Inspection of "fix database migration" - enwikipedia-acc/waca - Measure and Improve Code Quality continuously with Scrutinizer

Failed Conditions

Push — newinternal ( b66232...216d62 )

by Simon

created 2020-05-09 21:44 UTC

Status

Doc Comments +5 added lines, -2 removed lines patch added patch discarded remove patch

@@ -104,7 +104,7 @@  discard block
 block discarded – undo
     }
 
     /**
-     * @param $result
+     * @param string $result
      *
      * @return array
      */
@@ -123,6 +123,9 @@  discard block
 block discarded – undo
         return $data;
     }
 
+    /**
+     * @param string $data
+     */
     private function getYubikeyId($data)
     {
         return substr($data, 0, -32);
@@ -146,7 +149,7 @@  discard block
 block discarded – undo
     }
 
     /**
-     * @param $data
+     * @param string $data
      *
      * @return bool
      */

Please login to merge, or discard this patch.

Indentation +150 added lines, -150 removed lines patch added patch discarded remove patch

@@ -16,154 +16,154 @@
 block discarded – undo
 
 class YubikeyOtpCredentialProvider extends CredentialProviderBase
 {
-    /** @var HttpHelper */
-    private $httpHelper;
-    /**
-     * @var SiteConfiguration
-     */
-    private $configuration;
-
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration, HttpHelper $httpHelper)
-    {
-        parent::__construct($database, $configuration, 'yubikeyotp');
-        $this->httpHelper = $httpHelper;
-        $this->configuration = $configuration;
-    }
-
-    public function authenticate(User $user, $data)
-    {
-        if (is_array($data)) {
-            return false;
-        }
-
-        $credentialData = $this->getCredentialData($user->getId());
-
-        if ($credentialData === null) {
-            return false;
-        }
-
-        if ($credentialData->getData() !== $this->getYubikeyId($data)) {
-            // different device
-            return false;
-        }
-
-        return $this->verifyToken($data);
-    }
-
-    public function setCredential(User $user, $factor, $data)
-    {
-        $keyId = $this->getYubikeyId($data);
-        $valid = $this->verifyToken($data);
-
-        if (!$valid) {
-            throw new ApplicationLogicException("Provided token is not valid.");
-        }
-
-        $storedData = $this->getCredentialData($user->getId());
-
-        if ($storedData === null) {
-            $storedData = $this->createNewCredential($user);
-        }
-
-        $storedData->setData($keyId);
-        $storedData->setFactor($factor);
-        $storedData->setVersion(1);
-        $storedData->setPriority(8);
-
-        $storedData->save();
-    }
-
-    /**
-     * Get the Yubikey ID.
-     *
-     * This looks like it's just dumping the "password" that's stored in the database, but it's actually fine.
-     *
-     * We only store the "serial number" of the Yubikey - if we get a validated (by webservice) token prefixed with the
-     * serial number, that's a successful OTP authentication. Thus, retrieving the stored data is just retrieving the
-     * yubikey's serial number (in modhex format), since the actual security credentials are stored on the device.
-     *
-     * Note that the serial number is actually the credential serial number - it's possible to regenerate the keys on
-     * the device, and that will change the serial number too.
-     *
-     * More information about the structure of OTPs can be found here:
-     * https://developers.yubico.com/OTP/OTPs_Explained.html
-     *
-     * @param int $userId
-     *
-     * @return null|string
-     */
-    public function getYubikeyData($userId)
-    {
-        $credential = $this->getCredentialData($userId);
-
-        if ($credential === null) {
-            return null;
-        }
-
-        return $credential->getData();
-    }
-
-    /**
-     * @param $result
-     *
-     * @return array
-     */
-    private function parseYubicoApiResult($result)
-    {
-        $data = array();
-        foreach (explode("\r\n", $result) as $line) {
-            $pos = strpos($line, '=');
-            if ($pos === false) {
-                continue;
-            }
-
-            $data[substr($line, 0, $pos)] = substr($line, $pos + 1);
-        }
-
-        return $data;
-    }
-
-    private function getYubikeyId($data)
-    {
-        return substr($data, 0, -32);
-    }
-
-    private function verifyHmac($apiResponse, $apiKey)
-    {
-        ksort($apiResponse);
-        $signature = $apiResponse['h'];
-        unset($apiResponse['h']);
-
-        $data = array();
-        foreach ($apiResponse as $key => $value) {
-            $data[] = $key . "=" . $value;
-        }
-        $dataString = implode('&', $data);
-
-        $hmac = base64_encode(hash_hmac('sha1', $dataString, base64_decode($apiKey), true));
-
-        return $hmac === $signature;
-    }
-
-    /**
-     * @param $data
-     *
-     * @return bool
-     */
-    private function verifyToken($data)
-    {
-        $result = $this->httpHelper->get('https://api.yubico.com/wsapi/2.0/verify', array(
-            'id'    => $this->configuration->getYubicoApiId(),
-            'otp'   => $data,
-            'nonce' => md5(openssl_random_pseudo_bytes(64)),
-        ));
-
-        $apiResponse = $this->parseYubicoApiResult($result);
-
-        if (!$this->verifyHmac($apiResponse, $this->configuration->getYubicoApiKey())) {
-            return false;
-        }
-
-        return $apiResponse['status'] == 'OK';
-    }
+	/** @var HttpHelper */
+	private $httpHelper;
+	/**
+	 * @var SiteConfiguration
+	 */
+	private $configuration;
+
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration, HttpHelper $httpHelper)
+	{
+		parent::__construct($database, $configuration, 'yubikeyotp');
+		$this->httpHelper = $httpHelper;
+		$this->configuration = $configuration;
+	}
+
+	public function authenticate(User $user, $data)
+	{
+		if (is_array($data)) {
+			return false;
+		}
+
+		$credentialData = $this->getCredentialData($user->getId());
+
+		if ($credentialData === null) {
+			return false;
+		}
+
+		if ($credentialData->getData() !== $this->getYubikeyId($data)) {
+			// different device
+			return false;
+		}
+
+		return $this->verifyToken($data);
+	}
+
+	public function setCredential(User $user, $factor, $data)
+	{
+		$keyId = $this->getYubikeyId($data);
+		$valid = $this->verifyToken($data);
+
+		if (!$valid) {
+			throw new ApplicationLogicException("Provided token is not valid.");
+		}
+
+		$storedData = $this->getCredentialData($user->getId());
+
+		if ($storedData === null) {
+			$storedData = $this->createNewCredential($user);
+		}
+
+		$storedData->setData($keyId);
+		$storedData->setFactor($factor);
+		$storedData->setVersion(1);
+		$storedData->setPriority(8);
+
+		$storedData->save();
+	}
+
+	/**
+	 * Get the Yubikey ID.
+	 *
+	 * This looks like it's just dumping the "password" that's stored in the database, but it's actually fine.
+	 *
+	 * We only store the "serial number" of the Yubikey - if we get a validated (by webservice) token prefixed with the
+	 * serial number, that's a successful OTP authentication. Thus, retrieving the stored data is just retrieving the
+	 * yubikey's serial number (in modhex format), since the actual security credentials are stored on the device.
+	 *
+	 * Note that the serial number is actually the credential serial number - it's possible to regenerate the keys on
+	 * the device, and that will change the serial number too.
+	 *
+	 * More information about the structure of OTPs can be found here:
+	 * https://developers.yubico.com/OTP/OTPs_Explained.html
+	 *
+	 * @param int $userId
+	 *
+	 * @return null|string
+	 */
+	public function getYubikeyData($userId)
+	{
+		$credential = $this->getCredentialData($userId);
+
+		if ($credential === null) {
+			return null;
+		}
+
+		return $credential->getData();
+	}
+
+	/**
+	 * @param $result
+	 *
+	 * @return array
+	 */
+	private function parseYubicoApiResult($result)
+	{
+		$data = array();
+		foreach (explode("\r\n", $result) as $line) {
+			$pos = strpos($line, '=');
+			if ($pos === false) {
+				continue;
+			}
+
+			$data[substr($line, 0, $pos)] = substr($line, $pos + 1);
+		}
+
+		return $data;
+	}
+
+	private function getYubikeyId($data)
+	{
+		return substr($data, 0, -32);
+	}
+
+	private function verifyHmac($apiResponse, $apiKey)
+	{
+		ksort($apiResponse);
+		$signature = $apiResponse['h'];
+		unset($apiResponse['h']);
+
+		$data = array();
+		foreach ($apiResponse as $key => $value) {
+			$data[] = $key . "=" . $value;
+		}
+		$dataString = implode('&', $data);
+
+		$hmac = base64_encode(hash_hmac('sha1', $dataString, base64_decode($apiKey), true));
+
+		return $hmac === $signature;
+	}
+
+	/**
+	 * @param $data
+	 *
+	 * @return bool
+	 */
+	private function verifyToken($data)
+	{
+		$result = $this->httpHelper->get('https://api.yubico.com/wsapi/2.0/verify', array(
+			'id'    => $this->configuration->getYubicoApiId(),
+			'otp'   => $data,
+			'nonce' => md5(openssl_random_pseudo_bytes(64)),
+		));
+
+		$apiResponse = $this->parseYubicoApiResult($result);
+
+		if (!$this->verifyHmac($apiResponse, $this->configuration->getYubicoApiKey())) {
+			return false;
+		}
+
+		return $apiResponse['status'] == 'OK';
+	}
 }

Please login to merge, or discard this patch.

Spacing +1 added lines, -1 removed lines patch added patch discarded remove patch

@@ -136,7 +136,7 @@
 block discarded – undo
 
         $data = array();
         foreach ($apiResponse as $key => $value) {
-            $data[] = $key . "=" . $value;
+            $data[] = $key."=".$value;
         }
         $dataString = implode('&', $data);
 

Please login to merge, or discard this patch.

includes/Security/RoleConfiguration.php 2 patches

Unused Use Statements +5 added lines, -5 removed lines patch added patch discarded remove patch

@@ -16,11 +16,6 @@  discard block
 block discarded – undo
 use Waca\Pages\PageJobQueue;
 use Waca\Pages\PageLog;
 use Waca\Pages\PageMain;
-use Waca\Pages\RequestAction\PageCreateRequest;
-use Waca\Pages\UserAuth\PageChangePassword;
-use Waca\Pages\UserAuth\MultiFactor\PageMultiFactor;
-use Waca\Pages\UserAuth\PageOAuth;
-use Waca\Pages\UserAuth\PagePreferences;
 use Waca\Pages\PageSearch;
 use Waca\Pages\PageSiteNotice;
 use Waca\Pages\PageTeam;
@@ -30,6 +25,7 @@  discard block
 block discarded – undo
 use Waca\Pages\RequestAction\PageBreakReservation;
 use Waca\Pages\RequestAction\PageCloseRequest;
 use Waca\Pages\RequestAction\PageComment;
+use Waca\Pages\RequestAction\PageCreateRequest;
 use Waca\Pages\RequestAction\PageCustomClose;
 use Waca\Pages\RequestAction\PageDeferRequest;
 use Waca\Pages\RequestAction\PageDropRequest;
@@ -43,6 +39,10 @@  discard block
 block discarded – undo
 use Waca\Pages\Statistics\StatsTemplateStats;
 use Waca\Pages\Statistics\StatsTopCreators;
 use Waca\Pages\Statistics\StatsUsers;
+use Waca\Pages\UserAuth\MultiFactor\PageMultiFactor;
+use Waca\Pages\UserAuth\PageChangePassword;
+use Waca\Pages\UserAuth\PageOAuth;
+use Waca\Pages\UserAuth\PagePreferences;
 
 class RoleConfiguration
 {

Please login to merge, or discard this patch.

Indentation +344 added lines, -344 removed lines patch added patch discarded remove patch

