    => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            StatsReservedRequests::class => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            StatsTemplateStats::class    => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
        ),
        'requestAdminTools' => array(
            '_hidden'                   => true,
            PageBan::class              => array(
                self::MAIN => self::ACCESS_ALLOW,
                'set'      => self::ACCESS_ALLOW,
                'remove'   => self::ACCESS_ALLOW,
                'replace'  => self::ACCESS_ALLOW,
            ),
            'BanType'                   => array(
                'ip' => self::ACCESS_ALLOW,
                'email' => self::ACCESS_ALLOW,
                'name' => self::ACCESS_ALLOW,
            ),
            'BanVisibility'             => array(
                'user' => self::ACCESS_ALLOW,
                'admin' => self::ACCESS_ALLOW,
            ),
            PageEditComment::class      => array(
                'editOthers' => self::ACCESS_ALLOW,
            ),
            PageBreakReservation::class => array(
                'force' => self::ACCESS_ALLOW,
            ),
            PageCustomClose::class      => array(
                'skipCcMailingList' => self::ACCESS_ALLOW,
            ),
            PageFlagComment::class      => array(
                'unflag'   => self::ACCESS_ALLOW,
            ),
            PageListFlaggedComments::class => array(
                self::MAIN => self::ACCESS_ALLOW,
            ),
            'RequestData'               => array(
                'reopenOldRequest'      => self::ACCESS_ALLOW,
                'alwaysSeePrivateData'  => self::ACCESS_ALLOW,
                'alwaysSeeHash'         => self::ACCESS_ALLOW,
                'seeRestrictedComments' => self::ACCESS_ALLOW,
            ),
        ),
    );

    /** @var array
     * List of roles which are *exempt* from the identification requirements
     *
     * Think twice about adding roles to this list.
     *
     * @category Security-Critical
     */
    private static array $productionIdentificationExempt = array('public', 'loggedIn');

    public function __construct()
    {
        parent::__construct(self::$productionRoleConfig, self::$productionIdentificationExempt);
    }
}


