public function testGetGlobalSession()
{
$context = \RequestContext::getMain();
if (!PHPSessionHandler::isInstalled()) {
PHPSessionHandler::install(SessionManager::singleton());
}
$rProp = new \ReflectionProperty(PHPSessionHandler::class, 'instance');
$rProp->setAccessible(true);
$handler = \TestingAccessWrapper::newFromObject($rProp->getValue());
$oldEnable = $handler->enable;
$reset[] = new \Wikimedia\ScopedCallback(function () use($handler, $oldEnable) {
if ($handler->enable) {
session_write_close();
}
$handler->enable = $oldEnable;
});
$reset[] = TestUtils::setSessionManagerSingleton($this->getManager());
$handler->enable = true;
$request = new \FauxRequest();
$context->setRequest($request);
$id = $request->getSession()->getId();
session_id('');
$session = SessionManager::getGlobalSession();
$this->assertSame($id, $session->getId());
session_id('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
$session = SessionManager::getGlobalSession();
$this->assertSame('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', $session->getId());
$this->assertSame('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', $request->getSession()->getId());
session_write_close();
$handler->enable = false;
$request = new \FauxRequest();
$context->setRequest($request);
$id = $request->getSession()->getId();
session_id('');
$session = SessionManager::getGlobalSession();
$this->assertSame($id, $session->getId());
session_id('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
$session = SessionManager::getGlobalSession();
$this->assertSame($id, $session->getId());
$this->assertSame($id, $request->getSession()->getId());
}
/**
* Send cache control HTTP headers
*/
public function sendCacheControl()
{
$response = $this->getRequest()->response();
$config = $this->getConfig();
if ($config->get('UseETag') && $this->mETag) {
$response->header("ETag: {$this->mETag}");
}
$this->addVaryHeader('Cookie');
$this->addAcceptLanguage();
# don't serve compressed data to clients who can't handle it
# maintain different caches for logged-in users and non-logged in ones
$response->header($this->getVaryHeader());
if ($config->get('UseKeyHeader')) {
$response->header($this->getKeyHeader());
}
if ($this->mEnableClientCache) {
if ($config->get('UseSquid') && !SessionManager::getGlobalSession()->isPersistent() && !$this->isPrintable() && $this->mCdnMaxage != 0 && !$this->haveCacheVaryCookies()) {
if ($config->get('UseESI')) {
# We'll purge the proxy cache explicitly, but require end user agents
# to revalidate against the proxy on each visit.
# Surrogate-Control controls our CDN, Cache-Control downstream caches
wfDebug(__METHOD__ . ": proxy caching with ESI; {$this->mLastModified} **", 'private');
# start with a shorter timeout for initial testing
# header( 'Surrogate-Control: max-age=2678400+2678400, content="ESI/1.0"');
$response->header('Surrogate-Control: max-age=' . $config->get('SquidMaxage') . '+' . $this->mCdnMaxage . ', content="ESI/1.0"');
$response->header('Cache-Control: s-maxage=0, must-revalidate, max-age=0');
} else {
# We'll purge the proxy cache for anons explicitly, but require end user agents
# to revalidate against the proxy on each visit.
# IMPORTANT! The CDN needs to replace the Cache-Control header with
# Cache-Control: s-maxage=0, must-revalidate, max-age=0
wfDebug(__METHOD__ . ": local proxy caching; {$this->mLastModified} **", 'private');
# start with a shorter timeout for initial testing
# header( "Cache-Control: s-maxage=2678400, must-revalidate, max-age=0" );
$response->header('Cache-Control: s-maxage=' . $this->mCdnMaxage . ', must-revalidate, max-age=0');
}
} else {
# We do want clients to cache if they can, but they *must* check for updates
# on revisiting the page.
wfDebug(__METHOD__ . ": private caching; {$this->mLastModified} **", 'private');
$response->header('Expires: ' . gmdate('D, d M Y H:i:s', 0) . ' GMT');
$response->header("Cache-Control: private, must-revalidate, max-age=0");
}
if ($this->mLastModified) {
$response->header("Last-Modified: {$this->mLastModified}");
}
} else {
wfDebug(__METHOD__ . ": no caching **", 'private');
