enwikipedia-acc /
waca
@@ -11,9 +11,7 @@ |
||
| 11 | 11 | use Waca\DataObjects\Log; |
| 12 | 12 | use Waca\DataObjects\User; |
| 13 | 13 | use Waca\Fragments\NavigationMenuAccessControl; |
| 14 | -use Waca\Helpers\HttpHelper; |
|
| 15 | 14 | use Waca\Helpers\SearchHelpers\LogSearchHelper; |
| 16 | -use Waca\IdentificationVerifier; |
|
| 17 | 15 | use Waca\PdoDatabase; |
| 18 | 16 | use Waca\Security\SecurityManager; |
| 19 | 17 | |
@@ -26,89 +26,89 @@ |
||
| 26 | 26 | */ |
| 27 | 27 | class AccessDeniedException extends ReadableException |
| 28 | 28 | { |
| 29 | - use NavigationMenuAccessControl; |
|
| 30 | - |
|
| 31 | - /** |
|
| 32 | - * @var SecurityManager |
|
| 33 | - */ |
|
| 34 | - private $securityManager; |
|
| 35 | - |
|
| 36 | - /** |
|
| 37 | - * AccessDeniedException constructor. |
|
| 38 | - * |
|
| 39 | - * @param SecurityManager $securityManager |
|
| 40 | - */ |
|
| 41 | - public function __construct(SecurityManager $securityManager = null) |
|
| 42 | - { |
|
| 43 | - $this->securityManager = $securityManager; |
|
| 44 | - } |
|
| 45 | - |
|
| 46 | - public function getReadableError() |
|
| 47 | - { |
|
| 48 | - if (!headers_sent()) { |
|
| 49 | - header("HTTP/1.1 403 Forbidden"); |
|
| 50 | - } |
|
| 51 | - |
|
| 52 | - $this->setUpSmarty(); |
|
| 53 | - |
|
| 54 | - // uck. We should still be able to access the database in this situation though. |
|
| 55 | - $database = PdoDatabase::getDatabaseConnection('acc'); |
|
| 56 | - $currentUser = User::getCurrent($database); |
|
| 57 | - $this->assign('currentUser', $currentUser); |
|
| 58 | - $this->assign("loggedIn", (!$currentUser->isCommunityUser())); |
|
| 59 | - |
|
| 60 | - if($this->securityManager !== null) { |
|
| 61 | - $this->setupNavMenuAccess($currentUser); |
|
| 62 | - } |
|
| 63 | - |
|
| 64 | - if ($currentUser->isDeclined()) { |
|
| 65 | - $this->assign('htmlTitle', 'Account Declined'); |
|
| 66 | - $this->assign('declineReason', $this->getLogEntry('Declined', $currentUser, $database)); |
|
| 67 | - |
|
| 68 | - return $this->fetchTemplate("exception/account-declined.tpl"); |
|
| 69 | - } |
|
| 70 | - |
|
| 71 | - if ($currentUser->isSuspended()) { |
|
| 72 | - $this->assign('htmlTitle', 'Account Suspended'); |
|
| 73 | - $this->assign('suspendReason', $this->getLogEntry('Suspended', $currentUser, $database)); |
|
| 74 | - |
|
| 75 | - return $this->fetchTemplate("exception/account-suspended.tpl"); |
|
| 76 | - } |
|
| 77 | - |
|
| 78 | - if ($currentUser->isNewUser()) { |
|
| 79 | - $this->assign('htmlTitle', 'Account Pending'); |
|
| 80 | - |
|
| 81 | - return $this->fetchTemplate("exception/account-new.tpl"); |
|
| 82 | - } |
|
| 83 | - |
|
| 84 | - return $this->fetchTemplate("exception/access-denied.tpl"); |
|
| 85 | - } |
|
| 86 | - |
|
| 87 | - /** |
|
| 88 | - * @param string $action |
|
| 89 | - * @param User $user |
|
| 90 | - * @param PdoDatabase $database |
|
| 91 | - * |
|
| 92 | - * @return null|string |
|
| 93 | - */ |
|
| 94 | - private function getLogEntry($action, User $user, PdoDatabase $database) |
|
| 95 | - { |
|
| 96 | - /** @var Log[] $logs */ |
|
| 97 | - $logs = LogSearchHelper::get($database) |
|
| 98 | - ->byAction($action) |
|
| 99 | - ->byObjectType('User') |
|
| 100 | - ->byObjectId($user->getId()) |
|
| 101 | - ->limit(1) |
|
| 102 | - ->fetch(); |
|
| 103 | - |
|
| 104 | - return $logs[0]->getComment(); |
|
| 105 | - } |
|
| 106 | - |
|
| 107 | - /** |
|
| 108 | - * @return SecurityManager |
|
| 109 | - */ |
|
| 110 | - protected function getSecurityManager() |
|
| 111 | - { |
|
| 112 | - return $this->securityManager; |
|
| 113 | - } |
|
| 29 | + use NavigationMenuAccessControl; |
|
| 30 | + |
|
| 31 | + /** |
|
| 32 | + * @var SecurityManager |
|
| 33 | + */ |
|
| 34 | + private $securityManager; |
|
| 35 | + |
|
| 36 | + /** |
|
| 37 | + * AccessDeniedException constructor. |
|
| 38 | + * |
|
| 39 | + * @param SecurityManager $securityManager |
|
| 40 | + */ |
|
| 41 | + public function __construct(SecurityManager $securityManager = null) |
|
| 42 | + { |
|
| 43 | + $this->securityManager = $securityManager; |
|
| 44 | + } |
|
| 45 | + |
|
| 46 | + public function getReadableError() |
|
| 47 | + { |
|
| 48 | + if (!headers_sent()) { |
|
| 49 | + header("HTTP/1.1 403 Forbidden"); |
|
| 50 | + } |
|
| 51 | + |
|
| 52 | + $this->setUpSmarty(); |
|
| 53 | + |
|
| 54 | + // uck. We should still be able to access the database in this situation though. |
|
| 55 | + $database = PdoDatabase::getDatabaseConnection('acc'); |
|
| 56 | + $currentUser = User::getCurrent($database); |
|
| 57 | + $this->assign('currentUser', $currentUser); |
|
| 58 | + $this->assign("loggedIn", (!$currentUser->isCommunityUser())); |
|
| 59 | + |
|
| 60 | + if($this->securityManager !== null) { |
|
| 61 | + $this->setupNavMenuAccess($currentUser); |
|
| 62 | + } |
|
| 63 | + |
|
| 64 | + if ($currentUser->isDeclined()) { |
|
| 65 | + $this->assign('htmlTitle', 'Account Declined'); |
|
| 66 | + $this->assign('declineReason', $this->getLogEntry('Declined', $currentUser, $database)); |
|
| 67 | + |
|
| 68 | + return $this->fetchTemplate("exception/account-declined.tpl"); |
|
| 69 | + } |
|
| 70 | + |
|
| 71 | + if ($currentUser->isSuspended()) { |
|
| 72 | + $this->assign('htmlTitle', 'Account Suspended'); |
|
| 73 | + $this->assign('suspendReason', $this->getLogEntry('Suspended', $currentUser, $database)); |
|
| 74 | + |
|
| 75 | + return $this->fetchTemplate("exception/account-suspended.tpl"); |
|
| 76 | + } |
|
| 77 | + |
|
| 78 | + if ($currentUser->isNewUser()) { |
|
| 79 | + $this->assign('htmlTitle', 'Account Pending'); |
|
| 80 | + |
|
| 81 | + return $this->fetchTemplate("exception/account-new.tpl"); |
|
| 82 | + } |
|
| 83 | + |
|
| 84 | + return $this->fetchTemplate("exception/access-denied.tpl"); |
|
| 85 | + } |
|
| 86 | + |
|
| 87 | + /** |
|
| 88 | + * @param string $action |
|
| 89 | + * @param User $user |
|
| 90 | + * @param PdoDatabase $database |
|
| 91 | + * |
|
| 92 | + * @return null|string |
|
| 93 | + */ |
|
| 94 | + private function getLogEntry($action, User $user, PdoDatabase $database) |
|
| 95 | + { |
|
| 96 | + /** @var Log[] $logs */ |
|
| 97 | + $logs = LogSearchHelper::get($database) |
|
| 98 | + ->byAction($action) |
|
| 99 | + ->byObjectType('User') |
|
| 100 | + ->byObjectId($user->getId()) |
|
| 101 | + ->limit(1) |
|
| 102 | + ->fetch(); |
|
| 103 | + |
|
| 104 | + return $logs[0]->getComment(); |
|
| 105 | + } |
|
| 106 | + |
|
| 107 | + /** |
|
| 108 | + * @return SecurityManager |
|
| 109 | + */ |
|
| 110 | + protected function getSecurityManager() |
|
| 111 | + { |
|
| 112 | + return $this->securityManager; |
|
| 113 | + } |
|
| 114 | 114 | } |
| 115 | 115 | \ No newline at end of file |
@@ -57,7 +57,7 @@ |
||
| 57 | 57 | $this->assign('currentUser', $currentUser); |
| 58 | 58 | $this->assign("loggedIn", (!$currentUser->isCommunityUser())); |
| 59 | 59 | |
| 60 | - if($this->securityManager !== null) { |
|
| 60 | + if ($this->securityManager !== null) { |
|
| 61 | 61 | $this->setupNavMenuAccess($currentUser); |
| 62 | 62 | } |
| 63 | 63 | |
@@ -24,6 +24,10 @@ discard block |
||
| 24 | 24 | |
| 25 | 25 | trait NavigationMenuAccessControl |
| 26 | 26 | { |
| 27 | + /** |
|
| 28 | + * @param string $name |
|
| 29 | + * @param boolean $value |
|
| 30 | + */ |
|
| 27 | 31 | protected abstract function assign($name, $value); |
| 28 | 32 | |
| 29 | 33 | /** |
@@ -32,7 +36,7 @@ discard block |
||
| 32 | 36 | protected abstract function getSecurityManager(); |
| 33 | 37 | |
| 34 | 38 | /** |
| 35 | - * @param $currentUser |
|
| 39 | + * @param \Waca\DataObjects\User $currentUser |
|
| 36 | 40 | */ |
| 37 | 41 | protected function setupNavMenuAccess($currentUser) |
| 38 | 42 | { |
@@ -24,45 +24,45 @@ |
||
| 24 | 24 | |
| 25 | 25 | trait NavigationMenuAccessControl |
| 26 | 26 | { |
| 27 | - protected abstract function assign($name, $value); |
|
| 27 | + protected abstract function assign($name, $value); |
|
| 28 | 28 | |
| 29 | - /** |
|
| 30 | - * @return SecurityManager |
|
| 31 | - */ |
|
| 32 | - protected abstract function getSecurityManager(); |
|
| 29 | + /** |
|
| 30 | + * @return SecurityManager |
|
| 31 | + */ |
|
| 32 | + protected abstract function getSecurityManager(); |
|
| 33 | 33 | |
| 34 | - /** |
|
| 35 | - * @param $currentUser |
|
| 36 | - */ |
|
| 37 | - protected function setupNavMenuAccess($currentUser) |
|
| 38 | - { |
|
| 39 | - $this->assign('nav__canRequests', $this->getSecurityManager() |
|
| 40 | - ->allows(PageMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 34 | + /** |
|
| 35 | + * @param $currentUser |
|
| 36 | + */ |
|
| 37 | + protected function setupNavMenuAccess($currentUser) |
|
| 38 | + { |
|
| 39 | + $this->assign('nav__canRequests', $this->getSecurityManager() |
|
| 40 | + ->allows(PageMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 41 | 41 | |
| 42 | - $this->assign('nav__canLogs', $this->getSecurityManager() |
|
| 43 | - ->allows(PageLog::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 44 | - $this->assign('nav__canUsers', $this->getSecurityManager() |
|
| 45 | - ->allows(StatsUsers::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 46 | - $this->assign('nav__canSearch', $this->getSecurityManager() |
|
| 47 | - ->allows(PageSearch::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 48 | - $this->assign('nav__canStats', $this->getSecurityManager() |
|
| 49 | - ->allows(StatsMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 42 | + $this->assign('nav__canLogs', $this->getSecurityManager() |
|
| 43 | + ->allows(PageLog::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 44 | + $this->assign('nav__canUsers', $this->getSecurityManager() |
|
| 45 | + ->allows(StatsUsers::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 46 | + $this->assign('nav__canSearch', $this->getSecurityManager() |
|
| 47 | + ->allows(PageSearch::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 48 | + $this->assign('nav__canStats', $this->getSecurityManager() |
|
| 49 | + ->allows(StatsMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 50 | 50 | |
| 51 | - $this->assign('nav__canBan', $this->getSecurityManager() |
|
| 52 | - ->allows(PageBan::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 53 | - $this->assign('nav__canEmailMgmt', $this->getSecurityManager() |
|
| 54 | - ->allows(PageEmailManagement::class, RoleConfiguration::MAIN, |
|
| 55 | - $currentUser) === SecurityManager::ALLOWED); |
|
| 56 | - $this->assign('nav__canWelcomeMgmt', $this->getSecurityManager() |
|
| 57 | - ->allows(PageWelcomeTemplateManagement::class, RoleConfiguration::MAIN, |
|
| 58 | - $currentUser) === SecurityManager::ALLOWED); |
|
| 59 | - $this->assign('nav__canSiteNoticeMgmt', $this->getSecurityManager() |
|
| 60 | - ->allows(PageSiteNotice::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 61 | - $this->assign('nav__canUserMgmt', $this->getSecurityManager() |
|
| 62 | - ->allows(PageUserManagement::class, RoleConfiguration::MAIN, |
|
| 63 | - $currentUser) === SecurityManager::ALLOWED); |
|
| 51 | + $this->assign('nav__canBan', $this->getSecurityManager() |
|
| 52 | + ->allows(PageBan::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 53 | + $this->assign('nav__canEmailMgmt', $this->getSecurityManager() |
|
| 54 | + ->allows(PageEmailManagement::class, RoleConfiguration::MAIN, |
|
| 55 | + $currentUser) === SecurityManager::ALLOWED); |
|
| 56 | + $this->assign('nav__canWelcomeMgmt', $this->getSecurityManager() |
|
| 57 | + ->allows(PageWelcomeTemplateManagement::class, RoleConfiguration::MAIN, |
|
| 58 | + $currentUser) === SecurityManager::ALLOWED); |
|
| 59 | + $this->assign('nav__canSiteNoticeMgmt', $this->getSecurityManager() |
|
| 60 | + ->allows(PageSiteNotice::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 61 | + $this->assign('nav__canUserMgmt', $this->getSecurityManager() |
|
| 62 | + ->allows(PageUserManagement::class, RoleConfiguration::MAIN, |
|
| 63 | + $currentUser) === SecurityManager::ALLOWED); |
|
| 64 | 64 | |
| 65 | - $this->assign('nav__canViewRequest', $this->getSecurityManager() |
|
| 66 | - ->allows(PageViewRequest::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 67 | - } |
|
| 65 | + $this->assign('nav__canViewRequest', $this->getSecurityManager() |
|
| 66 | + ->allows(PageViewRequest::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED); |
|
| 67 | + } |
|
| 68 | 68 | } |
| 69 | 69 | \ No newline at end of file |
@@ -44,6 +44,9 @@ discard block |
||
| 44 | 44 | } |
| 45 | 45 | } |
| 46 | 46 | |
| 47 | + /** |
|
| 48 | + * @return string |
|
| 49 | + */ |
|
| 47 | 50 | protected abstract function getRegistrationTemplate(); |
| 48 | 51 | |
| 49 | 52 | protected function isProtectedPage() |
@@ -70,12 +73,12 @@ discard block |
||
| 70 | 73 | } |
| 71 | 74 | |
| 72 | 75 | /** |
| 73 | - * @param $emailAddress |
|
| 74 | - * @param $password |
|
| 75 | - * @param $username |
|
| 76 | + * @param null|string $emailAddress |
|
| 77 | + * @param null|string $password |
|
| 78 | + * @param null|string $username |
|
| 76 | 79 | * @param $useOAuthSignup |
| 77 | - * @param $confirmationId |
|
| 78 | - * @param $onwikiUsername |
|
| 80 | + * @param null|integer $confirmationId |
|
| 81 | + * @param null|string $onwikiUsername |
|
| 79 | 82 | * |
| 80 | 83 | * @throws ApplicationLogicException |
| 81 | 84 | */ |
@@ -18,202 +18,202 @@ |
||
| 18 | 18 | |
| 19 | 19 | abstract class PageRegisterBase extends InternalPageBase |
| 20 | 20 | { |
| 21 | - /** |
|
| 22 | - * Main function for this page, when no specific actions are called. |
|
| 23 | - */ |
|
| 24 | - protected function main() |
|
| 25 | - { |
|
| 26 | - $useOAuthSignup = $this->getSiteConfiguration()->getUseOAuthSignup(); |
|
| 27 | - |
|
| 28 | - // Dual-mode page |
|
| 29 | - if (WebRequest::wasPosted()) { |
|
| 30 | - $this->validateCSRFToken(); |
|
| 31 | - |
|
| 32 | - try { |
|
| 33 | - $this->handlePost($useOAuthSignup); |
|
| 34 | - } |
|
| 35 | - catch (ApplicationLogicException $ex) { |
|
| 36 | - SessionAlert::error($ex->getMessage()); |
|
| 37 | - $this->redirect('register'); |
|
| 38 | - } |
|
| 39 | - } |
|
| 40 | - else { |
|
| 41 | - $this->assignCSRFToken(); |
|
| 42 | - $this->assign("useOAuthSignup", $useOAuthSignup); |
|
| 43 | - $this->setTemplate($this->getRegistrationTemplate()); |
|
| 44 | - } |
|
| 45 | - } |
|
| 46 | - |
|
| 47 | - protected abstract function getRegistrationTemplate(); |
|
| 48 | - |
|
| 49 | - protected function isProtectedPage() |
|
| 50 | - { |
|
| 51 | - return false; |
|
| 52 | - } |
|
| 53 | - |
|
| 54 | - /** |
|
| 55 | - * @param string $emailAddress |
|
| 56 | - * |
|
| 57 | - * @throws ApplicationLogicException |
|
| 58 | - */ |
|
| 59 | - protected function validateUniqueEmail($emailAddress) |
|
| 60 | - { |
|
| 61 | - $query = 'SELECT COUNT(id) FROM user WHERE email = :email'; |
|
| 62 | - $statement = $this->getDatabase()->prepare($query); |
|
| 63 | - $statement->execute(array(':email' => $emailAddress)); |
|
| 64 | - |
|
| 65 | - if ($statement->fetchColumn() > 0) { |
|
| 66 | - throw new ApplicationLogicException('That email address is already in use on this system.'); |
|
| 67 | - } |
|
| 68 | - |
|
| 69 | - $statement->closeCursor(); |
|
| 70 | - } |
|
| 71 | - |
|
| 72 | - /** |
|
| 73 | - * @param $emailAddress |
|
| 74 | - * @param $password |
|
| 75 | - * @param $username |
|
| 76 | - * @param $useOAuthSignup |
|
| 77 | - * @param $confirmationId |
|
| 78 | - * @param $onwikiUsername |
|
| 79 | - * |
|
| 80 | - * @throws ApplicationLogicException |
|
| 81 | - */ |
|
| 82 | - protected function validateRequest( |
|
| 83 | - $emailAddress, |
|
| 84 | - $password, |
|
| 85 | - $username, |
|
| 86 | - $useOAuthSignup, |
|
| 87 | - $confirmationId, |
|
| 88 | - $onwikiUsername |
|
| 89 | - ) { |
|
| 90 | - if (!WebRequest::postBoolean('guidelines')) { |
|
| 91 | - throw new ApplicationLogicException('You must read the interface guidelines before your request may be submitted.'); |
|
| 92 | - } |
|
| 93 | - |
|
| 94 | - $this->validateGeneralInformation($emailAddress, $password, $username); |
|
| 95 | - $this->validateUniqueEmail($emailAddress); |
|
| 96 | - $this->validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername); |
|
| 97 | - } |
|
| 98 | - |
|
| 99 | - /** |
|
| 100 | - * @param $useOAuthSignup |
|
| 101 | - * @param $confirmationId |
|
| 102 | - * @param $onwikiUsername |
|
| 103 | - * |
|
| 104 | - * @throws ApplicationLogicException |
|
| 105 | - */ |
|
| 106 | - protected function validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername) |
|
| 107 | - { |
|
| 108 | - if (!$useOAuthSignup) { |
|
| 109 | - if ($confirmationId === null || $confirmationId <= 0) { |
|
| 110 | - throw new ApplicationLogicException('Please enter the revision id of your confirmation edit.'); |
|
| 111 | - } |
|
| 112 | - |
|
| 113 | - if ($onwikiUsername === null) { |
|
| 114 | - throw new ApplicationLogicException('Please specify your on-wiki username.'); |
|
| 115 | - } |
|
| 116 | - } |
|
| 117 | - } |
