enwikipedia-acc / waca

includes/IdentificationVerifier.php

Indentation +157 added lines, -157 removed lines

@@ -26,131 +26,131 @@ 
  */
 class IdentificationVerifier
 {
-    /**
-     * This field is an array of parameters, in key => value format, that should be appended to the Meta Wikimedia
-     * Web Service Endpoint URL to query if a user is listed on the Identification Noticeboard.  Note that URL encoding
-     * of these values is *not* necessary; this is done automatically.
-     *
-     * @var string[]
-     * @category Security-Critical
-     */
-    private static $apiQueryParameters = array(
-        'action'   => 'query',
-        'format'   => 'json',
-        'prop'     => 'links',
-        'titles'   => 'Access to nonpublic information policy/Noticeboard',
-        // Username of the user to be checked, with User: prefix, goes here!  Set in isIdentifiedOnWiki()
-        'pltitles' => '',
-    );
-    /** @var HttpHelper */
-    private $httpHelper;
-    /** @var SiteConfiguration */
-    private $siteConfiguration;
-    /** @var PdoDatabase */
-    private $dbObject;
-
-    /**
-     * IdentificationVerifier constructor.
-     *
-     * @param HttpHelper        $httpHelper
-     * @param SiteConfiguration $siteConfiguration
-     * @param PdoDatabase       $dbObject
-     */
-    public function __construct(HttpHelper $httpHelper, SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
-    {
-        $this->httpHelper = $httpHelper;
-        $this->siteConfiguration = $siteConfiguration;
-        $this->dbObject = $dbObject;
-    }
-
-    /**
-     * Checks if the given user is identified to the Wikimedia Foundation.
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return bool
-     * @category Security-Critical
-     */
-    public function isUserIdentified($onWikiName)
-    {
-        if ($this->checkIdentificationCache($onWikiName)) {
-            return true;
-        }
-        else {
-            if ($this->isIdentifiedOnWiki($onWikiName)) {
-                $this->cacheIdentificationStatus($onWikiName);
-
-                return true;
-            }
-            else {
-                return false;
-            }
-        }
-    }
-
-    /**
-     * Checks if the given user has a valid entry in the idcache table.
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return bool
-     * @category Security-Critical
-     */
-    private function checkIdentificationCache($onWikiName)
-    {
-        $interval = $this->siteConfiguration->getIdentificationCacheExpiry();
-
-        $query = <<<SQL
+	/**
+	 * This field is an array of parameters, in key => value format, that should be appended to the Meta Wikimedia
+	 * Web Service Endpoint URL to query if a user is listed on the Identification Noticeboard.  Note that URL encoding
+	 * of these values is *not* necessary; this is done automatically.
+	 *
+	 * @var string[]
+	 * @category Security-Critical
+	 */
+	private static $apiQueryParameters = array(
+		'action'   => 'query',
+		'format'   => 'json',
+		'prop'     => 'links',
+		'titles'   => 'Access to nonpublic information policy/Noticeboard',
+		// Username of the user to be checked, with User: prefix, goes here!  Set in isIdentifiedOnWiki()
+		'pltitles' => '',
+	);
+	/** @var HttpHelper */
+	private $httpHelper;
+	/** @var SiteConfiguration */
+	private $siteConfiguration;
+	/** @var PdoDatabase */
+	private $dbObject;
+
+	/**
+	 * IdentificationVerifier constructor.
+	 *
+	 * @param HttpHelper        $httpHelper
+	 * @param SiteConfiguration $siteConfiguration
+	 * @param PdoDatabase       $dbObject
+	 */
+	public function __construct(HttpHelper $httpHelper, SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
+	{
+		$this->httpHelper = $httpHelper;
+		$this->siteConfiguration = $siteConfiguration;
+		$this->dbObject = $dbObject;
+	}
+
+	/**
+	 * Checks if the given user is identified to the Wikimedia Foundation.
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 */
+	public function isUserIdentified($onWikiName)
+	{
+		if ($this->checkIdentificationCache($onWikiName)) {
+			return true;
+		}
+		else {
+			if ($this->isIdentifiedOnWiki($onWikiName)) {
+				$this->cacheIdentificationStatus($onWikiName);
+
+				return true;
+			}
+			else {
+				return false;
+			}
+		}
+	}
+
+	/**
+	 * Checks if the given user has a valid entry in the idcache table.
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 */
+	private function checkIdentificationCache($onWikiName)
+	{
+		$interval = $this->siteConfiguration->getIdentificationCacheExpiry();
+
+		$query = <<<SQL
 			SELECT COUNT(`id`)
 			FROM `idcache`
 			WHERE `onwikiusername` = :onwikiname
 				AND DATE_ADD(`checktime`, INTERVAL {$interval}) >= NOW();
 SQL;
-        $stmt = $this->dbObject->prepare($query);
-        $stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
-        $stmt->execute();
-
-        // Guaranteed by the query to only return a single row with a single column
-        $results = $stmt->fetch(PDO::FETCH_NUM);
-
-        // I don't expect this to ever be a value other than 0 or 1 since the `onwikiusername` column is declared as a
-        // unique key - but meh.
-        return $results[0] != 0;
-    }
-
-    /**
-     * Does pretty much exactly what it says on the label - this method will clear all expired idcache entries from the
-     * idcache table.  Meant to be called periodically by a maintenance script.
-     *
-     * @param SiteConfiguration $siteConfiguration
-     * @param PdoDatabase       $dbObject