1		<?php
2		/******************************************************************************
3		* Wikipedia Account Creation Assistance tool *
4		* ACC Development Team. Please see team.json for a list of contributors. *
5		* *
6		* This is free and unencumbered software released into the public domain. *
7		* Please see LICENSE.md for the full licencing statement. *
8		******************************************************************************/
9
10		namespace Waca\Security;
11
12		use Waca\Helpers\PreferenceManager;
13		use Waca\Pages\PageBan;
14		use Waca\Pages\PageDomainManagement;
15		use Waca\Pages\PageDomainSwitch;
16		use Waca\Pages\PageEditComment;
17		use Waca\Pages\PageEmailManagement;
18		use Waca\Pages\PageErrorLogViewer;
19		use Waca\Pages\PageExpandedRequestList;
20		use Waca\Pages\PageFlagComment;
21		use Waca\Pages\PageJobQueue;
22		use Waca\Pages\PageListFlaggedComments;
23		use Waca\Pages\PageLog;
24		use Waca\Pages\PageMain;
25		use Waca\Pages\PagePrivacy;
26		use Waca\Pages\PageQueueManagement;
27		use Waca\Pages\PageRequestFormManagement;
28		use Waca\Pages\PageXffDemo;
29		use Waca\Pages\RequestAction\PageCreateRequest;
30		use Waca\Pages\RequestAction\PageManuallyConfirm;
31		use Waca\Pages\UserAuth\PageChangePassword;
32		use Waca\Pages\UserAuth\MultiFactor\PageMultiFactor;
33		use Waca\Pages\UserAuth\PageOAuth;
34		use Waca\Pages\UserAuth\PagePreferences;
35		use Waca\Pages\PageSearch;
36		use Waca\Pages\PageSiteNotice;
37		use Waca\Pages\PageTeam;
38		use Waca\Pages\PageUserManagement;
39		use Waca\Pages\PageViewRequest;
40		use Waca\Pages\PageWelcomeTemplateManagement;
41		use Waca\Pages\RequestAction\PageBreakReservation;
42		use Waca\Pages\RequestAction\PageCloseRequest;
43		use Waca\Pages\RequestAction\PageComment;
44		use Waca\Pages\RequestAction\PageCustomClose;
45		use Waca\Pages\RequestAction\PageDeferRequest;
46		use Waca\Pages\RequestAction\PageDropRequest;
47		use Waca\Pages\RequestAction\PageReservation;
48		use Waca\Pages\RequestAction\PageSendToUser;
49		use Waca\Pages\Statistics\StatsFastCloses;
50		use Waca\Pages\Statistics\StatsInactiveUsers;
51		use Waca\Pages\Statistics\StatsMain;
52		use Waca\Pages\Statistics\StatsMonthlyStats;
53		use Waca\Pages\Statistics\StatsReservedRequests;
54		use Waca\Pages\Statistics\StatsTemplateStats;
55		use Waca\Pages\Statistics\StatsTopCreators;
56		use Waca\Pages\Statistics\StatsUsers;
57		use Waca\Pages\UserAuth\PageUserReactivate;
58
59		final class RoleConfiguration extends RoleConfigurationBase
60		{
61		/**
62		* A map of roles to rights
63		*
64		* For example:
65		*
66		* array(
67		* 'myRole' => array(
68		* PageMyPage::class => array(
69		* 'edit' => self::ACCESS_ALLOW,
70		* 'create' => self::ACCESS_DENY,
71		* )
72		* )
73		* )
74		*
75		* Note that DENY takes precedence over everything else when roles are combined, followed by ALLOW, followed by
76		* DEFAULT. Thus, if you have the following ([A]llow, [D]eny, [-] (default)) grants in different roles, this should
77		* be the expected result:
78		*
79		* - (-,-,-) = - (default because nothing to explicitly say allowed or denied equates to a denial)
80		* - (A,-,-) = A
81		* - (D,-,-) = D
82		* - (A,D,-) = D (deny takes precedence over allow)
83		* - (A,A,A) = A (repetition has no effect)
84		*
85		* The public role is special, and is applied to all users automatically. Avoid using deny on this role.
86		*
87		* @var array
88		* @category Security-Critical
89		*/
90		private static array $productionRoleConfig = array(
91		'public' => array(
92		/*
93		* THIS ROLE IS GRANTED TO ALL LOGGED OUT USERS IMPLICITLY.
94		*
95		* USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
96		* DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
97		*/
98		'_childRoles' => array(
99		'publicStats',
100		),
101		PageTeam::class => array(
102		self::MAIN => self::ACCESS_ALLOW,