@@ -46,374 +46,374 @@
 block discarded – undo
 
 class RoleConfiguration
 {
-    const ACCESS_ALLOW = 1;
-    const ACCESS_DENY = -1;
-    const ACCESS_DEFAULT = 0;
-    const MAIN = 'main';
-    const ALL = '*';
-    /**
-     * A map of roles to rights
-     *
-     * For example:
-     *
-     * array(
-     *   'myrole' => array(
-     *       PageMyPage::class => array(
-     *           'edit' => self::ACCESS_ALLOW,
-     *           'create' => self::ACCESS_DENY,
-     *       )
-     *   )
-     * )
-     *
-     * Note that DENY takes precedence over everything else when roles are combined, followed by ALLOW, followed by
-     * DEFAULT. Thus, if you have the following ([A]llow, [D]eny, [-] (default)) grants in different roles, this should
-     * be the expected result:
-     *
-     * - (-,-,-) = - (default because nothing to explicitly say allowed or denied equates to a denial)
-     * - (A,-,-) = A
-     * - (D,-,-) = D
-     * - (A,D,-) = D (deny takes precedence over allow)
-     * - (A,A,A) = A (repetition has no effect)
-     *
-     * The public role is special, and is applied to all users automatically. Avoid using deny on this role.
-     *
-     * @var array
-     */
-    private $roleConfig = array(
-        'public'            => array(
-            /*
+	const ACCESS_ALLOW = 1;
+	const ACCESS_DENY = -1;
+	const ACCESS_DEFAULT = 0;
+	const MAIN = 'main';
+	const ALL = '*';
+	/**
+	 * A map of roles to rights
+	 *
+	 * For example:
+	 *
+	 * array(
+	 *   'myrole' => array(
+	 *       PageMyPage::class => array(
+	 *           'edit' => self::ACCESS_ALLOW,
+	 *           'create' => self::ACCESS_DENY,
+	 *       )
+	 *   )
+	 * )
+	 *
+	 * Note that DENY takes precedence over everything else when roles are combined, followed by ALLOW, followed by
+	 * DEFAULT. Thus, if you have the following ([A]llow, [D]eny, [-] (default)) grants in different roles, this should
+	 * be the expected result:
+	 *
+	 * - (-,-,-) = - (default because nothing to explicitly say allowed or denied equates to a denial)
+	 * - (A,-,-) = A
+	 * - (D,-,-) = D
+	 * - (A,D,-) = D (deny takes precedence over allow)
+	 * - (A,A,A) = A (repetition has no effect)
+	 *
+	 * The public role is special, and is applied to all users automatically. Avoid using deny on this role.
+	 *
+	 * @var array
+	 */
+	private $roleConfig = array(
+		'public'            => array(
+			/*
              * THIS ROLE IS GRANTED TO ALL LOGGED *OUT* USERS IMPLICITLY.
              *
              * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
              * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
              */
-            '_childRoles'   => array(
-                'publicStats',
-            ),
-            PageTeam::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-        ),
-        'loggedIn'          => array(
-            /*
+			'_childRoles'   => array(
+				'publicStats',
+			),
+			PageTeam::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+		),
+		'loggedIn'          => array(
+			/*
              * THIS ROLE IS GRANTED TO ALL LOGGED IN USERS IMPLICITLY.
              *
              * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
              * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
              */
-            '_childRoles'             => array(
-                'public',
-            ),
-            PagePreferences::class    => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageChangePassword::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageMultiFactor::class    => array(
-                self::MAIN          => self::ACCESS_ALLOW,
-                'scratch'           => self::ACCESS_ALLOW,
-                'enableYubikeyOtp'  => self::ACCESS_ALLOW,
-                'disableYubikeyOtp' => self::ACCESS_ALLOW,
-                'enableTotp'        => self::ACCESS_ALLOW,
-                'disableTotp'       => self::ACCESS_ALLOW,
-                'enableU2F'       => self::ACCESS_ALLOW,
-                'disableU2F'       => self::ACCESS_ALLOW,
-            ),
-            PageOAuth::class          => array(
-                'attach' => self::ACCESS_ALLOW,
-                'detach' => self::ACCESS_ALLOW,
-            ),
-        ),
-        'user'              => array(
-            '_description'                       => 'A standard tool user.',
-            '_editableBy'                        => array('admin', 'toolRoot'),
-            '_childRoles'                        => array(
-                'internalStats',
-            ),
-            PageMain::class                      => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageBan::class                       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageEditComment::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageEmailManagement::class           => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'view'     => self::ACCESS_ALLOW,
-            ),
-            PageExpandedRequestList::class       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageLog::class                       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageSearch::class                    => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageWelcomeTemplateManagement::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'select'   => self::ACCESS_ALLOW,
-                'view'     => self::ACCESS_ALLOW,
-            ),
-            PageViewRequest::class               => array(
-                self::MAIN       => self::ACCESS_ALLOW,
-                'seeAllRequests' => self::ACCESS_ALLOW,
-            ),
-            'RequestData'                        => array(
-                'seePrivateDataWhenReserved' => self::ACCESS_ALLOW,
-                'seePrivateDataWithHash'     => self::ACCESS_ALLOW,
-            ),
-            PageCustomClose::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageComment::class                   => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageCloseRequest::class              => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageCreateRequest::class             => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageDeferRequest::class              => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageDropRequest::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageReservation::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageSendToUser::class                => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageBreakReservation::class          => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageJobQueue::class                  => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'view'     => self::ACCESS_ALLOW,
-                'all'      => self::ACCESS_ALLOW,
-            ),
-            'RequestCreation'                    => array(
-                User::CREATION_MANUAL => self::ACCESS_ALLOW,
-                User::CREATION_OAUTH  => self::ACCESS_ALLOW,
-            ),
-        ),
-        'admin'             => array(
-            '_description'                       => 'A tool administrator.',
-            '_editableBy'                        => array('admin', 'toolRoot'),
-            '_childRoles'                        => array(
-                'user',
-                'requestAdminTools',
-            ),
-            PageEmailManagement::class           => array(
-                'edit'   => self::ACCESS_ALLOW,
-                'create' => self::ACCESS_ALLOW,
-            ),
-            PageSiteNotice::class                => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageUserManagement::class            => array(
-                self::MAIN  => self::ACCESS_ALLOW,
-                'approve'   => self::ACCESS_ALLOW,
-                'decline'   => self::ACCESS_ALLOW,
-                'rename'    => self::ACCESS_ALLOW,
-                'editUser'  => self::ACCESS_ALLOW,
-                'suspend'   => self::ACCESS_ALLOW,
-                'editRoles' => self::ACCESS_ALLOW,
-            ),
-            PageWelcomeTemplateManagement::class => array(
-                'edit'   => self::ACCESS_ALLOW,
-                'delete' => self::ACCESS_ALLOW,
-                'add'    => self::ACCESS_ALLOW,
-            ),
-            PageJobQueue::class                  => array(
-                'acknowledge' => self::ACCESS_ALLOW,
-                'requeue'     => self::ACCESS_ALLOW,
-            ),
-        ),
-        'checkuser'         => array(
-            '_description'            => 'A user with CheckUser access',
-            '_editableBy'             => array('checkuser', 'toolRoot'),
-            '_childRoles'             => array(
-                'user',
-                'requestAdminTools',
-            ),
-            PageUserManagement::class => array(
-                self::MAIN  => self::ACCESS_ALLOW,
-                'suspend'   => self::ACCESS_ALLOW,
-                'editRoles' => self::ACCESS_ALLOW,
-            ),
-            'RequestData'             => array(
-                'seeUserAgentData' => self::ACCESS_ALLOW,
-            ),
-        ),
-        'toolRoot'          => array(
-            '_description' => 'A user with shell access to the servers running the tool',
-            '_editableBy'  => array('toolRoot'),
-            '_childRoles'  => array(
-                'admin',
-                'checkuser',
-            ),
-        ),
-        'botCreation'       => array(
-            '_description'    => 'A user allowed to use the bot to perform account creations',
-            '_editableBy'     => array('admin', 'toolRoot'),
-            '_childRoles'     => array(),
-            'RequestCreation' => array(
-                User::CREATION_BOT => self::ACCESS_ALLOW,
-            ),
-        ),
+			'_childRoles'             => array(
+				'public',
+			),
+			PagePreferences::class    => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageChangePassword::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageMultiFactor::class    => array(
+				self::MAIN          => self::ACCESS_ALLOW,
+				'scratch'           => self::ACCESS_ALLOW,
+				'enableYubikeyOtp'  => self::ACCESS_ALLOW,
+				'disableYubikeyOtp' => self::ACCESS_ALLOW,
+				'enableTotp'        => self::ACCESS_ALLOW,
+				'disableTotp'       => self::ACCESS_ALLOW,
+				'enableU2F'       => self::ACCESS_ALLOW,
+				'disableU2F'       => self::ACCESS_ALLOW,
+			),
+			PageOAuth::class          => array(
+				'attach' => self::ACCESS_ALLOW,
+				'detach' => self::ACCESS_ALLOW,
+			),
+		),
+		'user'              => array(
+			'_description'                       => 'A standard tool user.',
+			'_editableBy'                        => array('admin', 'toolRoot'),
+			'_childRoles'                        => array(
+				'internalStats',
+			),
+			PageMain::class                      => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageBan::class                       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageEditComment::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageEmailManagement::class           => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'view'     => self::ACCESS_ALLOW,
+			),
+			PageExpandedRequestList::class       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageLog::class                       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageSearch::class                    => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageWelcomeTemplateManagement::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'select'   => self::ACCESS_ALLOW,
+				'view'     => self::ACCESS_ALLOW,
+			),
+			PageViewRequest::class               => array(
+				self::MAIN       => self::ACCESS_ALLOW,
+				'seeAllRequests' => self::ACCESS_ALLOW,
+			),
+			'RequestData'                        => array(
+				'seePrivateDataWhenReserved' => self::ACCESS_ALLOW,
+				'seePrivateDataWithHash'     => self::ACCESS_ALLOW,
+			),
+			PageCustomClose::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageComment::class                   => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageCloseRequest::class              => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageCreateRequest::class             => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageDeferRequest::class              => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageDropRequest::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageReservation::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageSendToUser::class                => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageBreakReservation::class          => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageJobQueue::class                  => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'view'     => self::ACCESS_ALLOW,
+				'all'      => self::ACCESS_ALLOW,
+			),
+			'RequestCreation'                    => array(
+				User::CREATION_MANUAL => self::ACCESS_ALLOW,
+				User::CREATION_OAUTH  => self::ACCESS_ALLOW,
+			),
+		),
+		'admin'             => array(
+			'_description'                       => 'A tool administrator.',
+			'_editableBy'                        => array('admin', 'toolRoot'),
+			'_childRoles'                        => array(
+				'user',
+				'requestAdminTools',
+			),
+			PageEmailManagement::class           => array(
+				'edit'   => self::ACCESS_ALLOW,
+				'create' => self::ACCESS_ALLOW,
+			),
+			PageSiteNotice::class                => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageUserManagement::class            => array(
+				self::MAIN  => self::ACCESS_ALLOW,
+				'approve'   => self::ACCESS_ALLOW,
+				'decline'   => self::ACCESS_ALLOW,
+				'rename'    => self::ACCESS_ALLOW,
+				'editUser'  => self::ACCESS_ALLOW,
+				'suspend'   => self::ACCESS_ALLOW,
+				'editRoles' => self::ACCESS_ALLOW,
+			),
+			PageWelcomeTemplateManagement::class => array(
+				'edit'   => self::ACCESS_ALLOW,
+				'delete' => self::ACCESS_ALLOW,
+				'add'    => self::ACCESS_ALLOW,
+			),
+			PageJobQueue::class                  => array(
+				'acknowledge' => self::ACCESS_ALLOW,
+				'requeue'     => self::ACCESS_ALLOW,
+			),
+		),
+		'checkuser'         => array(
+			'_description'            => 'A user with CheckUser access',
+			'_editableBy'             => array('checkuser', 'toolRoot'),
+			'_childRoles'             => array(
+				'user',
+				'requestAdminTools',
+			),
+			PageUserManagement::class => array(
+				self::MAIN  => self::ACCESS_ALLOW,
+				'suspend'   => self::ACCESS_ALLOW,
+				'editRoles' => self::ACCESS_ALLOW,
+			),
+			'RequestData'             => array(
+				'seeUserAgentData' => self::ACCESS_ALLOW,
+			),
+		),
+		'toolRoot'          => array(
+			'_description' => 'A user with shell access to the servers running the tool',
+			'_editableBy'  => array('toolRoot'),
+			'_childRoles'  => array(
+				'admin',
+				'checkuser',
+			),
+		),
+		'botCreation'       => array(
+			'_description'    => 'A user allowed to use the bot to perform account creations',
+			'_editableBy'     => array('admin', 'toolRoot'),
+			'_childRoles'     => array(),
+			'RequestCreation' => array(
+				User::CREATION_BOT => self::ACCESS_ALLOW,
+			),
+		),
 
-        // Child roles go below this point
-        'publicStats'       => array(
-            '_hidden'               => true,
-            StatsUsers::class       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'detail'   => self::ACCESS_ALLOW,
-            ),
-            StatsTopCreators::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-        ),
-        'internalStats'     => array(
-            '_hidden'                    => true,
-            StatsMain::class             => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsFastCloses::class       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsInactiveUsers::class    => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsMonthlyStats::class     => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsReservedRequests::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsTemplateStats::class    => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-        ),
-        'requestAdminTools' => array(
-            '_hidden'                   => true,
-            PageBan::class              => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'set'      => self::ACCESS_ALLOW,
-                'remove'   => self::ACCESS_ALLOW,
-            ),
-            PageEditComment::class      => array(
-                'editOthers' => self::ACCESS_ALLOW,
-            ),
-            PageBreakReservation::class => array(
-                'force' => self::ACCESS_ALLOW,
-            ),
-            PageCustomClose::class      => array(
-                'skipCcMailingList' => self::ACCESS_ALLOW,
-            ),
-            'RequestData'               => array(
-                'reopenOldRequest'      => self::ACCESS_ALLOW,
-                'alwaysSeePrivateData'  => self::ACCESS_ALLOW,
-                'alwaysSeeHash'         => self::ACCESS_ALLOW,
-                'seeRestrictedComments' => self::ACCESS_ALLOW,
-            ),
-        ),
-    );
-    /** @var array
-     * List of roles which are *exempt* from the identification requirements
-     *
-     * Think twice about adding roles to this list.
-     *
-     * @category Security-Critical
-     */
-    private $identificationExempt = array('public', 'loggedIn');
+		// Child roles go below this point
+		'publicStats'       => array(
+			'_hidden'               => true,
+			StatsUsers::class       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'detail'   => self::ACCESS_ALLOW,
+			),
+			StatsTopCreators::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+		),
+		'internalStats'     => array(
+			'_hidden'                    => true,
+			StatsMain::class             => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsFastCloses::class       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsInactiveUsers::class    => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsMonthlyStats::class     => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsReservedRequests::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsTemplateStats::class    => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+		),
+		'requestAdminTools' => array(
+			'_hidden'                   => true,
+			PageBan::class              => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'set'      => self::ACCESS_ALLOW,
+				'remove'   => self::ACCESS_ALLOW,
+			),
+			PageEditComment::class      => array(
+				'editOthers' => self::ACCESS_ALLOW,
+			),
+			PageBreakReservation::class => array(
+				'force' => self::ACCESS_ALLOW,
+			),
+			PageCustomClose::class      => array(
+				'skipCcMailingList' => self::ACCESS_ALLOW,
+			),
+			'RequestData'               => array(
+				'reopenOldRequest'      => self::ACCESS_ALLOW,
+				'alwaysSeePrivateData'  => self::ACCESS_ALLOW,
+				'alwaysSeeHash'         => self::ACCESS_ALLOW,
+				'seeRestrictedComments' => self::ACCESS_ALLOW,
+			),
+		),
+	);
+	/** @var array
+	 * List of roles which are *exempt* from the identification requirements
+	 *
+	 * Think twice about adding roles to this list.
+	 *
+	 * @category Security-Critical
+	 */
+	private $identificationExempt = array('public', 'loggedIn');
 
-    /**
-     * RoleConfiguration constructor.
-     *
-     * @param array $roleConfig           Set to non-null to override the default configuration.
-     * @param array $identificationExempt Set to non-null to override the default configuration.
-     */
-    public function __construct(array $roleConfig = null, array $identificationExempt = null)
-    {
-        if ($roleConfig !== null) {
-            $this->roleConfig = $roleConfig;
-        }
+	/**
+	 * RoleConfiguration constructor.
+	 *
+	 * @param array $roleConfig           Set to non-null to override the default configuration.
+	 * @param array $identificationExempt Set to non-null to override the default configuration.
+	 */
+	public function __construct(array $roleConfig = null, array $identificationExempt = null)
+	{
+		if ($roleConfig !== null) {
+			$this->roleConfig = $roleConfig;
+		}
 
-        if ($identificationExempt !== null) {
-            $this->identificationExempt = $identificationExempt;
-        }
-    }
+		if ($identificationExempt !== null) {
+			$this->identificationExempt = $identificationExempt;
+		}
+	}
 
-    /**
-     * @param array $roles The roles to check
-     *
-     * @return array
-     */
-    public function getApplicableRoles(array $roles)
-    {
-        $available = array();
+	/**
+	 * @param array $roles The roles to check
+	 *
+	 * @return array
+	 */
+	public function getApplicableRoles(array $roles)
+	{
+		$available = array();
 
-        foreach ($roles as $role) {
-            if (!isset($this->roleConfig[$role])) {
-                // wat
-                continue;
-            }
+		foreach ($roles as $role) {
+			if (!isset($this->roleConfig[$role])) {
+				// wat
+				continue;
+			}
 
-            $available[$role] = $this->roleConfig[$role];
+			$available[$role] = $this->roleConfig[$role];
 
-            if (isset($available[$role]['_childRoles'])) {
-                $childRoles = self::getApplicableRoles($available[$role]['_childRoles']);
-                $available = array_merge($available, $childRoles);
+			if (isset($available[$role]['_childRoles'])) {
+				$childRoles = self::getApplicableRoles($available[$role]['_childRoles']);
+				$available = array_merge($available, $childRoles);
 
-                unset($available[$role]['_childRoles']);
-            }
+				unset($available[$role]['_childRoles']);
+			}
 
-            foreach (array('_hidden', '_editableBy', '_description') as $item) {
-                if (isset($available[$role][$item])) {
-                    unset($available[$role][$item]);
-                }
-            }
-        }
+			foreach (array('_hidden', '_editableBy', '_description') as $item) {
+				if (isset($available[$role][$item])) {
+					unset($available[$role][$item]);
+				}
+			}
+		}
 
-        return $available;
-    }
+		return $available;
+	}
 
-    public function getAvailableRoles()
-    {
-        $possible = array_diff(array_keys($this->roleConfig), array('public', 'loggedIn'));
+	public function getAvailableRoles()
+	{
+		$possible = array_diff(array_keys($this->roleConfig), array('public', 'loggedIn'));
 
-        $actual = array();
+		$actual = array();
 
-        foreach ($possible as $role) {
-            if (!isset($this->roleConfig[$role]['_hidden'])) {
-                $actual[$role] = array(
-                    'description' => $this->roleConfig[$role]['_description'],
-                    'editableBy'  => $this->roleConfig[$role]['_editableBy'],
-                );
-            }
-        }
+		foreach ($possible as $role) {
+			if (!isset($this->roleConfig[$role]['_hidden'])) {
+				$actual[$role] = array(
+					'description' => $this->roleConfig[$role]['_description'],
+					'editableBy'  => $this->roleConfig[$role]['_editableBy'],
+				);
+			}
+		}
 
-        return $actual;
-    }
+		return $actual;
+	}
 
-    /**
-     * @param string $role
-     *
-     * @return bool
-     */
-    public function roleNeedsIdentification($role)
-    {
-        if (in_array($role, $this->identificationExempt)) {
-            return false;
-        }
+	/**
+	 * @param string $role
+	 *
+	 * @return bool
+	 */
+	public function roleNeedsIdentification($role)
+	{
+		if (in_array($role, $this->identificationExempt)) {
+			return false;
+		}
 
-        return true;
-    }
+		return true;
+	}
 }

Please login to merge, or discard this patch.

includes/WebRequest.php 2 patches

Doc Comments +4 added lines patch added patch discarded remove patch

@@ -513,6 +513,10 @@
 block discarded – undo
         return isset($session['oauthPartialLogin']) ? (int)$session['oauthPartialLogin'] : null;
     }
 
+    /**
+     * @param integer $userId
+     * @param integer $stage
+     */
     public static function setAuthPartialLogin($userId, $stage)
     {
         $session = &self::$globalStateProvider->getSessionSuperGlobal();

Please login to merge, or discard this patch.