# In general, the absence of a last modified header should be enough to prevent
# the client from using its cache. We send a few other things just to make sure.
$response->header('Expires: ' . gmdate('D, d M Y H:i:s', 0) . ' GMT');
$response->header('Cache-Control: no-cache, no-store, max-age=0, must-revalidate');
$response->header('Pragma: no-cache');
}
}
/**
* @param string|null $subPage
*/
public function execute($subPage)
{
$authManager = AuthManager::singleton();
$session = SessionManager::getGlobalSession();
// Session data is used for various things in the authentication process, so we must make
// sure a session cookie or some equivalent mechanism is set.
$session->persist();
$this->load($subPage);
$this->setHeaders();
$this->checkPermissions();
// Make sure it's possible to log in
if (!$this->isSignup() && !$session->canSetUser()) {
throw new ErrorPageError('cannotloginnow-title', 'cannotloginnow-text', [$session->getProvider()->describe(RequestContext::getMain()->getLanguage())]);
}
/*
* In the case where the user is already logged in, and was redirected to
* the login form from a page that requires login, do not show the login
* page. The use case scenario for this is when a user opens a large number
* of tabs, is redirected to the login page on all of them, and then logs
* in on one, expecting all the others to work properly.
*
* However, do show the form if it was visited intentionally (no 'returnto'
* is present). People who often switch between several accounts have grown
* accustomed to this behavior.
*
* Also make an exception when force=<level> is set in the URL, which means the user must
* reauthenticate for security reasons.
*/
if (!$this->isSignup() && !$this->mPosted && !$this->securityLevel && ($this->mReturnTo !== '' || $this->mReturnToQuery !== '') && $this->getUser()->isLoggedIn()) {
$this->successfulAction();
}
// If logging in and not on HTTPS, either redirect to it or offer a link.
global $wgSecureLogin;
if ($this->getRequest()->getProtocol() !== 'https') {
$title = $this->getFullTitle();
$query = $this->getPreservedParams(false) + ['title' => null, $this->mEntryErrorType === 'error' ? 'error' : 'warning' => $this->mEntryError] + $this->getRequest()->getQueryValues();
$url = $title->getFullURL($query, false, PROTO_HTTPS);
if ($wgSecureLogin && !$this->mFromHTTP && wfCanIPUseHTTPS($this->getRequest()->getIP())) {
// Avoid infinite redirect
$url = wfAppendQuery($url, 'fromhttp=1');
$this->getOutput()->redirect($url);
// Since we only do this redir to change proto, always vary
$this->getOutput()->addVaryHeader('X-Forwarded-Proto');
return;
} else {
// A wiki without HTTPS login support should set $wgServer to
// http://somehost, in which case the secure URL generated
// above won't actually start with https://
if (substr($url, 0, 8) === 'https://') {
$this->mSecureLoginUrl = $url;
}
}
}
if (!$this->isActionAllowed($this->authAction)) {
// FIXME how do we explain this to the user? can we handle session loss better?