103		),
104		PageXffDemo::class => array(
105		self::MAIN => self::ACCESS_ALLOW,
106		),
107		PagePrivacy::class => array(
108		self::MAIN => self::ACCESS_ALLOW,
109		)
110		),
111		'loggedIn' => array(
112		/*
113		* THIS ROLE IS GRANTED TO ALL LOGGED-IN USERS IMPLICITLY.
114		*
115		* USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
116		* DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
117		*/
118		'_childRoles' => array(
119		'public',
120		),
121		PagePreferences::class => array(
122		self::MAIN => self::ACCESS_ALLOW,
123		'refreshOAuth' => self::ACCESS_ALLOW,
124		),
125		PageChangePassword::class => array(
126		self::MAIN => self::ACCESS_ALLOW,
127		),
128		PageMultiFactor::class => array(
129		self::MAIN => self::ACCESS_ALLOW,
130		'scratch' => self::ACCESS_ALLOW,
131		'enableYubikeyOtp' => self::ACCESS_ALLOW,
132		'enableTotp' => self::ACCESS_ALLOW,
133		// allow a user to disable this even when they're not allowed to enable it
134		'disableYubikeyOtp' => self::ACCESS_ALLOW,
135		'disableTotp' => self::ACCESS_ALLOW,
136		),
137		PageOAuth::class => array(
138		'attach' => self::ACCESS_ALLOW,
139		'detach' => self::ACCESS_ALLOW,
140		),
141		PageDomainSwitch::class => array(
142		self::MAIN => self::ACCESS_ALLOW
143		),
144		PageUserReactivate::class => array(
145		self::MAIN => self::ACCESS_ALLOW,
146		),
147		'UserData' => array(
148		'accountLogSelf' => self::ACCESS_ALLOW,
149		),
150		),
151		'user' => array(
152		/*
153		* THIS ROLE IS GRANTED TO APPROVED AND IDENTIFIED LOGGED-IN USERS IMPLICITLY.
154		*/
155		'_childRoles' => array(
156		'internalStats',
157		),
158		PageUserReactivate::class => array(
159		// only non-approved users should be able to access this
160		self::MAIN => self::ACCESS_DENY,
161		),
162		PageMain::class => array(
163		self::MAIN => self::ACCESS_ALLOW,
164		),
165		PageBan::class => array(
166		self::MAIN => self::ACCESS_ALLOW,
167		'show' => self::ACCESS_ALLOW,
168		),
169		'BanVisibility' => array(
170		'user' => self::ACCESS_ALLOW,
171		),
172		'BanType' => array(
173		'ip' => self::ACCESS_ALLOW,
174		'name' => self::ACCESS_ALLOW,
175		),
176		PageEditComment::class => array(
177		self::MAIN => self::ACCESS_ALLOW,
178		),
179		PageEmailManagement::class => array(
180		self::MAIN => self::ACCESS_ALLOW,
181		'view' => self::ACCESS_ALLOW,
182		),
183		PageExpandedRequestList::class => array(
184		self::MAIN => self::ACCESS_ALLOW,
185		),
186		PageLog::class => array(
187		self::MAIN => self::ACCESS_ALLOW,
188		),
189		PageSearch::class => array(
190		self::MAIN => self::ACCESS_ALLOW,
191		'byName' => self::ACCESS_ALLOW,
192		'byEmail' => self::ACCESS_ALLOW,
193		'byIp' => self::ACCESS_ALLOW,
194		'allowNonConfirmed' => self::ACCESS_ALLOW,
195		),
196		PageWelcomeTemplateManagement::class => array(
197		self::MAIN => self::ACCESS_ALLOW,
198		'select' => self::ACCESS_ALLOW,
199		'view' => self::ACCESS_ALLOW,
200		),
201		PageViewRequest::class => array(
202		self::MAIN => self::ACCESS_ALLOW,
203		'seeAllRequests' => self::ACCESS_ALLOW,
204		),
205		'RequestData' => array(
206		'seePrivateDataWhenReserved' => self::ACCESS_ALLOW,
207		'seePrivateDataWithHash' => self::ACCESS_ALLOW,
208		'seeRelatedRequests' => self::ACCESS_ALLOW,
209		),
210		PageCustomClose::class => array(
211		self::MAIN => self::ACCESS_ALLOW,
212		),
213		PageComment::class => array(
214		self::MAIN => self::ACCESS_ALLOW,
215		),
216		PageFlagComment::class => array(
217		self::MAIN => self::ACCESS_ALLOW,
218		),
219		PageCloseRequest::class => array(
220		self::MAIN => self::ACCESS_ALLOW,
221		),
222		PageCreateRequest::class => array(
223		self::MAIN => self::ACCESS_ALLOW,
224		),
225		PageDeferRequest::class => array(
226		self::MAIN => self::ACCESS_ALLOW,
227		),
228		PageDropRequest::class => array(
229		self::MAIN => self::ACCESS_ALLOW,
230		),