|
| 118 | - |
|
| 119 | - /** |
|
| 120 | - * @param $emailAddress |
|
| 121 | - * @param $password |
|
| 122 | - * @param $username |
|
| 123 | - * |
|
| 124 | - * @throws ApplicationLogicException |
|
| 125 | - */ |
|
| 126 | - protected function validateGeneralInformation($emailAddress, $password, $username) |
|
| 127 | - { |
|
| 128 | - if ($emailAddress === null) { |
|
| 129 | - throw new ApplicationLogicException('Your email address appears to be invalid!'); |
|
| 130 | - } |
|
| 131 | - |
|
| 132 | - if ($password !== WebRequest::postString('pass2')) { |
|
| 133 | - throw new ApplicationLogicException('Your passwords did not match, please try again.'); |
|
| 134 | - } |
|
| 135 | - |
|
| 136 | - if (User::getByUsername($username, $this->getDatabase()) !== false) { |
|
| 137 | - throw new ApplicationLogicException('That username is already in use on this system.'); |
|
| 138 | - } |
|
| 139 | - } |
|
| 140 | - |
|
| 141 | - /** |
|
| 142 | - * @param $useOAuthSignup |
|
| 143 | - * |
|
| 144 | - * @throws ApplicationLogicException |
|
| 145 | - * @throws \Exception |
|
| 146 | - */ |
|
| 147 | - protected function handlePost($useOAuthSignup) |
|
| 148 | - { |
|
| 149 | - // Get the data |
|
| 150 | - $emailAddress = WebRequest::postEmail('email'); |
|
| 151 | - $password = WebRequest::postString('pass'); |
|
| 152 | - $username = WebRequest::postString('name'); |
|
| 153 | - |
|
| 154 | - // Only set if OAuth is disabled |
|
| 155 | - $confirmationId = WebRequest::postInt('conf_revid'); |
|
| 156 | - $onwikiUsername = WebRequest::postString('wname'); |
|
| 157 | - |
|
| 158 | - // Do some validation |
|
| 159 | - $this->validateRequest($emailAddress, $password, $username, $useOAuthSignup, $confirmationId, |
|
| 160 | - $onwikiUsername); |
|
| 161 | - |
|
| 162 | - $database = $this->getDatabase(); |
|
| 163 | - |
|
| 164 | - $user = new User(); |
|
| 165 | - $user->setDatabase($database); |
|
| 166 | - |
|
| 167 | - $user->setUsername($username); |
|
| 168 | - $user->setPassword($password); |
|
| 169 | - $user->setEmail($emailAddress); |
|
| 170 | - |
|
| 171 | - if (!$useOAuthSignup) { |
|
| 172 | - $user->setOnWikiName($onwikiUsername); |
|
| 173 | - $user->setConfirmationDiff($confirmationId); |
|
| 174 | - } |
|
| 175 | - |
|
| 176 | - $user->save(); |
|
| 177 | - |
|
| 178 | - $defaultRole = $this->getDefaultRole(); |
|
| 179 | - |
|
| 180 | - $role = new UserRole(); |
|
| 181 | - $role->setDatabase($database); |
|
| 182 | - $role->setUser($user->getId()); |
|
| 183 | - $role->setRole($defaultRole); |
|
| 184 | - $role->save(); |
|
| 185 | - |
|
| 186 | - // Log now to get the signup date. |
|
| 187 | - Logger::newUser($database, $user); |
|
| 188 | - Logger::userRolesEdited($database, $user, 'Registration', array($defaultRole), array()); |
|
| 189 | - |
|
| 190 | - if ($useOAuthSignup) { |
|
| 191 | - $oauthHelper = $this->getOAuthHelper(); |
|
| 192 | - |
|
| 193 | - $requestToken = $oauthHelper->getRequestToken(); |
|
| 194 | - $user->setOAuthRequestToken($requestToken->key); |
|
| 195 | - $user->setOAuthRequestSecret($requestToken->secret); |
|
| 196 | - $user->save(); |
|
| 197 | - |
|
| 198 | - WebRequest::setPartialLogin($user); |
|
| 199 | - |
|
| 200 | - $this->redirectUrl($oauthHelper->getAuthoriseUrl($requestToken->key)); |
|
| 201 | - } |
|
| 202 | - else { |
|
| 203 | - // only notify if we're not using the oauth signup. |
|
| 204 | - $this->getNotificationHelper()->userNew($user); |
|
| 205 | - WebRequest::setLoggedInUser($user); |
|
| 206 | - $this->redirect('preferences'); |
|
| 207 | - } |
|
| 208 | - } |
|
| 209 | - |
|
| 210 | - protected abstract function getDefaultRole(); |
|
| 211 | - |
|
| 212 | - /** |
|
| 213 | - * Entry point for registration complete |
|
| 214 | - */ |
|
| 215 | - protected function done() |
|
| 216 | - { |
|
| 217 | - $this->setTemplate('registration/alert-registrationcomplete.tpl'); |
|
| 218 | - } |
|
| 21 | + /** |
|
| 22 | + * Main function for this page, when no specific actions are called. |
|
| 23 | + */ |
|
| 24 | + protected function main() |
|
| 25 | + { |
|
| 26 | + $useOAuthSignup = $this->getSiteConfiguration()->getUseOAuthSignup(); |
|
| 27 | + |
|
| 28 | + // Dual-mode page |
|
| 29 | + if (WebRequest::wasPosted()) { |
|
| 30 | + $this->validateCSRFToken(); |
|
| 31 | + |
|
| 32 | + try { |
|
| 33 | + $this->handlePost($useOAuthSignup); |
|
| 34 | + } |
|
| 35 | + catch (ApplicationLogicException $ex) { |
|
| 36 | + SessionAlert::error($ex->getMessage()); |
|
| 37 | + $this->redirect('register'); |
|
| 38 | + } |
|
| 39 | + } |
|
| 40 | + else { |
|
| 41 | + $this->assignCSRFToken(); |
|
| 42 | + $this->assign("useOAuthSignup", $useOAuthSignup); |
|
| 43 | + $this->setTemplate($this->getRegistrationTemplate()); |
|
| 44 | + } |
|
| 45 | + } |
|
| 46 | + |
|
| 47 | + protected abstract function getRegistrationTemplate(); |
|
| 48 | + |
|
| 49 | + protected function isProtectedPage() |
|
| 50 | + { |
|
| 51 | + return false; |
|
| 52 | + } |
|
| 53 | + |
|
| 54 | + /** |
|
| 55 | + * @param string $emailAddress |
|
| 56 | + * |
|
| 57 | + * @throws ApplicationLogicException |
|
| 58 | + */ |
|
| 59 | + protected function validateUniqueEmail($emailAddress) |
|
| 60 | + { |
|
| 61 | + $query = 'SELECT COUNT(id) FROM user WHERE email = :email'; |
|
| 62 | + $statement = $this->getDatabase()->prepare($query); |
|
| 63 | + $statement->execute(array(':email' => $emailAddress)); |
|
| 64 | + |
|
| 65 | + if ($statement->fetchColumn() > 0) { |
|
| 66 | + throw new ApplicationLogicException('That email address is already in use on this system.'); |
|
| 67 | + } |
|
| 68 | + |
|
| 69 | + $statement->closeCursor(); |
|
| 70 | + } |
|
| 71 | + |
|
| 72 | + /** |
|
| 73 | + * @param $emailAddress |
|
| 74 | + * @param $password |
|
| 75 | + * @param $username |
|
| 76 | + * @param $useOAuthSignup |
|
| 77 | + * @param $confirmationId |
|
| 78 | + * @param $onwikiUsername |
|
| 79 | + * |
|
| 80 | + * @throws ApplicationLogicException |
|
| 81 | + */ |
|
| 82 | + protected function validateRequest( |
|
| 83 | + $emailAddress, |
|
| 84 | + $password, |
|
| 85 | + $username, |
|
| 86 | + $useOAuthSignup, |
|
| 87 | + $confirmationId, |
|
| 88 | + $onwikiUsername |
|
| 89 | + ) { |
|
| 90 | + if (!WebRequest::postBoolean('guidelines')) { |
|
| 91 | + throw new ApplicationLogicException('You must read the interface guidelines before your request may be submitted.'); |
|
| 92 | + } |
|
| 93 | + |
|
| 94 | + $this->validateGeneralInformation($emailAddress, $password, $username); |
|
| 95 | + $this->validateUniqueEmail($emailAddress); |
|
| 96 | + $this->validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername); |
|
| 97 | + } |
|
| 98 | + |
|
| 99 | + /** |
|
| 100 | + * @param $useOAuthSignup |
|
| 101 | + * @param $confirmationId |
|
| 102 | + * @param $onwikiUsername |
|
| 103 | + * |
|
| 104 | + * @throws ApplicationLogicException |
|
| 105 | + */ |
|
| 106 | + protected function validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername) |
|
| 107 | + { |
|
| 108 | + if (!$useOAuthSignup) { |
|
| 109 | + if ($confirmationId === null || $confirmationId <= 0) { |
|
| 110 | + throw new ApplicationLogicException('Please enter the revision id of your confirmation edit.'); |
|
| 111 | + } |
|
| 112 | + |
|
| 113 | + if ($onwikiUsername === null) { |
|
| 114 | + throw new ApplicationLogicException('Please specify your on-wiki username.'); |
|
| 115 | + } |
|
| 116 | + } |
|
| 117 | + } |
|
| 118 | + |
|
| 119 | + /** |
|
| 120 | + * @param $emailAddress |
|
| 121 | + * @param $password |
|
| 122 | + * @param $username |
|
| 123 | + * |
|
| 124 | + * @throws ApplicationLogicException |
|
| 125 | + */ |
|
| 126 | + protected function validateGeneralInformation($emailAddress, $password, $username) |
|
| 127 | + { |
|
| 128 | + if ($emailAddress === null) { |
|
| 129 | + throw new ApplicationLogicException('Your email address appears to be invalid!'); |
|
| 130 | + } |
|
| 131 | + |
|
| 132 | + if ($password !== WebRequest::postString('pass2')) { |
|
| 133 | + throw new ApplicationLogicException('Your passwords did not match, please try again.'); |
|
| 134 | + } |
|
| 135 | + |
|
| 136 | + if (User::getByUsername($username, $this->getDatabase()) !== false) { |
|
| 137 | + throw new ApplicationLogicException('That username is already in use on this system.'); |
|
| 138 | + } |
|
| 139 | + } |
|
| 140 | + |
|
| 141 | + /** |
|
| 142 | + * @param $useOAuthSignup |
|
| 143 | + * |
|
| 144 | + * @throws ApplicationLogicException |
|
| 145 | + * @throws \Exception |
|
| 146 | + */ |
|
| 147 | + protected function handlePost($useOAuthSignup) |
|
| 148 | + { |
|
| 149 | + // Get the data |
|
| 150 | + $emailAddress = WebRequest::postEmail('email'); |
|
| 151 | + $password = WebRequest::postString('pass'); |
|
| 152 | + $username = WebRequest::postString('name'); |
|
| 153 | + |
|
| 154 | + // Only set if OAuth is disabled |
|
| 155 | + $confirmationId = WebRequest::postInt('conf_revid'); |
|
| 156 | + $onwikiUsername = WebRequest::postString('wname'); |
|
| 157 | + |
|
| 158 | + // Do some validation |
|
| 159 | + $this->validateRequest($emailAddress, $password, $username, $useOAuthSignup, $confirmationId, |
|
| 160 | + $onwikiUsername); |
|
| 161 | + |
|
| 162 | + $database = $this->getDatabase(); |
|
| 163 | + |
|
| 164 | + $user = new User(); |
|
| 165 | + $user->setDatabase($database); |
|
| 166 | + |
|
| 167 | + $user->setUsername($username); |
|
| 168 | + $user->setPassword($password); |
|
| 169 | + $user->setEmail($emailAddress); |
|
| 170 | + |
|
| 171 | + if (!$useOAuthSignup) { |
|
| 172 | + $user->setOnWikiName($onwikiUsername); |
|
| 173 | + $user->setConfirmationDiff($confirmationId); |
|
| 174 | + } |
|
| 175 | + |
|
| 176 | + $user->save(); |
|
| 177 | + |
|
| 178 | + $defaultRole = $this->getDefaultRole(); |
|
| 179 | + |
|
| 180 | + $role = new UserRole(); |
|
| 181 | + $role->setDatabase($database); |
|
| 182 | + $role->setUser($user->getId()); |
|
| 183 | + $role->setRole($defaultRole); |
|
| 184 | + $role->save(); |
|
| 185 | + |
|
| 186 | + // Log now to get the signup date. |
|
| 187 | + Logger::newUser($database, $user); |
|
| 188 | + Logger::userRolesEdited($database, $user, 'Registration', array($defaultRole), array()); |
|
| 189 | + |
|
| 190 | + if ($useOAuthSignup) { |
|
| 191 | + $oauthHelper = $this->getOAuthHelper(); |
|
| 192 | + |
|
| 193 | + $requestToken = $oauthHelper->getRequestToken(); |
|
| 194 | + $user->setOAuthRequestToken($requestToken->key); |
|
| 195 | + $user->setOAuthRequestSecret($requestToken->secret); |
|
| 196 | + $user->save(); |
|
| 197 | + |
|
| 198 | + WebRequest::setPartialLogin($user); |
|
| 199 | + |
|
| 200 | + $this->redirectUrl($oauthHelper->getAuthoriseUrl($requestToken->key)); |
|
| 201 | + } |
|
| 202 | + else { |
|
| 203 | + // only notify if we're not using the oauth signup. |
|
| 204 | + $this->getNotificationHelper()->userNew($user); |
|
| 205 | + WebRequest::setLoggedInUser($user); |
|
| 206 | + $this->redirect('preferences'); |
|
| 207 | + } |
|
| 208 | + } |
|
| 209 | + |
|
| 210 | + protected abstract function getDefaultRole(); |
|
| 211 | + |
|
| 212 | + /** |
|
| 213 | + * Entry point for registration complete |
|
| 214 | + */ |
|
| 215 | + protected function done() |
|
| 216 | + { |
|
| 217 | + $this->setTemplate('registration/alert-registrationcomplete.tpl'); |
|
| 218 | + } |
|
| 219 | 219 | } |
@@ -21,14 +21,14 @@ |
||
| 21 | 21 | use Waca\Pages\PageMain; |
| 22 | 22 | use Waca\Pages\PageOAuth; |
| 23 | 23 | use Waca\Pages\PagePreferences; |
| 24 | -use Waca\Pages\Registration\PageRegisterStandard; |
|
| 25 | -use Waca\Pages\Registration\PageRegisterOption; |
|
| 26 | 24 | use Waca\Pages\PageSearch; |
| 27 | 25 | use Waca\Pages\PageSiteNotice; |
| 28 | 26 | use Waca\Pages\PageTeam; |
| 29 | 27 | use Waca\Pages\PageUserManagement; |
| 30 | 28 | use Waca\Pages\PageViewRequest; |
| 31 | 29 | use Waca\Pages\PageWelcomeTemplateManagement; |
| 30 | +use Waca\Pages\Registration\PageRegisterOption; |
|
| 31 | +use Waca\Pages\Registration\PageRegisterStandard; |
|
| 32 | 32 | use Waca\Pages\RequestAction\PageBreakReservation; |
| 33 | 33 | use Waca\Pages\RequestAction\PageCloseRequest; |
| 34 | 34 | use Waca\Pages\RequestAction\PageComment; |
@@ -55,395 +55,395 @@ |
||
| 55 | 55 | */ |
| 56 | 56 | class RequestRouter implements IRequestRouter |
| 57 | 57 | { |
| 58 | - /** |
|
| 59 | - * This is the core routing table for the application. The basic idea is: |
|
| 60 | - * |
|
| 61 | - * array( |
|
| 62 | - * "foo" => |
|
| 63 | - * array( |
|
| 64 | - * "class" => PageFoo::class, |
|
| 65 | - * "actions" => array("bar", "other") |
|
| 66 | - * ), |
|
| 67 | - * ); |
|
| 68 | - * |
|
| 69 | - * Things to note: |
|
| 70 | - * - If no page is requested, we go to PageMain. PageMain can't have actions defined. |
|
| 71 | - * |
|
| 72 | - * - If a page is defined and requested, but no action is requested, go to that page's main() method |
|
| 73 | - * - If a page is defined and requested, and an action is defined and requested, go to that action's method. |
|
| 74 | - * - If a page is defined and requested, and an action NOT defined and requested, go to Page404 and it's main() |
|
| 75 | - * method. |
|
| 76 | - * - If a page is NOT defined and requested, go to Page404 and it's main() method. |
|
| 77 | - * |
|
| 78 | - * - Query parameters are ignored. |
|
| 79 | - * |
|
| 80 | - * The key point here is request routing with validation that this is allowed, before we start hitting the |
|
| 81 | - * filesystem through the AutoLoader, and opening random files. Also, so that we validate the action requested |
|
| 82 | - * before we start calling random methods through the web UI. |
|
| 83 | - * |
|
| 84 | - * Examples: |
|
| 85 | - * /internal.php => returns instance of PageMain, routed to main() |
|
| 86 | - * /internal.php?query => returns instance of PageMain, routed to main() |
|
| 87 | - * /internal.php/foo => returns instance of PageFoo, routed to main() |
|
| 88 | - * /internal.php/foo?query => returns instance of PageFoo, routed to main() |
|
| 89 | - * /internal.php/foo/bar => returns instance of PageFoo, routed to bar() |
|
| 90 | - * /internal.php/foo/bar?query => returns instance of PageFoo, routed to bar() |
|
| 91 | - * /internal.php/foo/baz => returns instance of Page404, routed to main() |
|
| 92 | - * /internal.php/foo/baz?query => returns instance of Page404, routed to main() |
|
| 93 | - * /internal.php/bar => returns instance of Page404, routed to main() |
|
| 94 | - * /internal.php/bar?query => returns instance of Page404, routed to main() |
|
| 95 | - * /internal.php/bar/baz => returns instance of Page404, routed to main() |
|
| 96 | - * /internal.php/bar/baz?query => returns instance of Page404, routed to main() |
|
| 97 | - * |
|
| 98 | - * Take care when changing this - a lot of places rely on the array key for redirects and other links. If you need |
|
| 99 | - * to change the key, then you'll likely have to update a lot of files. |
|
| 100 | - * |
|
| 101 | - * @var array |
|
| 102 | - */ |
|
| 103 | - private $routeMap = array( |
|
| 104 | - |
|
| 105 | - ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 106 | - // Login and registration |
|
| 107 | - 'logout' => |
|
| 108 | - array( |
|
| 109 | - 'class' => PageLogout::class, |
|
| 110 | - 'actions' => array(), |
|
| 111 | - ), |
|
| 112 | - 'login' => |
|
| 113 | - array( |
|
| 114 | - 'class' => PageLogin::class, |
|
| 115 | - 'actions' => array(), |
|
| 116 | - ), |
|
| 117 | - 'forgotPassword' => |
|
| 118 | - array( |
|
| 119 | - 'class' => PageForgotPassword::class, |
|
| 120 | - 'actions' => array('reset'), |
|
| 121 | - ), |
|
| 122 | - 'register' => |
|
| 123 | - array( |
|
| 124 | - 'class' => PageRegisterOption::class, |
|
| 125 | - 'actions' => array(), |
|
| 126 | - ), |
|
| 127 | - 'register/standard' => |
|
| 128 | - array( |
|
| 129 | - 'class' => PageRegisterStandard::class, |
|
| 130 | - 'actions' => array('done'), |
|
| 131 | - ), |
|
| 132 | - |
|
| 133 | - ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 134 | - // Discovery |
|
| 135 | - 'search' => |
|
| 136 | - array( |
|
| 137 | - 'class' => PageSearch::class, |
|
| 138 | - 'actions' => array(), |
|
| 139 | - ), |
|
| 140 | - 'logs' => |
|
| 141 | - array( |
|
| 142 | - 'class' => PageLog::class, |
|
| 143 | - 'actions' => array(), |
|
| 144 | - ), |
|
| 145 | - |
|
| 146 | - ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 147 | - // Administration |
|
| 148 | - 'bans' => |
|
| 149 | - array( |
|
| 150 | - 'class' => PageBan::class, |
|
| 151 | - 'actions' => array('set', 'remove'), |
|
| 152 | - ), |
|
| 153 | - 'userManagement' => |
|
| 154 | - array( |
|
| 155 | - 'class' => PageUserManagement::class, |
|
| 156 | - 'actions' => array( |
|
| 157 | - 'approve', |
|
| 158 | - 'decline', |
|
| 159 | - 'rename', |
|
| 160 | - 'editUser', |
|
| 161 | - 'suspend', |
|
| 162 | - 'editRoles', |
|
| 163 | - ), |
|
| 164 | - ), |
|