Indentation +556 added lines, -556 removed lines patch added patch discarded remove patch

@@ -22,560 +22,560 @@
 block discarded – undo
  */
 class WebRequest
 {
-    /**
-     * @var \Waca\Providers\GlobalState\IGlobalStateProvider Provides access to the global state.
-     */
-    private static $globalStateProvider;
-
-    /**
-     * Returns a boolean value if the request was submitted with the HTTP POST method.
-     * @return bool
-     */
-    public static function wasPosted()
-    {
-        return self::method() === 'POST';
-    }
-
-    /**
-     * Gets the HTTP Method used
-     * @return string|null
-     */
-    public static function method()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['REQUEST_METHOD'])) {
-            return $server['REQUEST_METHOD'];
-        }
-
-        return null;
-    }
-
-    /**
-     * Gets a boolean value stating whether the request was served over HTTPS or not.
-     * @return bool
-     */
-    public static function isHttps()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
-            if ($server['HTTP_X_FORWARDED_PROTO'] === 'https') {
-                // Client <=> Proxy is encrypted
-                return true;
-            }
-            else {
-                // Proxy <=> Server link unknown, Client <=> Proxy is not encrypted.
-                return false;
-            }
-        }
-
-        if (isset($server['HTTPS'])) {
-            if ($server['HTTPS'] === 'off') {
-                // ISAPI on IIS breaks the spec. :(
-                return false;
-            }
-
-            if ($server['HTTPS'] !== '') {
-                // Set to a non-empty value
-                return true;
-            }
-        }
-
-        return false;
-    }
-
-    /**
-     * Gets the path info
-     *
-     * @return array Array of path info segments
-     */
-    public static function pathInfo()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-        if (!isset($server['PATH_INFO'])) {
-            return array();
-        }
-
-        $exploded = explode('/', $server['PATH_INFO']);
-
-        // filter out empty values, and reindex from zero. Notably, the first element is always zero, since it starts
-        // with a /
-        return array_values(array_filter($exploded));
-    }
-
-    /**
-     * Gets the remote address of the web request
-     * @return null|string
-     */
-    public static function remoteAddress()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['REMOTE_ADDR'])) {
-            return $server['REMOTE_ADDR'];
-        }
-
-        return null;
-    }
-
-    /**
-     * Gets the remote address of the web request
-     * @return null|string
-     */
-    public static function httpHost()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['HTTP_HOST'])) {
-            return $server['HTTP_HOST'];
-        }
-
-        return null;
-    }
-
-    /**
-     * Gets the XFF header contents for the web request
-     * @return null|string
-     */
-    public static function forwardedAddress()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['HTTP_X_FORWARDED_FOR'])) {
-            return $server['HTTP_X_FORWARDED_FOR'];
-        }
-
-        return null;
-    }
-
-    /**
-     * Sets the global state provider.
-     *
-     * Almost guaranteed this is not the method you want in production code.
-     *
-     * @param \Waca\Providers\GlobalState\IGlobalStateProvider $globalState
-     */
-    public static function setGlobalStateProvider($globalState)
-    {
-        self::$globalStateProvider = $globalState;
-    }
-
-    #region POST variables
-
-    /**
-     * @param string $key
-     *
-     * @return null|string
-     */
-    public static function postString($key)
-    {
-        $post = &self::$globalStateProvider->getPostSuperGlobal();
-        if (!array_key_exists($key, $post)) {
-            return null;
-        }
-
-        if ($post[$key] === "") {
-            return null;
-        }
-
-        return (string)$post[$key];
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return null|string
-     */
-    public static function postEmail($key)
-    {
-        $post = &self::$globalStateProvider->getPostSuperGlobal();
-        if (!array_key_exists($key, $post)) {
-            return null;
-        }
-
-        $filteredValue = filter_var($post[$key], FILTER_SANITIZE_EMAIL);
-
-        if ($filteredValue === false) {
-            return null;
-        }
-
-        return (string)$filteredValue;
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return int|null
-     */
-    public static function postInt($key)
-    {
-        $post = &self::$globalStateProvider->getPostSuperGlobal();
-        if (!array_key_exists($key, $post)) {
-            return null;
-        }
-
-        $filteredValue = filter_var($post[$key], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
-
-        if ($filteredValue === null) {
-            return null;
-        }
-
-        return (int)$filteredValue;
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return bool
-     */
-    public static function postBoolean($key)
-    {
-        $get = &self::$globalStateProvider->getPostSuperGlobal();
-        if (!array_key_exists($key, $get)) {
-            return false;
-        }
-
-        // presence of parameter only
-        if ($get[$key] === "") {
-            return true;
-        }
-
-        if (in_array($get[$key], array(false, 'no', 'off', 0, 'false'), true)) {
-            return false;
-        }
-
-        return true;
-    }
-
-    #endregion
-
-    #region GET variables
-
-    /**
-     * @param string $key
-     *
-     * @return bool
-     */
-    public static function getBoolean($key)
-    {
-        $get = &self::$globalStateProvider->getGetSuperGlobal();
-        if (!array_key_exists($key, $get)) {
-            return false;
-        }
-
-        // presence of parameter only
-        if ($get[$key] === "") {
-            return true;
-        }
-
-        if (in_array($get[$key], array(false, 'no', 'off', 0, 'false'), true)) {
-            return false;
-        }
-
-        return true;
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return int|null
-     */
-    public static function getInt($key)
-    {
-        $get = &self::$globalStateProvider->getGetSuperGlobal();
-        if (!array_key_exists($key, $get)) {
-            return null;
-        }
-
-        $filteredValue = filter_var($get[$key], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
-
-        if ($filteredValue === null) {
-            return null;
-        }
-
-        return (int)$filteredValue;
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return null|string
-     */
-    public static function getString($key)
-    {
-        $get = &self::$globalStateProvider->getGetSuperGlobal();
-        if (!array_key_exists($key, $get)) {
-            return null;
-        }
-
-        if ($get[$key] === "") {
-            return null;
-        }
-
-        return (string)$get[$key];
-    }
-
-    #endregion
-
-    /**
-     * Sets the logged-in user to the specified user.
-     *
-     * @param User $user
-     */
-    public static function setLoggedInUser(User $user)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        $session['userID'] = $user->getId();
-        unset($session['partialLogin']);
-    }
-
-    /**
-     * Sets the post-login redirect
-     */
-    public static function setPostLoginRedirect()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        $session['returnTo'] = self::requestUri();
-    }
-
-    /**
-     * @return string|null
-     */
-    public static function requestUri()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['REQUEST_URI'])) {
-            return $server['REQUEST_URI'];
-        }
-
-        return null;
-    }
-
-    /**
-     * Clears the post-login redirect
-     * @return string
-     */
-    public static function clearPostLoginRedirect()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        if (array_key_exists('returnTo', $session)) {
-            $path = $session['returnTo'];
-            unset($session['returnTo']);
-
-            return $path;
-        }
-
-        return null;
-    }
-
-    /**
-     * @return string|null
-     */
-    public static function serverName()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['SERVER_NAME'])) {
-            return $server['SERVER_NAME'];
-        }
-
-        return null;
-    }
-
-    /**
-     * You probably only want to deal with this through SessionAlert.
-     * @return void
-     */
-    public static function clearSessionAlertData()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        if (array_key_exists('alerts', $session)) {
-            unset($session['alerts']);
-        }
-    }
-
-    /**
-     * You probably only want to deal with this through SessionAlert.
-     *
-     * @return string[]
-     */
-    public static function getSessionAlertData()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        if (array_key_exists('alerts', $session)) {
-            return $session['alerts'];
-        }
-
-        return array();
-    }
-
-    /**
-     * You probably only want to deal with this through SessionAlert.
-     *
-     * @param string[] $data
-     */
-    public static function setSessionAlertData($data)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        $session['alerts'] = $data;
-    }
-
-    /**
-     * You probably only want to deal with this through TokenManager.
-     *
-     * @return string[]
-     */
-    public static function getSessionTokenData()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        if (array_key_exists('tokens', $session)) {
-            return $session['tokens'];
-        }
-
-        return array();
-    }
-
-    /**
-     * You probably only want to deal with this through TokenManager.
-     *
-     * @param string[] $data
-     */
-    public static function setSessionTokenData($data)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        $session['tokens'] = $data;
-    }
-
-    /**
-     * @param string $key
-     *
-     * @return mixed
-     */
-    public static function getSessionContext($key)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        if (!isset($session['context'])) {
-            $session['context'] = array();
-        }
-
-        if (!isset($session['context'][$key])) {
-            return null;
-        }
-
-        return $session['context'][$key];
-    }
-
-    /**
-     * @param string $key
-     * @param mixed  $data
-     */
-    public static function setSessionContext($key, $data)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        if (!isset($session['context'])) {
-            $session['context'] = array();
-        }
-
-        $session['context'][$key] = $data;
-    }
-
-    /**
-     * @return int|null
-     */
-    public static function getSessionUserId()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        return isset($session['userID']) ? (int)$session['userID'] : null;
-    }
-
-    /**
-     * @param User $user
-     */
-    public static function setOAuthPartialLogin(User $user)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        $session['oauthPartialLogin'] = $user->getId();
-    }
-
-    /**
-     * @return int|null
-     */
-    public static function getOAuthPartialLogin()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        return isset($session['oauthPartialLogin']) ? (int)$session['oauthPartialLogin'] : null;
-    }
-
-    public static function setAuthPartialLogin($userId, $stage)
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        $session['authPartialLoginId'] = $userId;
-        $session['authPartialLoginStage'] = $stage;
-    }
-
-    public static function getAuthPartialLogin()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-
-        $userId = isset($session['authPartialLoginId']) ? (int)$session['authPartialLoginId'] : null;
-        $stage = isset($session['authPartialLoginStage']) ? (int)$session['authPartialLoginStage'] : null;
-
-        return array($userId, $stage);
-    }
-
-    public static function clearAuthPartialLogin()
-    {
-        $session = &self::$globalStateProvider->getSessionSuperGlobal();
-        unset($session['authPartialLoginId']);
-        unset($session['authPartialLoginStage']);
-    }
-
-    /**
-     * @return null|string
-     */
-    public static function userAgent()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['HTTP_USER_AGENT'])) {
-            return $server['HTTP_USER_AGENT'];
-        }
-
-        return null;
-    }
-
-    /**
-     * @return null|string
-     */
-    public static function scriptName()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['SCRIPT_NAME'])) {
-            return $server['SCRIPT_NAME'];
-        }
-
-        return null;
-    }
-
-    /**
-     * @return null|string
-     */
-    public static function origin()
-    {
-        $server = &self::$globalStateProvider->getServerSuperGlobal();
-
-        if (isset($server['HTTP_ORIGIN'])) {
-            return $server['HTTP_ORIGIN'];
-        }
-
-        return null;
-    }
+	/**
+	 * @var \Waca\Providers\GlobalState\IGlobalStateProvider Provides access to the global state.
+	 */
+	private static $globalStateProvider;
+
+	/**
+	 * Returns a boolean value if the request was submitted with the HTTP POST method.
+	 * @return bool
+	 */
+	public static function wasPosted()
+	{
+		return self::method() === 'POST';
+	}
+
+	/**
+	 * Gets the HTTP Method used
+	 * @return string|null
+	 */
+	public static function method()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['REQUEST_METHOD'])) {
+			return $server['REQUEST_METHOD'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * Gets a boolean value stating whether the request was served over HTTPS or not.
+	 * @return bool
+	 */
+	public static function isHttps()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
+			if ($server['HTTP_X_FORWARDED_PROTO'] === 'https') {
+				// Client <=> Proxy is encrypted
+				return true;
+			}
+			else {
+				// Proxy <=> Server link unknown, Client <=> Proxy is not encrypted.
+				return false;
+			}
+		}
+
+		if (isset($server['HTTPS'])) {
+			if ($server['HTTPS'] === 'off') {
+				// ISAPI on IIS breaks the spec. :(
+				return false;
+			}
+
+			if ($server['HTTPS'] !== '') {
+				// Set to a non-empty value
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	/**
+	 * Gets the path info
+	 *
+	 * @return array Array of path info segments
+	 */
+	public static function pathInfo()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+		if (!isset($server['PATH_INFO'])) {
+			return array();
+		}
+
+		$exploded = explode('/', $server['PATH_INFO']);
+
+		// filter out empty values, and reindex from zero. Notably, the first element is always zero, since it starts
+		// with a /
+		return array_values(array_filter($exploded));
+	}
+
+	/**
+	 * Gets the remote address of the web request
+	 * @return null|string
+	 */
+	public static function remoteAddress()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['REMOTE_ADDR'])) {
+			return $server['REMOTE_ADDR'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * Gets the remote address of the web request
+	 * @return null|string
+	 */
+	public static function httpHost()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['HTTP_HOST'])) {
+			return $server['HTTP_HOST'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * Gets the XFF header contents for the web request
+	 * @return null|string
+	 */
+	public static function forwardedAddress()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['HTTP_X_FORWARDED_FOR'])) {
+			return $server['HTTP_X_FORWARDED_FOR'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * Sets the global state provider.
+	 *
+	 * Almost guaranteed this is not the method you want in production code.
+	 *
+	 * @param \Waca\Providers\GlobalState\IGlobalStateProvider $globalState
+	 */
+	public static function setGlobalStateProvider($globalState)
+	{
+		self::$globalStateProvider = $globalState;
+	}
+
+	#region POST variables
+
+	/**
+	 * @param string $key
+	 *
+	 * @return null|string
+	 */
+	public static function postString($key)
+	{
+		$post = &self::$globalStateProvider->getPostSuperGlobal();
+		if (!array_key_exists($key, $post)) {
+			return null;
+		}
+
+		if ($post[$key] === "") {
+			return null;
+		}
+
+		return (string)$post[$key];
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return null|string
+	 */
+	public static function postEmail($key)
+	{
+		$post = &self::$globalStateProvider->getPostSuperGlobal();
+		if (!array_key_exists($key, $post)) {
+			return null;
+		}
+
+		$filteredValue = filter_var($post[$key], FILTER_SANITIZE_EMAIL);
+
+		if ($filteredValue === false) {
+			return null;
+		}
+
+		return (string)$filteredValue;
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return int|null
+	 */
+	public static function postInt($key)
+	{
+		$post = &self::$globalStateProvider->getPostSuperGlobal();
+		if (!array_key_exists($key, $post)) {
+			return null;
+		}
+
+		$filteredValue = filter_var($post[$key], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+
+		if ($filteredValue === null) {
+			return null;
+		}
+
+		return (int)$filteredValue;
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return bool
+	 */
+	public static function postBoolean($key)
+	{
+		$get = &self::$globalStateProvider->getPostSuperGlobal();
+		if (!array_key_exists($key, $get)) {
+			return false;
+		}
+
+		// presence of parameter only
+		if ($get[$key] === "") {
+			return true;
+		}
+
+		if (in_array($get[$key], array(false, 'no', 'off', 0, 'false'), true)) {
+			return false;
+		}
+
+		return true;
+	}
+
+	#endregion
+
+	#region GET variables
+
+	/**
+	 * @param string $key
+	 *
+	 * @return bool
+	 */
+	public static function getBoolean($key)
+	{
+		$get = &self::$globalStateProvider->getGetSuperGlobal();
+		if (!array_key_exists($key, $get)) {
+			return false;
+		}
+
+		// presence of parameter only
+		if ($get[$key] === "") {
+			return true;
+		}
+
+		if (in_array($get[$key], array(false, 'no', 'off', 0, 'false'), true)) {
+			return false;
+		}
+
+		return true;
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return int|null
+	 */
+	public static function getInt($key)
+	{
+		$get = &self::$globalStateProvider->getGetSuperGlobal();
+		if (!array_key_exists($key, $get)) {
+			return null;
+		}
+
+		$filteredValue = filter_var($get[$key], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+
+		if ($filteredValue === null) {
+			return null;
+		}
+
+		return (int)$filteredValue;
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return null|string
+	 */
+	public static function getString($key)
+	{
+		$get = &self::$globalStateProvider->getGetSuperGlobal();
+		if (!array_key_exists($key, $get)) {
+			return null;
+		}
+
+		if ($get[$key] === "") {
+			return null;
+		}
+
+		return (string)$get[$key];
+	}
+
+	#endregion
+
+	/**
+	 * Sets the logged-in user to the specified user.
+	 *
+	 * @param User $user
+	 */
+	public static function setLoggedInUser(User $user)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		$session['userID'] = $user->getId();
+		unset($session['partialLogin']);
+	}
+
+	/**
+	 * Sets the post-login redirect
+	 */
+	public static function setPostLoginRedirect()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		$session['returnTo'] = self::requestUri();
+	}
+
+	/**
+	 * @return string|null
+	 */
+	public static function requestUri()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['REQUEST_URI'])) {
+			return $server['REQUEST_URI'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * Clears the post-login redirect
+	 * @return string
+	 */
+	public static function clearPostLoginRedirect()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		if (array_key_exists('returnTo', $session)) {
+			$path = $session['returnTo'];
+			unset($session['returnTo']);
+
+			return $path;
+		}
+
+		return null;
+	}
+
+	/**
+	 * @return string|null
+	 */
+	public static function serverName()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['SERVER_NAME'])) {
+			return $server['SERVER_NAME'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * You probably only want to deal with this through SessionAlert.
+	 * @return void
+	 */
+	public static function clearSessionAlertData()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		if (array_key_exists('alerts', $session)) {
+			unset($session['alerts']);
+		}
+	}
+
+	/**
+	 * You probably only want to deal with this through SessionAlert.
+	 *
+	 * @return string[]
+	 */
+	public static function getSessionAlertData()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		if (array_key_exists('alerts', $session)) {
+			return $session['alerts'];
+		}
+
+		return array();
+	}
+
+	/**
+	 * You probably only want to deal with this through SessionAlert.
+	 *
+	 * @param string[] $data
+	 */
+	public static function setSessionAlertData($data)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		$session['alerts'] = $data;
+	}
+
+	/**
+	 * You probably only want to deal with this through TokenManager.
+	 *
+	 * @return string[]
+	 */
+	public static function getSessionTokenData()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		if (array_key_exists('tokens', $session)) {
+			return $session['tokens'];
+		}
+
+		return array();
+	}
+
+	/**
+	 * You probably only want to deal with this through TokenManager.
+	 *
+	 * @param string[] $data
+	 */
+	public static function setSessionTokenData($data)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		$session['tokens'] = $data;
+	}
+
+	/**
+	 * @param string $key
+	 *
+	 * @return mixed
+	 */
+	public static function getSessionContext($key)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		if (!isset($session['context'])) {
+			$session['context'] = array();
+		}
+
+		if (!isset($session['context'][$key])) {
+			return null;
+		}
+
+		return $session['context'][$key];
+	}
+
+	/**
+	 * @param string $key
+	 * @param mixed  $data
+	 */
+	public static function setSessionContext($key, $data)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		if (!isset($session['context'])) {
+			$session['context'] = array();
+		}
+
+		$session['context'][$key] = $data;
+	}
+
+	/**
+	 * @return int|null
+	 */
+	public static function getSessionUserId()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		return isset($session['userID']) ? (int)$session['userID'] : null;
+	}
+
+	/**
+	 * @param User $user
+	 */
+	public static function setOAuthPartialLogin(User $user)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		$session['oauthPartialLogin'] = $user->getId();
+	}
+
+	/**
+	 * @return int|null
+	 */
+	public static function getOAuthPartialLogin()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		return isset($session['oauthPartialLogin']) ? (int)$session['oauthPartialLogin'] : null;
+	}
+
+	public static function setAuthPartialLogin($userId, $stage)
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		$session['authPartialLoginId'] = $userId;
+		$session['authPartialLoginStage'] = $stage;
+	}
+
+	public static function getAuthPartialLogin()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+
+		$userId = isset($session['authPartialLoginId']) ? (int)$session['authPartialLoginId'] : null;
+		$stage = isset($session['authPartialLoginStage']) ? (int)$session['authPartialLoginStage'] : null;
+
+		return array($userId, $stage);
+	}
+
+	public static function clearAuthPartialLogin()
+	{
+		$session = &self::$globalStateProvider->getSessionSuperGlobal();
+		unset($session['authPartialLoginId']);
+		unset($session['authPartialLoginStage']);
+	}
+
+	/**
+	 * @return null|string
+	 */
+	public static function userAgent()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['HTTP_USER_AGENT'])) {
+			return $server['HTTP_USER_AGENT'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * @return null|string
+	 */
+	public static function scriptName()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['SCRIPT_NAME'])) {
+			return $server['SCRIPT_NAME'];
+		}
+
+		return null;
+	}
+
+	/**
+	 * @return null|string
+	 */
+	public static function origin()
+	{
+		$server = &self::$globalStateProvider->getServerSuperGlobal();
+
+		if (isset($server['HTTP_ORIGIN'])) {
+			return $server['HTTP_ORIGIN'];
+		}
+
+		return null;
+	}
 }
\ No newline at end of file