231		PageReservation::class => array(
232		self::MAIN => self::ACCESS_ALLOW,
233		),
234		PageSendToUser::class => array(
235		self::MAIN => self::ACCESS_ALLOW,
236		),
237		PageBreakReservation::class => array(
238		self::MAIN => self::ACCESS_ALLOW,
239		),
240		PageJobQueue::class => array(
241		self::MAIN => self::ACCESS_ALLOW,
242		'view' => self::ACCESS_ALLOW,
243		'all' => self::ACCESS_ALLOW,
244		'acknowledge' => self::ACCESS_ALLOW,
245		'cancel' => self::ACCESS_ALLOW
246		),
247		PageDomainManagement::class => array(
248		self::MAIN => self::ACCESS_ALLOW,
249		),
250		PageRequestFormManagement::class => array(
251		self::MAIN => self::ACCESS_ALLOW,
252		'view' => self::ACCESS_ALLOW,
253		'preview' => self::ACCESS_ALLOW,
254		),
255		'RequestCreation' => array(
256		PreferenceManager::CREATION_MANUAL => self::ACCESS_ALLOW,
257		PreferenceManager::CREATION_OAUTH => self::ACCESS_ALLOW,
258		),
259		'GlobalInfo' => array(
260		'viewSiteNotice' => self::ACCESS_ALLOW,
261		'viewOnlineUsers' => self::ACCESS_ALLOW,
262		),
263		),
264		'admin' => array(
265		'_description' => 'A tool administrator.',
266		'_editableBy' => array('admin', 'toolRoot'),
267		'_childRoles' => array(
268		'user',
269		'requestAdminTools',
270		),
271		PageEmailManagement::class => array(
272		'edit' => self::ACCESS_ALLOW,
273		'create' => self::ACCESS_ALLOW,
274		),
275		PageSiteNotice::class => array(
276		self::MAIN => self::ACCESS_ALLOW,
277		),
278		PageUserManagement::class => array(
279		self::MAIN => self::ACCESS_ALLOW,
280		'approve' => self::ACCESS_ALLOW,
281		'deactivate' => self::ACCESS_ALLOW,
282		'rename' => self::ACCESS_ALLOW,
283		'editUser' => self::ACCESS_ALLOW,
284		'editRoles' => self::ACCESS_ALLOW,
285		),
286		PageSearch::class => array(
287		'byComment' => self::ACCESS_ALLOW,
288		),
289		PageManuallyConfirm::class => array(
290		self::MAIN => self::ACCESS_ALLOW,
291		),
292		PageWelcomeTemplateManagement::class => array(
293		'edit' => self::ACCESS_ALLOW,
294		'delete' => self::ACCESS_ALLOW,
295		'add' => self::ACCESS_ALLOW,
296		),
297		PageJobQueue::class => array(
298		'acknowledge' => self::ACCESS_ALLOW,
299		'requeue' => self::ACCESS_ALLOW,
300		'cancel' => self::ACCESS_ALLOW,
301		),
302		'RequestData' => array(
303		'reopenClearedRequest' => self::ACCESS_ALLOW,
304		),
305		PageQueueManagement::class => array(
306		self::MAIN => self::ACCESS_ALLOW,
307		'edit' => self::ACCESS_ALLOW,
308		'create' => self::ACCESS_ALLOW,
309		),
310		PageRequestFormManagement::class => array(
311		'edit' => self::ACCESS_ALLOW,
312		'create' => self::ACCESS_ALLOW,
313		),
314		PageDomainManagement::class => array(
315		'edit' => self::ACCESS_ALLOW,
316		),
317		'UserData' => array(
318		'accountLog' => self::ACCESS_ALLOW,
319		),
320		),
321		'checkuser' => array(
322		'_description' => 'A user with CheckUser access',
323		'_editableBy' => array('checkuser', 'steward', 'toolRoot'),
324		'_childRoles' => array(
325		'user',
326		'requestAdminTools',
327		),
328		PageUserManagement::class => array(
329		self::MAIN => self::ACCESS_ALLOW,
330		'deactivate' => self::ACCESS_ALLOW,
331		'editRoles' => self::ACCESS_ALLOW,
332		),
333		'RequestData' => array(
334		'seeUserAgentData' => self::ACCESS_ALLOW,
335		'seeCheckuserComments' => self::ACCESS_ALLOW,
336		'createLocalAccount' => self::ACCESS_ALLOW,
337		),
338		'BanType' => array(
339		'useragent' => self::ACCESS_ALLOW,
340		),
341		'BanVisibility' => array(
342		'checkuser' => self::ACCESS_ALLOW,
343		),
344		'UserData' => array(
345		'accountLog' => self::ACCESS_ALLOW,
346		),
347		),
348		'steward' => array(
349		'_description' => 'A user with Steward access',
350		'_editableBy' => array('steward', 'toolRoot'),
351		'_globalOnly' => true,
352		'_childRoles' => array(
353		'user',
354		'checkuser',
355		),
356		'BanType' => array(
357		'ip-largerange' => self::ACCESS_ALLOW,