| 165 | - 'siteNotice' => |
|
| 166 | - array( |
|
| 167 | - 'class' => PageSiteNotice::class, |
|
| 168 | - 'actions' => array(), |
|
| 169 | - ), |
|
| 170 | - 'emailManagement' => |
|
| 171 | - array( |
|
| 172 | - 'class' => PageEmailManagement::class, |
|
| 173 | - 'actions' => array('create', 'edit', 'view'), |
|
| 174 | - ), |
|
| 175 | - |
|
| 176 | - ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 177 | - // Personal preferences |
|
| 178 | - 'preferences' => |
|
| 179 | - array( |
|
| 180 | - 'class' => PagePreferences::class, |
|
| 181 | - 'actions' => array('changePassword'), |
|
| 182 | - ), |
|
| 183 | - 'oauth' => |
|
| 184 | - array( |
|
| 185 | - 'class' => PageOAuth::class, |
|
| 186 | - 'actions' => array('detach', 'attach'), |
|
| 187 | - ), |
|
| 188 | - |
|
| 189 | - ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 190 | - // Welcomer configuration |
|
| 191 | - 'welcomeTemplates' => |
|
| 192 | - array( |
|
| 193 | - 'class' => PageWelcomeTemplateManagement::class, |
|
| 194 | - 'actions' => array('select', 'edit', 'delete', 'add', 'view'), |
|
| 195 | - ), |
|
| 196 | - |
|
| 197 | - ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 198 | - // Statistics |
|
| 199 | - 'statistics' => |
|
| 200 | - array( |
|
| 201 | - 'class' => StatsMain::class, |
|
| 202 | - 'actions' => array(), |
|
| 203 | - ), |
|
| 204 | - 'statistics/fastCloses' => |
|
| 205 | - array( |
|
| 206 | - 'class' => StatsFastCloses::class, |
|
| 207 | - 'actions' => array(), |
|
| 208 | - ), |
|
| 209 | - 'statistics/inactiveUsers' => |
|
| 210 | - array( |
|
| 211 | - 'class' => StatsInactiveUsers::class, |
|
| 212 | - 'actions' => array(), |
|
| 213 | - ), |
|
| 214 | - 'statistics/monthlyStats' => |
|
| 215 | - array( |
|
| 216 | - 'class' => StatsMonthlyStats::class, |
|
| 217 | - 'actions' => array(), |
|
| 218 | - ), |
|
| 219 | - 'statistics/reservedRequests' => |
|
| 220 | - array( |
|
| 221 | - 'class' => StatsReservedRequests::class, |
|
| 222 | - 'actions' => array(), |
|
| 223 | - ), |
|
| 224 | - 'statistics/templateStats' => |
|
| 225 | - array( |
|
| 226 | - 'class' => StatsTemplateStats::class, |
|
| 227 | - 'actions' => array(), |
|
| 228 | - ), |
|
| 229 | - 'statistics/topCreators' => |
|
| 230 | - array( |
|
| 231 | - 'class' => StatsTopCreators::class, |
|
| 232 | - 'actions' => array(), |
|
| 233 | - ), |
|
| 234 | - 'statistics/users' => |
|
| 235 | - array( |
|
| 236 | - 'class' => StatsUsers::class, |
|
| 237 | - 'actions' => array('detail'), |
|
| 238 | - ), |
|
| 239 | - |
|
| 240 | - ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 241 | - // Zoom page |
|
| 242 | - 'viewRequest' => |
|
| 243 | - array( |
|
| 244 | - 'class' => PageViewRequest::class, |
|
| 245 | - 'actions' => array(), |
|
| 246 | - ), |
|
| 247 | - 'viewRequest/reserve' => |
|
| 248 | - array( |
|
| 249 | - 'class' => PageReservation::class, |
|
| 250 | - 'actions' => array(), |
|
| 251 | - ), |
|
| 252 | - 'viewRequest/breakReserve' => |
|
| 253 | - array( |
|
| 254 | - 'class' => PageBreakReservation::class, |
|
| 255 | - 'actions' => array(), |
|
| 256 | - ), |
|
| 257 | - 'viewRequest/defer' => |
|
| 258 | - array( |
|
| 259 | - 'class' => PageDeferRequest::class, |
|
| 260 | - 'actions' => array(), |
|
| 261 | - ), |
|
| 262 | - 'viewRequest/comment' => |
|
| 263 | - array( |
|
| 264 | - 'class' => PageComment::class, |
|
| 265 | - 'actions' => array(), |
|
| 266 | - ), |
|
| 267 | - 'viewRequest/sendToUser' => |
|
| 268 | - array( |
|
| 269 | - 'class' => PageSendToUser::class, |
|
| 270 | - 'actions' => array(), |
|
| 271 | - ), |
|
| 272 | - 'viewRequest/close' => |
|
| 273 | - array( |
|
| 274 | - 'class' => PageCloseRequest::class, |
|
| 275 | - 'actions' => array(), |
|
| 276 | - ), |
|
| 277 | - 'viewRequest/drop' => |
|
| 278 | - array( |
|
| 279 | - 'class' => PageDropRequest::class, |
|
| 280 | - 'actions' => array(), |
|
| 281 | - ), |
|
| 282 | - 'viewRequest/custom' => |
|
| 283 | - array( |
|
| 284 | - 'class' => PageCustomClose::class, |
|
| 285 | - 'actions' => array(), |
|
| 286 | - ), |
|
| 287 | - 'editComment' => |
|
| 288 | - array( |
|
| 289 | - 'class' => PageEditComment::class, |
|
| 290 | - 'actions' => array(), |
|
| 291 | - ), |
|
| 292 | - |
|
| 293 | - ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 294 | - // Misc stuff |
|
| 295 | - 'team' => |
|
| 296 | - array( |
|
| 297 | - 'class' => PageTeam::class, |
|
| 298 | - 'actions' => array(), |
|
| 299 | - ), |
|
| 300 | - 'requestList' => |
|
| 301 | - array( |
|
| 302 | - 'class' => PageExpandedRequestList::class, |
|
| 303 | - 'actions' => array(), |
|
| 304 | - ), |
|
| 305 | - ); |
|
| 306 | - |
|
| 307 | - /** |
|
| 308 | - * @return IRoutedTask |
|
| 309 | - * @throws Exception |
|
| 310 | - */ |
|
| 311 | - final public function route() |
|
| 312 | - { |
|
| 313 | - $pathInfo = WebRequest::pathInfo(); |
|
| 314 | - |
|
| 315 | - list($pageClass, $action) = $this->getRouteFromPath($pathInfo); |
|
| 316 | - |
|
| 317 | - /** @var IRoutedTask $page */ |
|
| 318 | - $page = new $pageClass(); |
|
| 319 | - |
|
| 320 | - // Dynamic creation, so we've got to be careful here. We can't use built-in language type protection, so |
|
| 321 | - // let's use our own. |
|
| 322 | - if (!($page instanceof IRoutedTask)) { |
|
| 323 | - throw new Exception('Expected a page, but this is not a page.'); |
|
| 324 | - } |
|
| 325 | - |
|
| 326 | - // OK, I'm happy at this point that we know we're running a page, and we know it's probably what we want if it |
|
| 327 | - // inherits PageBase and has been created from the routing map. |
|
| 328 | - $page->setRoute($action); |
|
| 329 | - |
|
| 330 | - return $page; |
|
| 331 | - } |
|
| 332 | - |
|
| 333 | - /** |
|
| 334 | - * @param $pathInfo |
|
| 335 | - * |
|
| 336 | - * @return array |
|
| 337 | - */ |
|
| 338 | - protected function getRouteFromPath($pathInfo) |
|
| 339 | - { |
|
| 340 | - if (count($pathInfo) === 0) { |
|
| 341 | - // No pathInfo, so no page to load. Load the main page. |
|
| 342 | - return $this->getDefaultRoute(); |
|
| 343 | - } |
|
| 344 | - elseif (count($pathInfo) === 1) { |
|
| 345 | - // Exactly one path info segment, it's got to be a page. |
|
| 346 | - $classSegment = $pathInfo[0]; |
|
| 347 | - |
|
| 348 | - return $this->routeSinglePathSegment($classSegment); |
|
| 349 | - } |
|
| 350 | - |
|
| 351 | - // OK, we have two or more segments now. |
|
| 352 | - if (count($pathInfo) > 2) { |
|
| 353 | - // Let's handle more than two, and collapse it down into two. |
|
| 354 | - $requestedAction = array_pop($pathInfo); |
|
| 355 | - $classSegment = implode('/', $pathInfo); |
|
| 356 | - } |
|
| 357 | - else { |
|
| 358 | - // Two path info segments. |
|
| 359 | - $classSegment = $pathInfo[0]; |
|
| 360 | - $requestedAction = $pathInfo[1]; |
|
| 361 | - } |
|
| 362 | - |
|
| 363 | - $routeMap = $this->routePathSegments($classSegment, $requestedAction); |
|
| 364 | - |
|
| 365 | - if ($routeMap[0] === Page404::class) { |
|
| 366 | - $routeMap = $this->routeSinglePathSegment($classSegment . '/' . $requestedAction); |
|
| 367 | - } |
|
| 368 | - |
|
| 369 | - return $routeMap; |
|
| 370 | - } |
|
| 371 | - |
|
| 372 | - /** |
|
| 373 | - * @param $classSegment |
|
| 374 | - * |
|
| 375 | - * @return array |
|
| 376 | - */ |
|
| 377 | - final protected function routeSinglePathSegment($classSegment) |
|
| 378 | - { |
|
| 379 | - $routeMap = $this->getRouteMap(); |
|
| 380 | - if (array_key_exists($classSegment, $routeMap)) { |
|
| 381 | - // Route exists, but we don't have an action in path info, so default to main. |
|
| 382 | - $pageClass = $routeMap[$classSegment]['class']; |
|
| 383 | - $action = 'main'; |
|
| 384 | - |
|
| 385 | - return array($pageClass, $action); |
|
| 386 | - } |
|
| 387 | - else { |
|
| 388 | - // Doesn't exist in map. Fall back to 404 |
|
| 389 | - $pageClass = Page404::class; |
|
| 390 | - $action = "main"; |
|
| 391 | - |
|
| 392 | - return array($pageClass, $action); |
|
| 393 | - } |
|
| 394 | - } |
|
| 395 | - |
|
| 396 | - /** |
|
| 397 | - * @param $classSegment |
|
| 398 | - * @param $requestedAction |
|
| 399 | - * |
|
| 400 | - * @return array |
|
| 401 | - */ |
|
| 402 | - final protected function routePathSegments($classSegment, $requestedAction) |
|
| 403 | - { |
|
| 404 | - $routeMap = $this->getRouteMap(); |
|
| 405 | - if (array_key_exists($classSegment, $routeMap)) { |
|
| 406 | - // Route exists, but we don't have an action in path info, so default to main. |
|
| 407 | - |
|
| 408 | - if (isset($routeMap[$classSegment]['actions']) |
|
| 409 | - && array_search($requestedAction, $routeMap[$classSegment]['actions']) !== false |
|
| 410 | - ) { |
|
| 411 | - // Action exists in allowed action list. Allow both the page and the action |
|
| 412 | - $pageClass = $routeMap[$classSegment]['class']; |
|
| 413 | - $action = $requestedAction; |
|
| 414 | - |
|
| 415 | - return array($pageClass, $action); |
|
| 416 | - } |
|
| 417 | - else { |
|
| 418 | - // Valid page, invalid action. 404 our way out. |
|
| 419 | - $pageClass = Page404::class; |
|
| 420 | - $action = 'main'; |
|
| 421 | - |
|
| 422 | - return array($pageClass, $action); |
|
| 423 | - } |
|
| 424 | - } |
|
| 425 | - else { |
|
| 426 | - // Class doesn't exist in map. Fall back to 404 |
|
| 427 | - $pageClass = Page404::class; |
|
| 428 | - $action = 'main'; |
|
| 429 | - |
|
| 430 | - return array($pageClass, $action); |
|
| 431 | - } |
|
| 432 | - } |
|
| 433 | - |
|
| 434 | - /** |
|
| 435 | - * @return array |
|
| 436 | - */ |
|
| 437 | - protected function getRouteMap() |
|
| 438 | - { |
|
| 439 | - return $this->routeMap; |
|
| 440 | - } |
|
| 441 | - |
|
| 442 | - /** |
|
| 443 | - * @return callable |
|
| 444 | - */ |
|
| 445 | - protected function getDefaultRoute() |
|
| 446 | - { |
|
| 447 | - return array(PageMain::class, "main"); |
|
| 448 | - } |
|
| 58 | + /** |
|
| 59 | + * This is the core routing table for the application. The basic idea is: |
|
| 60 | + * |
|
| 61 | + * array( |
|
| 62 | + * "foo" => |
|
| 63 | + * array( |
|
| 64 | + * "class" => PageFoo::class, |
|
| 65 | + * "actions" => array("bar", "other") |
|
| 66 | + * ), |
|
| 67 | + * ); |
|
| 68 | + * |
|
| 69 | + * Things to note: |
|
| 70 | + * - If no page is requested, we go to PageMain. PageMain can't have actions defined. |
|
| 71 | + * |
|
| 72 | + * - If a page is defined and requested, but no action is requested, go to that page's main() method |
|
| 73 | + * - If a page is defined and requested, and an action is defined and requested, go to that action's method. |
|
| 74 | + * - If a page is defined and requested, and an action NOT defined and requested, go to Page404 and it's main() |
|
| 75 | + * method. |
|
| 76 | + * - If a page is NOT defined and requested, go to Page404 and it's main() method. |
|
| 77 | + * |
|
| 78 | + * - Query parameters are ignored. |
|
| 79 | + * |
|
| 80 | + * The key point here is request routing with validation that this is allowed, before we start hitting the |
|
| 81 | + * filesystem through the AutoLoader, and opening random files. Also, so that we validate the action requested |
|
| 82 | + * before we start calling random methods through the web UI. |
|
| 83 | + * |
|
| 84 | + * Examples: |
|
| 85 | + * /internal.php => returns instance of PageMain, routed to main() |
|
| 86 | + * /internal.php?query => returns instance of PageMain, routed to main() |
|
| 87 | + * /internal.php/foo => returns instance of PageFoo, routed to main() |
|
| 88 | + * /internal.php/foo?query => returns instance of PageFoo, routed to main() |
|
| 89 | + * /internal.php/foo/bar => returns instance of PageFoo, routed to bar() |
|
| 90 | + * /internal.php/foo/bar?query => returns instance of PageFoo, routed to bar() |
|
| 91 | + * /internal.php/foo/baz => returns instance of Page404, routed to main() |
|
| 92 | + * /internal.php/foo/baz?query => returns instance of Page404, routed to main() |
|
| 93 | + * /internal.php/bar => returns instance of Page404, routed to main() |
|
| 94 | + * /internal.php/bar?query => returns instance of Page404, routed to main() |
|
| 95 | + * /internal.php/bar/baz => returns instance of Page404, routed to main() |
|
| 96 | + * /internal.php/bar/baz?query => returns instance of Page404, routed to main() |
|
| 97 | + * |
|
| 98 | + * Take care when changing this - a lot of places rely on the array key for redirects and other links. If you need |
|
| 99 | + * to change the key, then you'll likely have to update a lot of files. |
|
| 100 | + * |
|
| 101 | + * @var array |
|
| 102 | + */ |
|
| 103 | + private $routeMap = array( |
|
| 104 | + |
|
| 105 | + ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 106 | + // Login and registration |
|
| 107 | + 'logout' => |
|
| 108 | + array( |
|
| 109 | + 'class' => PageLogout::class, |
|
| 110 | + 'actions' => array(), |
|
| 111 | + ), |
|
| 112 | + 'login' => |
|
| 113 | + array( |
|
| 114 | + 'class' => PageLogin::class, |
|
| 115 | + 'actions' => array(), |
|
| 116 | + ), |
|
| 117 | + 'forgotPassword' => |
|
| 118 | + array( |
|
| 119 | + 'class' => PageForgotPassword::class, |
|
| 120 | + 'actions' => array('reset'), |
|
| 121 | + ), |
|
| 122 | + 'register' => |
|
| 123 | + array( |
|
| 124 | + 'class' => PageRegisterOption::class, |
|
| 125 | + 'actions' => array(), |
|
| 126 | + ), |
|
| 127 | + 'register/standard' => |
|
| 128 | + array( |
|
| 129 | + 'class' => PageRegisterStandard::class, |
|
| 130 | + 'actions' => array('done'), |
|
| 131 | + ), |
|
| 132 | + |
|
| 133 | + ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 134 | + // Discovery |
|
| 135 | + 'search' => |
|
| 136 | + array( |
|
| 137 | + 'class' => PageSearch::class, |
|
| 138 | + 'actions' => array(), |
|
| 139 | + ), |
|
| 140 | + 'logs' => |
|
| 141 | + array( |
|
| 142 | + 'class' => PageLog::class, |
|
| 143 | + 'actions' => array(), |
|
| 144 | + ), |
|
| 145 | + |
|
| 146 | + ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 147 | + // Administration |
|
| 148 | + 'bans' => |
|
| 149 | + array( |
|
| 150 | + 'class' => PageBan::class, |
|
| 151 | + 'actions' => array('set', 'remove'), |
|
| 152 | + ), |
|
| 153 | + 'userManagement' => |
|
| 154 | + array( |
|
| 155 | + 'class' => PageUserManagement::class, |
|
| 156 | + 'actions' => array( |
|
| 157 | + 'approve', |
|
| 158 | + 'decline', |
|
| 159 | + 'rename', |
|
| 160 | + 'editUser', |
|
| 161 | + 'suspend', |
|
| 162 | + 'editRoles', |
|
| 163 | + ), |
|
| 164 | + ), |
|
| 165 | + 'siteNotice' => |
|
| 166 | + array( |
|
| 167 | + 'class' => PageSiteNotice::class, |
|
| 168 | + 'actions' => array(), |
|
| 169 | + ), |
|
| 170 | + 'emailManagement' => |
|
| 171 | + array( |
|
| 172 | + 'class' => PageEmailManagement::class, |
|
| 173 | + 'actions' => array('create', 'edit', 'view'), |
|
| 174 | + ), |
|
| 175 | + |
|
| 176 | + ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 177 | + // Personal preferences |
|
| 178 | + 'preferences' => |
|
| 179 | + array( |
|
| 180 | + 'class' => PagePreferences::class, |
|
| 181 | + 'actions' => array('changePassword'), |
|
| 182 | + ), |
|
| 183 | + 'oauth' => |
|
| 184 | + array( |
|
| 185 | + 'class' => PageOAuth::class, |
|
| 186 | + 'actions' => array('detach', 'attach'), |
|
| 187 | + ), |
|
| 188 | + |
|
| 189 | + ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 190 | + // Welcomer configuration |
|
| 191 | + 'welcomeTemplates' => |
|
| 192 | + array( |
|
| 193 | + 'class' => PageWelcomeTemplateManagement::class, |
|
| 194 | + 'actions' => array('select', 'edit', 'delete', 'add', 'view'), |
|
| 195 | + ), |
|
| 196 | + |
|
| 197 | + ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 198 | + // Statistics |
|
| 199 | + 'statistics' => |
|
| 200 | + array( |
|
| 201 | + 'class' => StatsMain::class, |
|
| 202 | + 'actions' => array(), |
|
| 203 | + ), |
|
| 204 | + 'statistics/fastCloses' => |
|
| 205 | + array( |
|
| 206 | + 'class' => StatsFastCloses::class, |
|
| 207 | + 'actions' => array(), |
|
| 208 | + ), |
|
| 209 | + 'statistics/inactiveUsers' => |
|
| 210 | + array( |
|
| 211 | + 'class' => StatsInactiveUsers::class, |
|
| 212 | + 'actions' => array(), |
|
| 213 | + ), |
|
| 214 | + 'statistics/monthlyStats' => |
|
| 215 | + array( |
|
| 216 | + 'class' => StatsMonthlyStats::class, |
|
| 217 | + 'actions' => array(), |
|
| 218 | + ), |
|
| 219 | + 'statistics/reservedRequests' => |
|
| 220 | + array( |
|
| 221 | + 'class' => StatsReservedRequests::class, |
|
| 222 | + 'actions' => array(), |
|
| 223 | + ), |
|
| 224 | + 'statistics/templateStats' => |
|
| 225 | + array( |
|
| 226 | + 'class' => StatsTemplateStats::class, |
|
| 227 | + 'actions' => array(), |
|
| 228 | + ), |
|
| 229 | + 'statistics/topCreators' => |
|
| 230 | + array( |
|
| 231 | + 'class' => StatsTopCreators::class, |
|
| 232 | + 'actions' => array(), |
|
| 233 | + ), |
|
| 234 | + 'statistics/users' => |
|
| 235 | + array( |
|
| 236 | + 'class' => StatsUsers::class, |
|
| 237 | + 'actions' => array('detail'), |
|
| 238 | + ), |
|