// messages used: authpage-cannot-login, authpage-cannot-login-continue,
// authpage-cannot-create, authpage-cannot-create-continue
$this->mainLoginForm([], 'authpage-cannot-' . $this->authAction);
return;
}
$status = $this->trySubmit();
if (!$status || !$status->isGood()) {
$this->mainLoginForm($this->authRequests, $status ? $status->getMessage() : '', 'error');
return;
}
/** @var AuthenticationResponse $response */
$response = $status->getValue();
$returnToUrl = $this->getPageTitle('return')->getFullURL($this->getPreservedParams(true), false, PROTO_HTTPS);
switch ($response->status) {
case AuthenticationResponse::PASS:
$this->logAuthResult(true);
$this->proxyAccountCreation = $this->isSignup() && !$this->getUser()->isAnon();
$this->targetUser = User::newFromName($response->username);
if (!$this->proxyAccountCreation && $response->loginRequest && $authManager->canAuthenticateNow()) {
// successful registration; log the user in instantly
$response2 = $authManager->beginAuthentication([$response->loginRequest], $returnToUrl);
if ($response2->status !== AuthenticationResponse::PASS) {
LoggerFactory::getInstance('login')->error('Could not log in after account creation');
$this->successfulAction(true, Status::newFatal('createacct-loginerror'));
break;
}
}
if (!$this->proxyAccountCreation) {
// Ensure that the context user is the same as the session user.
$this->setSessionUserForCurrentRequest();
}
$this->successfulAction(true);
break;
case AuthenticationResponse::FAIL:
// fall through
// fall through
case AuthenticationResponse::RESTART:
unset($this->authForm);
if ($response->status === AuthenticationResponse::FAIL) {
$action = $this->getDefaultAction($subPage);
$messageType = 'error';
} else {
$action = $this->getContinueAction($this->authAction);
$messageType = 'warning';
}
$this->logAuthResult(false, $response->message ? $response->message->getKey() : '-');
$this->loadAuth($subPage, $action, true);
$this->mainLoginForm($this->authRequests, $response->message, $messageType);
break;
case AuthenticationResponse::REDIRECT:
unset($this->authForm);
$this->getOutput()->redirect($response->redirectTarget);
break;
case AuthenticationResponse::UI:
unset($this->authForm);
$this->authAction = $this->isSignup() ? AuthManager::ACTION_CREATE_CONTINUE : AuthManager::ACTION_LOGIN_CONTINUE;
$this->authRequests = $response->neededRequests;
$this->mainLoginForm($response->neededRequests, $response->message, 'warning');
break;
default:
throw new LogicException('invalid AuthenticationResponse');
}
}
/**
* Initialise php session
*
* @deprecated since 1.27, use MediaWiki\Session\SessionManager instead.
* Generally, "using" SessionManager will be calling ->getSessionById() or
* ::getGlobalSession() (depending on whether you were passing $sessionId
* here), then calling $session->persist().
* @param bool|string $sessionId
*/
function wfSetupSession($sessionId = false)
{
wfDeprecated(__FUNCTION__, '1.27');
if ($sessionId) {
session_id($sessionId);
}
$session = SessionManager::getGlobalSession();
$session->persist();
if (session_id() !== $session->getId()) {
session_id($session->getId());
}
MediaWiki\quietCall('session_start');
}
public function testAutoCreateUser()
{
global $wgGroupPermissions;
$that = $this;
\ObjectCache::$instances[__METHOD__] = new \HashBagOStuff();
$this->setMwGlobals(array('wgMainCacheType' => __METHOD__));
$this->stashMwGlobals(array('wgGroupPermissions'));
$wgGroupPermissions['*']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = false;
// Replace the global singleton with one configured for testing
$manager = $this->getManager();
$reset = TestUtils::setSessionManagerSingleton($manager);
$logger = new \TestLogger(true, function ($m) {
if (substr($m, 0, 15) === 'SessionBackend ') {
// Don't care.