Please login to merge, or discard this patch.

config.inc.php 2 patches

Indentation +80 added lines, -80 removed lines patch added patch discarded remove patch

@@ -200,24 +200,24 @@  discard block
 block discarded – undo
 
 // request states
 $availableRequestStates = array(
-    'Open'          => array(
-        'defertolog' => 'users', // don't change or you'll break old logs
-        'deferto'    => 'users',
-        'header'     => 'Open requests',
-        'api'        => "open",
-    ),
-    'Flagged users' => array(
-        'defertolog' => 'flagged users', // don't change or you'll break old logs
-        'deferto'    => 'flagged users',
-        'header'     => 'Flagged user needed',
-        'api'        => "admin",
-    ),
-    'Checkuser'     => array(
-        'defertolog' => 'checkusers', // don't change or you'll break old logs
-        'deferto'    => 'checkusers',
-        'header'     => 'Checkuser needed',
-        'api'        => "checkuser",
-    ),
+	'Open'          => array(
+		'defertolog' => 'users', // don't change or you'll break old logs
+		'deferto'    => 'users',
+		'header'     => 'Open requests',
+		'api'        => "open",
+	),
+	'Flagged users' => array(
+		'defertolog' => 'flagged users', // don't change or you'll break old logs
+		'deferto'    => 'flagged users',
+		'header'     => 'Flagged user needed',
+		'api'        => "admin",
+	),
+	'Checkuser'     => array(
+		'defertolog' => 'checkusers', // don't change or you'll break old logs
+		'deferto'    => 'checkusers',
+		'header'     => 'Checkuser needed',
+		'api'        => "checkuser",
+	),
 );
 
 $defaultRequestStateKey = 'Open';
@@ -264,21 +264,21 @@  discard block
 block discarded – undo
 require_once('config.local.inc.php');
 
 $cDatabaseConfig = array(
-    "acc"           => array(
-        "dsrcname" => "mysql:host=" . $toolserver_host . ";dbname=" . $toolserver_database,
-        "username" => $toolserver_username,
-        "password" => $toolserver_password,
-    ),
-    "wikipedia"     => array(
-        "dsrcname" => "mysql:host=" . $antispoof_host . ";dbname=" . $antispoof_db,
-        "username" => $toolserver_username,
-        "password" => $toolserver_password,
-    ),
-    "notifications" => array(
-        "dsrcname" => "mysql:host=" . $toolserver_notification_dbhost . ";dbname=" . $toolserver_notification_database,
-        "username" => $notifications_username,
-        "password" => $notifications_password,
-    ),
+	"acc"           => array(
+		"dsrcname" => "mysql:host=" . $toolserver_host . ";dbname=" . $toolserver_database,
+		"username" => $toolserver_username,
+		"password" => $toolserver_password,
+	),
+	"wikipedia"     => array(
+		"dsrcname" => "mysql:host=" . $antispoof_host . ";dbname=" . $antispoof_db,
+		"username" => $toolserver_username,
+		"password" => $toolserver_password,
+	),
+	"notifications" => array(
+		"dsrcname" => "mysql:host=" . $toolserver_notification_dbhost . ";dbname=" . $toolserver_notification_database,
+		"username" => $notifications_username,
+		"password" => $notifications_password,
+	),
 );
 
 // //Keep the included files from being executed.
@@ -290,18 +290,18 @@  discard block
 block discarded – undo
 ini_set('user_agent', $toolUserAgent);
 
 foreach (array(
-    "mbstring", // unicode and stuff
-    "pdo",
-    "pdo_mysql", // new database module
-    "session",
-    "date",
-    "pcre", // core stuff
-    "curl", // mediawiki api access etc
-    "openssl", // token generation
+	"mbstring", // unicode and stuff
+	"pdo",
+	"pdo_mysql", // new database module
+	"session",
+	"date",
+	"pcre", // core stuff
+	"curl", // mediawiki api access etc
+	"openssl", // token generation
 ) as $x) {
-    if (!extension_loaded($x)) {
-        die("extension $x is required.");
-    }
+	if (!extension_loaded($x)) {
+		die("extension $x is required.");
+	}
 }
 
 // Set up the AutoLoader
@@ -328,39 +328,39 @@  discard block
 block discarded – undo
 $siteConfiguration = new \Waca\SiteConfiguration();
 
 $siteConfiguration->setBaseUrl($baseurl)
-    ->setFilePath(__DIR__)
-    ->setDebuggingTraceEnabled($enableErrorTrace)
-    ->setForceIdentification($forceIdentification)
-    ->setIdentificationCacheExpiry($identificationCacheExpiry)
-    ->setMediawikiScriptPath($mediawikiScriptPath)
-    ->setMediawikiWebServiceEndpoint($mediawikiWebServiceEndpoint)
-    ->setMetaWikimediaWebServiceEndpoint($metaWikimediaWebServiceEndpoint)
-    ->setEnforceOAuth($enforceOAuth)
-    ->setEmailConfirmationEnabled($enableEmailConfirm == 1)
-    ->setEmailConfirmationExpiryDays($emailConfirmationExpiryDays)
-    ->setMiserModeLimit($requestLimitShowOnly)
-    ->setRequestStates($availableRequestStates)
-    ->setSquidList($squidIpList)
-    ->setDefaultCreatedTemplateId($createdid)
-    ->setDefaultRequestStateKey($defaultRequestStateKey)
-    ->setUseStrictTransportSecurity($strictTransportSecurityExpiry)
-    ->setUserAgent($toolUserAgent)
-    ->setCurlDisableVerifyPeer($curlDisableSSLVerifyPeer)
-    ->setUseOAuthSignup($useOauthSignup)
-    ->setOAuthBaseUrl($oauthBaseUrl)
-    ->setOAuthConsumerToken($oauthConsumerToken)
-    ->setOAuthConsumerSecret($oauthSecretToken)
-    ->setOauthMediaWikiCanonicalServer($oauthMediaWikiCanonicalServer)
-    ->setDataClearInterval($dataclear_interval)
-    ->setXffTrustedHostsFile($xff_trusted_hosts_file)
-    ->setIrcNotificationsEnabled($ircBotNotificationsEnabled == 1)
-    ->setIrcNotificationType($ircBotNotificationType)
-    ->setIrcNotificationsInstance($whichami)
-    ->setTitleBlacklistEnabled($enableTitleblacklist == 1)
-    ->setTorExitPaths(array_merge(gethostbynamel('en.wikipedia.org'), gethostbynamel('accounts.wmflabs.org')))
-    ->setCreationBotUsername($creationBotUsername)
-    ->setCreationBotPassword($creationBotPassword)
-    ->setCurlCookieJar($curlCookieJar)
-    ->setYubicoApiId($yubicoApiId)
-    ->setYubicoApiKey($yubicoApiKey)
-    ->setTotpEncryptionKey($totpEncryptionKey);
+	->setFilePath(__DIR__)
+	->setDebuggingTraceEnabled($enableErrorTrace)
+	->setForceIdentification($forceIdentification)
+	->setIdentificationCacheExpiry($identificationCacheExpiry)
+	->setMediawikiScriptPath($mediawikiScriptPath)
+	->setMediawikiWebServiceEndpoint($mediawikiWebServiceEndpoint)
+	->setMetaWikimediaWebServiceEndpoint($metaWikimediaWebServiceEndpoint)
+	->setEnforceOAuth($enforceOAuth)
+	->setEmailConfirmationEnabled($enableEmailConfirm == 1)
+	->setEmailConfirmationExpiryDays($emailConfirmationExpiryDays)
+	->setMiserModeLimit($requestLimitShowOnly)
+	->setRequestStates($availableRequestStates)
+	->setSquidList($squidIpList)
+	->setDefaultCreatedTemplateId($createdid)
+	->setDefaultRequestStateKey($defaultRequestStateKey)
+	->setUseStrictTransportSecurity($strictTransportSecurityExpiry)
+	->setUserAgent($toolUserAgent)
+	->setCurlDisableVerifyPeer($curlDisableSSLVerifyPeer)
+	->setUseOAuthSignup($useOauthSignup)
+	->setOAuthBaseUrl($oauthBaseUrl)
+	->setOAuthConsumerToken($oauthConsumerToken)
+	->setOAuthConsumerSecret($oauthSecretToken)
+	->setOauthMediaWikiCanonicalServer($oauthMediaWikiCanonicalServer)
+	->setDataClearInterval($dataclear_interval)
+	->setXffTrustedHostsFile($xff_trusted_hosts_file)
+	->setIrcNotificationsEnabled($ircBotNotificationsEnabled == 1)
+	->setIrcNotificationType($ircBotNotificationType)
+	->setIrcNotificationsInstance($whichami)
+	->setTitleBlacklistEnabled($enableTitleblacklist == 1)
+	->setTorExitPaths(array_merge(gethostbynamel('en.wikipedia.org'), gethostbynamel('accounts.wmflabs.org')))
+	->setCreationBotUsername($creationBotUsername)
+	->setCreationBotPassword($creationBotPassword)
+	->setCurlCookieJar($curlCookieJar)
+	->setYubicoApiId($yubicoApiId)
+	->setYubicoApiKey($yubicoApiKey)
+	->setTotpEncryptionKey($totpEncryptionKey);

Please login to merge, or discard this patch.

Spacing +9 added lines, -9 removed lines patch added patch discarded remove patch

@@ -130,7 +130,7 @@  discard block
 block discarded – undo
 
 $BUbasefile = "backup"; // The basefile's name.
 $BUdir = "/home/project/a/c/c/acc/backups"; // The directory where backups should be stored.
-$BUmonthdir = $BUdir . "/monthly"; // The directory where monthly backups should be stored.
+$BUmonthdir = $BUdir."/monthly"; // The directory where monthly backups should be stored.
 $BUdumper = "/opt/ts/mysql/5.1/bin/mysqldump --defaults-file=~/.my.cnf p_acc_live"; // Add parameters here if they are needed.
 $BUgzip = "/usr/bin/gzip"; // Add the gzip parameters here if needed.
 $BUtar = "/bin/tar -cvf"; // Add the tar parameters here if needed.
@@ -246,7 +246,7 @@  discard block
 block discarded – undo
 $curlDisableSSLVerifyPeer = false;
 
 // Change this to be outside the web directory.
-$curlCookieJar = __DIR__ . '/../cookies.txt';
+$curlCookieJar = __DIR__.'/../cookies.txt';
 
 $yubicoApiId = 0;
 $yubicoApiKey = "";
@@ -265,17 +265,17 @@  discard block
 block discarded – undo
 
 $cDatabaseConfig = array(
     "acc"           => array(
-        "dsrcname" => "mysql:host=" . $toolserver_host . ";dbname=" . $toolserver_database,
+        "dsrcname" => "mysql:host=".$toolserver_host.";dbname=".$toolserver_database,
         "username" => $toolserver_username,
         "password" => $toolserver_password,
     ),
     "wikipedia"     => array(
-        "dsrcname" => "mysql:host=" . $antispoof_host . ";dbname=" . $antispoof_db,
+        "dsrcname" => "mysql:host=".$antispoof_host.";dbname=".$antispoof_db,
         "username" => $toolserver_username,
         "password" => $toolserver_password,
     ),
     "notifications" => array(
-        "dsrcname" => "mysql:host=" . $toolserver_notification_dbhost . ";dbname=" . $toolserver_notification_database,
+        "dsrcname" => "mysql:host=".$toolserver_notification_dbhost.";dbname=".$toolserver_notification_database,
         "username" => $notifications_username,
         "password" => $notifications_password,
     ),
@@ -305,13 +305,13 @@  discard block
 block discarded – undo
 }
 
 // Set up the AutoLoader
-require_once(__DIR__ . "/includes/AutoLoader.php");
+require_once(__DIR__."/includes/AutoLoader.php");
 spl_autoload_register('Waca\\AutoLoader::load');
-require_once(__DIR__ . '/vendor/autoload.php');
+require_once(__DIR__.'/vendor/autoload.php');
 
 // Extra includes which are just plain awkward wherever they are.
-require_once(__DIR__ . '/lib/mediawiki-extensions-OAuth/lib/OAuth.php');
-require_once(__DIR__ . '/lib/mediawiki-extensions-OAuth/lib/JWT.php');
+require_once(__DIR__.'/lib/mediawiki-extensions-OAuth/lib/OAuth.php');
+require_once(__DIR__.'/lib/mediawiki-extensions-OAuth/lib/JWT.php');
 
 // Crap that's needed for libraries. >:(
 /**

Please login to merge, or discard this patch.

includes/Pages/UserAuth/MultiFactor/PageMultiFactor.php 3 patches

Braces +4 added lines, -2 removed lines patch added patch discarded remove patch

@@ -229,7 +229,8 @@  discard block
 block discarded – undo
         $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
     }
 
-    protected function enableU2F() {
+    protected function enableU2F()
+    {
         $database = $this->getDatabase();
         $currentUser = User::getCurrent($database);
 
@@ -336,7 +337,8 @@  discard block
 block discarded – undo
         }
     }
 
-    protected function disableU2F() {
+    protected function disableU2F()
+    {
         $database = $this->getDatabase();
         $currentUser = User::getCurrent($database);
 

Please login to merge, or discard this patch.