-     *
-     * @return void
-     */
-    public static function clearExpiredCacheEntries(SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
-    {
-        $interval = $siteConfiguration->getIdentificationCacheExpiry();
-
-        $query = <<<SQL
+		$stmt = $this->dbObject->prepare($query);
+		$stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
+		$stmt->execute();
+
+		// Guaranteed by the query to only return a single row with a single column
+		$results = $stmt->fetch(PDO::FETCH_NUM);
+
+		// I don't expect this to ever be a value other than 0 or 1 since the `onwikiusername` column is declared as a
+		// unique key - but meh.
+		return $results[0] != 0;
+	}
+
+	/**
+	 * Does pretty much exactly what it says on the label - this method will clear all expired idcache entries from the
+	 * idcache table.  Meant to be called periodically by a maintenance script.
+	 *
+	 * @param SiteConfiguration $siteConfiguration
+	 * @param PdoDatabase       $dbObject
+	 *
+	 * @return void
+	 */
+	public static function clearExpiredCacheEntries(SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
+	{
+		$interval = $siteConfiguration->getIdentificationCacheExpiry();
+
+		$query = <<<SQL
 			DELETE FROM `idcache`
 			WHERE DATE_ADD(`checktime`, INTERVAL {$interval}) < NOW();
 SQL;
-        $dbObject->prepare($query)->execute();
-    }
-
-    /**
-     * This method will add an entry to the idcache that the given Wikipedia user has been verified as identified.  This
-     * is so we don't have to hit the API every single time we check.  The cache entry is valid for as long as specified
-     * in the ACC configuration (validity enforced by checkIdentificationCache() and clearExpiredCacheEntries()).
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return void
-     * @category Security-Critical
-     */
-    private function cacheIdentificationStatus($onWikiName)
-    {
-        $query = <<<SQL
+		$dbObject->prepare($query)->execute();
+	}
+
+	/**
+	 * This method will add an entry to the idcache that the given Wikipedia user has been verified as identified.  This
+	 * is so we don't have to hit the API every single time we check.  The cache entry is valid for as long as specified
+	 * in the ACC configuration (validity enforced by checkIdentificationCache() and clearExpiredCacheEntries()).
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return void
+	 * @category Security-Critical
+	 */
+	private function cacheIdentificationStatus($onWikiName)
+	{
+		$query = <<<SQL
 			INSERT INTO `idcache`
 				(`onwikiusername`)
 			VALUES
@@ -159,44 +159,44 @@ 
 				`onwikiusername` = VALUES(`onwikiusername`),
 				`checktime` = CURRENT_TIMESTAMP;
 SQL;
-        $stmt = $this->dbObject->prepare($query);
-        $stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
-        $stmt->execute();
-    }
-
-    /**
-     * Queries the Wikimedia API to determine if the specified user is listed on the identification noticeboard.
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return bool
-     * @throws EnvironmentException
-     * @category Security-Critical
-     */
-    private function isIdentifiedOnWiki($onWikiName)
-    {
-        $strings = new StringFunctions();
-
-        // First character of Wikipedia usernames is always capitalized.
-        $onWikiName = $strings->ucfirst($onWikiName);
-
-        $parameters = self::$apiQueryParameters;
-        $parameters['pltitles'] = "User:" . $onWikiName;
-
-        try {
-            $endpoint = $this->siteConfiguration->getMetaWikimediaWebServiceEndpoint();
-            $response = $this->httpHelper->get($endpoint, $parameters);
-            $response = json_decode($response, true);
-        } catch (CurlException $ex) {
-            // failed getting identification status, so throw a nicer error.
-            $m = 'Could not contact metawiki API to determine user\' identification status. '
-                . 'This is probably a transient error, so please try again.';
-
-            throw new EnvironmentException($m, 0, $ex);
-        }
-
-        $page = @array_pop($response['query']['pages']);
-
-        return @$page['links'][0]['title'] === "User:" . $onWikiName;
-    }
+		$stmt = $this->dbObject->prepare($query);
+		$stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
+		$stmt->execute();
+	}
+
+	/**
+	 * Queries the Wikimedia API to determine if the specified user is listed on the identification noticeboard.
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return bool
+	 * @throws EnvironmentException
+	 * @category Security-Critical
+	 */
+	private function isIdentifiedOnWiki($onWikiName)
+	{
+		$strings = new StringFunctions();
+
+		// First character of Wikipedia usernames is always capitalized.
+		$onWikiName = $strings->ucfirst($onWikiName);
+
+		$parameters = self::$apiQueryParameters;
+		$parameters['pltitles'] = "User:" . $onWikiName;
+
+		try {
+			$endpoint = $this->siteConfiguration->getMetaWikimediaWebServiceEndpoint();
+			$response = $this->httpHelper->get($endpoint, $parameters);
+			$response = json_decode($response, true);
+		} catch (CurlException $ex) {
+			// failed getting identification status, so throw a nicer error.
+			$m = 'Could not contact metawiki API to determine user\' identification status. '
+				. 'This is probably a transient error, so please try again.';
+
+			throw new EnvironmentException($m, 0, $ex);
+		}
+
+		$page = @array_pop($response['query']['pages']);
+
+		return @$page['links'][0]['title'] === "User:" . $onWikiName;
+	}
 }