return null;
}
$m = str_replace('MediaWiki\\Session\\SessionManager::autoCreateUser: '******'', $m);
$m = preg_replace('/ - from: .*$/', ' - from: XXX', $m);
return $m;
});
$manager->setLogger($logger);
$session = SessionManager::getGlobalSession();
// Can't create an already-existing user
$user = User::newFromName('UTSysop');
$id = $user->getId();
$this->assertFalse($manager->autoCreateUser($user));
$this->assertSame($id, $user->getId());
$this->assertSame('UTSysop', $user->getName());
$this->assertSame(array(), $logger->getBuffer());
$logger->clearBuffer();
// Sanity check that creation works at all
$user = User::newFromName('UTSessionAutoCreate1');
$this->assertSame(0, $user->getId(), 'sanity check');
$this->assertTrue($manager->autoCreateUser($user));
$this->assertNotEquals(0, $user->getId());
$this->assertSame('UTSessionAutoCreate1', $user->getName());
$this->assertEquals($user->getId(), User::idFromName('UTSessionAutoCreate1', User::READ_LATEST));
$this->assertSame(array(array(LogLevel::INFO, 'creating new user (UTSessionAutoCreate1) - from: XXX')), $logger->getBuffer());
$logger->clearBuffer();
// Check lack of permissions
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = false;
$user = User::newFromName('UTDoesNotExist');
$this->assertFalse($manager->autoCreateUser($user));
$this->assertSame(0, $user->getId());
$this->assertNotSame('UTDoesNotExist', $user->getName());
$this->assertEquals(0, User::idFromName('UTDoesNotExist', User::READ_LATEST));
$session->clear();
$this->assertSame(array(array(LogLevel::DEBUG, 'user is blocked from this wiki, blacklisting')), $logger->getBuffer());
$logger->clearBuffer();
// Check other permission
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$user = User::newFromName('UTSessionAutoCreate2');
$this->assertSame(0, $user->getId(), 'sanity check');
$this->assertTrue($manager->autoCreateUser($user));
$this->assertNotEquals(0, $user->getId());
$this->assertSame('UTSessionAutoCreate2', $user->getName());
$this->assertEquals($user->getId(), User::idFromName('UTSessionAutoCreate2', User::READ_LATEST));
$this->assertSame(array(array(LogLevel::INFO, 'creating new user (UTSessionAutoCreate2) - from: XXX')), $logger->getBuffer());
$logger->clearBuffer();
// Test account-creation block
$anon = new User();
$block = new \Block(array('address' => $anon->getName(), 'user' => $id, 'reason' => __METHOD__, 'expiry' => time() + 100500, 'createAccount' => true));
$block->insert();
$this->assertInstanceOf('Block', $anon->isBlockedFromCreateAccount(), 'sanity check');
$reset2 = new \ScopedCallback(array($block, 'delete'));
$user = User::newFromName('UTDoesNotExist');
$this->assertFalse($manager->autoCreateUser($user));
$this->assertSame(0, $user->getId());
$this->assertNotSame('UTDoesNotExist', $user->getName());
$this->assertEquals(0, User::idFromName('UTDoesNotExist', User::READ_LATEST));
\ScopedCallback::consume($reset2);
$session->clear();
$this->assertSame(array(array(LogLevel::DEBUG, 'user is blocked from this wiki, blacklisting')), $logger->getBuffer());
$logger->clearBuffer();
// Sanity check that creation still works
$user = User::newFromName('UTSessionAutoCreate3');
$this->assertSame(0, $user->getId(), 'sanity check');
$this->assertTrue($manager->autoCreateUser($user));
$this->assertNotEquals(0, $user->getId());
$this->assertSame('UTSessionAutoCreate3', $user->getName());
$this->assertEquals($user->getId(), User::idFromName('UTSessionAutoCreate3', User::READ_LATEST));