Indentation +372 added lines, -372 removed lines patch added patch discarded remove patch

@@ -26,239 +26,239 @@  discard block
 block discarded – undo
 
 class PageMultiFactor extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $yubikeyOtpCredentialProvider = new YubikeyOtpCredentialProvider($database, $this->getSiteConfiguration(),
-            $this->getHttpHelper());
-        $this->assign('yubikeyOtpIdentity', $yubikeyOtpCredentialProvider->getYubikeyData($currentUser->getId()));
-        $this->assign('yubikeyOtpEnrolled', $yubikeyOtpCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $totpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('totpEnrolled', $totpCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $u2fCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('u2fEnrolled', $u2fCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $scratchCredentialProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('scratchEnrolled', $scratchCredentialProvider->userIsEnrolled($currentUser->getId()));
-        $this->assign('scratchRemaining', $scratchCredentialProvider->getRemaining($currentUser->getId()));
-
-        $this->setTemplate('mfa/mfa.tpl');
-    }
-
-    protected function enableYubikeyOtp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
-            $this->getSiteConfiguration(), $this->getHttpHelper());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $password = WebRequest::postString('password');
-            $otp = WebRequest::postString('otp');
-
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                try {
-                    $otpCredentialProvider->setCredential($currentUser, 2, $otp);
-                    SessionAlert::success('Enabled YubiKey OTP.');
-
-                    $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                        $scratchProvider->setCredential($currentUser, 2, null);
-                        $tokens = $scratchProvider->getTokens();
-                        $this->assign('tokens', $tokens);
-                        $this->setTemplate('mfa/regenScratchTokens.tpl');
-                        return;
-                    }
-                }
-                catch (ApplicationLogicException $ex) {
-                    SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
-                }
-
-                $this->redirect('multiFactor');
-            }
-            else {
-                SessionAlert::error('Error enabling YubiKey OTP - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/enableYubikey.tpl');
-        }
-    }
-
-    protected function disableYubikeyOtp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
-            $this->getSiteConfiguration(), $this->getHttpHelper());
-
-        $factorType = 'YubiKey OTP';
-
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
-
-    protected function enableTotp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            // used for routing only, not security
-            $stage = WebRequest::postString('stage');
-
-            if ($stage === "auth") {
-                $password = WebRequest::postString('password');
-
-                $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                    $this->getSiteConfiguration());
-                $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-                if ($result) {
-                    $otpCredentialProvider->setCredential($currentUser, 2, null);
-
-                    $provisioningUrl = $otpCredentialProvider->getProvisioningUrl($currentUser);
-
-                    $renderer = new Svg();
-                    $renderer->setHeight(256);
-                    $renderer->setWidth(256);
-                    $writer = new Writer($renderer);
-                    $svg = $writer->writeString($provisioningUrl);
-
-                    $this->assign('svg', $svg);
-                    $this->assign('secret', $otpCredentialProvider->getSecret($currentUser));
-
-                    $this->assignCSRFToken();
-                    $this->setTemplate('mfa/enableTotpEnroll.tpl');
-
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - invalid credentials.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            if ($stage === "enroll") {
-                // we *must* have a defined credential already here,
-                if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
-                    $otp = WebRequest::postString('otp');
-                    $result = $otpCredentialProvider->verifyEnable($currentUser, $otp);
-
-                    if ($result) {
-                        SessionAlert::success('Enabled TOTP.');
-
-                        $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                        if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                            $scratchProvider->setCredential($currentUser, 2, null);
-                            $tokens = $scratchProvider->getTokens();
-                            $this->assign('tokens', $tokens);
-                            $this->setTemplate('mfa/regenScratchTokens.tpl');
-                            return;
-                        }
-                    }
-                    else {
-                        $otpCredentialProvider->deleteCredential($currentUser);
-                        SessionAlert::error('Error enabling TOTP: invalid token provided');
-                    }
-
-
-                    $this->redirect('multiFactor');
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
-                    $this->redirect('multiFactor');
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$yubikeyOtpCredentialProvider = new YubikeyOtpCredentialProvider($database, $this->getSiteConfiguration(),
+			$this->getHttpHelper());
+		$this->assign('yubikeyOtpIdentity', $yubikeyOtpCredentialProvider->getYubikeyData($currentUser->getId()));
+		$this->assign('yubikeyOtpEnrolled', $yubikeyOtpCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$totpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('totpEnrolled', $totpCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$u2fCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('u2fEnrolled', $u2fCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$scratchCredentialProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('scratchEnrolled', $scratchCredentialProvider->userIsEnrolled($currentUser->getId()));
+		$this->assign('scratchRemaining', $scratchCredentialProvider->getRemaining($currentUser->getId()));
+
+		$this->setTemplate('mfa/mfa.tpl');
+	}
+
+	protected function enableYubikeyOtp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
+			$this->getSiteConfiguration(), $this->getHttpHelper());
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$password = WebRequest::postString('password');
+			$otp = WebRequest::postString('otp');
+
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				try {
+					$otpCredentialProvider->setCredential($currentUser, 2, $otp);
+					SessionAlert::success('Enabled YubiKey OTP.');
+
+					$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+					if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+						$scratchProvider->setCredential($currentUser, 2, null);
+						$tokens = $scratchProvider->getTokens();
+						$this->assign('tokens', $tokens);
+						$this->setTemplate('mfa/regenScratchTokens.tpl');
+						return;
+					}
+				}
+				catch (ApplicationLogicException $ex) {
+					SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
+				}
+
+				$this->redirect('multiFactor');
+			}
+			else {
+				SessionAlert::error('Error enabling YubiKey OTP - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/enableYubikey.tpl');
+		}
+	}
+
+	protected function disableYubikeyOtp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
 
-                    return;
-                }
-            }
+		$otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
+			$this->getSiteConfiguration(), $this->getHttpHelper());
+
+		$factorType = 'YubiKey OTP';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
 
-            // urgh, dunno what happened, but it's not something expected.
-            throw new ApplicationLogicException();
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
+	protected function enableTotp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			// used for routing only, not security
+			$stage = WebRequest::postString('stage');
+
+			if ($stage === "auth") {
+				$password = WebRequest::postString('password');
+
+				$passwordCredentialProvider = new PasswordCredentialProvider($database,
+					$this->getSiteConfiguration());
+				$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+				if ($result) {
+					$otpCredentialProvider->setCredential($currentUser, 2, null);
+
+					$provisioningUrl = $otpCredentialProvider->getProvisioningUrl($currentUser);
+
+					$renderer = new Svg();
+					$renderer->setHeight(256);
+					$renderer->setWidth(256);
+					$writer = new Writer($renderer);
+					$svg = $writer->writeString($provisioningUrl);
+
+					$this->assign('svg', $svg);
+					$this->assign('secret', $otpCredentialProvider->getSecret($currentUser));
+
+					$this->assignCSRFToken();
+					$this->setTemplate('mfa/enableTotpEnroll.tpl');
+
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - invalid credentials.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			if ($stage === "enroll") {
+				// we *must* have a defined credential already here,
+				if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
+					$otp = WebRequest::postString('otp');
+					$result = $otpCredentialProvider->verifyEnable($currentUser, $otp);
+
+					if ($result) {
+						SessionAlert::success('Enabled TOTP.');
+
+						$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+						if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+							$scratchProvider->setCredential($currentUser, 2, null);
+							$tokens = $scratchProvider->getTokens();
+							$this->assign('tokens', $tokens);
+							$this->setTemplate('mfa/regenScratchTokens.tpl');
+							return;
+						}
+					}
+					else {
+						$otpCredentialProvider->deleteCredential($currentUser);
+						SessionAlert::error('Error enabling TOTP: invalid token provided');
+					}
+
+
+					$this->redirect('multiFactor');
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			// urgh, dunno what happened, but it's not something expected.
+			throw new ApplicationLogicException();
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/enableTotpAuth.tpl');
+		}
+	}
+
+	protected function disableTotp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+
+		$factorType = 'TOTP';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
 
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/enableTotpAuth.tpl');
-        }
-    }
+	protected function enableU2F() {
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
 
-    protected function disableTotp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
+		$otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
 
-        $otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
 
-        $factorType = 'TOTP';
+			// used for routing only, not security
+			$stage = WebRequest::postString('stage');
 
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
+			if ($stage === "auth") {
+				$password = WebRequest::postString('password');
 
-    protected function enableU2F() {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
+				$passwordCredentialProvider = new PasswordCredentialProvider($database,
+					$this->getSiteConfiguration());
+				$result = $passwordCredentialProvider->authenticate($currentUser, $password);
 
-        $otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            // used for routing only, not security
-            $stage = WebRequest::postString('stage');
+				if ($result) {
+					$otpCredentialProvider->setCredential($currentUser, 2, null);
+					$this->assignCSRFToken();
 
-            if ($stage === "auth") {
-                $password = WebRequest::postString('password');
-
-                $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                    $this->getSiteConfiguration());
-                $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-                if ($result) {
-                    $otpCredentialProvider->setCredential($currentUser, 2, null);
-                    $this->assignCSRFToken();
-
-                    list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
-
-                    $u2fRequest =json_encode($data);
-                    $u2fSigns = json_encode($reqs);
-
-                    $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
-                    $this->setTailScript(<<<JS
+					list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
+
+					$u2fRequest =json_encode($data);
+					$u2fSigns = json_encode($reqs);
+
+					$this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
+					$this->setTailScript(<<<JS
 var request = ${u2fRequest};
 var signs = ${u2fSigns};
 
@@ -277,153 +277,153 @@  discard block
 block discarded – undo
 	form.submit();
 });
 JS
-                    );
-
-                    $this->setTemplate('mfa/enableU2FEnroll.tpl');
-
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - invalid credentials.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            if ($stage === "enroll") {
-                // we *must* have a defined credential already here,
-                if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
-
-                    $request = json_decode(WebRequest::postString('u2fRequest'));
-                    $u2fData = json_decode(WebRequest::postString('u2fData'));
-
-                    $otpCredentialProvider->enable($currentUser, $request, $u2fData);
-
-                    SessionAlert::success('Enabled TOTP.');
-
-                    $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                        $scratchProvider->setCredential($currentUser, 2, null);
-                        $tokens = $scratchProvider->getTokens();
-                        $this->assign('tokens', $tokens);
-                        $this->setTemplate('mfa/regenScratchTokens.tpl');
-                        return;
-                    }
-
-                    $this->redirect('multiFactor');
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            // urgh, dunno what happened, but it's not something expected.
-            throw new ApplicationLogicException();
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/enableU2FAuth.tpl');
-        }
-    }
-
-    protected function disableU2F() {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
-
-        $factorType = 'U2F';
-
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
-
-    protected function scratch()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $otpCredentialProvider = new ScratchTokenCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $password = WebRequest::postString('password');
-
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                $otpCredentialProvider->setCredential($currentUser, 2, null);
-                $tokens = $otpCredentialProvider->getTokens();
-                $this->assign('tokens', $tokens);
-                $this->setTemplate('mfa/regenScratchTokens.tpl');
-            }
-            else {
-                SessionAlert::error('Error refreshing scratch tokens - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/regenScratchAuth.tpl');
-        }
-    }
-
-    /**
-     * @param PdoDatabase         $database
-     * @param User                $currentUser
-     * @param ICredentialProvider $otpCredentialProvider
-     * @param string              $factorType
-     *
-     * @throws ApplicationLogicException
-     */
-    private function deleteCredential(
-        PdoDatabase $database,
-        User $currentUser,
-        ICredentialProvider $otpCredentialProvider,
-        $factorType
-    ) {
-        if (WebRequest::wasPosted()) {
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $this->validateCSRFToken();
-
-            $password = WebRequest::postString('password');
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                $otpCredentialProvider->deleteCredential($currentUser);
-                SessionAlert::success('Disabled ' . $factorType . '.');
-                $this->redirect('multiFactor');
-            }
-            else {
-                SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            if (!$otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is not enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->assign('otpType', $factorType);
-            $this->setTemplate('mfa/disableOtp.tpl');
-        }
-    }
+					);
+
+					$this->setTemplate('mfa/enableU2FEnroll.tpl');
+
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - invalid credentials.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			if ($stage === "enroll") {
+				// we *must* have a defined credential already here,
+				if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
+
+					$request = json_decode(WebRequest::postString('u2fRequest'));
+					$u2fData = json_decode(WebRequest::postString('u2fData'));
+
+					$otpCredentialProvider->enable($currentUser, $request, $u2fData);
+
+					SessionAlert::success('Enabled TOTP.');
+
+					$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+					if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+						$scratchProvider->setCredential($currentUser, 2, null);
+						$tokens = $scratchProvider->getTokens();
+						$this->assign('tokens', $tokens);
+						$this->setTemplate('mfa/regenScratchTokens.tpl');
+						return;
+					}
+
+					$this->redirect('multiFactor');
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			// urgh, dunno what happened, but it's not something expected.
+			throw new ApplicationLogicException();
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/enableU2FAuth.tpl');
+		}
+	}
+
+	protected function disableU2F() {
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new U2FCredentialProvider($database, $this->getSiteConfiguration());
+
+		$factorType = 'U2F';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
+
+	protected function scratch()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$otpCredentialProvider = new ScratchTokenCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$password = WebRequest::postString('password');
+
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				$otpCredentialProvider->setCredential($currentUser, 2, null);
+				$tokens = $otpCredentialProvider->getTokens();
+				$this->assign('tokens', $tokens);
+				$this->setTemplate('mfa/regenScratchTokens.tpl');
+			}
+			else {
+				SessionAlert::error('Error refreshing scratch tokens - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/regenScratchAuth.tpl');
+		}
+	}
+
+	/**
+	 * @param PdoDatabase         $database
+	 * @param User                $currentUser
+	 * @param ICredentialProvider $otpCredentialProvider
+	 * @param string              $factorType
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function deleteCredential(
+		PdoDatabase $database,
+		User $currentUser,
+		ICredentialProvider $otpCredentialProvider,
+		$factorType
+	) {
+		if (WebRequest::wasPosted()) {
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$this->validateCSRFToken();
+
+			$password = WebRequest::postString('password');
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				$otpCredentialProvider->deleteCredential($currentUser);
+				SessionAlert::success('Disabled ' . $factorType . '.');
+				$this->redirect('multiFactor');
+			}
+			else {
+				SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			if (!$otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is not enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->assign('otpType', $factorType);
+			$this->setTemplate('mfa/disableOtp.tpl');
+		}
+	}
 }

Please login to merge, or discard this patch.

Spacing +7 added lines, -7 removed lines patch added patch discarded remove patch

@@ -78,7 +78,7 @@  discard block
 block discarded – undo
                     SessionAlert::success('Enabled YubiKey OTP.');
 
                     $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                    if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                         $scratchProvider->setCredential($currentUser, 2, null);
                         $tokens = $scratchProvider->getTokens();
                         $this->assign('tokens', $tokens);
@@ -87,7 +87,7 @@  discard block
 block discarded – undo
                     }
                 }
                 catch (ApplicationLogicException $ex) {
-                    SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
+                    SessionAlert::error('Error enabling YubiKey OTP: '.$ex->getMessage());
                 }
 
                 $this->redirect('multiFactor');
@@ -178,7 +178,7 @@  discard block
 block discarded – undo
                         SessionAlert::success('Enabled TOTP.');
 
                         $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                        if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                        if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                             $scratchProvider->setCredential($currentUser, 2, null);
                             $tokens = $scratchProvider->getTokens();
                             $this->assign('tokens', $tokens);
@@ -254,7 +254,7 @@  discard block
 block discarded – undo
 
                     list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
 
-                    $u2fRequest =json_encode($data);
+                    $u2fRequest = json_encode($data);
                     $u2fSigns = json_encode($reqs);
 
                     $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
@@ -303,7 +303,7 @@  discard block
 block discarded – undo
                     SessionAlert::success('Enabled TOTP.');
 
                     $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+                    if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
                         $scratchProvider->setCredential($currentUser, 2, null);
                         $tokens = $scratchProvider->getTokens();
                         $this->assign('tokens', $tokens);
@@ -407,11 +407,11 @@  discard block
 block discarded – undo
 
             if ($result) {
                 $otpCredentialProvider->deleteCredential($currentUser);
-                SessionAlert::success('Disabled ' . $factorType . '.');
+                SessionAlert::success('Disabled '.$factorType.'.');
                 $this->redirect('multiFactor');
             }
             else {
-                SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
+                SessionAlert::error('Error disabling '.$factorType.' - invalid credentials.');
                 $this->redirect('multiFactor');
             }
         }

Please login to merge, or discard this patch.

includes/Pages/UserAuth/PageOAuthCallback.php 1 patch

Indentation +75 added lines, -75 removed lines patch added patch discarded remove patch

@@ -17,90 +17,90 @@
 block discarded – undo
 
 class PageOAuthCallback extends InternalPageBase
 {
-    /**
-     * @return bool
-     */
-    protected function isProtectedPage()
-    {
-        // This page is critical to ensuring OAuth functionality is operational.
-        return false;
-    }
+	/**
+	 * @return bool
+	 */
+	protected function isProtectedPage()
+	{
+		// This page is critical to ensuring OAuth functionality is operational.
+		return false;
+	}
 
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        // This should never get hit except by URL manipulation.
-        $this->redirect('');
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		// This should never get hit except by URL manipulation.
+		$this->redirect('');
+	}
 
-    /**
-     * Registered endpoint for the account creation callback.
-     *
-     * If this ever gets hit, something is wrong somewhere.
-     */
-    protected function create()
-    {
-        throw new Exception('OAuth account creation endpoint triggered.');
-    }
+	/**
+	 * Registered endpoint for the account creation callback.
+	 *
+	 * If this ever gets hit, something is wrong somewhere.
+	 */
+	protected function create()
+	{
+		throw new Exception('OAuth account creation endpoint triggered.');
+	}
 
-    /**
-     * Callback entry point
-     */
-    protected function authorise()
-    {
-        $oauthToken = WebRequest::getString('oauth_token');
-        $oauthVerifier = WebRequest::getString('oauth_verifier');
+	/**
+	 * Callback entry point
+	 */
+	protected function authorise()
+	{
+		$oauthToken = WebRequest::getString('oauth_token');
+		$oauthVerifier = WebRequest::getString('oauth_verifier');
 
-        $this->doCallbackValidation($oauthToken, $oauthVerifier);
+		$this->doCallbackValidation($oauthToken, $oauthVerifier);
 
-        $database = $this->getDatabase();
+		$database = $this->getDatabase();
 
-        $user = OAuthUserHelper::findUserByRequestToken($oauthToken, $database);
-        $oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
+		$user = OAuthUserHelper::findUserByRequestToken($oauthToken, $database);
+		$oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
 