Braces +2 added lines, -1 removed lines

@@ -187,7 +187,8 @@
             $endpoint = $this->siteConfiguration->getMetaWikimediaWebServiceEndpoint();
             $response = $this->httpHelper->get($endpoint, $parameters);
             $response = json_decode($response, true);
-        } catch (CurlException $ex) {
+        }
+        catch (CurlException $ex) {
             // failed getting identification status, so throw a nicer error.
             $m = 'Could not contact metawiki API to determine user\' identification status. '
                 . 'This is probably a transient error, so please try again.';

Spacing +2 added lines, -2 removed lines

@@ -181,7 +181,7 @@ 
         $onWikiName = $strings->ucfirst($onWikiName);
 
         $parameters = self::$apiQueryParameters;
-        $parameters['pltitles'] = "User:" . $onWikiName;
+        $parameters['pltitles'] = "User:".$onWikiName;
 
         try {
             $endpoint = $this->siteConfiguration->getMetaWikimediaWebServiceEndpoint();
@@ -197,6 +197,6 @@ 
 
         $page = @array_pop($response['query']['pages']);
 
-        return @$page['links'][0]['title'] === "User:" . $onWikiName;
+        return @$page['links'][0]['title'] === "User:".$onWikiName;
     }
 }

includes/Exceptions/AccessDeniedException.php

Unused Use Statements -2 removed lines

@@ -11,9 +11,7 @@
 use Waca\DataObjects\Log;
 use Waca\DataObjects\User;
 use Waca\Fragments\NavigationMenuAccessControl;
-use Waca\Helpers\HttpHelper;
 use Waca\Helpers\SearchHelpers\LogSearchHelper;
-use Waca\IdentificationVerifier;
 use Waca\PdoDatabase;
 use Waca\Security\SecurityManager;
 

Indentation +85 added lines, -85 removed lines

@@ -26,89 +26,89 @@
  */
 class AccessDeniedException extends ReadableException
 {
-    use NavigationMenuAccessControl;
-
-    /**
-     * @var SecurityManager
-     */
-    private $securityManager;
-
-    /**
-     * AccessDeniedException constructor.
-     *
-     * @param SecurityManager $securityManager
-     */
-    public function __construct(SecurityManager $securityManager = null)
-    {
-        $this->securityManager = $securityManager;
-    }
-
-    public function getReadableError()
-    {
-        if (!headers_sent()) {
-            header("HTTP/1.1 403 Forbidden");
-        }
-
-        $this->setUpSmarty();
-
-        // uck. We should still be able to access the database in this situation though.
-        $database = PdoDatabase::getDatabaseConnection('acc');
-        $currentUser = User::getCurrent($database);
-        $this->assign('currentUser', $currentUser);
-        $this->assign("loggedIn", (!$currentUser->isCommunityUser()));
-
-        if($this->securityManager !== null) {
-            $this->setupNavMenuAccess($currentUser);
-        }
-
-        if ($currentUser->isDeclined()) {
-            $this->assign('htmlTitle', 'Account Declined');
-            $this->assign('declineReason', $this->getLogEntry('Declined', $currentUser, $database));
-
-            return $this->fetchTemplate("exception/account-declined.tpl");
-        }
-
-        if ($currentUser->isSuspended()) {
-            $this->assign('htmlTitle', 'Account Suspended');
-            $this->assign('suspendReason', $this->getLogEntry('Suspended', $currentUser, $database));