| 239 | + |
|
| 240 | + ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 241 | + // Zoom page |
|
| 242 | + 'viewRequest' => |
|
| 243 | + array( |
|
| 244 | + 'class' => PageViewRequest::class, |
|
| 245 | + 'actions' => array(), |
|
| 246 | + ), |
|
| 247 | + 'viewRequest/reserve' => |
|
| 248 | + array( |
|
| 249 | + 'class' => PageReservation::class, |
|
| 250 | + 'actions' => array(), |
|
| 251 | + ), |
|
| 252 | + 'viewRequest/breakReserve' => |
|
| 253 | + array( |
|
| 254 | + 'class' => PageBreakReservation::class, |
|
| 255 | + 'actions' => array(), |
|
| 256 | + ), |
|
| 257 | + 'viewRequest/defer' => |
|
| 258 | + array( |
|
| 259 | + 'class' => PageDeferRequest::class, |
|
| 260 | + 'actions' => array(), |
|
| 261 | + ), |
|
| 262 | + 'viewRequest/comment' => |
|
| 263 | + array( |
|
| 264 | + 'class' => PageComment::class, |
|
| 265 | + 'actions' => array(), |
|
| 266 | + ), |
|
| 267 | + 'viewRequest/sendToUser' => |
|
| 268 | + array( |
|
| 269 | + 'class' => PageSendToUser::class, |
|
| 270 | + 'actions' => array(), |
|
| 271 | + ), |
|
| 272 | + 'viewRequest/close' => |
|
| 273 | + array( |
|
| 274 | + 'class' => PageCloseRequest::class, |
|
| 275 | + 'actions' => array(), |
|
| 276 | + ), |
|
| 277 | + 'viewRequest/drop' => |
|
| 278 | + array( |
|
| 279 | + 'class' => PageDropRequest::class, |
|
| 280 | + 'actions' => array(), |
|
| 281 | + ), |
|
| 282 | + 'viewRequest/custom' => |
|
| 283 | + array( |
|
| 284 | + 'class' => PageCustomClose::class, |
|
| 285 | + 'actions' => array(), |
|
| 286 | + ), |
|
| 287 | + 'editComment' => |
|
| 288 | + array( |
|
| 289 | + 'class' => PageEditComment::class, |
|
| 290 | + 'actions' => array(), |
|
| 291 | + ), |
|
| 292 | + |
|
| 293 | + ////////////////////////////////////////////////////////////////////////////////////////////////// |
|
| 294 | + // Misc stuff |
|
| 295 | + 'team' => |
|
| 296 | + array( |
|
| 297 | + 'class' => PageTeam::class, |
|
| 298 | + 'actions' => array(), |
|
| 299 | + ), |
|
| 300 | + 'requestList' => |
|
| 301 | + array( |
|
| 302 | + 'class' => PageExpandedRequestList::class, |
|
| 303 | + 'actions' => array(), |
|
| 304 | + ), |
|
| 305 | + ); |
|
| 306 | + |
|
| 307 | + /** |
|
| 308 | + * @return IRoutedTask |
|
| 309 | + * @throws Exception |
|
| 310 | + */ |
|
| 311 | + final public function route() |
|
| 312 | + { |
|
| 313 | + $pathInfo = WebRequest::pathInfo(); |
|
| 314 | + |
|
| 315 | + list($pageClass, $action) = $this->getRouteFromPath($pathInfo); |
|
| 316 | + |
|
| 317 | + /** @var IRoutedTask $page */ |
|
| 318 | + $page = new $pageClass(); |
|
| 319 | + |
|
| 320 | + // Dynamic creation, so we've got to be careful here. We can't use built-in language type protection, so |
|
| 321 | + // let's use our own. |
|
| 322 | + if (!($page instanceof IRoutedTask)) { |
|
| 323 | + throw new Exception('Expected a page, but this is not a page.'); |
|
| 324 | + } |
|
| 325 | + |
|
| 326 | + // OK, I'm happy at this point that we know we're running a page, and we know it's probably what we want if it |
|
| 327 | + // inherits PageBase and has been created from the routing map. |
|
| 328 | + $page->setRoute($action); |
|
| 329 | + |
|
| 330 | + return $page; |
|
| 331 | + } |
|
| 332 | + |
|
| 333 | + /** |
|
| 334 | + * @param $pathInfo |
|
| 335 | + * |
|
| 336 | + * @return array |
|
| 337 | + */ |
|
| 338 | + protected function getRouteFromPath($pathInfo) |
|
| 339 | + { |
|
| 340 | + if (count($pathInfo) === 0) { |
|
| 341 | + // No pathInfo, so no page to load. Load the main page. |
|
| 342 | + return $this->getDefaultRoute(); |
|
| 343 | + } |
|
| 344 | + elseif (count($pathInfo) === 1) { |
|
| 345 | + // Exactly one path info segment, it's got to be a page. |
|
| 346 | + $classSegment = $pathInfo[0]; |
|
| 347 | + |
|
| 348 | + return $this->routeSinglePathSegment($classSegment); |
|
| 349 | + } |
|
| 350 | + |
|
| 351 | + // OK, we have two or more segments now. |
|
| 352 | + if (count($pathInfo) > 2) { |
|
| 353 | + // Let's handle more than two, and collapse it down into two. |
|
| 354 | + $requestedAction = array_pop($pathInfo); |
|
| 355 | + $classSegment = implode('/', $pathInfo); |
|
| 356 | + } |
|
| 357 | + else { |
|
| 358 | + // Two path info segments. |
|
| 359 | + $classSegment = $pathInfo[0]; |
|
| 360 | + $requestedAction = $pathInfo[1]; |
|
| 361 | + } |
|
| 362 | + |
|
| 363 | + $routeMap = $this->routePathSegments($classSegment, $requestedAction); |
|
| 364 | + |
|
| 365 | + if ($routeMap[0] === Page404::class) { |
|
| 366 | + $routeMap = $this->routeSinglePathSegment($classSegment . '/' . $requestedAction); |
|
| 367 | + } |
|
| 368 | + |
|
| 369 | + return $routeMap; |
|
| 370 | + } |
|
| 371 | + |
|
| 372 | + /** |
|
| 373 | + * @param $classSegment |
|
| 374 | + * |
|
| 375 | + * @return array |
|
| 376 | + */ |
|
| 377 | + final protected function routeSinglePathSegment($classSegment) |
|
| 378 | + { |
|
| 379 | + $routeMap = $this->getRouteMap(); |
|
| 380 | + if (array_key_exists($classSegment, $routeMap)) { |
|
| 381 | + // Route exists, but we don't have an action in path info, so default to main. |
|
| 382 | + $pageClass = $routeMap[$classSegment]['class']; |
|
| 383 | + $action = 'main'; |
|
| 384 | + |
|
| 385 | + return array($pageClass, $action); |
|
| 386 | + } |
|
| 387 | + else { |
|
| 388 | + // Doesn't exist in map. Fall back to 404 |
|
| 389 | + $pageClass = Page404::class; |
|
| 390 | + $action = "main"; |
|
| 391 | + |
|
| 392 | + return array($pageClass, $action); |
|
| 393 | + } |
|
| 394 | + } |
|
| 395 | + |
|
| 396 | + /** |
|
| 397 | + * @param $classSegment |
|
| 398 | + * @param $requestedAction |
|
| 399 | + * |
|
| 400 | + * @return array |
|
| 401 | + */ |
|
| 402 | + final protected function routePathSegments($classSegment, $requestedAction) |
|
| 403 | + { |
|
| 404 | + $routeMap = $this->getRouteMap(); |
|
| 405 | + if (array_key_exists($classSegment, $routeMap)) { |
|
| 406 | + // Route exists, but we don't have an action in path info, so default to main. |
|
| 407 | + |
|
| 408 | + if (isset($routeMap[$classSegment]['actions']) |
|
| 409 | + && array_search($requestedAction, $routeMap[$classSegment]['actions']) !== false |
|
| 410 | + ) { |
|
| 411 | + // Action exists in allowed action list. Allow both the page and the action |
|
| 412 | + $pageClass = $routeMap[$classSegment]['class']; |
|
| 413 | + $action = $requestedAction; |
|
| 414 | + |
|
| 415 | + return array($pageClass, $action); |
|
| 416 | + } |
|
| 417 | + else { |
|
| 418 | + // Valid page, invalid action. 404 our way out. |
|
| 419 | + $pageClass = Page404::class; |
|
| 420 | + $action = 'main'; |
|
| 421 | + |
|
| 422 | + return array($pageClass, $action); |
|
| 423 | + } |
|
| 424 | + } |
|
| 425 | + else { |
|
| 426 | + // Class doesn't exist in map. Fall back to 404 |
|
| 427 | + $pageClass = Page404::class; |
|
| 428 | + $action = 'main'; |
|
| 429 | + |
|
| 430 | + return array($pageClass, $action); |
|
| 431 | + } |
|
| 432 | + } |
|
| 433 | + |
|
| 434 | + /** |
|
| 435 | + * @return array |
|
| 436 | + */ |
|
| 437 | + protected function getRouteMap() |
|
| 438 | + { |
|
| 439 | + return $this->routeMap; |
|
| 440 | + } |
|
| 441 | + |
|
| 442 | + /** |
|
| 443 | + * @return callable |
|
| 444 | + */ |
|
| 445 | + protected function getDefaultRoute() |
|
| 446 | + { |
|
| 447 | + return array(PageMain::class, "main"); |
|
| 448 | + } |
|
| 449 | 449 | } |
@@ -14,200 +14,200 @@ |
||
| 14 | 14 | |
| 15 | 15 | final class SecurityManager |
| 16 | 16 | { |
| 17 | - const ALLOWED = 1; |
|
| 18 | - const ERROR_NOT_IDENTIFIED = 2; |
|
| 19 | - const ERROR_DENIED = 3; |
|
| 20 | - /** @var IdentificationVerifier */ |
|
| 21 | - private $identificationVerifier; |
|
| 22 | - /** |
|
| 23 | - * @var RoleConfiguration |
|
| 24 | - */ |
|
| 25 | - private $roleConfiguration; |
|
| 26 | - |
|
| 27 | - /** |
|
| 28 | - * SecurityManager constructor. |
|
| 29 | - * |
|
| 30 | - * @param IdentificationVerifier $identificationVerifier |
|
| 31 | - * @param RoleConfiguration $roleConfiguration |
|
| 32 | - */ |
|
| 33 | - public function __construct( |
|
| 34 | - IdentificationVerifier $identificationVerifier, |
|
| 35 | - RoleConfiguration $roleConfiguration |
|
| 36 | - ) { |
|
| 37 | - $this->identificationVerifier = $identificationVerifier; |
|
| 38 | - $this->roleConfiguration = $roleConfiguration; |
|
| 39 | - } |
|
| 40 | - |
|
| 41 | - /** |
|
| 42 | - * Tests if a user is allowed to perform an action. |
|
| 43 | - * |
|
| 44 | - * This method should form a hard, deterministic security barrier, and only return true if it is absolutely sure |
|
| 45 | - * that a user should have access to something. |
|
| 46 | - * |
|
| 47 | - * @param string $page |
|
| 48 | - * @param string $route |
|
| 49 | - * @param User $user |
|
| 50 | - * |
|
| 51 | - * @return int |
|
| 52 | - * |
|
| 53 | - * @category Security-Critical |
|
| 54 | - */ |
|
| 55 | - public function allows($page, $route, User $user) |
|
| 56 | - { |
|
| 57 | - $this->getActiveRoles($user, $activeRoles, $inactiveRoles); |
|
| 58 | - |
|
| 59 | - $availableRights = $this->flattenRoles($activeRoles); |
|
| 60 | - $testResult = $this->findResult($availableRights, $page, $route); |
|
| 61 | - |
|
| 62 | - if ($testResult !== null) { |
|
| 63 | - // We got a firm result here, so just return it. |
|
| 64 | - return $testResult; |
|
| 65 | - } |
|
| 66 | - |
|
| 67 | - // No firm result yet, so continue testing the inactive roles so we can give a better error. |
|
| 68 | - $inactiveRights = $this->flattenRoles($inactiveRoles); |
|
| 69 | - $testResult = $this->findResult($inactiveRights, $page, $route); |
|
| 70 | - |
|
| 71 | - if ($testResult === self::ALLOWED) { |
|
| 72 | - // The user is allowed to access this, but their role is inactive. |
|
| 73 | - return self::ERROR_NOT_IDENTIFIED; |
|
| 74 | - } |
|
| 75 | - |
|
| 76 | - // Other options from the secondary test are denied and inconclusive, which at this point defaults to denied. |
|
| 77 | - return self::ERROR_DENIED; |
|
| 78 | - } |
|
| 79 | - |
|
| 80 | - /** |
|
| 81 | - * @param array $pseudoRole The role (flattened) to check |
|
| 82 | - * @param string $page The page class to check |
|
| 83 | - * @param string $route The page route to check |
|
| 84 | - * |
|
| 85 | - * @return int|null |
|
| 86 | - */ |
|
| 87 | - private function findResult($pseudoRole, $page, $route) |
|
| 88 | - { |
|
| 89 | - if (isset($pseudoRole[$page])) { |
|
| 90 | - // check for deny on catch-all route |
|
| 91 | - if (isset($pseudoRole[$page][RoleConfiguration::ALL])) { |
|
| 92 | - if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_DENY) { |
|
| 93 | - return self::ERROR_DENIED; |
|
| 94 | - } |
|
| 95 | - } |
|
| 96 | - |
|
| 97 | - // check normal route |
|
| 98 | - if (isset($pseudoRole[$page][$route])) { |
|
| 99 | - if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_DENY) { |
|
| 100 | - return self::ERROR_DENIED; |
|
| 101 | - } |
|
| 102 | - |
|
| 103 | - if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_ALLOW) { |
|
| 104 | - return self::ALLOWED; |
|
| 105 | - } |
|
| 106 | - } |
|
| 107 | - |
|
| 108 | - // check for allowed on catch-all route |
|
| 109 | - if (isset($pseudoRole[$page][RoleConfiguration::ALL])) { |
|
| 110 | - if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_ALLOW) { |
|
| 111 | - return self::ALLOWED; |
|
| 112 | - } |
|
| 113 | - } |
|
| 114 | - } |
|
| 115 | - |
|
| 116 | - // return indeterminate result |
|
| 117 | - return null; |
|
| 118 | - } |
|
| 119 | - |
|
| 120 | - /** |
|
| 121 | - * Takes an array of roles and flattens the values to a single set. |
|
| 122 | - * |
|
| 123 | - * @param array $activeRoles |
|
| 124 | - * |
|
| 125 | - * @return array |
|
| 126 | - */ |
|
| 127 | - private function flattenRoles($activeRoles) |
|
| 128 | - { |
|
| 129 | - $result = array(); |
|
| 130 | - |
|
| 131 | - $roleConfig = $this->roleConfiguration->getApplicableRoles($activeRoles); |
|
| 132 | - |
|
| 133 | - // Iterate over every page in every role |
|
| 134 | - foreach ($roleConfig as $role) { |
|
| 135 | - foreach ($role as $page => $pageRights) { |
|
| 136 | - // Create holder in result for this page |
|
| 137 | - if (!isset($result[$page])) { |
|
| 138 | - $result[$page] = array(); |
|
| 139 | - } |
|
| 140 | - |
|
| 141 | - foreach ($pageRights as $action => $permission) { |
|
| 142 | - // Deny takes precedence, so if it's set, don't change it. |
|
| 143 | - if (isset($result[$page][$action])) { |
|
| 144 | - if ($result[$page][$action] === RoleConfiguration::ACCESS_DENY) { |
|
| 145 | - continue; |
|
| 146 | - } |
|
| 147 | - } |
|
| 148 | - |
|
| 149 | - if ($permission === RoleConfiguration::ACCESS_DEFAULT) { |
|
| 150 | - // Configured to do precisely nothing. |
|
| 151 | - continue; |
|
| 152 | - } |
|
| 153 | - |
|
| 154 | - $result[$page][$action] = $permission; |
|
| 155 | - } |
|
| 156 | - } |
|
| 157 | - } |
|
| 158 | - |
|
| 159 | - return $result; |
|
| 160 | - } |
|
| 161 | - |
|
| 162 | - /** |
|
| 163 | - * @param User $user |
|
| 164 | - * @param array $activeRoles |
|
| 165 | - * @param array $inactiveRoles |
|
| 166 | - */ |
|
| 167 | - public function getActiveRoles(User $user, &$activeRoles, &$inactiveRoles) |
|
| 168 | - { |
|
| 169 | - // Default to the community user here, because the main user is logged out |
|
| 170 | - $identified = false; |
|
| 171 | - $userRoles = array('public'); |
|
| 172 | - |
|
| 173 | - // if we're not the community user, get our real rights. |
|
| 174 | - if (!$user->isCommunityUser()) { |
|
| 175 | - // Check the user's status - only active users are allowed the effects of roles |
|
| 176 | - |
|
| 177 | - $userRoles[] = 'loggedIn'; |
|
| 178 | - |
|
| 179 | - if ($user->isActive()) { |
|
| 180 | - $ur = UserRole::getForUser($user->getId(), $user->getDatabase()); |
|
| 181 | - |
|
| 182 | - // NOTE: public is still in this array. |
|
| 183 | - foreach ($ur as $r) { |
|
| 184 | - $userRoles[] = $r->getRole(); |
|
| 185 | - } |
|
| 186 | - |
|
| 187 | - $identified = $user->isIdentified($this->identificationVerifier); |
|
| 188 | - } |
|
| 189 | - } |
|
| 190 | - |
|
| 191 | - $activeRoles = array(); |
|
| 192 | - $inactiveRoles = array(); |
|
| 193 | - |
|
| 194 | - /** @var string $v */ |
|
| 195 | - foreach ($userRoles as $v) { |
|
| 196 | - if ($this->roleConfiguration->roleNeedsIdentification($v)) { |
|
| 197 | - if ($identified) { |
|
| 198 | - $activeRoles[] = $v; |
|
| 199 | - } |
|
| 200 | - else { |
|
| 201 | - $inactiveRoles[] = $v; |
|
| 202 | - } |
|
| 203 | - } |
|
| 204 | - else { |
|
| 205 | - $activeRoles[] = $v; |
|
| 206 | - } |
|
| 207 | - } |
|
| 208 | - } |
|
| 209 | - |
|
| 210 | - public function getRoleConfiguration(){ |
|
| 211 | - return $this->roleConfiguration; |
|
| 212 | - } |
|
| 17 | + const ALLOWED = 1; |
|
| 18 | + const ERROR_NOT_IDENTIFIED = 2; |
|
| 19 | + const ERROR_DENIED = 3; |
|
| 20 | + /** @var IdentificationVerifier */ |
|
| 21 | + private $identificationVerifier; |
|
| 22 | + /** |
|
| 23 | + * @var RoleConfiguration |
|
| 24 | + */ |
|
| 25 | + private $roleConfiguration; |
|
| 26 | + |
|
| 27 | + /** |
|
| 28 | + * SecurityManager constructor. |
|
| 29 | + * |
|
| 30 | + * @param IdentificationVerifier $identificationVerifier |
|
| 31 | + * @param RoleConfiguration $roleConfiguration |
|
| 32 | + */ |
|
| 33 | + public function __construct( |
|
| 34 | + IdentificationVerifier $identificationVerifier, |
|
| 35 | + RoleConfiguration $roleConfiguration |
|
| 36 | + ) { |
|
| 37 | + $this->identificationVerifier = $identificationVerifier; |
|
| 38 | + $this->roleConfiguration = $roleConfiguration; |
|
| 39 | + } |
|
| 40 | + |
|
| 41 | + /** |
|
| 42 | + * Tests if a user is allowed to perform an action. |
|
| 43 | + * |
|
| 44 | + * This method should form a hard, deterministic security barrier, and only return true if it is absolutely sure |
|
| 45 | + * that a user should have access to something. |
|
| 46 | + * |
|
| 47 | + * @param string $page |
|
| 48 | + * @param string $route |
|
| 49 | + * @param User $user |
|
| 50 | + * |
|
| 51 | + * @return int |
|
| 52 | + * |
|
| 53 | + * @category Security-Critical |
|
| 54 | + */ |
|
| 55 | + public function allows($page, $route, User $user) |
|
| 56 | + { |
|
| 57 | + $this->getActiveRoles($user, $activeRoles, $inactiveRoles); |
|
| 58 | + |
|
| 59 | + $availableRights = $this->flattenRoles($activeRoles); |
|
| 60 | + $testResult = $this->findResult($availableRights, $page, $route); |
|
| 61 | + |
|
| 62 | + if ($testResult !== null) { |
|
| 63 | + // We got a firm result here, so just return it. |
|
| 64 | + return $testResult; |
|
| 65 | + } |
|
| 66 | + |
|
| 67 | + // No firm result yet, so continue testing the inactive roles so we can give a better error. |
|
| 68 | + $inactiveRights = $this->flattenRoles($inactiveRoles); |
|
| 69 | + $testResult = $this->findResult($inactiveRights, $page, $route); |
|
| 70 | + |
|
| 71 | + if ($testResult === self::ALLOWED) { |
|