-        try {
-            $oauth->completeHandshake($oauthVerifier);
-        }
-        catch (CurlException $ex) {
-            throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
-        }
+		try {
+			$oauth->completeHandshake($oauthVerifier);
+		}
+		catch (CurlException $ex) {
+			throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
+		}
 
-        // OK, we're the same session that just did a partial login that was redirected to OAuth. Let's upgrade the
-        // login to a full login
-        if (WebRequest::getOAuthPartialLogin() === $user->getId()) {
-            WebRequest::setLoggedInUser($user);
-        }
+		// OK, we're the same session that just did a partial login that was redirected to OAuth. Let's upgrade the
+		// login to a full login
+		if (WebRequest::getOAuthPartialLogin() === $user->getId()) {
+			WebRequest::setLoggedInUser($user);
+		}
 
-        // My thinking is there are three cases here:
-        //   a) new user => redirect to prefs - it's the only thing they can access other than stats
-        //   b) existing user hit the connect button in prefs => redirect to prefs since it's where they were
-        //   c) existing user logging in => redirect to wherever they came from
-        $redirectDestination = WebRequest::clearPostLoginRedirect();
-        if ($redirectDestination !== null && !$user->isNewUser()) {
-            $this->redirectUrl($redirectDestination);
-        }
-        else {
-            $this->redirect('preferences', null, null, 'internal.php');
-        }
-    }
+		// My thinking is there are three cases here:
+		//   a) new user => redirect to prefs - it's the only thing they can access other than stats
+		//   b) existing user hit the connect button in prefs => redirect to prefs since it's where they were
+		//   c) existing user logging in => redirect to wherever they came from
+		$redirectDestination = WebRequest::clearPostLoginRedirect();
+		if ($redirectDestination !== null && !$user->isNewUser()) {
+			$this->redirectUrl($redirectDestination);
+		}
+		else {
+			$this->redirect('preferences', null, null, 'internal.php');
+		}
+	}
 
-    /**
-     * @param string $oauthToken
-     * @param string $oauthVerifier
-     *
-     * @throws ApplicationLogicException
-     */
-    private function doCallbackValidation($oauthToken, $oauthVerifier)
-    {
-        if ($oauthToken === null) {
-            throw new ApplicationLogicException('No token provided');
-        }
+	/**
+	 * @param string $oauthToken
+	 * @param string $oauthVerifier
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function doCallbackValidation($oauthToken, $oauthVerifier)
+	{
+		if ($oauthToken === null) {
+			throw new ApplicationLogicException('No token provided');
+		}
 
-        if ($oauthVerifier === null) {
-            throw new ApplicationLogicException('No oauth verifier provided.');
-        }
-    }
+		if ($oauthVerifier === null) {
+			throw new ApplicationLogicException('No oauth verifier provided.');
+		}
+	}
 }
\ No newline at end of file

Please login to merge, or discard this patch.

includes/Pages/UserAuth/Login/PagePasswordLogin.php 2 patches

Indentation +27 added lines, -27 removed lines patch added patch discarded remove patch

@@ -13,31 +13,31 @@
 block discarded – undo
 
 class PagePasswordLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
-
-        if($partialId !== null && $partialStage > 1) {
-            $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
-            $statement = $this->getDatabase()->prepare($sql);
-            $statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
-            $nextStage = $statement->fetchColumn();
-            $statement->closeCursor();
-
-            $this->redirect("login/" . $this->nextPageMap[$nextStage]);
-            return;
-        }
-
-        $this->setTemplate('login/password.tpl');
-    }
-
-    protected function getProviderCredentials()
-    {
-        $password = WebRequest::postString("password");
-        if ($password === null || $password === "") {
-            throw new ApplicationLogicException("No password specified");
-        }
-
-        return $password;
-    }
+	protected function providerSpecificSetup()
+	{
+		list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
+
+		if($partialId !== null && $partialStage > 1) {
+			$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
+			$statement = $this->getDatabase()->prepare($sql);
+			$statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
+			$nextStage = $statement->fetchColumn();
+			$statement->closeCursor();
+
+			$this->redirect("login/" . $this->nextPageMap[$nextStage]);
+			return;
+		}
+
+		$this->setTemplate('login/password.tpl');
+	}
+
+	protected function getProviderCredentials()
+	{
+		$password = WebRequest::postString("password");
+		if ($password === null || $password === "") {
+			throw new ApplicationLogicException("No password specified");
+		}
+
+		return $password;
+	}
 }
\ No newline at end of file

Please login to merge, or discard this patch.

Spacing +2 added lines, -2 removed lines patch added patch discarded remove patch

@@ -17,14 +17,14 @@
 block discarded – undo
     {
         list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
 
-        if($partialId !== null && $partialStage > 1) {
+        if ($partialId !== null && $partialStage > 1) {
             $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
             $statement = $this->getDatabase()->prepare($sql);
             $statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
             $nextStage = $statement->fetchColumn();
             $statement->closeCursor();
 
-            $this->redirect("login/" . $this->nextPageMap[$nextStage]);
+            $this->redirect("login/".$this->nextPageMap[$nextStage]);
             return;
         }
 

Please login to merge, or discard this patch.

includes/Pages/UserAuth/Login/PageU2FLogin.php 1 patch

Indentation +22 added lines, -22 removed lines patch added patch discarded remove patch

@@ -14,20 +14,20 @@  discard block
 block discarded – undo
 
 class PageU2FLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        $this->assign('showSignIn', false);
-        $this->setTemplate('login/u2f.tpl');
+	protected function providerSpecificSetup()
+	{
+		$this->assign('showSignIn', false);
+		$this->setTemplate('login/u2f.tpl');
 
-        if ($this->partialUser === null) {
-            throw new ApplicationLogicException("U2F cannot be first-stage authentication");
-        }
+		if ($this->partialUser === null) {
+			throw new ApplicationLogicException("U2F cannot be first-stage authentication");
+		}
 
-        $u2f = new U2FCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
-        $authData = json_encode($u2f->getAuthenticationData($this->partialUser));
+		$u2f = new U2FCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
+		$authData = json_encode($u2f->getAuthenticationData($this->partialUser));
 
-        $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
-        $this->setTailScript(<<<JS
+		$this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
+		$this->setTailScript(<<<JS
 var request = ${authData};
 console.log("starting sign");
 u2f.sign(request, function(data) {
@@ -44,19 +44,19 @@  discard block
 block discarded – undo
                 form.submit();
             });
 JS
-        );
+		);
 
-    }
+	}
 
-    protected function getProviderCredentials()
-    {
-        $authenticate = WebRequest::postString("authenticate");
-        $request = WebRequest::postString("request");
+	protected function getProviderCredentials()
+	{
+		$authenticate = WebRequest::postString("authenticate");
+		$request = WebRequest::postString("request");
 
-        if ($authenticate === null || $authenticate === "" || $request === null || $request === "") {
-              throw new ApplicationLogicException("No authentication specified");
-        }
+		if ($authenticate === null || $authenticate === "" || $request === null || $request === "") {
+			  throw new ApplicationLogicException("No authentication specified");
+		}
 
-        return array(json_decode($authenticate), json_decode($request), 'u2f');
-    }
+		return array(json_decode($authenticate), json_decode($request), 'u2f');
+	}
 }
\ No newline at end of file

Please login to merge, or discard this patch.

includes/Pages/UserAuth/Login/PageOtpLogin.php 1 patch

Indentation +12 added lines, -12 removed lines patch added patch discarded remove patch

@@ -13,18 +13,18 @@
 block discarded – undo
 
 class PageOtpLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        $this->setTemplate('login/otp.tpl');
-    }
+	protected function providerSpecificSetup()
+	{
+		$this->setTemplate('login/otp.tpl');
+	}
 
-    protected function getProviderCredentials()
-    {
-        $otp = WebRequest::postString("otp");
-        if ($otp === null || $otp === "") {
-            throw new ApplicationLogicException("No one-time code specified");
-        }
+	protected function getProviderCredentials()
+	{
+		$otp = WebRequest::postString("otp");
+		if ($otp === null || $otp === "") {
+			throw new ApplicationLogicException("No one-time code specified");
+		}
 
-        return $otp;
-    }
+		return $otp;
+	}
 }
\ No newline at end of file

Please login to merge, or discard this patch.

		@@ -136,7 +136,7 @@
		block discarded – undo
136	136
137	137	$data = array();
138	138	foreach ($apiResponse as $key => $value) {
139		- $data[] = $key . "=" . $value;
	139	+ $data[] = $key."=".$value;
140	140	}
141	141	$dataString = implode('&', $data);
142	142

		@@ -513,6 +513,10 @@
		block discarded – undo
513	513	return isset($session['oauthPartialLogin']) ? (int)$session['oauthPartialLogin'] : null;
514	514	}
515	515
	516	+ /**
	517	+ * @param integer $userId
	518	+ * @param integer $stage
	519	+ */
516	520	public static function setAuthPartialLogin($userId, $stage)
517	521	{
518	522	$session = &self::$globalStateProvider->getSessionSuperGlobal();

		@@ -130,7 +130,7 @@ discard block
		block discarded – undo
130	130
131	131	$BUbasefile = "backup"; // The basefile's name.
132	132	$BUdir = "/home/project/a/c/c/acc/backups"; // The directory where backups should be stored.
133		-$BUmonthdir = $BUdir . "/monthly"; // The directory where monthly backups should be stored.
	133	+$BUmonthdir = $BUdir."/monthly"; // The directory where monthly backups should be stored.
134	134	$BUdumper = "/opt/ts/mysql/5.1/bin/mysqldump --defaults-file=~/.my.cnf p_acc_live"; // Add parameters here if they are needed.
135	135	$BUgzip = "/usr/bin/gzip"; // Add the gzip parameters here if needed.
136	136	$BUtar = "/bin/tar -cvf"; // Add the tar parameters here if needed.
		@@ -246,7 +246,7 @@ discard block
		block discarded – undo
246	246	$curlDisableSSLVerifyPeer = false;
247	247
248	248	// Change this to be outside the web directory.
249		-$curlCookieJar = __DIR__ . '/../cookies.txt';
	249	+$curlCookieJar = __DIR__.'/../cookies.txt';
250	250
251	251	$yubicoApiId = 0;
252	252	$yubicoApiKey = "";
		@@ -265,17 +265,17 @@ discard block
		block discarded – undo
265	265
266	266	$cDatabaseConfig = array(
267	267	"acc" => array(
268		- "dsrcname" => "mysql:host=" . $toolserver_host . ";dbname=" . $toolserver_database,
	268	+ "dsrcname" => "mysql:host=".$toolserver_host.";dbname=".$toolserver_database,
269	269	"username" => $toolserver_username,
270	270	"password" => $toolserver_password,
271	271	),
272	272	"wikipedia" => array(
273		- "dsrcname" => "mysql:host=" . $antispoof_host . ";dbname=" . $antispoof_db,
	273	+ "dsrcname" => "mysql:host=".$antispoof_host.";dbname=".$antispoof_db,
274	274	"username" => $toolserver_username,
275	275	"password" => $toolserver_password,
276	276	),
277	277	"notifications" => array(
278		- "dsrcname" => "mysql:host=" . $toolserver_notification_dbhost . ";dbname=" . $toolserver_notification_database,
	278	+ "dsrcname" => "mysql:host=".$toolserver_notification_dbhost.";dbname=".$toolserver_notification_database,
279	279	"username" => $notifications_username,
280	280	"password" => $notifications_password,
281	281	),
		@@ -305,13 +305,13 @@ discard block
		block discarded – undo
305	305	}
306	306
307	307	// Set up the AutoLoader
308		-require_once(__DIR__ . "/includes/AutoLoader.php");
	308	+require_once(__DIR__."/includes/AutoLoader.php");
309	309	spl_autoload_register('Waca\\AutoLoader::load');
310		-require_once(__DIR__ . '/vendor/autoload.php');
	310	+require_once(__DIR__.'/vendor/autoload.php');
311	311
312	312	// Extra includes which are just plain awkward wherever they are.
313		-require_once(__DIR__ . '/lib/mediawiki-extensions-OAuth/lib/OAuth.php');
314		-require_once(__DIR__ . '/lib/mediawiki-extensions-OAuth/lib/JWT.php');
	313	+require_once(__DIR__.'/lib/mediawiki-extensions-OAuth/lib/OAuth.php');
	314	+require_once(__DIR__.'/lib/mediawiki-extensions-OAuth/lib/JWT.php');
315	315
316	316	// Crap that's needed for libraries. >:(
317	317	/**

		@@ -78,7 +78,7 @@ discard block
		block discarded – undo
78	78	SessionAlert::success('Enabled YubiKey OTP.');
79	79
80	80	$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
81		- if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
	81	+ if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
82	82	$scratchProvider->setCredential($currentUser, 2, null);
83	83	$tokens = $scratchProvider->getTokens();
84	84	$this->assign('tokens', $tokens);
		@@ -87,7 +87,7 @@ discard block
		block discarded – undo
87	87	}
88	88	}
89	89	catch (ApplicationLogicException $ex) {
90		- SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
	90	+ SessionAlert::error('Error enabling YubiKey OTP: '.$ex->getMessage());
91	91	}
92	92
93	93	$this->redirect('multiFactor');
		@@ -178,7 +178,7 @@ discard block
		block discarded – undo
178	178	SessionAlert::success('Enabled TOTP.');
179	179
180	180	$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
181		- if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
	181	+ if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
182	182	$scratchProvider->setCredential($currentUser, 2, null);
183	183	$tokens = $scratchProvider->getTokens();
184	184	$this->assign('tokens', $tokens);
		@@ -254,7 +254,7 @@ discard block
		block discarded – undo
254	254
255	255	list($data, $reqs) = $otpCredentialProvider->getRegistrationData();
256	256
257		- $u2fRequest =json_encode($data);
	257	+ $u2fRequest = json_encode($data);
258	258	$u2fSigns = json_encode($reqs);
259	259
260	260	$this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
		@@ -303,7 +303,7 @@ discard block
		block discarded – undo
303	303	SessionAlert::success('Enabled TOTP.');
304	304
305	305	$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
306		- if($scratchProvider->getRemaining($currentUser->getId()) < 3) {
	306	+ if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
307	307	$scratchProvider->setCredential($currentUser, 2, null);
308	308	$tokens = $scratchProvider->getTokens();
309	309	$this->assign('tokens', $tokens);
		@@ -407,11 +407,11 @@ discard block
		block discarded – undo
407	407
408	408	if ($result) {
409	409	$otpCredentialProvider->deleteCredential($currentUser);
410		- SessionAlert::success('Disabled ' . $factorType . '.');
	410	+ SessionAlert::success('Disabled '.$factorType.'.');
411	411	$this->redirect('multiFactor');
412	412	}
413	413	else {
414		- SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
	414	+ SessionAlert::error('Error disabling '.$factorType.' - invalid credentials.');
415	415	$this->redirect('multiFactor');
416	416	}
417	417	}

		@@ -104,7 +104,7 @@ discard block
		block discarded – undo
104	104	}
105	105
106	106	/**
107		- * @param $result
	107	+ * @param string $result
108	108	*
109	109	* @return array
110	110	*/
		@@ -123,6 +123,9 @@ discard block
		block discarded – undo
123	123	return $data;
124	124	}
125	125
	126	+ /**
	127	+ * @param string $data
	128	+ */
126	129	private function getYubikeyId($data)
127	130	{
128	131	return substr($data, 0, -32);
		@@ -146,7 +149,7 @@ discard block
		block discarded – undo
146	149	}
147	150
148	151	/**
149		- * @param $data
	152	+ * @param string $data
150	153	*
151	154	* @return bool
152	155	*/