-
-            return $this->fetchTemplate("exception/account-suspended.tpl");
-        }
-
-        if ($currentUser->isNewUser()) {
-            $this->assign('htmlTitle', 'Account Pending');
-
-            return $this->fetchTemplate("exception/account-new.tpl");
-        }
-
-        return $this->fetchTemplate("exception/access-denied.tpl");
-    }
-
-    /**
-     * @param string      $action
-     * @param User        $user
-     * @param PdoDatabase $database
-     *
-     * @return null|string
-     */
-    private function getLogEntry($action, User $user, PdoDatabase $database)
-    {
-        /** @var Log[] $logs */
-        $logs = LogSearchHelper::get($database)
-            ->byAction($action)
-            ->byObjectType('User')
-            ->byObjectId($user->getId())
-            ->limit(1)
-            ->fetch();
-
-        return $logs[0]->getComment();
-    }
-
-    /**
-     * @return SecurityManager
-     */
-    protected function getSecurityManager()
-    {
-        return $this->securityManager;
-    }
+	use NavigationMenuAccessControl;
+
+	/**
+	 * @var SecurityManager
+	 */
+	private $securityManager;
+
+	/**
+	 * AccessDeniedException constructor.
+	 *
+	 * @param SecurityManager $securityManager
+	 */
+	public function __construct(SecurityManager $securityManager = null)
+	{
+		$this->securityManager = $securityManager;
+	}
+
+	public function getReadableError()
+	{
+		if (!headers_sent()) {
+			header("HTTP/1.1 403 Forbidden");
+		}
+
+		$this->setUpSmarty();
+
+		// uck. We should still be able to access the database in this situation though.
+		$database = PdoDatabase::getDatabaseConnection('acc');
+		$currentUser = User::getCurrent($database);
+		$this->assign('currentUser', $currentUser);
+		$this->assign("loggedIn", (!$currentUser->isCommunityUser()));
+
+		if($this->securityManager !== null) {
+			$this->setupNavMenuAccess($currentUser);
+		}
+
+		if ($currentUser->isDeclined()) {
+			$this->assign('htmlTitle', 'Account Declined');
+			$this->assign('declineReason', $this->getLogEntry('Declined', $currentUser, $database));
+
+			return $this->fetchTemplate("exception/account-declined.tpl");
+		}
+
+		if ($currentUser->isSuspended()) {
+			$this->assign('htmlTitle', 'Account Suspended');
+			$this->assign('suspendReason', $this->getLogEntry('Suspended', $currentUser, $database));
+
+			return $this->fetchTemplate("exception/account-suspended.tpl");
+		}
+
+		if ($currentUser->isNewUser()) {
+			$this->assign('htmlTitle', 'Account Pending');
+
+			return $this->fetchTemplate("exception/account-new.tpl");
+		}
+
+		return $this->fetchTemplate("exception/access-denied.tpl");
+	}
+
+	/**
+	 * @param string      $action
+	 * @param User        $user
+	 * @param PdoDatabase $database
+	 *
+	 * @return null|string
+	 */
+	private function getLogEntry($action, User $user, PdoDatabase $database)
+	{
+		/** @var Log[] $logs */
+		$logs = LogSearchHelper::get($database)
+			->byAction($action)
+			->byObjectType('User')
+			->byObjectId($user->getId())
+			->limit(1)
+			->fetch();
+
+		return $logs[0]->getComment();
+	}
+
+	/**
+	 * @return SecurityManager
+	 */
+	protected function getSecurityManager()
+	{
+		return $this->securityManager;
+	}
 }
\ No newline at end of file