$this->assertSame(array(array(LogLevel::INFO, 'creating new user (UTSessionAutoCreate3) - from: XXX')), $logger->getBuffer());
$logger->clearBuffer();
// Test prevention by AuthPlugin
global $wgAuth;
$oldWgAuth = $wgAuth;
$mockWgAuth = $this->getMock('AuthPlugin', array('autoCreate'));
$mockWgAuth->expects($this->once())->method('autoCreate')->will($this->returnValue(false));
$this->setMwGlobals(array('wgAuth' => $mockWgAuth));
$user = User::newFromName('UTDoesNotExist');
$this->assertFalse($manager->autoCreateUser($user));
$this->assertSame(0, $user->getId());
$this->assertNotSame('UTDoesNotExist', $user->getName());
$this->assertEquals(0, User::idFromName('UTDoesNotExist', User::READ_LATEST));
$this->setMwGlobals(array('wgAuth' => $oldWgAuth));
$session->clear();
$this->assertSame(array(array(LogLevel::DEBUG, 'denied by AuthPlugin')), $logger->getBuffer());
$logger->clearBuffer();
// Test prevention by wfReadOnly()
$this->setMwGlobals(array('wgReadOnly' => 'Because'));
$user = User::newFromName('UTDoesNotExist');
$this->assertFalse($manager->autoCreateUser($user));
$this->assertSame(0, $user->getId());
$this->assertNotSame('UTDoesNotExist', $user->getName());
$this->assertEquals(0, User::idFromName('UTDoesNotExist', User::READ_LATEST));
$this->setMwGlobals(array('wgReadOnly' => false));
$session->clear();
$this->assertSame(array(array(LogLevel::DEBUG, 'denied by wfReadOnly()')), $logger->getBuffer());
$logger->clearBuffer();
// Test prevention by a previous session
$session->set('MWSession::AutoCreateBlacklist', 'test');
$user = User::newFromName('UTDoesNotExist');
$this->assertFalse($manager->autoCreateUser($user));
$this->assertSame(0, $user->getId());
$this->assertNotSame('UTDoesNotExist', $user->getName());
$this->assertEquals(0, User::idFromName('UTDoesNotExist', User::READ_LATEST));
$session->clear();
$this->assertSame(array(array(LogLevel::DEBUG, 'blacklisted in session (test)')), $logger->getBuffer());
$logger->clearBuffer();
// Test uncreatable name
$user = User::newFromName('UTDoesNotExist@');
$this->assertFalse($manager->autoCreateUser($user));
$this->assertSame(0, $user->getId());
$this->assertNotSame('UTDoesNotExist@', $user->getName());
$this->assertEquals(0, User::idFromName('UTDoesNotExist', User::READ_LATEST));
$session->clear();
$this->assertSame(array(array(LogLevel::DEBUG, 'Invalid username, blacklisting')), $logger->getBuffer());
$logger->clearBuffer();
// Test AbortAutoAccount hook
$mock = $this->getMock(__CLASS__, array('onAbortAutoAccount'));
$mock->expects($this->once())->method('onAbortAutoAccount')->will($this->returnCallback(function (User $user, &$msg) {
$msg = 'No way!';
return false;
}));
$this->mergeMwGlobalArrayValue('wgHooks', array('AbortAutoAccount' => array($mock)));
$user = User::newFromName('UTDoesNotExist');
$this->assertFalse($manager->autoCreateUser($user));
$this->assertSame(0, $user->getId());
$this->assertNotSame('UTDoesNotExist', $user->getName());
$this->assertEquals(0, User::idFromName('UTDoesNotExist', User::READ_LATEST));
$this->mergeMwGlobalArrayValue('wgHooks', array('AbortAutoAccount' => array()));
$session->clear();
$this->assertSame(array(array(LogLevel::DEBUG, 'denied by hook: No way!')), $logger->getBuffer());
$logger->clearBuffer();
// Test AbortAutoAccount hook screwing up the name
$mock = $this->getMock('stdClass', array('onAbortAutoAccount'));
$mock->expects($this->once())->method('onAbortAutoAccount')->will($this->returnCallback(function (User $user) {