| 72 | + // The user is allowed to access this, but their role is inactive. |
|
| 73 | + return self::ERROR_NOT_IDENTIFIED; |
|
| 74 | + } |
|
| 75 | + |
|
| 76 | + // Other options from the secondary test are denied and inconclusive, which at this point defaults to denied. |
|
| 77 | + return self::ERROR_DENIED; |
|
| 78 | + } |
|
| 79 | + |
|
| 80 | + /** |
|
| 81 | + * @param array $pseudoRole The role (flattened) to check |
|
| 82 | + * @param string $page The page class to check |
|
| 83 | + * @param string $route The page route to check |
|
| 84 | + * |
|
| 85 | + * @return int|null |
|
| 86 | + */ |
|
| 87 | + private function findResult($pseudoRole, $page, $route) |
|
| 88 | + { |
|
| 89 | + if (isset($pseudoRole[$page])) { |
|
| 90 | + // check for deny on catch-all route |
|
| 91 | + if (isset($pseudoRole[$page][RoleConfiguration::ALL])) { |
|
| 92 | + if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_DENY) { |
|
| 93 | + return self::ERROR_DENIED; |
|
| 94 | + } |
|
| 95 | + } |
|
| 96 | + |
|
| 97 | + // check normal route |
|
| 98 | + if (isset($pseudoRole[$page][$route])) { |
|
| 99 | + if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_DENY) { |
|
| 100 | + return self::ERROR_DENIED; |
|
| 101 | + } |
|
| 102 | + |
|
| 103 | + if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_ALLOW) { |
|
| 104 | + return self::ALLOWED; |
|
| 105 | + } |
|
| 106 | + } |
|
| 107 | + |
|
| 108 | + // check for allowed on catch-all route |
|
| 109 | + if (isset($pseudoRole[$page][RoleConfiguration::ALL])) { |
|
| 110 | + if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_ALLOW) { |
|
| 111 | + return self::ALLOWED; |
|
| 112 | + } |
|
| 113 | + } |
|
| 114 | + } |
|
| 115 | + |
|
| 116 | + // return indeterminate result |
|
| 117 | + return null; |
|
| 118 | + } |
|
| 119 | + |
|
| 120 | + /** |
|
| 121 | + * Takes an array of roles and flattens the values to a single set. |
|
| 122 | + * |
|
| 123 | + * @param array $activeRoles |
|
| 124 | + * |
|
| 125 | + * @return array |
|
| 126 | + */ |
|
| 127 | + private function flattenRoles($activeRoles) |
|
| 128 | + { |
|
| 129 | + $result = array(); |
|
| 130 | + |
|
| 131 | + $roleConfig = $this->roleConfiguration->getApplicableRoles($activeRoles); |
|
| 132 | + |
|
| 133 | + // Iterate over every page in every role |
|
| 134 | + foreach ($roleConfig as $role) { |
|
| 135 | + foreach ($role as $page => $pageRights) { |
|
| 136 | + // Create holder in result for this page |
|
| 137 | + if (!isset($result[$page])) { |
|
| 138 | + $result[$page] = array(); |
|
| 139 | + } |
|
| 140 | + |
|
| 141 | + foreach ($pageRights as $action => $permission) { |
|
| 142 | + // Deny takes precedence, so if it's set, don't change it. |
|
| 143 | + if (isset($result[$page][$action])) { |
|
| 144 | + if ($result[$page][$action] === RoleConfiguration::ACCESS_DENY) { |
|
| 145 | + continue; |
|
| 146 | + } |
|
| 147 | + } |
|
| 148 | + |
|
| 149 | + if ($permission === RoleConfiguration::ACCESS_DEFAULT) { |
|
| 150 | + // Configured to do precisely nothing. |
|
| 151 | + continue; |
|
| 152 | + } |
|
| 153 | + |
|
| 154 | + $result[$page][$action] = $permission; |
|
| 155 | + } |
|
| 156 | + } |
|
| 157 | + } |
|
| 158 | + |
|
| 159 | + return $result; |
|
| 160 | + } |
|
| 161 | + |
|
| 162 | + /** |
|
| 163 | + * @param User $user |
|
| 164 | + * @param array $activeRoles |
|
| 165 | + * @param array $inactiveRoles |
|
| 166 | + */ |
|
| 167 | + public function getActiveRoles(User $user, &$activeRoles, &$inactiveRoles) |
|
| 168 | + { |
|
| 169 | + // Default to the community user here, because the main user is logged out |
|
| 170 | + $identified = false; |
|
| 171 | + $userRoles = array('public'); |
|
| 172 | + |
|
| 173 | + // if we're not the community user, get our real rights. |
|
| 174 | + if (!$user->isCommunityUser()) { |
|
| 175 | + // Check the user's status - only active users are allowed the effects of roles |
|
| 176 | + |
|
| 177 | + $userRoles[] = 'loggedIn'; |
|
| 178 | + |
|
| 179 | + if ($user->isActive()) { |
|
| 180 | + $ur = UserRole::getForUser($user->getId(), $user->getDatabase()); |
|
| 181 | + |
|
| 182 | + // NOTE: public is still in this array. |
|
| 183 | + foreach ($ur as $r) { |
|
| 184 | + $userRoles[] = $r->getRole(); |
|
| 185 | + } |
|
| 186 | + |
|
| 187 | + $identified = $user->isIdentified($this->identificationVerifier); |
|
| 188 | + } |
|
| 189 | + } |
|
| 190 | + |
|
| 191 | + $activeRoles = array(); |
|
| 192 | + $inactiveRoles = array(); |
|
| 193 | + |
|
| 194 | + /** @var string $v */ |
|
| 195 | + foreach ($userRoles as $v) { |
|
| 196 | + if ($this->roleConfiguration->roleNeedsIdentification($v)) { |
|
| 197 | + if ($identified) { |
|
| 198 | + $activeRoles[] = $v; |
|
| 199 | + } |
|
| 200 | + else { |
|
| 201 | + $inactiveRoles[] = $v; |
|
| 202 | + } |
|
| 203 | + } |
|
| 204 | + else { |
|
| 205 | + $activeRoles[] = $v; |
|
| 206 | + } |
|
| 207 | + } |
|
| 208 | + } |
|
| 209 | + |
|
| 210 | + public function getRoleConfiguration(){ |
|
| 211 | + return $this->roleConfiguration; |
|
| 212 | + } |
|
| 213 | 213 | } |
@@ -207,7 +207,7 @@ |
||
| 207 | 207 | } |
| 208 | 208 | } |
| 209 | 209 | |
| 210 | - public function getRoleConfiguration(){ |
|
| 210 | + public function getRoleConfiguration() { |
|
| 211 | 211 | return $this->roleConfiguration; |
| 212 | 212 | } |
| 213 | 213 | } |
@@ -207,7 +207,8 @@ |
||
| 207 | 207 | } |
| 208 | 208 | } |
| 209 | 209 | |
| 210 | - public function getRoleConfiguration(){ |
|
| 210 | + public function getRoleConfiguration() |
|
| 211 | + { |
|
| 211 | 212 | return $this->roleConfiguration; |
| 212 | 213 | } |
| 213 | 214 | } |
@@ -41,338 +41,338 @@ |
||
| 41 | 41 | |
| 42 | 42 | class RoleConfiguration |
| 43 | 43 | { |
| 44 | - const ACCESS_ALLOW = 1; |
|
| 45 | - const ACCESS_DENY = -1; |
|
| 46 | - const ACCESS_DEFAULT = 0; |
|
| 47 | - const MAIN = 'main'; |
|
| 48 | - const ALL = '*'; |
|
| 49 | - /** |
|
| 50 | - * A map of roles to rights |
|
| 51 | - * |
|
| 52 | - * For example: |
|
| 53 | - * |
|
| 54 | - * array( |
|
| 55 | - * 'myrole' => array( |
|
| 56 | - * PageMyPage::class => array( |
|
| 57 | - * 'edit' => self::ACCESS_ALLOW, |
|
| 58 | - * 'create' => self::ACCESS_DENY, |
|
| 59 | - * ) |
|
| 60 | - * ) |
|
| 61 | - * ) |
|
| 62 | - * |
|
| 63 | - * Note that DENY takes precedence over everything else when roles are combined, followed by ALLOW, followed by |
|
| 64 | - * DEFAULT. Thus, if you have the following ([A]llow, [D]eny, [-] (default)) grants in different roles, this should |
|
| 65 | - * be the expected result: |
|
| 66 | - * |
|
| 67 | - * - (-,-,-) = - (default because nothing to explicitly say allowed or denied equates to a denial) |
|
| 68 | - * - (A,-,-) = A |
|
| 69 | - * - (D,-,-) = D |
|
| 70 | - * - (A,D,-) = D (deny takes precedence over allow) |
|
| 71 | - * - (A,A,A) = A (repetition has no effect) |
|
| 72 | - * |
|
| 73 | - * The public role is special, and is applied to all users automatically. Avoid using deny on this role. |
|
| 74 | - * |
|
| 75 | - * @var array |
|
| 76 | - */ |
|
| 77 | - private $roleConfig = array( |
|
| 78 | - 'public' => array( |
|
| 79 | - /* |
|
| 44 | + const ACCESS_ALLOW = 1; |
|
| 45 | + const ACCESS_DENY = -1; |
|
| 46 | + const ACCESS_DEFAULT = 0; |
|
| 47 | + const MAIN = 'main'; |
|
| 48 | + const ALL = '*'; |
|
| 49 | + /** |
|
| 50 | + * A map of roles to rights |
|
| 51 | + * |
|
| 52 | + * For example: |
|
| 53 | + * |
|
| 54 | + * array( |
|
| 55 | + * 'myrole' => array( |
|
| 56 | + * PageMyPage::class => array( |
|
| 57 | + * 'edit' => self::ACCESS_ALLOW, |
|
| 58 | + * 'create' => self::ACCESS_DENY, |
|
| 59 | + * ) |
|
| 60 | + * ) |
|
| 61 | + * ) |
|
| 62 | + * |
|
| 63 | + * Note that DENY takes precedence over everything else when roles are combined, followed by ALLOW, followed by |
|
| 64 | + * DEFAULT. Thus, if you have the following ([A]llow, [D]eny, [-] (default)) grants in different roles, this should |
|
| 65 | + * be the expected result: |
|
| 66 | + * |
|
| 67 | + * - (-,-,-) = - (default because nothing to explicitly say allowed or denied equates to a denial) |
|
| 68 | + * - (A,-,-) = A |
|
| 69 | + * - (D,-,-) = D |
|
| 70 | + * - (A,D,-) = D (deny takes precedence over allow) |
|
| 71 | + * - (A,A,A) = A (repetition has no effect) |
|
| 72 | + * |
|
| 73 | + * The public role is special, and is applied to all users automatically. Avoid using deny on this role. |
|
| 74 | + * |
|
| 75 | + * @var array |
|
| 76 | + */ |
|
| 77 | + private $roleConfig = array( |
|
| 78 | + 'public' => array( |
|
| 79 | + /* |
|
| 80 | 80 | * THIS ROLE IS GRANTED TO ALL LOGGED *OUT* USERS IMPLICITLY. |
| 81 | 81 | * |
| 82 | 82 | * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE. |
| 83 | 83 | * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE. |
| 84 | 84 | */ |
| 85 | - '_childRoles' => array( |
|
| 86 | - 'publicStats', |
|
| 87 | - ), |
|
| 88 | - PageOAuth::class => array( |
|
| 89 | - 'callback' => self::ACCESS_ALLOW, |
|
| 90 | - ), |
|
| 91 | - PageTeam::class => array( |
|
| 92 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 93 | - ), |
|
| 94 | - ), |
|
| 95 | - 'loggedIn' => array( |
|
| 96 | - /* |
|
| 85 | + '_childRoles' => array( |
|
| 86 | + 'publicStats', |
|
| 87 | + ), |
|
| 88 | + PageOAuth::class => array( |
|
| 89 | + 'callback' => self::ACCESS_ALLOW, |
|
| 90 | + ), |
|
| 91 | + PageTeam::class => array( |
|
| 92 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 93 | + ), |
|
| 94 | + ), |
|
| 95 | + 'loggedIn' => array( |
|
| 96 | + /* |
|
| 97 | 97 | * THIS ROLE IS GRANTED TO ALL LOGGED IN USERS IMPLICITLY. |
| 98 | 98 | * |
| 99 | 99 | * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE. |
| 100 | 100 | * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE. |
| 101 | 101 | */ |
| 102 | - '_childRoles' => array( |
|
| 103 | - 'public', |
|
| 104 | - ), |
|
| 105 | - PagePreferences::class => array( |
|
| 106 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 107 | - 'changePassword' => self::ACCESS_ALLOW, |
|
| 108 | - ), |
|
| 109 | - PageOAuth::class => array( |
|
| 110 | - 'attach' => self::ACCESS_ALLOW, |
|
| 111 | - 'detach' => self::ACCESS_ALLOW, |
|
| 112 | - ), |
|
| 113 | - ), |
|
| 114 | - 'user' => array( |
|
| 115 | - '_description' => 'A standard tool user.', |
|
| 116 | - '_editableBy' => array('admin', 'toolRoot'), |
|
| 117 | - '_childRoles' => array( |
|
| 118 | - 'internalStats', |
|
| 119 | - ), |
|
| 120 | - PageMain::class => array( |
|
| 121 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 122 | - ), |
|
| 123 | - PageBan::class => array( |
|
| 124 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 125 | - ), |
|
| 126 | - PageEditComment::class => array( |
|
| 127 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 128 | - ), |
|
| 129 | - PageEmailManagement::class => array( |
|
| 130 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 131 | - 'view' => self::ACCESS_ALLOW, |
|
| 132 | - ), |
|
| 133 | - PageExpandedRequestList::class => array( |
|
| 134 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 135 | - ), |
|
| 136 | - PageLog::class => array( |
|
| 137 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 138 | - ), |
|
| 139 | - PageSearch::class => array( |
|
| 140 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 141 | - ), |
|
| 142 | - PageWelcomeTemplateManagement::class => array( |
|
| 143 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 144 | - 'select' => self::ACCESS_ALLOW, |
|
| 145 | - 'view' => self::ACCESS_ALLOW, |
|
| 146 | - ), |
|
| 147 | - PageViewRequest::class => array( |
|
| 148 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 149 | - ), |
|
| 150 | - 'RequestData' => array( |
|
| 151 | - 'seePrivateDataWhenReserved' => self::ACCESS_ALLOW, |
|
| 152 | - 'seePrivateDataWithHash' => self::ACCESS_ALLOW, |
|
| 153 | - ), |
|
| 154 | - PageCustomClose::class => array( |
|
| 155 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 156 | - ), |
|
| 157 | - PageComment::class => array( |
|
| 158 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 159 | - ), |
|
| 160 | - PageCloseRequest::class => array( |
|
| 161 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 162 | - ), |
|
| 163 | - PageDeferRequest::class => array( |
|
| 164 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 165 | - ), |
|
| 166 | - PageDropRequest::class => array( |
|
| 167 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 168 | - ), |
|
| 169 | - PageReservation::class => array( |
|
| 170 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 171 | - ), |
|
| 172 | - PageSendToUser::class => array( |
|
| 173 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 174 | - ), |
|
| 175 | - PageBreakReservation::class => array( |
|
| 176 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 177 | - ), |
|
| 102 | + '_childRoles' => array( |
|
| 103 | + 'public', |
|
| 104 | + ), |
|
| 105 | + PagePreferences::class => array( |
|
| 106 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 107 | + 'changePassword' => self::ACCESS_ALLOW, |
|
| 108 | + ), |
|
| 109 | + PageOAuth::class => array( |
|
| 110 | + 'attach' => self::ACCESS_ALLOW, |
|
| 111 | + 'detach' => self::ACCESS_ALLOW, |
|
| 112 | + ), |
|
| 113 | + ), |
|
| 114 | + 'user' => array( |
|
| 115 | + '_description' => 'A standard tool user.', |
|
| 116 | + '_editableBy' => array('admin', 'toolRoot'), |
|
| 117 | + '_childRoles' => array( |
|
| 118 | + 'internalStats', |
|
| 119 | + ), |
|
| 120 | + PageMain::class => array( |
|
| 121 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 122 | + ), |
|
| 123 | + PageBan::class => array( |
|
| 124 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 125 | + ), |
|
| 126 | + PageEditComment::class => array( |
|
| 127 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 128 | + ), |
|
| 129 | + PageEmailManagement::class => array( |
|
| 130 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 131 | + 'view' => self::ACCESS_ALLOW, |
|
| 132 | + ), |
|
| 133 | + PageExpandedRequestList::class => array( |
|
| 134 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 135 | + ), |
|
| 136 | + PageLog::class => array( |
|
| 137 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 138 | + ), |
|
| 139 | + PageSearch::class => array( |
|
| 140 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 141 | + ), |
|
| 142 | + PageWelcomeTemplateManagement::class => array( |
|
| 143 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 144 | + 'select' => self::ACCESS_ALLOW, |
|
| 145 | + 'view' => self::ACCESS_ALLOW, |
|
| 146 | + ), |
|
| 147 | + PageViewRequest::class => array( |
|
| 148 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 149 | + ), |
|
| 150 | + 'RequestData' => array( |
|
| 151 | + 'seePrivateDataWhenReserved' => self::ACCESS_ALLOW, |
|
| 152 | + 'seePrivateDataWithHash' => self::ACCESS_ALLOW, |
|
| 153 | + ), |
|
| 154 | + PageCustomClose::class => array( |
|
| 155 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 156 | + ), |
|
| 157 | + PageComment::class => array( |
|
| 158 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 159 | + ), |
|
| 160 | + PageCloseRequest::class => array( |
|
| 161 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 162 | + ), |
|
| 163 | + PageDeferRequest::class => array( |
|
| 164 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 165 | + ), |
|
| 166 | + PageDropRequest::class => array( |
|
| 167 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 168 | + ), |
|
| 169 | + PageReservation::class => array( |
|
| 170 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 171 | + ), |
|
| 172 | + PageSendToUser::class => array( |
|
| 173 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 174 | + ), |
|
| 175 | + PageBreakReservation::class => array( |
|
| 176 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 177 | + ), |
|
| 178 | 178 | |
| 179 | - ), |
|
| 180 | - 'admin' => array( |
|
| 181 | - '_description' => 'A tool administrator.', |
|
| 182 | - '_editableBy' => array('admin', 'toolRoot'), |
|
| 183 | - '_childRoles' => array( |
|
| 184 | - 'user', 'requestAdminTools', |
|
| 185 | - ), |
|
| 186 | - PageEmailManagement::class => array( |
|
| 187 | - 'edit' => self::ACCESS_ALLOW, |
|
| 188 | - 'create' => self::ACCESS_ALLOW, |
|
| 189 | - ), |
|
| 190 | - PageSiteNotice::class => array( |
|
| 191 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 192 | - ), |
|
| 193 | - PageUserManagement::class => array( |
|
| 194 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 195 | - 'approve' => self::ACCESS_ALLOW, |
|
| 196 | - 'decline' => self::ACCESS_ALLOW, |
|
| 197 | - 'rename' => self::ACCESS_ALLOW, |
|
| 198 | - 'editUser' => self::ACCESS_ALLOW, |
|
| 199 | - 'suspend' => self::ACCESS_ALLOW, |
|
| 200 | - 'editRoles' => self::ACCESS_ALLOW, |
|
| 201 | - ), |
|
| 202 | - PageWelcomeTemplateManagement::class => array( |
|
| 203 | - 'edit' => self::ACCESS_ALLOW, |
|
| 204 | - 'delete' => self::ACCESS_ALLOW, |
|
| 205 | - 'add' => self::ACCESS_ALLOW, |