Spacing +1 added lines, -1 removed lines

@@ -57,7 +57,7 @@
         $this->assign('currentUser', $currentUser);
         $this->assign("loggedIn", (!$currentUser->isCommunityUser()));
 
-        if($this->securityManager !== null) {
+        if ($this->securityManager !== null) {
             $this->setupNavMenuAccess($currentUser);
         }
 

includes/Fragments/NavigationMenuAccessControl.php

Doc Comments +5 added lines, -1 removed lines

@@ -24,6 +24,10 @@ 
 
 trait NavigationMenuAccessControl
 {
+    /**
+     * @param string $name
+     * @param boolean $value
+     */
     protected abstract function assign($name, $value);
 
     /**
@@ -32,7 +36,7 @@ 
     protected abstract function getSecurityManager();
 
     /**
-     * @param $currentUser
+     * @param \Waca\DataObjects\User $currentUser
      */
     protected function setupNavMenuAccess($currentUser)
     {

Indentation +36 added lines, -36 removed lines

@@ -24,45 +24,45 @@
 
 trait NavigationMenuAccessControl
 {
-    protected abstract function assign($name, $value);
+	protected abstract function assign($name, $value);
 
-    /**
-     * @return SecurityManager
-     */
-    protected abstract function getSecurityManager();
+	/**
+	 * @return SecurityManager
+	 */
+	protected abstract function getSecurityManager();
 
-    /**
-     * @param $currentUser
-     */
-    protected function setupNavMenuAccess($currentUser)
-    {
-        $this->assign('nav__canRequests', $this->getSecurityManager()
-                ->allows(PageMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+	/**
+	 * @param $currentUser
+	 */
+	protected function setupNavMenuAccess($currentUser)
+	{
+		$this->assign('nav__canRequests', $this->getSecurityManager()
+				->allows(PageMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
 
-        $this->assign('nav__canLogs', $this->getSecurityManager()
-                ->allows(PageLog::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canUsers', $this->getSecurityManager()
-                ->allows(StatsUsers::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canSearch', $this->getSecurityManager()
-                ->allows(PageSearch::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canStats', $this->getSecurityManager()
-                ->allows(StatsMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canLogs', $this->getSecurityManager()
+				->allows(PageLog::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canUsers', $this->getSecurityManager()
+				->allows(StatsUsers::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canSearch', $this->getSecurityManager()
+				->allows(PageSearch::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canStats', $this->getSecurityManager()
+				->allows(StatsMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
 