358		'global' => self::ACCESS_ALLOW,
359		),
360		),
361		'toolRoot' => array(
362	6	'_description' => 'A user with shell access to the servers running the tool',
363		'_editableBy' => array('toolRoot'),
364	6	'_globalOnly' => true,
365	4	'_childRoles' => array(
366		'admin',
367		),
368	6	'BanType' => array(
369	4	'ip-largerange' => self::ACCESS_ALLOW,
370		'global' => self::ACCESS_ALLOW,
371	6	),
372		PageDomainManagement::class => array(
373		self::MAIN => self::ACCESS_ALLOW,
374		'editAll' => self::ACCESS_ALLOW,
375		'edit' => self::ACCESS_ALLOW,
376		'create' => self::ACCESS_ALLOW,
377		),
378	3	PageErrorLogViewer::class => array(
379		self::MAIN => self::ACCESS_ALLOW,
380	3	'view' => self::ACCESS_ALLOW,
381		'remove' => self::ACCESS_ALLOW,
382	3	),
383	3	),
384		'botCreation' => array(
385	1	'_hidden' => true,
386		'_description' => 'A user allowed to use the bot to perform account creations',
387		'_editableBy' => array('admin', 'toolRoot'),
388	3	'_childRoles' => array(),
389		'RequestCreation' => array(
390	3	PreferenceManager::CREATION_BOT => self::ACCESS_ALLOW,
391	1	),
392	1	),
393
394	1	// Child roles go below this point
395		'publicStats' => array(
396		'_hidden' => true,
397	3	StatsUsers::class => array(
398	3	self::MAIN => self::ACCESS_ALLOW,
399		'detail' => self::ACCESS_ALLOW,
400		),
401		StatsTopCreators::class => array(
402		self::MAIN => self::ACCESS_ALLOW,
403		),
404	3	StatsMonthlyStats::class => array(
405		self::MAIN => self::ACCESS_ALLOW,
406		),
407	1	),
408		'internalStats' => array(
409	1	'_hidden' => true,
410		StatsMain::class => array(
411	1	self::MAIN => self::ACCESS_ALLOW,
412		),
413	1	StatsFastCloses::class => array(
414	1	self::MAIN => self::ACCESS_ALLOW,
415	1	),
416	1	StatsInactiveUsers::class => array(
417	1	self::MAIN => self::ACCESS_ALLOW,
418		),
419		StatsReservedRequests::class => array(
420		self::MAIN => self::ACCESS_ALLOW,
421		),
422	1	StatsTemplateStats::class => array(
423		self::MAIN => self::ACCESS_ALLOW,
424		),
425		),
426		'requestAdminTools' => array(
427		'_hidden' => true,
428		PageBan::class => array(
429		self::MAIN => self::ACCESS_ALLOW,
430		'set' => self::ACCESS_ALLOW,
431		'remove' => self::ACCESS_ALLOW,
432		'replace' => self::ACCESS_ALLOW,
433		),
434		'BanType' => array(
435		'ip' => self::ACCESS_ALLOW,
436		'email' => self::ACCESS_ALLOW,
437		'name' => self::ACCESS_ALLOW,
438		),
439		'BanVisibility' => array(
440		'user' => self::ACCESS_ALLOW,
441		'admin' => self::ACCESS_ALLOW,
442		),
443		PageEditComment::class => array(
444		'editOthers' => self::ACCESS_ALLOW,
445		),
446		PageBreakReservation::class => array(
447		'force' => self::ACCESS_ALLOW,
448		),
449		PageCustomClose::class => array(
450		'skipCcMailingList' => self::ACCESS_ALLOW,
451		),
452		PageFlagComment::class => array(
453		'unflag' => self::ACCESS_ALLOW,
454		),
455		PageListFlaggedComments::class => array(
456		self::MAIN => self::ACCESS_ALLOW,
457		),
458		'RequestData' => array(
459		'reopenOldRequest' => self::ACCESS_ALLOW,
460		'alwaysSeePrivateData' => self::ACCESS_ALLOW,
461		'alwaysSeeHash' => self::ACCESS_ALLOW,
462		'seeRestrictedComments' => self::ACCESS_ALLOW,
463		),
464		),
465		);
466
467		/** @var array
468		* List of roles which are exempt from the identification requirements
469		*
470		* Think twice about adding roles to this list.
471		*
472		* @category Security-Critical
473		*/
474		private static array $productionIdentificationExempt = array('public', 'loggedIn');
475
476		public function __construct()
477		{
478		parent::__construct(self::$productionRoleConfig, self::$productionIdentificationExempt);
479		}
480		}
481

mdaniels5757 / waca

Push — master ( dd638d...733d87 )

RoleConfiguration::getApplicableRoles() A

Complexity

Size

Duplication

Code Coverage

Importance

Duplication Side-by-Side

Filter issues like