|
| 206 | - ), |
|
| 207 | - ), |
|
| 208 | - 'checkuser' => array( |
|
| 209 | - '_description' => 'A user with CheckUser access', |
|
| 210 | - '_editableBy' => array('checkuser', 'toolRoot'), |
|
| 211 | - '_childRoles' => array( |
|
| 212 | - 'user', 'requestAdminTools', |
|
| 213 | - ), |
|
| 214 | - PageUserManagement::class => array( |
|
| 215 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 216 | - 'suspend' => self::ACCESS_ALLOW, |
|
| 217 | - 'editRoles' => self::ACCESS_ALLOW, |
|
| 218 | - ), |
|
| 219 | - 'RequestData' => array( |
|
| 220 | - 'seeUserAgentData' => self::ACCESS_ALLOW, |
|
| 221 | - ), |
|
| 222 | - ), |
|
| 223 | - 'toolRoot' => array( |
|
| 224 | - '_description' => 'A user with shell access to the servers running the tool', |
|
| 225 | - '_editableBy' => array('toolRoot'), |
|
| 226 | - '_childRoles' => array( |
|
| 227 | - 'admin', 'checkuser', |
|
| 228 | - ), |
|
| 229 | - ), |
|
| 179 | + ), |
|
| 180 | + 'admin' => array( |
|
| 181 | + '_description' => 'A tool administrator.', |
|
| 182 | + '_editableBy' => array('admin', 'toolRoot'), |
|
| 183 | + '_childRoles' => array( |
|
| 184 | + 'user', 'requestAdminTools', |
|
| 185 | + ), |
|
| 186 | + PageEmailManagement::class => array( |
|
| 187 | + 'edit' => self::ACCESS_ALLOW, |
|
| 188 | + 'create' => self::ACCESS_ALLOW, |
|
| 189 | + ), |
|
| 190 | + PageSiteNotice::class => array( |
|
| 191 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 192 | + ), |
|
| 193 | + PageUserManagement::class => array( |
|
| 194 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 195 | + 'approve' => self::ACCESS_ALLOW, |
|
| 196 | + 'decline' => self::ACCESS_ALLOW, |
|
| 197 | + 'rename' => self::ACCESS_ALLOW, |
|
| 198 | + 'editUser' => self::ACCESS_ALLOW, |
|
| 199 | + 'suspend' => self::ACCESS_ALLOW, |
|
| 200 | + 'editRoles' => self::ACCESS_ALLOW, |
|
| 201 | + ), |
|
| 202 | + PageWelcomeTemplateManagement::class => array( |
|
| 203 | + 'edit' => self::ACCESS_ALLOW, |
|
| 204 | + 'delete' => self::ACCESS_ALLOW, |
|
| 205 | + 'add' => self::ACCESS_ALLOW, |
|
| 206 | + ), |
|
| 207 | + ), |
|
| 208 | + 'checkuser' => array( |
|
| 209 | + '_description' => 'A user with CheckUser access', |
|
| 210 | + '_editableBy' => array('checkuser', 'toolRoot'), |
|
| 211 | + '_childRoles' => array( |
|
| 212 | + 'user', 'requestAdminTools', |
|
| 213 | + ), |
|
| 214 | + PageUserManagement::class => array( |
|
| 215 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 216 | + 'suspend' => self::ACCESS_ALLOW, |
|
| 217 | + 'editRoles' => self::ACCESS_ALLOW, |
|
| 218 | + ), |
|
| 219 | + 'RequestData' => array( |
|
| 220 | + 'seeUserAgentData' => self::ACCESS_ALLOW, |
|
| 221 | + ), |
|
| 222 | + ), |
|
| 223 | + 'toolRoot' => array( |
|
| 224 | + '_description' => 'A user with shell access to the servers running the tool', |
|
| 225 | + '_editableBy' => array('toolRoot'), |
|
| 226 | + '_childRoles' => array( |
|
| 227 | + 'admin', 'checkuser', |
|
| 228 | + ), |
|
| 229 | + ), |
|
| 230 | 230 | |
| 231 | - // Child roles go below this point |
|
| 232 | - 'publicStats' => array( |
|
| 233 | - '_hidden' => true, |
|
| 234 | - StatsUsers::class => array( |
|
| 235 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 236 | - 'detail' => self::ACCESS_ALLOW, |
|
| 237 | - ), |
|
| 238 | - StatsTopCreators::class => array( |
|
| 239 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 240 | - ), |
|
| 241 | - ), |
|
| 242 | - 'internalStats' => array( |
|
| 243 | - '_hidden' => true, |
|
| 244 | - StatsMain::class => array( |
|
| 245 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 246 | - ), |
|
| 247 | - StatsFastCloses::class => array( |
|
| 248 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 249 | - ), |
|
| 250 | - StatsInactiveUsers::class => array( |
|
| 251 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 252 | - ), |
|
| 253 | - StatsMonthlyStats::class => array( |
|
| 254 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 255 | - ), |
|
| 256 | - StatsReservedRequests::class => array( |
|
| 257 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 258 | - ), |
|
| 259 | - StatsTemplateStats::class => array( |
|
| 260 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 261 | - ), |
|
| 262 | - ), |
|
| 263 | - 'requestAdminTools' => array( |
|
| 264 | - '_hidden' => true, |
|
| 265 | - PageBan::class => array( |
|
| 266 | - self::MAIN => self::ACCESS_ALLOW, |
|
| 267 | - 'set' => self::ACCESS_ALLOW, |
|
| 268 | - 'remove' => self::ACCESS_ALLOW, |
|
| 269 | - ), |
|
| 270 | - PageEditComment::class => array( |
|
| 271 | - 'editOthers' => self::ACCESS_ALLOW, |
|
| 272 | - ), |
|
| 273 | - PageBreakReservation::class => array( |
|
| 274 | - 'force' => self::ACCESS_ALLOW, |
|
| 275 | - ), |
|
| 276 | - PageCustomClose::class => array( |
|
| 277 | - 'skipCcMailingList' => self::ACCESS_ALLOW, |
|
| 278 | - ), |
|
| 279 | - 'RequestData' => array( |
|
| 280 | - 'reopenOldRequest' => self::ACCESS_ALLOW, |
|
| 281 | - 'alwaysSeePrivateData' => self::ACCESS_ALLOW, |
|
| 282 | - 'alwaysSeeHash' => self::ACCESS_ALLOW, |
|
| 283 | - 'seeRestrictedComments' => self::ACCESS_ALLOW, |
|
| 284 | - ), |
|
| 285 | - ), |
|
| 286 | - ); |
|
| 287 | - /** @var array |
|
| 288 | - * List of roles which are *exempt* from the identification requirements |
|
| 289 | - * |
|
| 290 | - * Think twice about adding roles to this list. |
|
| 291 | - * |
|
| 292 | - * @category Security-Critical |
|
| 293 | - */ |
|
| 294 | - private $identificationExempt = array('public', 'loggedIn'); |
|
| 231 | + // Child roles go below this point |
|
| 232 | + 'publicStats' => array( |
|
| 233 | + '_hidden' => true, |
|
| 234 | + StatsUsers::class => array( |
|
| 235 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 236 | + 'detail' => self::ACCESS_ALLOW, |
|
| 237 | + ), |
|
| 238 | + StatsTopCreators::class => array( |
|
| 239 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 240 | + ), |
|
| 241 | + ), |
|
| 242 | + 'internalStats' => array( |
|
| 243 | + '_hidden' => true, |
|
| 244 | + StatsMain::class => array( |
|
| 245 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 246 | + ), |
|
| 247 | + StatsFastCloses::class => array( |
|
| 248 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 249 | + ), |
|
| 250 | + StatsInactiveUsers::class => array( |
|
| 251 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 252 | + ), |
|
| 253 | + StatsMonthlyStats::class => array( |
|
| 254 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 255 | + ), |
|
| 256 | + StatsReservedRequests::class => array( |
|
| 257 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 258 | + ), |
|
| 259 | + StatsTemplateStats::class => array( |
|
| 260 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 261 | + ), |
|
| 262 | + ), |
|
| 263 | + 'requestAdminTools' => array( |
|
| 264 | + '_hidden' => true, |
|
| 265 | + PageBan::class => array( |
|
| 266 | + self::MAIN => self::ACCESS_ALLOW, |
|
| 267 | + 'set' => self::ACCESS_ALLOW, |
|
| 268 | + 'remove' => self::ACCESS_ALLOW, |
|
| 269 | + ), |
|
| 270 | + PageEditComment::class => array( |
|
| 271 | + 'editOthers' => self::ACCESS_ALLOW, |
|
| 272 | + ), |
|
| 273 | + PageBreakReservation::class => array( |
|
| 274 | + 'force' => self::ACCESS_ALLOW, |
|
| 275 | + ), |
|
| 276 | + PageCustomClose::class => array( |
|
| 277 | + 'skipCcMailingList' => self::ACCESS_ALLOW, |
|
| 278 | + ), |
|
| 279 | + 'RequestData' => array( |
|
| 280 | + 'reopenOldRequest' => self::ACCESS_ALLOW, |
|
| 281 | + 'alwaysSeePrivateData' => self::ACCESS_ALLOW, |
|
| 282 | + 'alwaysSeeHash' => self::ACCESS_ALLOW, |
|
| 283 | + 'seeRestrictedComments' => self::ACCESS_ALLOW, |
|
| 284 | + ), |
|
| 285 | + ), |
|
| 286 | + ); |
|
| 287 | + /** @var array |
|
| 288 | + * List of roles which are *exempt* from the identification requirements |
|
| 289 | + * |
|
| 290 | + * Think twice about adding roles to this list. |
|
| 291 | + * |
|
| 292 | + * @category Security-Critical |
|
| 293 | + */ |
|
| 294 | + private $identificationExempt = array('public', 'loggedIn'); |
|
| 295 | 295 | |
| 296 | - /** |
|
| 297 | - * RoleConfiguration constructor. |
|
| 298 | - * |
|
| 299 | - * @param array $roleConfig Set to non-null to override the default configuration. |
|
| 300 | - * @param array $identificationExempt Set to non-null to override the default configuration. |
|
| 301 | - */ |
|
| 302 | - public function __construct(array $roleConfig = null, array $identificationExempt = null) |
|
| 303 | - { |
|
| 304 | - if ($roleConfig !== null) { |
|
| 305 | - $this->roleConfig = $roleConfig; |
|
| 306 | - } |
|
| 296 | + /** |
|
| 297 | + * RoleConfiguration constructor. |
|
| 298 | + * |
|
| 299 | + * @param array $roleConfig Set to non-null to override the default configuration. |
|
| 300 | + * @param array $identificationExempt Set to non-null to override the default configuration. |
|
| 301 | + */ |
|
| 302 | + public function __construct(array $roleConfig = null, array $identificationExempt = null) |
|
| 303 | + { |
|
| 304 | + if ($roleConfig !== null) { |
|
| 305 | + $this->roleConfig = $roleConfig; |
|
| 306 | + } |
|
| 307 | 307 | |
| 308 | - if ($identificationExempt !== null) { |
|
| 309 | - $this->identificationExempt = $identificationExempt; |
|
| 310 | - } |
|
| 311 | - } |
|
| 308 | + if ($identificationExempt !== null) { |
|
| 309 | + $this->identificationExempt = $identificationExempt; |
|
| 310 | + } |
|
| 311 | + } |
|
| 312 | 312 | |
| 313 | - /** |
|
| 314 | - * @param array $roles The roles to check |
|
| 315 | - * |
|
| 316 | - * @return array |
|
| 317 | - */ |
|
| 318 | - public function getApplicableRoles(array $roles) |
|
| 319 | - { |
|
| 320 | - $available = array(); |
|
| 313 | + /** |
|
| 314 | + * @param array $roles The roles to check |
|
| 315 | + * |
|
| 316 | + * @return array |
|
| 317 | + */ |
|
| 318 | + public function getApplicableRoles(array $roles) |
|
| 319 | + { |
|
| 320 | + $available = array(); |
|
| 321 | 321 | |
| 322 | - foreach ($roles as $role) { |
|
| 323 | - if (!isset($this->roleConfig[$role])) { |
|
| 324 | - // wat |
|
| 325 | - continue; |
|
| 326 | - } |
|
| 322 | + foreach ($roles as $role) { |
|
| 323 | + if (!isset($this->roleConfig[$role])) { |
|
| 324 | + // wat |
|
| 325 | + continue; |
|
| 326 | + } |
|
| 327 | 327 | |
| 328 | - $available[$role] = $this->roleConfig[$role]; |
|
| 328 | + $available[$role] = $this->roleConfig[$role]; |
|
| 329 | 329 | |
| 330 | - if (isset($available[$role]['_childRoles'])) { |
|
| 331 | - $childRoles = self::getApplicableRoles($available[$role]['_childRoles']); |
|
| 332 | - $available = array_merge($available, $childRoles); |
|
| 330 | + if (isset($available[$role]['_childRoles'])) { |
|
| 331 | + $childRoles = self::getApplicableRoles($available[$role]['_childRoles']); |
|
| 332 | + $available = array_merge($available, $childRoles); |
|
| 333 | 333 | |
| 334 | - unset($available[$role]['_childRoles']); |
|
| 335 | - } |
|
| 334 | + unset($available[$role]['_childRoles']); |
|
| 335 | + } |
|
| 336 | 336 | |
| 337 | - foreach (array('_hidden', '_editableBy', '_description') as $item) { |
|
| 338 | - if (isset($available[$role][$item])) { |
|
| 339 | - unset($available[$role][$item]); |
|
| 340 | - } |
|
| 341 | - } |
|
| 342 | - } |
|
| 337 | + foreach (array('_hidden', '_editableBy', '_description') as $item) { |
|
| 338 | + if (isset($available[$role][$item])) { |
|
| 339 | + unset($available[$role][$item]); |
|
| 340 | + } |
|
| 341 | + } |
|
| 342 | + } |
|
| 343 | 343 | |
| 344 | - return $available; |
|
| 345 | - } |
|
| 344 | + return $available; |
|
| 345 | + } |
|
| 346 | 346 | |
| 347 | - public function getAvailableRoles() |
|
| 348 | - { |
|
| 349 | - $possible = array_diff(array_keys($this->roleConfig), array('public', 'loggedIn')); |
|
| 347 | + public function getAvailableRoles() |
|
| 348 | + { |
|
| 349 | + $possible = array_diff(array_keys($this->roleConfig), array('public', 'loggedIn')); |
|
| 350 | 350 | |
| 351 | - $actual = array(); |
|
| 351 | + $actual = array(); |
|
| 352 | 352 | |
| 353 | - foreach ($possible as $role) { |
|
| 354 | - if (!isset($this->roleConfig[$role]['_hidden'])) { |
|
| 355 | - $actual[$role] = array( |
|
| 356 | - 'description' => $this->roleConfig[$role]['_description'], |
|
| 357 | - 'editableBy' => $this->roleConfig[$role]['_editableBy'], |
|
| 358 | - ); |
|
| 359 | - } |
|
| 360 | - } |
|
| 353 | + foreach ($possible as $role) { |
|
| 354 | + if (!isset($this->roleConfig[$role]['_hidden'])) { |
|
| 355 | + $actual[$role] = array( |
|
| 356 | + 'description' => $this->roleConfig[$role]['_description'], |
|
| 357 | + 'editableBy' => $this->roleConfig[$role]['_editableBy'], |
|
| 358 | + ); |
|
| 359 | + } |
|
| 360 | + } |
|
| 361 | 361 | |
| 362 | - return $actual; |
|
| 363 | - } |
|
| 362 | + return $actual; |
|
| 363 | + } |
|
| 364 | 364 | |
| 365 | - /** |
|
| 366 | - * @param string $role |
|
| 367 | - * |
|
| 368 | - * @return bool |
|
| 369 | - */ |
|
| 370 | - public function roleNeedsIdentification($role) |
|
| 371 | - { |
|
| 372 | - if (in_array($role, $this->identificationExempt)) { |
|
| 373 | - return false; |
|
| 374 | - } |
|
| 365 | + /** |
|
| 366 | + * @param string $role |
|
| 367 | + * |
|
| 368 | + * @return bool |
|
| 369 | + */ |
|
| 370 | + public function roleNeedsIdentification($role) |
|
| 371 | + { |
|
| 372 | + if (in_array($role, $this->identificationExempt)) { |
|
| 373 | + return false; |
|
| 374 | + } |
|
| 375 | 375 | |
| 376 | - return true; |
|
| 377 | - } |
|
| 376 | + return true; |
|
| 377 | + } |
|
| 378 | 378 | } |
@@ -30,222 +30,222 @@ |
||
| 30 | 30 | */ |
| 31 | 31 | class WebStart extends ApplicationBase |
| 32 | 32 | { |
| 33 | - /** |
|
| 34 | - * @var IRequestRouter $requestRouter The request router to use. Note that different entry points have different |
|
| 35 | - * routers and hence different URL mappings |
|
| 36 | - */ |
|
| 37 | - private $requestRouter; |
|
| 38 | - /** |
|
| 39 | - * @var bool $isPublic Determines whether to use public interface objects or internal interface objects |
|
| 40 | - */ |
|
| 41 | - private $isPublic = false; |
|
| 42 | - |
|
| 43 | - /** |
|
| 44 | - * WebStart constructor. |
|
| 45 | - * |
|
| 46 | - * @param SiteConfiguration $configuration The site configuration |
|
| 47 | - * @param IRequestRouter $router The request router to use |
|
| 48 | - */ |
|
| 49 | - public function __construct(SiteConfiguration $configuration, IRequestRouter $router) |
|
| 50 | - { |
|
| 51 | - parent::__construct($configuration); |
|
| 52 | - |
|
| 53 | - $this->requestRouter = $router; |
|
| 54 | - } |
|
| 55 | - |
|
| 56 | - /** |
|
| 57 | - * @param ITask $page |
|
| 58 | - * @param SiteConfiguration $siteConfiguration |
|
| 59 | - * @param PdoDatabase $database |
|
| 60 | - * @param PdoDatabase $notificationsDatabase |
|
| 61 | - * |
|
| 62 | - * @return void |
|
| 63 | - */ |
|
| 64 | - protected function setupHelpers( |
|
| 65 | - ITask $page, |
|
| 66 | - SiteConfiguration $siteConfiguration, |
|
| 67 | - PdoDatabase $database, |
|
| 68 | - PdoDatabase $notificationsDatabase = null |
|
| 69 | - ) { |
|
| 70 | - parent::setupHelpers($page, $siteConfiguration, $database, $notificationsDatabase); |
|
| 71 | - |
|
| 72 | - if ($page instanceof PageBase) { |
|
| 73 | - $page->setTokenManager(new TokenManager()); |
|
| 74 | - |
|
| 75 | - if ($page instanceof InternalPageBase) { |
|
| 76 | - $page->setTypeAheadHelper(new TypeAheadHelper()); |
|
| 77 | - |
|
| 78 | - $identificationVerifier = new IdentificationVerifier($page->getHttpHelper(), $siteConfiguration, |
|
| 79 | - $database); |
|
| 80 | - $page->setIdentificationVerifier($identificationVerifier); |
|
| 81 | - |
|
| 82 | - $page->setSecurityManager(new SecurityManager($identificationVerifier, new RoleConfiguration())); |
|
| 83 | - |
|
| 84 | - if ($siteConfiguration->getTitleBlacklistEnabled()) { |
|
| 85 | - $page->setBlacklistHelper(new FakeBlacklistHelper()); |
|
| 86 | - } |
|
| 87 | - else { |
|
| 88 | - $page->setBlacklistHelper(new BlacklistHelper($page->getHttpHelper(), |
|
| 89 | - $siteConfiguration->getMediawikiWebServiceEndpoint())); |
|
| 90 | - } |
|
| 91 | - } |
|
| 92 | - } |
|
| 93 | - } |
|
| 94 | - |
|
| 95 | - /** |
|
| 96 | - * Application entry point. |
|
| 97 | - * |
|
| 98 | - * Sets up the environment and runs the application, performing any global cleanup operations when done. |
|
| 99 | - */ |
|
| 100 | - public function run() |
|
| 101 | - { |
|
| 102 | - try { |
|
| 103 | - if ($this->setupEnvironment()) { |
|
| 104 | - $this->main(); |
|
| 105 | - } |
|
| 106 | - } |
|
| 107 | - catch (EnvironmentException $ex) { |
|
| 108 | - ob_end_clean(); |
|
| 109 | - print Offline::getOfflineMessage($this->isPublic(), $ex->getMessage()); |
|
| 110 | - } |
|
| 111 | - catch (ReadableException $ex) { |
|
| 112 | - ob_end_clean(); |
|
| 113 | - print $ex->getReadableError(); |
|
| 114 | - } |
|
| 115 | - finally { |
|
| 116 | - $this->cleanupEnvironment(); |