		@@ -16,154 +16,154 @@
		block discarded – undo
16	16
17	17	class YubikeyOtpCredentialProvider extends CredentialProviderBase
18	18	{
19		- /** @var HttpHelper */
20		- private $httpHelper;
21		- /**
22		- * @var SiteConfiguration
23		- */
24		- private $configuration;
25		-
26		- public function __construct(PdoDatabase $database, SiteConfiguration $configuration, HttpHelper $httpHelper)
27		- {
28		- parent::__construct($database, $configuration, 'yubikeyotp');
29		- $this->httpHelper = $httpHelper;
30		- $this->configuration = $configuration;
31		- }
32		-
33		- public function authenticate(User $user, $data)
34		- {
35		- if (is_array($data)) {
36		- return false;
37		- }
38		-
39		- $credentialData = $this->getCredentialData($user->getId());
40		-
41		- if ($credentialData === null) {
42		- return false;
43		- }
44		-
45		- if ($credentialData->getData() !== $this->getYubikeyId($data)) {
46		- // different device
47		- return false;
48		- }
49		-
50		- return $this->verifyToken($data);
51		- }
52		-
53		- public function setCredential(User $user, $factor, $data)
54		- {
55		- $keyId = $this->getYubikeyId($data);
56		- $valid = $this->verifyToken($data);
57		-
58		- if (!$valid) {
59		- throw new ApplicationLogicException("Provided token is not valid.");
60		- }
61		-
62		- $storedData = $this->getCredentialData($user->getId());
63		-
64		- if ($storedData === null) {
65		- $storedData = $this->createNewCredential($user);
66		- }
67		-
68		- $storedData->setData($keyId);
69		- $storedData->setFactor($factor);
70		- $storedData->setVersion(1);
71		- $storedData->setPriority(8);
72		-
73		- $storedData->save();
74		- }
75		-
76		- /**
77		- * Get the Yubikey ID.
78		- *
79		- * This looks like it's just dumping the "password" that's stored in the database, but it's actually fine.
80		- *
81		- * We only store the "serial number" of the Yubikey - if we get a validated (by webservice) token prefixed with the
82		- * serial number, that's a successful OTP authentication. Thus, retrieving the stored data is just retrieving the
83		- * yubikey's serial number (in modhex format), since the actual security credentials are stored on the device.
84		- *
85		- * Note that the serial number is actually the credential serial number - it's possible to regenerate the keys on
86		- * the device, and that will change the serial number too.
87		- *
88		- * More information about the structure of OTPs can be found here:
89		- * https://developers.yubico.com/OTP/OTPs_Explained.html
90		- *
91		- * @param int $userId
92		- *
93		- * @return null\|string
94		- */
95		- public function getYubikeyData($userId)
96		- {
97		- $credential = $this->getCredentialData($userId);
98		-
99		- if ($credential === null) {
100		- return null;
101		- }
102		-
103		- return $credential->getData();
104		- }
105		-
106		- /**
107		- * @param $result
108		- *
109		- * @return array
110		- */
111		- private function parseYubicoApiResult($result)
112		- {
113		- $data = array();
114		- foreach (explode("\r\n", $result) as $line) {
115		- $pos = strpos($line, '=');
116		- if ($pos === false) {
117		- continue;
118		- }
119		-
120		- $data[substr($line, 0, $pos)] = substr($line, $pos + 1);
121		- }
122		-
123		- return $data;
124		- }
125		-
126		- private function getYubikeyId($data)
127		- {
128		- return substr($data, 0, -32);
129		- }
130		-
131		- private function verifyHmac($apiResponse, $apiKey)
132		- {
133		- ksort($apiResponse);
134		- $signature = $apiResponse['h'];
135		- unset($apiResponse['h']);
136		-
137		- $data = array();
138		- foreach ($apiResponse as $key => $value) {
139		- $data[] = $key . "=" . $value;
140		- }
141		- $dataString = implode('&', $data);
142		-
143		- $hmac = base64_encode(hash_hmac('sha1', $dataString, base64_decode($apiKey), true));
144		-
145		- return $hmac === $signature;
146		- }
147		-
148		- /**
149		- * @param $data
150		- *
151		- * @return bool
152		- */
153		- private function verifyToken($data)
154		- {
155		- $result = $this->httpHelper->get('https://api.yubico.com/wsapi/2.0/verify', array(
156		- 'id' => $this->configuration->getYubicoApiId(),
157		- 'otp' => $data,
158		- 'nonce' => md5(openssl_random_pseudo_bytes(64)),
159		- ));
160		-
161		- $apiResponse = $this->parseYubicoApiResult($result);
162		-
163		- if (!$this->verifyHmac($apiResponse, $this->configuration->getYubicoApiKey())) {
164		- return false;
165		- }
166		-
167		- return $apiResponse['status'] == 'OK';
168		- }
	19	+ /** @var HttpHelper */
	20	+ private $httpHelper;
	21	+ /**
	22	+ * @var SiteConfiguration
	23	+ */
	24	+ private $configuration;
	25	+
	26	+ public function __construct(PdoDatabase $database, SiteConfiguration $configuration, HttpHelper $httpHelper)
	27	+ {
	28	+ parent::__construct($database, $configuration, 'yubikeyotp');
	29	+ $this->httpHelper = $httpHelper;
	30	+ $this->configuration = $configuration;
	31	+ }
	32	+
	33	+ public function authenticate(User $user, $data)
	34	+ {
	35	+ if (is_array($data)) {
	36	+ return false;
	37	+ }
	38	+
	39	+ $credentialData = $this->getCredentialData($user->getId());
	40	+
	41	+ if ($credentialData === null) {
	42	+ return false;
	43	+ }
	44	+
	45	+ if ($credentialData->getData() !== $this->getYubikeyId($data)) {
	46	+ // different device
	47	+ return false;
	48	+ }
	49	+
	50	+ return $this->verifyToken($data);
	51	+ }
	52	+
	53	+ public function setCredential(User $user, $factor, $data)
	54	+ {
	55	+ $keyId = $this->getYubikeyId($data);
	56	+ $valid = $this->verifyToken($data);
	57	+
	58	+ if (!$valid) {
	59	+ throw new ApplicationLogicException("Provided token is not valid.");
	60	+ }
	61	+
	62	+ $storedData = $this->getCredentialData($user->getId());
	63	+
	64	+ if ($storedData === null) {
	65	+ $storedData = $this->createNewCredential($user);
	66	+ }
	67	+
	68	+ $storedData->setData($keyId);
	69	+ $storedData->setFactor($factor);
	70	+ $storedData->setVersion(1);
	71	+ $storedData->setPriority(8);
	72	+
	73	+ $storedData->save();
	74	+ }
	75	+
	76	+ /**
	77	+ * Get the Yubikey ID.
	78	+ *
	79	+ * This looks like it's just dumping the "password" that's stored in the database, but it's actually fine.
	80	+ *
	81	+ * We only store the "serial number" of the Yubikey - if we get a validated (by webservice) token prefixed with the
	82	+ * serial number, that's a successful OTP authentication. Thus, retrieving the stored data is just retrieving the
	83	+ * yubikey's serial number (in modhex format), since the actual security credentials are stored on the device.
	84	+ *
	85	+ * Note that the serial number is actually the credential serial number - it's possible to regenerate the keys on
	86	+ * the device, and that will change the serial number too.
	87	+ *
	88	+ * More information about the structure of OTPs can be found here:
	89	+ * https://developers.yubico.com/OTP/OTPs_Explained.html
	90	+ *
	91	+ * @param int $userId
	92	+ *
	93	+ * @return null\|string
	94	+ */
	95	+ public function getYubikeyData($userId)
	96	+ {
	97	+ $credential = $this->getCredentialData($userId);
	98	+
	99	+ if ($credential === null) {
	100	+ return null;
	101	+ }
	102	+
	103	+ return $credential->getData();
	104	+ }
	105	+
	106	+ /**
	107	+ * @param $result
	108	+ *
	109	+ * @return array
	110	+ */
	111	+ private function parseYubicoApiResult($result)
	112	+ {
	113	+ $data = array();
	114	+ foreach (explode("\r\n", $result) as $line) {
	115	+ $pos = strpos($line, '=');
	116	+ if ($pos === false) {
	117	+ continue;
	118	+ }
	119	+
	120	+ $data[substr($line, 0, $pos)] = substr($line, $pos + 1);
	121	+ }
	122	+
	123	+ return $data;
	124	+ }
	125	+
	126	+ private function getYubikeyId($data)
	127	+ {
	128	+ return substr($data, 0, -32);
	129	+ }
	130	+
	131	+ private function verifyHmac($apiResponse, $apiKey)
	132	+ {
	133	+ ksort($apiResponse);
	134	+ $signature = $apiResponse['h'];
	135	+ unset($apiResponse['h']);
	136	+
	137	+ $data = array();
	138	+ foreach ($apiResponse as $key => $value) {
	139	+ $data[] = $key . "=" . $value;
	140	+ }
	141	+ $dataString = implode('&', $data);
	142	+
	143	+ $hmac = base64_encode(hash_hmac('sha1', $dataString, base64_decode($apiKey), true));
	144	+
	145	+ return $hmac === $signature;
	146	+ }
	147	+
	148	+ /**
	149	+ * @param $data
	150	+ *
	151	+ * @return bool
	152	+ */
	153	+ private function verifyToken($data)
	154	+ {
	155	+ $result = $this->httpHelper->get('https://api.yubico.com/wsapi/2.0/verify', array(
	156	+ 'id' => $this->configuration->getYubicoApiId(),
	157	+ 'otp' => $data,
	158	+ 'nonce' => md5(openssl_random_pseudo_bytes(64)),
	159	+ ));
	160	+
	161	+ $apiResponse = $this->parseYubicoApiResult($result);
	162	+
	163	+ if (!$this->verifyHmac($apiResponse, $this->configuration->getYubicoApiKey())) {
	164	+ return false;
	165	+ }
	166	+
	167	+ return $apiResponse['status'] == 'OK';
	168	+ }
169	169	}

		@@ -16,11 +16,6 @@ discard block
		block discarded – undo
16	16	use Waca\Pages\PageJobQueue;
17	17	use Waca\Pages\PageLog;
18	18	use Waca\Pages\PageMain;
19		-use Waca\Pages\RequestAction\PageCreateRequest;
20		-use Waca\Pages\UserAuth\PageChangePassword;
21		-use Waca\Pages\UserAuth\MultiFactor\PageMultiFactor;
22		-use Waca\Pages\UserAuth\PageOAuth;
23		-use Waca\Pages\UserAuth\PagePreferences;
24	19	use Waca\Pages\PageSearch;
25	20	use Waca\Pages\PageSiteNotice;
26	21	use Waca\Pages\PageTeam;
		@@ -30,6 +25,7 @@ discard block
		block discarded – undo
30	25	use Waca\Pages\RequestAction\PageBreakReservation;
31	26	use Waca\Pages\RequestAction\PageCloseRequest;
32	27	use Waca\Pages\RequestAction\PageComment;
	28	+use Waca\Pages\RequestAction\PageCreateRequest;
33	29	use Waca\Pages\RequestAction\PageCustomClose;
34	30	use Waca\Pages\RequestAction\PageDeferRequest;
35	31	use Waca\Pages\RequestAction\PageDropRequest;
		@@ -43,6 +39,10 @@ discard block
		block discarded – undo
43	39	use Waca\Pages\Statistics\StatsTemplateStats;
44	40	use Waca\Pages\Statistics\StatsTopCreators;
45	41	use Waca\Pages\Statistics\StatsUsers;
	42	+use Waca\Pages\UserAuth\MultiFactor\PageMultiFactor;
	43	+use Waca\Pages\UserAuth\PageChangePassword;
	44	+use Waca\Pages\UserAuth\PageOAuth;
	45	+use Waca\Pages\UserAuth\PagePreferences;
46	46
47	47	class RoleConfiguration
48	48	{

		@@ -200,24 +200,24 @@ discard block
		block discarded – undo
200	200
201	201	// request states
202	202	$availableRequestStates = array(
203		- 'Open' => array(
204		- 'defertolog' => 'users', // don't change or you'll break old logs
205		- 'deferto' => 'users',
206		- 'header' => 'Open requests',
207		- 'api' => "open",
208		- ),
209		- 'Flagged users' => array(
210		- 'defertolog' => 'flagged users', // don't change or you'll break old logs
211		- 'deferto' => 'flagged users',
212		- 'header' => 'Flagged user needed',
213		- 'api' => "admin",
214		- ),
215		- 'Checkuser' => array(
216		- 'defertolog' => 'checkusers', // don't change or you'll break old logs
217		- 'deferto' => 'checkusers',
218		- 'header' => 'Checkuser needed',
219		- 'api' => "checkuser",
220		- ),
	203	+ 'Open' => array(
	204	+ 'defertolog' => 'users', // don't change or you'll break old logs
	205	+ 'deferto' => 'users',
	206	+ 'header' => 'Open requests',
	207	+ 'api' => "open",
	208	+ ),
	209	+ 'Flagged users' => array(
	210	+ 'defertolog' => 'flagged users', // don't change or you'll break old logs
	211	+ 'deferto' => 'flagged users',
	212	+ 'header' => 'Flagged user needed',
	213	+ 'api' => "admin",
	214	+ ),
	215	+ 'Checkuser' => array(
	216	+ 'defertolog' => 'checkusers', // don't change or you'll break old logs
	217	+ 'deferto' => 'checkusers',
	218	+ 'header' => 'Checkuser needed',
	219	+ 'api' => "checkuser",
	220	+ ),
221	221	);
222	222
223	223	$defaultRequestStateKey = 'Open';
		@@ -264,21 +264,21 @@ discard block
		block discarded – undo
264	264	require_once('config.local.inc.php');
265	265
266	266	$cDatabaseConfig = array(
267		- "acc" => array(
268		- "dsrcname" => "mysql:host=" . $toolserver_host . ";dbname=" . $toolserver_database,
269		- "username" => $toolserver_username,
270		- "password" => $toolserver_password,
271		- ),
272		- "wikipedia" => array(
273		- "dsrcname" => "mysql:host=" . $antispoof_host . ";dbname=" . $antispoof_db,
274		- "username" => $toolserver_username,
275		- "password" => $toolserver_password,
276		- ),
277		- "notifications" => array(
278		- "dsrcname" => "mysql:host=" . $toolserver_notification_dbhost . ";dbname=" . $toolserver_notification_database,
279		- "username" => $notifications_username,
280		- "password" => $notifications_password,
281		- ),
	267	+ "acc" => array(
	268	+ "dsrcname" => "mysql:host=" . $toolserver_host . ";dbname=" . $toolserver_database,
	269	+ "username" => $toolserver_username,
	270	+ "password" => $toolserver_password,
	271	+ ),
	272	+ "wikipedia" => array(
	273	+ "dsrcname" => "mysql:host=" . $antispoof_host . ";dbname=" . $antispoof_db,
	274	+ "username" => $toolserver_username,
	275	+ "password" => $toolserver_password,
	276	+ ),
	277	+ "notifications" => array(
	278	+ "dsrcname" => "mysql:host=" . $toolserver_notification_dbhost . ";dbname=" . $toolserver_notification_database,
	279	+ "username" => $notifications_username,
	280	+ "password" => $notifications_password,
	281	+ ),
282	282	);
283	283
284	284	// //Keep the included files from being executed.
		@@ -290,18 +290,18 @@ discard block
		block discarded – undo
290	290	ini_set('user_agent', $toolUserAgent);
291	291
292	292	foreach (array(
293		- "mbstring", // unicode and stuff
294		- "pdo",
295		- "pdo_mysql", // new database module
296		- "session",
297		- "date",
298		- "pcre", // core stuff
299		- "curl", // mediawiki api access etc
300		- "openssl", // token generation
	293	+ "mbstring", // unicode and stuff
	294	+ "pdo",
	295	+ "pdo_mysql", // new database module
	296	+ "session",
	297	+ "date",
	298	+ "pcre", // core stuff
	299	+ "curl", // mediawiki api access etc
	300	+ "openssl", // token generation
301	301	) as $x) {
302		- if (!extension_loaded($x)) {
303		- die("extension $x is required.");
304		- }
	302	+ if (!extension_loaded($x)) {
	303	+ die("extension $x is required.");
	304	+ }
305	305	}
306	306
307	307	// Set up the AutoLoader
		@@ -328,39 +328,39 @@ discard block
		block discarded – undo
328	328	$siteConfiguration = new \Waca\SiteConfiguration();
329	329
330	330	$siteConfiguration->setBaseUrl($baseurl)
331		- ->setFilePath(__DIR__)
332		- ->setDebuggingTraceEnabled($enableErrorTrace)
333		- ->setForceIdentification($forceIdentification)
334		- ->setIdentificationCacheExpiry($identificationCacheExpiry)
335		- ->setMediawikiScriptPath($mediawikiScriptPath)
336		- ->setMediawikiWebServiceEndpoint($mediawikiWebServiceEndpoint)
337		- ->setMetaWikimediaWebServiceEndpoint($metaWikimediaWebServiceEndpoint)
338		- ->setEnforceOAuth($enforceOAuth)
339		- ->setEmailConfirmationEnabled($enableEmailConfirm == 1)
340		- ->setEmailConfirmationExpiryDays($emailConfirmationExpiryDays)
341		- ->setMiserModeLimit($requestLimitShowOnly)
342		- ->setRequestStates($availableRequestStates)
343		- ->setSquidList($squidIpList)
344		- ->setDefaultCreatedTemplateId($createdid)
345		- ->setDefaultRequestStateKey($defaultRequestStateKey)
346		- ->setUseStrictTransportSecurity($strictTransportSecurityExpiry)
347		- ->setUserAgent($toolUserAgent)
348		- ->setCurlDisableVerifyPeer($curlDisableSSLVerifyPeer)
349		- ->setUseOAuthSignup($useOauthSignup)
350		- ->setOAuthBaseUrl($oauthBaseUrl)
351		- ->setOAuthConsumerToken($oauthConsumerToken)
352		- ->setOAuthConsumerSecret($oauthSecretToken)
353		- ->setOauthMediaWikiCanonicalServer($oauthMediaWikiCanonicalServer)
354		- ->setDataClearInterval($dataclear_interval)
355		- ->setXffTrustedHostsFile($xff_trusted_hosts_file)
356		- ->setIrcNotificationsEnabled($ircBotNotificationsEnabled == 1)
357		- ->setIrcNotificationType($ircBotNotificationType)
358		- ->setIrcNotificationsInstance($whichami)
359		- ->setTitleBlacklistEnabled($enableTitleblacklist == 1)
360		- ->setTorExitPaths(array_merge(gethostbynamel('en.wikipedia.org'), gethostbynamel('accounts.wmflabs.org')))
361		- ->setCreationBotUsername($creationBotUsername)
362		- ->setCreationBotPassword($creationBotPassword)
363		- ->setCurlCookieJar($curlCookieJar)
364		- ->setYubicoApiId($yubicoApiId)
365		- ->setYubicoApiKey($yubicoApiKey)
366		- ->setTotpEncryptionKey($totpEncryptionKey);
	331	+ ->setFilePath(__DIR__)
	332	+ ->setDebuggingTraceEnabled($enableErrorTrace)
	333	+ ->setForceIdentification($forceIdentification)
	334	+ ->setIdentificationCacheExpiry($identificationCacheExpiry)
	335	+ ->setMediawikiScriptPath($mediawikiScriptPath)
	336	+ ->setMediawikiWebServiceEndpoint($mediawikiWebServiceEndpoint)
	337	+ ->setMetaWikimediaWebServiceEndpoint($metaWikimediaWebServiceEndpoint)
	338	+ ->setEnforceOAuth($enforceOAuth)
	339	+ ->setEmailConfirmationEnabled($enableEmailConfirm == 1)
	340	+ ->setEmailConfirmationExpiryDays($emailConfirmationExpiryDays)
	341	+ ->setMiserModeLimit($requestLimitShowOnly)
	342	+ ->setRequestStates($availableRequestStates)
	343	+ ->setSquidList($squidIpList)
	344	+ ->setDefaultCreatedTemplateId($createdid)
	345	+ ->setDefaultRequestStateKey($defaultRequestStateKey)
	346	+ ->setUseStrictTransportSecurity($strictTransportSecurityExpiry)
	347	+ ->setUserAgent($toolUserAgent)
	348	+ ->setCurlDisableVerifyPeer($curlDisableSSLVerifyPeer)
	349	+ ->setUseOAuthSignup($useOauthSignup)
	350	+ ->setOAuthBaseUrl($oauthBaseUrl)
	351	+ ->setOAuthConsumerToken($oauthConsumerToken)
	352	+ ->setOAuthConsumerSecret($oauthSecretToken)
	353	+ ->setOauthMediaWikiCanonicalServer($oauthMediaWikiCanonicalServer)
	354	+ ->setDataClearInterval($dataclear_interval)
	355	+ ->setXffTrustedHostsFile($xff_trusted_hosts_file)
	356	+ ->setIrcNotificationsEnabled($ircBotNotificationsEnabled == 1)
	357	+ ->setIrcNotificationType($ircBotNotificationType)
	358	+ ->setIrcNotificationsInstance($whichami)
	359	+ ->setTitleBlacklistEnabled($enableTitleblacklist == 1)
	360	+ ->setTorExitPaths(array_merge(gethostbynamel('en.wikipedia.org'), gethostbynamel('accounts.wmflabs.org')))
	361	+ ->setCreationBotUsername($creationBotUsername)
	362	+ ->setCreationBotPassword($creationBotPassword)
	363	+ ->setCurlCookieJar($curlCookieJar)
	364	+ ->setYubicoApiId($yubicoApiId)
	365	+ ->setYubicoApiKey($yubicoApiKey)
	366	+ ->setTotpEncryptionKey($totpEncryptionKey);