$user->setName('UTDoesNotExistEither');
}));
$this->mergeMwGlobalArrayValue('wgHooks', array('AbortAutoAccount' => array($mock)));
try {
$user = User::newFromName('UTDoesNotExist');
$manager->autoCreateUser($user);
$this->fail('Expected exception not thrown');
} catch (\UnexpectedValueException $ex) {
$this->assertSame('AbortAutoAccount hook tried to change the user name', $ex->getMessage());
}
$this->assertSame(0, $user->getId());
$this->assertNotSame('UTDoesNotExist', $user->getName());
$this->assertNotSame('UTDoesNotExistEither', $user->getName());
$this->assertEquals(0, User::idFromName('UTDoesNotExist', User::READ_LATEST));
$this->assertEquals(0, User::idFromName('UTDoesNotExistEither', User::READ_LATEST));
$this->mergeMwGlobalArrayValue('wgHooks', array('AbortAutoAccount' => array()));
$session->clear();
$this->assertSame(array(), $logger->getBuffer());
$logger->clearBuffer();
// Test for "exception backoff"
$user = User::newFromName('UTDoesNotExist');
$cache = \ObjectCache::getLocalClusterInstance();
$backoffKey = wfMemcKey('MWSession', 'autocreate-failed', md5($user->getName()));
$cache->set($backoffKey, 1, 60 * 10);
$this->assertFalse($manager->autoCreateUser($user));
$this->assertSame(0, $user->getId());
$this->assertNotSame('UTDoesNotExist', $user->getName());
$this->assertEquals(0, User::idFromName('UTDoesNotExist', User::READ_LATEST));
$cache->delete($backoffKey);
$session->clear();
$this->assertSame(array(array(LogLevel::DEBUG, 'denied by prior creation attempt failures')), $logger->getBuffer());
$logger->clearBuffer();
// Sanity check that creation still works, and test completion hook
$cb = $this->callback(function (User $user) use($that) {
$that->assertNotEquals(0, $user->getId());
$that->assertSame('UTSessionAutoCreate4', $user->getName());
$that->assertEquals($user->getId(), User::idFromName('UTSessionAutoCreate4', User::READ_LATEST));
return true;
});
$mock = $this->getMock('stdClass', array('onAuthPluginAutoCreate', 'onLocalUserCreated'));
$mock->expects($this->once())->method('onAuthPluginAutoCreate')->with($cb);
$mock->expects($this->once())->method('onLocalUserCreated')->with($cb, $this->identicalTo(true));
$this->mergeMwGlobalArrayValue('wgHooks', array('AuthPluginAutoCreate' => array($mock), 'LocalUserCreated' => array($mock)));
$user = User::newFromName('UTSessionAutoCreate4');
$this->assertSame(0, $user->getId(), 'sanity check');
$this->assertTrue($manager->autoCreateUser($user));
$this->assertNotEquals(0, $user->getId());
$this->assertSame('UTSessionAutoCreate4', $user->getName());
$this->assertEquals($user->getId(), User::idFromName('UTSessionAutoCreate4', User::READ_LATEST));
$this->mergeMwGlobalArrayValue('wgHooks', array('AuthPluginAutoCreate' => array(), 'LocalUserCreated' => array()));
$this->assertSame(array(array(LogLevel::INFO, 'creating new user (UTSessionAutoCreate4) - from: XXX')), $logger->getBuffer());
$logger->clearBuffer();
}
/**
* Initialise php session
*
* @deprecated since 1.27, use MediaWiki\\Session\\SessionManager instead.
* Generally, "using" SessionManager will be calling ->getSessionById() or
* ::getGlobalSession() (depending on whether you were passing $sessionId
* here), then calling $session->persist().
* @param bool|string $sessionId
*/
function wfSetupSession($sessionId = false)
{
wfDeprecated(__FUNCTION__, '1.27');
// If they're calling this, they probably want our session management even
// if NO_SESSION was set for Setup.php.