|
| 117 | - } |
|
| 118 | - } |
|
| 119 | - |
|
| 120 | - /** |
|
| 121 | - * Environment setup |
|
| 122 | - * |
|
| 123 | - * This method initialises the tool environment. If the tool cannot be initialised correctly, it will return false |
|
| 124 | - * and shut down prematurely. |
|
| 125 | - * |
|
| 126 | - * @return bool |
|
| 127 | - * @throws EnvironmentException |
|
| 128 | - */ |
|
| 129 | - protected function setupEnvironment() |
|
| 130 | - { |
|
| 131 | - // initialise global exception handler |
|
| 132 | - set_exception_handler(array(ExceptionHandler::class, 'exceptionHandler')); |
|
| 133 | - set_error_handler(array(ExceptionHandler::class, 'errorHandler'), E_RECOVERABLE_ERROR); |
|
| 134 | - |
|
| 135 | - // start output buffering if necessary |
|
| 136 | - if (ob_get_level() === 0) { |
|
| 137 | - ob_start(); |
|
| 138 | - } |
|
| 139 | - |
|
| 140 | - // initialise super-global providers |
|
| 141 | - WebRequest::setGlobalStateProvider(new GlobalStateProvider()); |
|
| 142 | - |
|
| 143 | - if (Offline::isOffline()) { |
|
| 144 | - print Offline::getOfflineMessage($this->isPublic()); |
|
| 145 | - ob_end_flush(); |
|
| 146 | - |
|
| 147 | - return false; |
|
| 148 | - } |
|
| 149 | - |
|
| 150 | - // Call parent setup |
|
| 151 | - if (!parent::setupEnvironment()) { |
|
| 152 | - return false; |
|
| 153 | - } |
|
| 154 | - |
|
| 155 | - // Start up sessions |
|
| 156 | - Session::start(); |
|
| 157 | - |
|
| 158 | - // Check the user is allowed to be logged in still. This must be before we call any user-loading functions and |
|
| 159 | - // get the current user cached. |
|
| 160 | - // I'm not sure if this function call being here is particularly a good thing, but it's part of starting up a |
|
| 161 | - // session I suppose. |
|
| 162 | - $this->checkForceLogout(); |
|
| 163 | - |
|
| 164 | - // environment initialised! |
|
| 165 | - return true; |
|
| 166 | - } |
|
| 167 | - |
|
| 168 | - /** |
|
| 169 | - * Main application logic |
|
| 170 | - */ |
|
| 171 | - protected function main() |
|
| 172 | - { |
|
| 173 | - // Get the right route for the request |
|
| 174 | - $page = $this->requestRouter->route(); |
|
| 175 | - |
|
| 176 | - $siteConfiguration = $this->getConfiguration(); |
|
| 177 | - $database = PdoDatabase::getDatabaseConnection('acc'); |
|
| 178 | - |
|
| 179 | - if ($siteConfiguration->getIrcNotificationsEnabled()) { |
|
| 180 | - $notificationsDatabase = PdoDatabase::getDatabaseConnection('notifications'); |
|
| 181 | - } |
|
| 182 | - else { |
|
| 183 | - // @todo federated table here? |
|
| 184 | - $notificationsDatabase = $database; |
|
| 185 | - } |
|
| 186 | - |
|
| 187 | - $this->setupHelpers($page, $siteConfiguration, $database, $notificationsDatabase); |
|
| 188 | - |
|
| 189 | - /* @todo Remove this global statement! It's here for User.php, which does far more than it should. */ |
|
| 190 | - global $oauthHelper; |
|
| 191 | - $oauthHelper = $page->getOAuthHelper(); |
|
| 192 | - |
|
| 193 | - /* @todo Remove this global statement! It's here for Request.php, which does far more than it should. */ |
|
| 194 | - global $globalXffTrustProvider; |
|
| 195 | - $globalXffTrustProvider = $page->getXffTrustProvider(); |
|
| 196 | - |
|
| 197 | - // run the route code for the request. |
|
| 198 | - $page->execute(); |
|
| 199 | - } |
|
| 200 | - |
|
| 201 | - /** |
|
| 202 | - * Any cleanup tasks should go here |
|
| 203 | - * |
|
| 204 | - * Note that we need to be very careful here, as exceptions may have been thrown and handled. |
|
| 205 | - * This should *only* be for cleaning up, no logic should go here. |
|
| 206 | - */ |
|
| 207 | - protected function cleanupEnvironment() |
|
| 208 | - { |
|
| 209 | - // Clean up anything we splurged after sending the page. |
|
| 210 | - if (ob_get_level() > 0) { |
|
| 211 | - for ($i = ob_get_level(); $i > 0; $i--) { |
|
| 212 | - ob_end_clean(); |
|
| 213 | - } |
|
| 214 | - } |
|
| 215 | - } |
|
| 216 | - |
|
| 217 | - private function checkForceLogout() |
|
| 218 | - { |
|
| 219 | - $database = PdoDatabase::getDatabaseConnection('acc'); |
|
| 220 | - |
|
| 221 | - $sessionUserId = WebRequest::getSessionUserId(); |
|
| 222 | - iF ($sessionUserId === null) { |
|
| 223 | - return; |
|
| 224 | - } |
|
| 225 | - |
|
| 226 | - // Note, User::getCurrent() caches it's result, which we *really* don't want to trigger. |
|
| 227 | - $currentUser = User::getById($sessionUserId, $database); |
|
| 228 | - |
|
| 229 | - if ($currentUser === false) { |
|
| 230 | - // Umm... this user has a session cookie with a userId set, but no user exists... |
|
| 231 | - Session::restart(); |
|
| 232 | - } |
|
| 233 | - |
|
| 234 | - if ($currentUser->getForceLogout()) { |
|
| 235 | - Session::restart(); |
|
| 236 | - |
|
| 237 | - $currentUser->setForceLogout(false); |
|
| 238 | - $currentUser->save(); |
|
| 239 | - } |
|
| 240 | - } |
|
| 241 | - |
|
| 242 | - public function isPublic() |
|
| 243 | - { |
|
| 244 | - return $this->isPublic; |
|
| 245 | - } |
|
| 246 | - |
|
| 247 | - public function setPublic($isPublic) |
|
| 248 | - { |
|
| 249 | - $this->isPublic = $isPublic; |
|
| 250 | - } |
|
| 33 | + /** |
|
| 34 | + * @var IRequestRouter $requestRouter The request router to use. Note that different entry points have different |
|
| 35 | + * routers and hence different URL mappings |
|
| 36 | + */ |
|
| 37 | + private $requestRouter; |
|
| 38 | + /** |
|
| 39 | + * @var bool $isPublic Determines whether to use public interface objects or internal interface objects |
|
| 40 | + */ |
|
| 41 | + private $isPublic = false; |
|
| 42 | + |
|
| 43 | + /** |
|
| 44 | + * WebStart constructor. |
|
| 45 | + * |
|
| 46 | + * @param SiteConfiguration $configuration The site configuration |
|
| 47 | + * @param IRequestRouter $router The request router to use |
|
| 48 | + */ |
|
| 49 | + public function __construct(SiteConfiguration $configuration, IRequestRouter $router) |
|
| 50 | + { |
|
| 51 | + parent::__construct($configuration); |
|
| 52 | + |
|
| 53 | + $this->requestRouter = $router; |
|
| 54 | + } |
|
| 55 | + |
|
| 56 | + /** |
|
| 57 | + * @param ITask $page |
|
| 58 | + * @param SiteConfiguration $siteConfiguration |
|
| 59 | + * @param PdoDatabase $database |
|
| 60 | + * @param PdoDatabase $notificationsDatabase |
|
| 61 | + * |
|
| 62 | + * @return void |
|
| 63 | + */ |
|
| 64 | + protected function setupHelpers( |
|
| 65 | + ITask $page, |
|
| 66 | + SiteConfiguration $siteConfiguration, |
|
| 67 | + PdoDatabase $database, |
|
| 68 | + PdoDatabase $notificationsDatabase = null |
|
| 69 | + ) { |
|
| 70 | + parent::setupHelpers($page, $siteConfiguration, $database, $notificationsDatabase); |
|
| 71 | + |
|
| 72 | + if ($page instanceof PageBase) { |
|
| 73 | + $page->setTokenManager(new TokenManager()); |
|
| 74 | + |
|
| 75 | + if ($page instanceof InternalPageBase) { |
|
| 76 | + $page->setTypeAheadHelper(new TypeAheadHelper()); |
|
| 77 | + |
|
| 78 | + $identificationVerifier = new IdentificationVerifier($page->getHttpHelper(), $siteConfiguration, |
|
| 79 | + $database); |
|
| 80 | + $page->setIdentificationVerifier($identificationVerifier); |
|
| 81 | + |
|
| 82 | + $page->setSecurityManager(new SecurityManager($identificationVerifier, new RoleConfiguration())); |
|
| 83 | + |
|
| 84 | + if ($siteConfiguration->getTitleBlacklistEnabled()) { |
|
| 85 | + $page->setBlacklistHelper(new FakeBlacklistHelper()); |
|
| 86 | + } |
|
| 87 | + else { |
|
| 88 | + $page->setBlacklistHelper(new BlacklistHelper($page->getHttpHelper(), |
|
| 89 | + $siteConfiguration->getMediawikiWebServiceEndpoint())); |
|
| 90 | + } |
|
| 91 | + } |
|
| 92 | + } |
|
| 93 | + } |
|
| 94 | + |
|
| 95 | + /** |
|
| 96 | + * Application entry point. |
|
| 97 | + * |
|
| 98 | + * Sets up the environment and runs the application, performing any global cleanup operations when done. |
|
| 99 | + */ |
|
| 100 | + public function run() |
|
| 101 | + { |
|
| 102 | + try { |
|
| 103 | + if ($this->setupEnvironment()) { |
|
| 104 | + $this->main(); |
|
| 105 | + } |
|
| 106 | + } |
|
| 107 | + catch (EnvironmentException $ex) { |
|
| 108 | + ob_end_clean(); |
|
| 109 | + print Offline::getOfflineMessage($this->isPublic(), $ex->getMessage()); |
|
| 110 | + } |
|
| 111 | + catch (ReadableException $ex) { |
|
| 112 | + ob_end_clean(); |
|
| 113 | + print $ex->getReadableError(); |
|
| 114 | + } |
|
| 115 | + finally { |
|
| 116 | + $this->cleanupEnvironment(); |
|
| 117 | + } |
|
| 118 | + } |
|
| 119 | + |
|
| 120 | + /** |
|
| 121 | + * Environment setup |
|
| 122 | + * |
|
| 123 | + * This method initialises the tool environment. If the tool cannot be initialised correctly, it will return false |
|
| 124 | + * and shut down prematurely. |
|
| 125 | + * |
|
| 126 | + * @return bool |
|
| 127 | + * @throws EnvironmentException |
|
| 128 | + */ |
|
| 129 | + protected function setupEnvironment() |
|
| 130 | + { |
|
| 131 | + // initialise global exception handler |
|
| 132 | + set_exception_handler(array(ExceptionHandler::class, 'exceptionHandler')); |
|
| 133 | + set_error_handler(array(ExceptionHandler::class, 'errorHandler'), E_RECOVERABLE_ERROR); |
|
| 134 | + |
|
| 135 | + // start output buffering if necessary |
|
| 136 | + if (ob_get_level() === 0) { |
|
| 137 | + ob_start(); |
|
| 138 | + } |
|
| 139 | + |
|
| 140 | + // initialise super-global providers |
|
| 141 | + WebRequest::setGlobalStateProvider(new GlobalStateProvider()); |
|
| 142 | + |
|
| 143 | + if (Offline::isOffline()) { |
|
| 144 | + print Offline::getOfflineMessage($this->isPublic()); |
|
| 145 | + ob_end_flush(); |
|
| 146 | + |
|
| 147 | + return false; |
|
| 148 | + } |
|
| 149 | + |
|
| 150 | + // Call parent setup |
|
| 151 | + if (!parent::setupEnvironment()) { |
|
| 152 | + return false; |
|
| 153 | + } |
|
| 154 | + |
|
| 155 | + // Start up sessions |
|
| 156 | + Session::start(); |
|
| 157 | + |
|
| 158 | + // Check the user is allowed to be logged in still. This must be before we call any user-loading functions and |
|
| 159 | + // get the current user cached. |
|
| 160 | + // I'm not sure if this function call being here is particularly a good thing, but it's part of starting up a |
|
| 161 | + // session I suppose. |
|
| 162 | + $this->checkForceLogout(); |
|
| 163 | + |
|
| 164 | + // environment initialised! |
|
| 165 | + return true; |
|
| 166 | + } |
|
| 167 | + |
|
| 168 | + /** |
|
| 169 | + * Main application logic |
|
| 170 | + */ |
|
| 171 | + protected function main() |
|
| 172 | + { |
|
| 173 | + // Get the right route for the request |
|
| 174 | + $page = $this->requestRouter->route(); |
|
| 175 | + |
|
| 176 | + $siteConfiguration = $this->getConfiguration(); |
|
| 177 | + $database = PdoDatabase::getDatabaseConnection('acc'); |
|
| 178 | + |
|
| 179 | + if ($siteConfiguration->getIrcNotificationsEnabled()) { |
|
| 180 | + $notificationsDatabase = PdoDatabase::getDatabaseConnection('notifications'); |
|
| 181 | + } |
|
| 182 | + else { |
|
| 183 | + // @todo federated table here? |
|
| 184 | + $notificationsDatabase = $database; |
|
| 185 | + } |
|
| 186 | + |
|
| 187 | + $this->setupHelpers($page, $siteConfiguration, $database, $notificationsDatabase); |
|
| 188 | + |
|
| 189 | + /* @todo Remove this global statement! It's here for User.php, which does far more than it should. */ |
|
| 190 | + global $oauthHelper; |
|
| 191 | + $oauthHelper = $page->getOAuthHelper(); |
|
| 192 | + |
|
| 193 | + /* @todo Remove this global statement! It's here for Request.php, which does far more than it should. */ |
|
| 194 | + global $globalXffTrustProvider; |
|
| 195 | + $globalXffTrustProvider = $page->getXffTrustProvider(); |
|
| 196 | + |
|
| 197 | + // run the route code for the request. |
|
| 198 | + $page->execute(); |
|
| 199 | + } |
|
| 200 | + |
|
| 201 | + /** |
|
| 202 | + * Any cleanup tasks should go here |
|
| 203 | + * |
|
| 204 | + * Note that we need to be very careful here, as exceptions may have been thrown and handled. |
|
| 205 | + * This should *only* be for cleaning up, no logic should go here. |
|
| 206 | + */ |
|
| 207 | + protected function cleanupEnvironment() |
|
| 208 | + { |
|
| 209 | + // Clean up anything we splurged after sending the page. |
|
| 210 | + if (ob_get_level() > 0) { |
|
| 211 | + for ($i = ob_get_level(); $i > 0; $i--) { |
|
| 212 | + ob_end_clean(); |
|
| 213 | + } |
|
| 214 | + } |
|
| 215 | + } |
|
| 216 | + |
|
| 217 | + private function checkForceLogout() |
|
| 218 | + { |
|
| 219 | + $database = PdoDatabase::getDatabaseConnection('acc'); |
|
| 220 | + |
|
| 221 | + $sessionUserId = WebRequest::getSessionUserId(); |
|
| 222 | + iF ($sessionUserId === null) { |
|
| 223 | + return; |
|
| 224 | + } |
|
| 225 | + |
|
| 226 | + // Note, User::getCurrent() caches it's result, which we *really* don't want to trigger. |
|
| 227 | + $currentUser = User::getById($sessionUserId, $database); |
|
| 228 | + |
|
| 229 | + if ($currentUser === false) { |
|
| 230 | + // Umm... this user has a session cookie with a userId set, but no user exists... |
|
| 231 | + Session::restart(); |
|
| 232 | + } |
|
| 233 | + |
|
| 234 | + if ($currentUser->getForceLogout()) { |
|
| 235 | + Session::restart(); |
|
| 236 | + |
|
| 237 | + $currentUser->setForceLogout(false); |
|
| 238 | + $currentUser->save(); |
|
| 239 | + } |
|
| 240 | + } |
|
| 241 | + |
|
| 242 | + public function isPublic() |
|
| 243 | + { |
|
| 244 | + return $this->isPublic; |
|
| 245 | + } |
|
| 246 | + |
|
| 247 | + public function setPublic($isPublic) |
|
| 248 | + { |
|
| 249 | + $this->isPublic = $isPublic; |
|
| 250 | + } |
|
| 251 | 251 | } |
@@ -22,225 +22,225 @@ |
||
| 22 | 22 | |
| 23 | 23 | abstract class InternalPageBase extends PageBase |
| 24 | 24 | { |
| 25 | - use NavigationMenuAccessControl; |
|
| 26 | - |
|
| 27 | - /** @var IdentificationVerifier */ |
|
| 28 | - private $identificationVerifier; |
|
| 29 | - /** @var ITypeAheadHelper */ |
|
| 30 | - private $typeAheadHelper; |
|
| 31 | - /** @var SecurityManager */ |
|
| 32 | - private $securityManager; |
|
| 33 | - /** @var IBlacklistHelper */ |
|
| 34 | - private $blacklistHelper; |
|
| 35 | - |
|
| 36 | - /** |
|
| 37 | - * @return ITypeAheadHelper |
|
| 38 | - */ |
|
| 39 | - public function getTypeAheadHelper() |
|
| 40 | - { |
|
| 41 | - return $this->typeAheadHelper; |
|
| 42 | - } |
|
| 43 | - |
|
| 44 | - /** |
|
| 45 | - * Sets up the internal IdentificationVerifier instance. Intended to be called from WebStart::setupHelpers(). |
|
| 46 | - * |
|
| 47 | - * @param IdentificationVerifier $identificationVerifier |
|
| 48 | - * |
|
| 49 | - * @return void |
|
| 50 | - */ |
|
| 51 | - public function setIdentificationVerifier(IdentificationVerifier $identificationVerifier) |
|
| 52 | - { |
|
| 53 | - $this->identificationVerifier = $identificationVerifier; |
|
| 54 | - } |
|
| 55 | - |
|
| 56 | - /** |
|
| 57 | - * @param ITypeAheadHelper $typeAheadHelper |
|
| 58 | - */ |
|
| 59 | - public function setTypeAheadHelper(ITypeAheadHelper $typeAheadHelper) |
|
| 60 | - { |
|
| 61 | - $this->typeAheadHelper = $typeAheadHelper; |
|
| 62 | - } |
|
| 63 | - |
|
| 64 | - /** |
|
| 65 | - * Runs the page code |
|
| 66 | - * |
|
| 67 | - * @throws Exception |
|
| 68 | - * @category Security-Critical |
|
| 69 | - */ |
|
| 70 | - final public function execute() |
|
| 71 | - { |
|
| 72 | - if ($this->getRouteName() === null) { |
|
| 73 | - throw new Exception("Request is unrouted."); |
|
| 74 | - } |
|
| 75 | - |
|
| 76 | - if ($this->getSiteConfiguration() === null) { |
|
| 77 | - throw new Exception("Page has no configuration!"); |
|
| 78 | - } |
|
| 79 | - |
|
| 80 | - $this->setupPage(); |
|
| 81 | - |
|
| 82 | - $this->touchUserLastActive(); |
|
| 83 | - |
|
| 84 | - $currentUser = User::getCurrent($this->getDatabase()); |
|
| 85 | - |
|
| 86 | - // Hey, this is also a security barrier, in addition to the below. Separated out for readability. |
|
| 87 | - if (!$this->isProtectedPage()) { |
|
| 88 | - // This page is /not/ a protected page, as such we can just run it. |
|
| 89 | - $this->runPage(); |
|
| 90 | - |
|
| 91 | - return; |
|
| 92 | - } |
|
| 93 | - |
|
| 94 | - // Security barrier. |
|
| 95 | - // |
|
| 96 | - // This code essentially doesn't care if the user is logged in or not, as the security manager hides all that |
|
| 97 | - // away for us |
|
| 98 | - $securityResult = $this->getSecurityManager()->allows(get_called_class(), $this->getRouteName(), $currentUser); |
|
| 99 | - if ($securityResult === SecurityManager::ALLOWED) { |
|
| 100 | - // We're allowed to run the page, so let's run it. |
|
| 101 | - $this->runPage(); |
|
| 102 | - } |
|
| 103 | - else { |
|
| 104 | - $this->handleAccessDenied($securityResult); |
|
| 105 | - |
|
| 106 | - // Send the headers |
|
| 107 | - $this->sendResponseHeaders(); |
|
| 108 | - } |
|
| 109 | - } |
|
| 110 | - |
|
| 111 | - /** |
|
| 112 | - * Performs final tasks needed before rendering the page. |
|
| 113 | - */ |
|
| 114 | - final public function finalisePage() |
|
| 115 | - { |
|