		@@ -229,7 +229,8 @@ discard block
		block discarded – undo
229	229	$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
230	230	}
231	231
232		- protected function enableU2F() {
	232	+ protected function enableU2F()
	233	+ {
233	234	$database = $this->getDatabase();
234	235	$currentUser = User::getCurrent($database);
235	236
		@@ -336,7 +337,8 @@ discard block
		block discarded – undo
336	337	}
337	338	}
338	339
339		- protected function disableU2F() {
	340	+ protected function disableU2F()
	341	+ {
340	342	$database = $this->getDatabase();
341	343	$currentUser = User::getCurrent($database);
342	344

		@@ -17,90 +17,90 @@
		block discarded – undo
17	17
18	18	class PageOAuthCallback extends InternalPageBase
19	19	{
20		- /**
21		- * @return bool
22		- */
23		- protected function isProtectedPage()
24		- {
25		- // This page is critical to ensuring OAuth functionality is operational.
26		- return false;
27		- }
	20	+ /**
	21	+ * @return bool
	22	+ */
	23	+ protected function isProtectedPage()
	24	+ {
	25	+ // This page is critical to ensuring OAuth functionality is operational.
	26	+ return false;
	27	+ }
28	28
29		- /**
30		- * Main function for this page, when no specific actions are called.
31		- * @return void
32		- */
33		- protected function main()
34		- {
35		- // This should never get hit except by URL manipulation.
36		- $this->redirect('');
37		- }
	29	+ /**
	30	+ * Main function for this page, when no specific actions are called.
	31	+ * @return void
	32	+ */
	33	+ protected function main()
	34	+ {
	35	+ // This should never get hit except by URL manipulation.
	36	+ $this->redirect('');
	37	+ }
38	38
39		- /**
40		- * Registered endpoint for the account creation callback.
41		- *
42		- * If this ever gets hit, something is wrong somewhere.
43		- */
44		- protected function create()
45		- {
46		- throw new Exception('OAuth account creation endpoint triggered.');
47		- }
	39	+ /**
	40	+ * Registered endpoint for the account creation callback.
	41	+ *
	42	+ * If this ever gets hit, something is wrong somewhere.
	43	+ */
	44	+ protected function create()
	45	+ {
	46	+ throw new Exception('OAuth account creation endpoint triggered.');
	47	+ }
48	48
49		- /**
50		- * Callback entry point
51		- */
52		- protected function authorise()
53		- {
54		- $oauthToken = WebRequest::getString('oauth_token');
55		- $oauthVerifier = WebRequest::getString('oauth_verifier');
	49	+ /**
	50	+ * Callback entry point
	51	+ */
	52	+ protected function authorise()
	53	+ {
	54	+ $oauthToken = WebRequest::getString('oauth_token');
	55	+ $oauthVerifier = WebRequest::getString('oauth_verifier');
56	56
57		- $this->doCallbackValidation($oauthToken, $oauthVerifier);
	57	+ $this->doCallbackValidation($oauthToken, $oauthVerifier);
58	58
59		- $database = $this->getDatabase();
	59	+ $database = $this->getDatabase();
60	60
61		- $user = OAuthUserHelper::findUserByRequestToken($oauthToken, $database);
62		- $oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
	61	+ $user = OAuthUserHelper::findUserByRequestToken($oauthToken, $database);
	62	+ $oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
63	63
64		- try {
65		- $oauth->completeHandshake($oauthVerifier);
66		- }
67		- catch (CurlException $ex) {
68		- throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
69		- }
	64	+ try {
	65	+ $oauth->completeHandshake($oauthVerifier);
	66	+ }
	67	+ catch (CurlException $ex) {
	68	+ throw new ApplicationLogicException($ex->getMessage(), 0, $ex);
	69	+ }
70	70
71		- // OK, we're the same session that just did a partial login that was redirected to OAuth. Let's upgrade the
72		- // login to a full login
73		- if (WebRequest::getOAuthPartialLogin() === $user->getId()) {
74		- WebRequest::setLoggedInUser($user);
75		- }
	71	+ // OK, we're the same session that just did a partial login that was redirected to OAuth. Let's upgrade the
	72	+ // login to a full login
	73	+ if (WebRequest::getOAuthPartialLogin() === $user->getId()) {
	74	+ WebRequest::setLoggedInUser($user);
	75	+ }
76	76
77		- // My thinking is there are three cases here:
78		- // a) new user => redirect to prefs - it's the only thing they can access other than stats
79		- // b) existing user hit the connect button in prefs => redirect to prefs since it's where they were
80		- // c) existing user logging in => redirect to wherever they came from
81		- $redirectDestination = WebRequest::clearPostLoginRedirect();
82		- if ($redirectDestination !== null && !$user->isNewUser()) {
83		- $this->redirectUrl($redirectDestination);
84		- }
85		- else {
86		- $this->redirect('preferences', null, null, 'internal.php');
87		- }
88		- }
	77	+ // My thinking is there are three cases here:
	78	+ // a) new user => redirect to prefs - it's the only thing they can access other than stats
	79	+ // b) existing user hit the connect button in prefs => redirect to prefs since it's where they were
	80	+ // c) existing user logging in => redirect to wherever they came from
	81	+ $redirectDestination = WebRequest::clearPostLoginRedirect();
	82	+ if ($redirectDestination !== null && !$user->isNewUser()) {
	83	+ $this->redirectUrl($redirectDestination);
	84	+ }
	85	+ else {
	86	+ $this->redirect('preferences', null, null, 'internal.php');
	87	+ }
	88	+ }
89	89
90		- /**
91		- * @param string $oauthToken
92		- * @param string $oauthVerifier
93		- *
94		- * @throws ApplicationLogicException
95		- */
96		- private function doCallbackValidation($oauthToken, $oauthVerifier)
97		- {
98		- if ($oauthToken === null) {
99		- throw new ApplicationLogicException('No token provided');
100		- }
	90	+ /**
	91	+ * @param string $oauthToken
	92	+ * @param string $oauthVerifier
	93	+ *
	94	+ * @throws ApplicationLogicException
	95	+ */
	96	+ private function doCallbackValidation($oauthToken, $oauthVerifier)
	97	+ {
	98	+ if ($oauthToken === null) {
	99	+ throw new ApplicationLogicException('No token provided');
	100	+ }
101	101
102		- if ($oauthVerifier === null) {
103		- throw new ApplicationLogicException('No oauth verifier provided.');
104		- }
105		- }
	102	+ if ($oauthVerifier === null) {
	103	+ throw new ApplicationLogicException('No oauth verifier provided.');
	104	+ }
	105	+ }
106	106	}
107	107	\ No newline at end of file

		@@ -13,31 +13,31 @@
		block discarded – undo
13	13
14	14	class PagePasswordLogin extends LoginCredentialPageBase
15	15	{
16		- protected function providerSpecificSetup()
17		- {
18		- list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
19		-
20		- if($partialId !== null && $partialStage > 1) {
21		- $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
22		- $statement = $this->getDatabase()->prepare($sql);
23		- $statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
24		- $nextStage = $statement->fetchColumn();
25		- $statement->closeCursor();
26		-
27		- $this->redirect("login/" . $this->nextPageMap[$nextStage]);
28		- return;
29		- }
30		-
31		- $this->setTemplate('login/password.tpl');
32		- }
33		-
34		- protected function getProviderCredentials()
35		- {
36		- $password = WebRequest::postString("password");
37		- if ($password === null \|\| $password === "") {
38		- throw new ApplicationLogicException("No password specified");
39		- }
40		-
41		- return $password;
42		- }
	16	+ protected function providerSpecificSetup()
	17	+ {
	18	+ list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
	19	+
	20	+ if($partialId !== null && $partialStage > 1) {
	21	+ $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
	22	+ $statement = $this->getDatabase()->prepare($sql);
	23	+ $statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
	24	+ $nextStage = $statement->fetchColumn();
	25	+ $statement->closeCursor();
	26	+
	27	+ $this->redirect("login/" . $this->nextPageMap[$nextStage]);
	28	+ return;
	29	+ }
	30	+
	31	+ $this->setTemplate('login/password.tpl');
	32	+ }
	33	+
	34	+ protected function getProviderCredentials()
	35	+ {
	36	+ $password = WebRequest::postString("password");
	37	+ if ($password === null \|\| $password === "") {
	38	+ throw new ApplicationLogicException("No password specified");
	39	+ }
	40	+
	41	+ return $password;
	42	+ }
43	43	}
44	44	\ No newline at end of file

		@@ -17,14 +17,14 @@
		block discarded – undo
17	17	{
18	18	list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
19	19
20		- if($partialId !== null && $partialStage > 1) {
	20	+ if ($partialId !== null && $partialStage > 1) {
21	21	$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
22	22	$statement = $this->getDatabase()->prepare($sql);
23	23	$statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
24	24	$nextStage = $statement->fetchColumn();
25	25	$statement->closeCursor();
26	26
27		- $this->redirect("login/" . $this->nextPageMap[$nextStage]);
	27	+ $this->redirect("login/".$this->nextPageMap[$nextStage]);
28	28	return;
29	29	}
30	30

		@@ -14,20 +14,20 @@ discard block
		block discarded – undo
14	14
15	15	class PageU2FLogin extends LoginCredentialPageBase
16	16	{
17		- protected function providerSpecificSetup()
18		- {
19		- $this->assign('showSignIn', false);
20		- $this->setTemplate('login/u2f.tpl');
	17	+ protected function providerSpecificSetup()
	18	+ {
	19	+ $this->assign('showSignIn', false);
	20	+ $this->setTemplate('login/u2f.tpl');
21	21
22		- if ($this->partialUser === null) {
23		- throw new ApplicationLogicException("U2F cannot be first-stage authentication");
24		- }
	22	+ if ($this->partialUser === null) {
	23	+ throw new ApplicationLogicException("U2F cannot be first-stage authentication");
	24	+ }
25	25
26		- $u2f = new U2FCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
27		- $authData = json_encode($u2f->getAuthenticationData($this->partialUser));
	26	+ $u2f = new U2FCredentialProvider($this->getDatabase(), $this->getSiteConfiguration());
	27	+ $authData = json_encode($u2f->getAuthenticationData($this->partialUser));
28	28
29		- $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
30		- $this->setTailScript(<<<JS
	29	+ $this->addJs('/vendor/yubico/u2flib-server/examples/assets/u2f-api.js');
	30	+ $this->setTailScript(<<<JS
31	31	var request = ${authData};
32	32	console.log("starting sign");
33	33	u2f.sign(request, function(data) {
		@@ -44,19 +44,19 @@ discard block
		block discarded – undo
44	44	form.submit();
45	45	});
46	46	JS
47		- );
	47	+ );
48	48
49		- }
	49	+ }
50	50
51		- protected function getProviderCredentials()
52		- {
53		- $authenticate = WebRequest::postString("authenticate");
54		- $request = WebRequest::postString("request");
	51	+ protected function getProviderCredentials()
	52	+ {
	53	+ $authenticate = WebRequest::postString("authenticate");
	54	+ $request = WebRequest::postString("request");
55	55
56		- if ($authenticate === null \|\| $authenticate === "" \|\| $request === null \|\| $request === "") {
57		- throw new ApplicationLogicException("No authentication specified");
58		- }
	56	+ if ($authenticate === null \|\| $authenticate === "" \|\| $request === null \|\| $request === "") {
	57	+ throw new ApplicationLogicException("No authentication specified");
	58	+ }
59	59
60		- return array(json_decode($authenticate), json_decode($request), 'u2f');
61		- }
	60	+ return array(json_decode($authenticate), json_decode($request), 'u2f');
	61	+ }
62	62	}
63	63	\ No newline at end of file

		@@ -13,18 +13,18 @@
		block discarded – undo
13	13
14	14	class PageOtpLogin extends LoginCredentialPageBase
15	15	{
16		- protected function providerSpecificSetup()
17		- {
18		- $this->setTemplate('login/otp.tpl');
19		- }
	16	+ protected function providerSpecificSetup()
	17	+ {
	18	+ $this->setTemplate('login/otp.tpl');
	19	+ }
20	20
21		- protected function getProviderCredentials()
22		- {
23		- $otp = WebRequest::postString("otp");
24		- if ($otp === null \|\| $otp === "") {
25		- throw new ApplicationLogicException("No one-time code specified");
26		- }
	21	+ protected function getProviderCredentials()
	22	+ {
	23	+ $otp = WebRequest::postString("otp");
	24	+ if ($otp === null \|\| $otp === "") {
	25	+ throw new ApplicationLogicException("No one-time code specified");
	26	+ }
27	27
28		- return $otp;
29		- }
	28	+ return $otp;
	29	+ }
30	30	}
31	31	\ No newline at end of file

enwikipedia-acc / waca

Push — newinternal ( b66232...216d62 )

Status

Category

Doc Comments +5 added lines, -2 removed lines patch added patch discarded remove patch

Indentation +150 added lines, -150 removed lines patch added patch discarded remove patch

Spacing +1 added lines, -1 removed lines patch added patch discarded remove patch

Unused Use Statements +5 added lines, -5 removed lines patch added patch discarded remove patch

Indentation +344 added lines, -344 removed lines patch added patch discarded remove patch

Doc Comments +4 added lines patch added patch discarded remove patch

Indentation +556 added lines, -556 removed lines patch added patch discarded remove patch

Indentation +80 added lines, -80 removed lines patch added patch discarded remove patch

Spacing +9 added lines, -9 removed lines patch added patch discarded remove patch

Braces +4 added lines, -2 removed lines patch added patch discarded remove patch

Indentation +372 added lines, -372 removed lines patch added patch discarded remove patch

Spacing +7 added lines, -7 removed lines patch added patch discarded remove patch

Indentation +75 added lines, -75 removed lines patch added patch discarded remove patch

Indentation +27 added lines, -27 removed lines patch added patch discarded remove patch

Spacing +2 added lines, -2 removed lines patch added patch discarded remove patch

Indentation +22 added lines, -22 removed lines patch added patch discarded remove patch

Indentation +12 added lines, -12 removed lines patch added patch discarded remove patch