if (!MediaWiki\Session\PHPSessionHandler::isInstalled()) {
MediaWiki\Session\PHPSessionHandler::install(SessionManager::singleton());
}
if ($sessionId) {
session_id($sessionId);
}
$session = SessionManager::getGlobalSession();
$session->persist();
if (session_id() !== $session->getId()) {
session_id($session->getId());
}
MediaWiki\quietCall('session_cache_limiter', 'private, must-revalidate');
MediaWiki\quietCall('session_start');
}
/**
* Renew the user's session id, using strong entropy
*/
private function renewSessionId()
{
global $wgSecureLogin, $wgCookieSecure;
if ($wgSecureLogin && !$this->mStickHTTPS) {
$wgCookieSecure = false;
}
SessionManager::getGlobalSession()->resetId();
}
/**
* For backwards compatibility, open the PHP session when the global
* session is persisted
*/
private function checkPHPSession()
{
if (!$this->checkPHPSessionRecursionGuard) {
$this->checkPHPSessionRecursionGuard = true;
$reset = new \ScopedCallback(function () {
$this->checkPHPSessionRecursionGuard = false;
});
if ($this->usePhpSessionHandling && session_id() === '' && PHPSessionHandler::isEnabled() && SessionManager::getGlobalSession()->getId() === (string) $this->id) {
$this->logger->debug('SessionBackend "{session}" Taking over PHP session', ['session' => $this->id]);
session_id((string) $this->id);
\MediaWiki\quietCall('session_start');
}
}
}
/**
* For backwards compatibility, open the PHP session when the global
* session is persisted
*/
private function checkPHPSession()
{
if (!$this->checkPHPSessionRecursionGuard) {
$this->checkPHPSessionRecursionGuard = true;
$ref =& $this->checkPHPSessionRecursionGuard;
$reset = new \ScopedCallback(function () use(&$ref) {
$ref = false;
});
if ($this->usePhpSessionHandling && session_id() === '' && PHPSessionHandler::isEnabled() && SessionManager::getGlobalSession()->getId() === (string) $this->id) {
$this->logger->debug("SessionBackend {$this->id}: Taking over PHP session");
session_id((string) $this->id);
\MediaWiki\quietCall('session_cache_limiter', 'private, must-revalidate');
\MediaWiki\quietCall('session_start');
}
}
}
/**
* This should kill the session as hard as possible.
* It will leave the cookie behind, but everything it could possibly
* reference will be gone.
*/
public function session_killAllEverything()
{
if ($this->isBatchProcessor()) {
return;
}
SessionManager::getGlobalSession()->clear();
}
static function setupSession($sessionId = false)
{
SessionManager::getGlobalSession()->persist();
}
/**
* Check if all users may be assumed to have the given permission
*
* We generally assume so if the right is granted to '*' and isn't revoked
* on any group. It doesn't attempt to take grants or other extension
* limitations on rights into account in the general case, though, as that
* would require it to always return false and defeat the purpose.
* Specifically, session-based rights restrictions (such as OAuth or bot
* passwords) are applied based on the current session.
*
* @since 1.22
* @param string $right Right to check
* @return bool
*/
public static function isEveryoneAllowed($right)
{
global $wgGroupPermissions, $wgRevokePermissions;
static $cache = array();
// Use the cached results, except in unit tests which rely on
// being able change the permission mid-request
if (isset($cache[$right]) && !defined('MW_PHPUNIT_TEST')) {
return $cache[$right];
}
if (!isset($wgGroupPermissions['*'][$right]) || !$wgGroupPermissions['*'][$right]) {
$cache[$right] = false;
return false;
}
// If it's revoked anywhere, then everyone doesn't have it
foreach ($wgRevokePermissions as $rights) {
if (isset($rights[$right]) && $rights[$right]) {
$cache[$right] = false;
return false;
}
}
// Remove any rights that aren't allowed to the global-session user
$allowedRights = SessionManager::getGlobalSession()->getAllowedUserRights();
if ($allowedRights !== null && !in_array($right, $allowedRights, true)) {
$cache[$right] = false;
return false;
}
// Allow extensions to say false
if (!Hooks::run('UserIsEveryoneAllowed', array($right))) {
$cache[$right] = false;
return false;
}
$cache[$right] = true;
return true;
}
public function __construct()
{
/** @var SessionProvider $provider */
$provider = SessionManager::getGlobalSession()->getProvider();
$this->expiration = $provider->getRememberUserDuration();
}