| 116 | - parent::finalisePage(); |
|
| 117 | - |
|
| 118 | - $this->assign('typeAheadBlock', $this->getTypeAheadHelper()->getTypeAheadScriptBlock()); |
|
| 119 | - |
|
| 120 | - $database = $this->getDatabase(); |
|
| 121 | - |
|
| 122 | - $currentUser = User::getCurrent($database); |
|
| 123 | - if (!$currentUser->isCommunityUser()) { |
|
| 124 | - $sql = 'SELECT * FROM user WHERE lastactive > DATE_SUB(CURRENT_TIMESTAMP(), INTERVAL 5 MINUTE);'; |
|
| 125 | - $statement = $database->query($sql); |
|
| 126 | - $activeUsers = $statement->fetchAll(PDO::FETCH_CLASS, User::class); |
|
| 127 | - $this->assign('onlineusers', $activeUsers); |
|
| 128 | - } |
|
| 129 | - |
|
| 130 | - $this->setupNavMenuAccess($currentUser); |
|
| 131 | - } |
|
| 132 | - |
|
| 133 | - /** |
|
| 134 | - * Configures whether the page respects roles or not. You probably want this to return true. |
|
| 135 | - * |
|
| 136 | - * Set to false for public pages. You probably want this to return true. |
|
| 137 | - * |
|
| 138 | - * This defaults to true unless you explicitly set it to false. Setting it to false means anybody can do anything |
|
| 139 | - * on this page, so you probably want this to return true. |
|
| 140 | - * |
|
| 141 | - * @return bool |
|
| 142 | - * @category Security-Critical |
|
| 143 | - */ |
|
| 144 | - protected function isProtectedPage() |
|
| 145 | - { |
|
| 146 | - return true; |
|
| 147 | - } |
|
| 148 | - |
|
| 149 | - protected function handleAccessDenied($denyReason) |
|
| 150 | - { |
|
| 151 | - $currentUser = User::getCurrent($this->getDatabase()); |
|
| 152 | - |
|
| 153 | - // Not allowed to access this resource. |
|
| 154 | - // Firstly, let's check if we're even logged in. |
|
| 155 | - if ($currentUser->isCommunityUser()) { |
|
| 156 | - // Not logged in, redirect to login page |
|
| 157 | - WebRequest::setPostLoginRedirect(); |
|
| 158 | - $this->redirect("login"); |
|
| 159 | - |
|
| 160 | - return; |
|
| 161 | - } |
|
| 162 | - else { |
|
| 163 | - // Decide whether this was a rights failure, or an identification failure. |
|
| 164 | - |
|
| 165 | - if ($denyReason === SecurityManager::ERROR_NOT_IDENTIFIED) { |
|
| 166 | - // Not identified |
|
| 167 | - throw new NotIdentifiedException($this->getSecurityManager()); |
|
| 168 | - } |
|
| 169 | - elseif ($denyReason === SecurityManager::ERROR_DENIED) { |
|
| 170 | - // Nope, plain old access denied |
|
| 171 | - throw new AccessDeniedException($this->getSecurityManager()); |
|
| 172 | - } |
|
| 173 | - else { |
|
| 174 | - throw new Exception('Unknown response from security manager.'); |
|
| 175 | - } |
|
| 176 | - } |
|
| 177 | - } |
|
| 178 | - |
|
| 179 | - /** |
|
| 180 | - * Tests the security barrier for a specified action. |
|
| 181 | - * |
|
| 182 | - * Don't use within templates |
|
| 183 | - * |
|
| 184 | - * @param string $action |
|
| 185 | - * |
|
| 186 | - * @param User $user |
|
| 187 | - * @param null|string $pageName |
|
| 188 | - * |
|
| 189 | - * @return bool |
|
| 190 | - * @category Security-Critical |
|
| 191 | - */ |
|
| 192 | - final public function barrierTest($action, User $user, $pageName = null) |
|
| 193 | - { |
|
| 194 | - $page = get_called_class(); |
|
| 195 | - if ($pageName !== null) { |
|
| 196 | - $page = $pageName; |
|
| 197 | - } |
|
| 198 | - |
|
| 199 | - $securityResult = $this->getSecurityManager()->allows($page, $action, $user); |
|
| 200 | - |
|
| 201 | - return $securityResult === SecurityManager::ALLOWED; |
|
| 202 | - } |
|
| 203 | - |
|
| 204 | - /** |
|
| 205 | - * Updates the lastactive timestamp |
|
| 206 | - */ |
|
| 207 | - private function touchUserLastActive() |
|
| 208 | - { |
|
| 209 | - if (WebRequest::getSessionUserId() !== null) { |
|
| 210 | - $query = 'UPDATE user SET lastactive = CURRENT_TIMESTAMP() WHERE id = :id;'; |
|
| 211 | - $this->getDatabase()->prepare($query)->execute(array(":id" => WebRequest::getSessionUserId())); |
|
| 212 | - } |
|
| 213 | - } |
|
| 214 | - |
|
| 215 | - /** |
|
| 216 | - * @return SecurityManager |
|
| 217 | - */ |
|
| 218 | - public function getSecurityManager() |
|
| 219 | - { |
|
| 220 | - return $this->securityManager; |
|
| 221 | - } |
|
| 222 | - |
|
| 223 | - /** |
|
| 224 | - * @param SecurityManager $securityManager |
|
| 225 | - */ |
|
| 226 | - public function setSecurityManager(SecurityManager $securityManager) |
|
| 227 | - { |
|
| 228 | - $this->securityManager = $securityManager; |
|
| 229 | - } |
|
| 230 | - |
|
| 231 | - /** |
|
| 232 | - * @return IBlacklistHelper |
|
| 233 | - */ |
|
| 234 | - public function getBlacklistHelper() |
|
| 235 | - { |
|
| 236 | - return $this->blacklistHelper; |
|
| 237 | - } |
|
| 238 | - |
|
| 239 | - /** |
|
| 240 | - * @param IBlacklistHelper $blacklistHelper |
|
| 241 | - */ |
|
| 242 | - public function setBlacklistHelper(IBlacklistHelper $blacklistHelper) |
|
| 243 | - { |
|
| 244 | - $this->blacklistHelper = $blacklistHelper; |
|
| 245 | - } |
|
| 25 | + use NavigationMenuAccessControl; |
|
| 26 | + |
|
| 27 | + /** @var IdentificationVerifier */ |
|
| 28 | + private $identificationVerifier; |
|
| 29 | + /** @var ITypeAheadHelper */ |
|
| 30 | + private $typeAheadHelper; |
|
| 31 | + /** @var SecurityManager */ |
|
| 32 | + private $securityManager; |
|
| 33 | + /** @var IBlacklistHelper */ |
|
| 34 | + private $blacklistHelper; |
|
| 35 | + |
|
| 36 | + /** |
|
| 37 | + * @return ITypeAheadHelper |
|
| 38 | + */ |
|
| 39 | + public function getTypeAheadHelper() |
|
| 40 | + { |
|
| 41 | + return $this->typeAheadHelper; |
|
| 42 | + } |
|
| 43 | + |
|
| 44 | + /** |
|
| 45 | + * Sets up the internal IdentificationVerifier instance. Intended to be called from WebStart::setupHelpers(). |
|
| 46 | + * |
|
| 47 | + * @param IdentificationVerifier $identificationVerifier |
|
| 48 | + * |
|
| 49 | + * @return void |
|
| 50 | + */ |
|
| 51 | + public function setIdentificationVerifier(IdentificationVerifier $identificationVerifier) |
|
| 52 | + { |
|
| 53 | + $this->identificationVerifier = $identificationVerifier; |
|
| 54 | + } |
|
| 55 | + |
|
| 56 | + /** |
|
| 57 | + * @param ITypeAheadHelper $typeAheadHelper |
|
| 58 | + */ |
|
| 59 | + public function setTypeAheadHelper(ITypeAheadHelper $typeAheadHelper) |
|
| 60 | + { |
|
| 61 | + $this->typeAheadHelper = $typeAheadHelper; |
|
| 62 | + } |
|
| 63 | + |
|
| 64 | + /** |
|
| 65 | + * Runs the page code |
|
| 66 | + * |
|
| 67 | + * @throws Exception |
|
| 68 | + * @category Security-Critical |
|
| 69 | + */ |
|
| 70 | + final public function execute() |
|
| 71 | + { |
|
| 72 | + if ($this->getRouteName() === null) { |
|
| 73 | + throw new Exception("Request is unrouted."); |
|
| 74 | + } |
|
| 75 | + |
|
| 76 | + if ($this->getSiteConfiguration() === null) { |
|
| 77 | + throw new Exception("Page has no configuration!"); |
|
| 78 | + } |
|
| 79 | + |
|
| 80 | + $this->setupPage(); |
|
| 81 | + |
|
| 82 | + $this->touchUserLastActive(); |
|
| 83 | + |
|
| 84 | + $currentUser = User::getCurrent($this->getDatabase()); |
|
| 85 | + |
|
| 86 | + // Hey, this is also a security barrier, in addition to the below. Separated out for readability. |
|
| 87 | + if (!$this->isProtectedPage()) { |
|
| 88 | + // This page is /not/ a protected page, as such we can just run it. |
|
| 89 | + $this->runPage(); |
|
| 90 | + |
|
| 91 | + return; |
|
| 92 | + } |
|
| 93 | + |
|
| 94 | + // Security barrier. |
|
| 95 | + // |
|
| 96 | + // This code essentially doesn't care if the user is logged in or not, as the security manager hides all that |
|
| 97 | + // away for us |
|
| 98 | + $securityResult = $this->getSecurityManager()->allows(get_called_class(), $this->getRouteName(), $currentUser); |
|
| 99 | + if ($securityResult === SecurityManager::ALLOWED) { |
|
| 100 | + // We're allowed to run the page, so let's run it. |
|
| 101 | + $this->runPage(); |
|
| 102 | + } |
|
| 103 | + else { |
|
| 104 | + $this->handleAccessDenied($securityResult); |
|
| 105 | + |
|
| 106 | + // Send the headers |
|
| 107 | + $this->sendResponseHeaders(); |
|
| 108 | + } |
|
| 109 | + } |
|
| 110 | + |
|
| 111 | + /** |
|
| 112 | + * Performs final tasks needed before rendering the page. |
|
| 113 | + */ |
|
| 114 | + final public function finalisePage() |
|
| 115 | + { |
|
| 116 | + parent::finalisePage(); |
|
| 117 | + |
|
| 118 | + $this->assign('typeAheadBlock', $this->getTypeAheadHelper()->getTypeAheadScriptBlock()); |
|
| 119 | + |
|
| 120 | + $database = $this->getDatabase(); |
|
| 121 | + |
|
| 122 | + $currentUser = User::getCurrent($database); |
|
| 123 | + if (!$currentUser->isCommunityUser()) { |
|
| 124 | + $sql = 'SELECT * FROM user WHERE lastactive > DATE_SUB(CURRENT_TIMESTAMP(), INTERVAL 5 MINUTE);'; |
|
| 125 | + $statement = $database->query($sql); |
|
| 126 | + $activeUsers = $statement->fetchAll(PDO::FETCH_CLASS, User::class); |
|
| 127 | + $this->assign('onlineusers', $activeUsers); |
|
| 128 | + } |
|
| 129 | + |
|
| 130 | + $this->setupNavMenuAccess($currentUser); |
|
| 131 | + } |
|
| 132 | + |
|
| 133 | + /** |
|
| 134 | + * Configures whether the page respects roles or not. You probably want this to return true. |
|
| 135 | + * |
|
| 136 | + * Set to false for public pages. You probably want this to return true. |
|
| 137 | + * |
|
| 138 | + * This defaults to true unless you explicitly set it to false. Setting it to false means anybody can do anything |
|
| 139 | + * on this page, so you probably want this to return true. |
|
| 140 | + * |
|
| 141 | + * @return bool |
|
| 142 | + * @category Security-Critical |
|
| 143 | + */ |
|
| 144 | + protected function isProtectedPage() |
|
| 145 | + { |
|
| 146 | + return true; |
|
| 147 | + } |
|
| 148 | + |
|
| 149 | + protected function handleAccessDenied($denyReason) |
|
| 150 | + { |
|
| 151 | + $currentUser = User::getCurrent($this->getDatabase()); |
|
| 152 | + |
|
| 153 | + // Not allowed to access this resource. |
|
| 154 | + // Firstly, let's check if we're even logged in. |
|
| 155 | + if ($currentUser->isCommunityUser()) { |
|
| 156 | + // Not logged in, redirect to login page |
|
| 157 | + WebRequest::setPostLoginRedirect(); |
|
| 158 | + $this->redirect("login"); |
|
| 159 | + |
|
| 160 | + return; |
|
| 161 | + } |
|
| 162 | + else { |
|
| 163 | + // Decide whether this was a rights failure, or an identification failure. |
|
| 164 | + |
|
| 165 | + if ($denyReason === SecurityManager::ERROR_NOT_IDENTIFIED) { |
|
| 166 | + // Not identified |
|
| 167 | + throw new NotIdentifiedException($this->getSecurityManager()); |
|
| 168 | + } |
|
| 169 | + elseif ($denyReason === SecurityManager::ERROR_DENIED) { |
|
| 170 | + // Nope, plain old access denied |
|
| 171 | + throw new AccessDeniedException($this->getSecurityManager()); |
|
| 172 | + } |
|
| 173 | + else { |
|
| 174 | + throw new Exception('Unknown response from security manager.'); |
|
| 175 | + } |
|
| 176 | + } |
|
| 177 | + } |
|
| 178 | + |
|
| 179 | + /** |
|
| 180 | + * Tests the security barrier for a specified action. |
|
| 181 | + * |
|
| 182 | + * Don't use within templates |
|
| 183 | + * |
|
| 184 | + * @param string $action |
|
| 185 | + * |
|
| 186 | + * @param User $user |
|
| 187 | + * @param null|string $pageName |
|
| 188 | + * |
|
| 189 | + * @return bool |
|
| 190 | + * @category Security-Critical |
|
| 191 | + */ |
|
| 192 | + final public function barrierTest($action, User $user, $pageName = null) |
|
| 193 | + { |
|
| 194 | + $page = get_called_class(); |
|
| 195 | + if ($pageName !== null) { |
|
| 196 | + $page = $pageName; |
|
| 197 | + } |
|
| 198 | + |
|
| 199 | + $securityResult = $this->getSecurityManager()->allows($page, $action, $user); |
|
| 200 | + |
|
| 201 | + return $securityResult === SecurityManager::ALLOWED; |
|
| 202 | + } |
|
| 203 | + |
|
| 204 | + /** |
|
| 205 | + * Updates the lastactive timestamp |
|
| 206 | + */ |
|
| 207 | + private function touchUserLastActive() |
|
| 208 | + { |
|
| 209 | + if (WebRequest::getSessionUserId() !== null) { |
|
| 210 | + $query = 'UPDATE user SET lastactive = CURRENT_TIMESTAMP() WHERE id = :id;'; |
|
| 211 | + $this->getDatabase()->prepare($query)->execute(array(":id" => WebRequest::getSessionUserId())); |
|
| 212 | + } |
|
| 213 | + } |
|
| 214 | + |
|
| 215 | + /** |
|
| 216 | + * @return SecurityManager |
|
| 217 | + */ |
|
| 218 | + public function getSecurityManager() |
|
| 219 | + { |
|
| 220 | + return $this->securityManager; |
|
| 221 | + } |
|
| 222 | + |
|
| 223 | + /** |
|
| 224 | + * @param SecurityManager $securityManager |
|
| 225 | + */ |
|
| 226 | + public function setSecurityManager(SecurityManager $securityManager) |
|
| 227 | + { |
|
| 228 | + $this->securityManager = $securityManager; |
|
| 229 | + } |
|
| 230 | + |
|
| 231 | + /** |
|
| 232 | + * @return IBlacklistHelper |
|
| 233 | + */ |
|
| 234 | + public function getBlacklistHelper() |
|
| 235 | + { |
|
| 236 | + return $this->blacklistHelper; |
|
| 237 | + } |
|
| 238 | + |
|
| 239 | + /** |
|
| 240 | + * @param IBlacklistHelper $blacklistHelper |
|
| 241 | + */ |
|
| 242 | + public function setBlacklistHelper(IBlacklistHelper $blacklistHelper) |
|
| 243 | + { |
|
| 244 | + $this->blacklistHelper = $blacklistHelper; |
|
| 245 | + } |
|
| 246 | 246 | } |
@@ -15,52 +15,52 @@ |
||
| 15 | 15 | |
| 16 | 16 | class NotIdentifiedException extends ReadableException |
| 17 | 17 | { |
| 18 | - use NavigationMenuAccessControl; |
|
| 19 | - /** |
|
| 20 | - * @var SecurityManager |
|
| 21 | - */ |
|
| 22 | - private $securityManager; |
|
| 18 | + use NavigationMenuAccessControl; |
|
| 19 | + /** |
|
| 20 | + * @var SecurityManager |
|
| 21 | + */ |
|
| 22 | + private $securityManager; |
|
| 23 | 23 | |
| 24 | - /** |
|
| 25 | - * NotIdentifiedException constructor. |
|
| 26 | - * |
|
| 27 | - * @param SecurityManager $securityManager |
|
| 28 | - */ |
|
| 29 | - public function __construct(SecurityManager $securityManager = null) |
|
| 30 | - { |
|
| 31 | - $this->securityManager = $securityManager; |
|
| 32 | - } |
|
| 24 | + /** |
|
| 25 | + * NotIdentifiedException constructor. |
|
| 26 | + * |
|
| 27 | + * @param SecurityManager $securityManager |
|
| 28 | + */ |
|
| 29 | + public function __construct(SecurityManager $securityManager = null) |
|
| 30 | + { |
|
| 31 | + $this->securityManager = $securityManager; |
|
| 32 | + } |
|
| 33 | 33 | |
| 34 | - /** |
|
| 35 | - * Returns a readable HTML error message that's displayable to the user using templates. |
|
| 36 | - * @return string |
|
| 37 | - */ |
|
| 38 | - public function getReadableError() |
|
| 39 | - { |
|
| 40 | - if (!headers_sent()) { |
|
| 41 | - header("HTTP/1.1 403 Forbidden"); |
|
| 42 | - } |
|
| 34 | + /** |
|
| 35 | + * Returns a readable HTML error message that's displayable to the user using templates. |
|
| 36 | + * @return string |
|
| 37 | + */ |
|
| 38 | + public function getReadableError() |
|
| 39 | + { |
|
| 40 | + if (!headers_sent()) { |
|
| 41 | + header("HTTP/1.1 403 Forbidden"); |
|
| 42 | + } |
|
| 43 | 43 | |
| 44 | - $this->setUpSmarty(); |
|
| 44 | + $this->setUpSmarty(); |
|
| 45 | 45 | |
| 46 | - // uck. We should still be able to access the database in this situation though. |
|
| 47 | - $database = PdoDatabase::getDatabaseConnection('acc'); |
|
| 48 | - $currentUser = User::getCurrent($database); |
|
| 49 | - $this->assign('currentUser', $currentUser); |
|
| 50 | - $this->assign("loggedIn", (!$currentUser->isCommunityUser())); |
|
| 46 | + // uck. We should still be able to access the database in this situation though. |
|
| 47 | + $database = PdoDatabase::getDatabaseConnection('acc'); |
|
| 48 | + $currentUser = User::getCurrent($database); |
|
| 49 | + $this->assign('currentUser', $currentUser); |
|
| 50 | + $this->assign("loggedIn", (!$currentUser->isCommunityUser())); |
|
| 51 | 51 | |
| 52 | - if($this->securityManager !== null) { |
|
| 53 | - $this->setupNavMenuAccess($currentUser); |
|
| 54 | - } |
|
| 52 | + if($this->securityManager !== null) { |
|
| 53 | + $this->setupNavMenuAccess($currentUser); |
|
| 54 | + } |
|
| 55 | 55 | |
| 56 | - return $this->fetchTemplate("exception/not-identified.tpl"); |
|
| 57 | - } |
|
| 56 | + return $this->fetchTemplate("exception/not-identified.tpl"); |
|
| 57 | + } |
|
| 58 | 58 | |
| 59 | - /** |
|
| 60 | - * @return SecurityManager |
|
| 61 | - */ |
|
| 62 | - protected function getSecurityManager() |
|
| 63 | - { |
|
| 64 | - return $this->securityManager; |
|
| 65 | - } |
|
| 59 | + /** |
|
| 60 | + * @return SecurityManager |
|
| 61 | + */ |
|
| 62 | + protected function getSecurityManager() |
|
| 63 | + { |
|
| 64 | + return $this->securityManager; |
|
| 65 | + } |
|
| 66 | 66 | } |
| 67 | 67 | \ No newline at end of file |
@@ -57,7 +57,7 @@ |
||
| 57 | 57 | $this->assign('currentUser', $currentUser); |
| 58 | 58 | $this->assign("loggedIn", (!$currentUser->isCommunityUser())); |
| 59 | 59 | |
| 60 | - if($this->securityManager !== null) { |
|
| 60 | + if ($this->securityManager !== null) { |
|
| 61 | 61 | $this->setupNavMenuAccess($currentUser); |
| 62 | 62 | } |
| 63 | 63 | |