-        $this->assign('nav__canBan', $this->getSecurityManager()
-                ->allows(PageBan::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canEmailMgmt', $this->getSecurityManager()
-                ->allows(PageEmailManagement::class, RoleConfiguration::MAIN,
-                    $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canWelcomeMgmt', $this->getSecurityManager()
-                ->allows(PageWelcomeTemplateManagement::class, RoleConfiguration::MAIN,
-                    $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canSiteNoticeMgmt', $this->getSecurityManager()
-                ->allows(PageSiteNotice::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canUserMgmt', $this->getSecurityManager()
-                ->allows(PageUserManagement::class, RoleConfiguration::MAIN,
-                    $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canBan', $this->getSecurityManager()
+				->allows(PageBan::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canEmailMgmt', $this->getSecurityManager()
+				->allows(PageEmailManagement::class, RoleConfiguration::MAIN,
+					$currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canWelcomeMgmt', $this->getSecurityManager()
+				->allows(PageWelcomeTemplateManagement::class, RoleConfiguration::MAIN,
+					$currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canSiteNoticeMgmt', $this->getSecurityManager()
+				->allows(PageSiteNotice::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canUserMgmt', $this->getSecurityManager()
+				->allows(PageUserManagement::class, RoleConfiguration::MAIN,
+					$currentUser) === SecurityManager::ALLOWED);
 
-        $this->assign('nav__canViewRequest', $this->getSecurityManager()
-                ->allows(PageViewRequest::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-    }
+		$this->assign('nav__canViewRequest', $this->getSecurityManager()
+				->allows(PageViewRequest::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+	}
 }
\ No newline at end of file

includes/Pages/Registration/PageRegisterBase.php

Doc Comments +8 added lines, -5 removed lines

@@ -44,6 +44,9 @@ 
         }
     }
 
+    /**
+     * @return string
+     */
     protected abstract function getRegistrationTemplate();
 
     protected function isProtectedPage()
@@ -70,12 +73,12 @@ 
     }
 
     /**
-     * @param $emailAddress
-     * @param $password
-     * @param $username
+     * @param null|string $emailAddress
+     * @param null|string $password
+     * @param null|string $username
      * @param $useOAuthSignup
-     * @param $confirmationId
-     * @param $onwikiUsername
+     * @param null|integer $confirmationId
+     * @param null|string $onwikiUsername
      *
      * @throws ApplicationLogicException
      */

Indentation +198 added lines, -198 removed lines

@@ -18,202 +18,202 @@
 
 abstract class PageRegisterBase extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     */
-    protected function main()
-    {
-        $useOAuthSignup = $this->getSiteConfiguration()->getUseOAuthSignup();
-
-        // Dual-mode page
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            try {
-                $this->handlePost($useOAuthSignup);
-            }
-            catch (ApplicationLogicException $ex) {
-                SessionAlert::error($ex->getMessage());
-                $this->redirect('register');
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->assign("useOAuthSignup", $useOAuthSignup);
-            $this->setTemplate($this->getRegistrationTemplate());
-        }
-    }
-
-    protected abstract function getRegistrationTemplate();
-
-    protected function isProtectedPage()
-    {
-        return false;
-    }
-
-    /**
-     * @param string $emailAddress
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateUniqueEmail($emailAddress)
-    {
-        $query = 'SELECT COUNT(id) FROM user WHERE email = :email';
-        $statement = $this->getDatabase()->prepare($query);
-        $statement->execute(array(':email' => $emailAddress));
-
-        if ($statement->fetchColumn() > 0) {
-            throw new ApplicationLogicException('That email address is already in use on this system.');
-        }
-
-        $statement->closeCursor();
-    }
-
-    /**
-     * @param $emailAddress
-     * @param $password
-     * @param $username
-     * @param $useOAuthSignup
-     * @param $confirmationId
-     * @param $onwikiUsername
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateRequest(
-        $emailAddress,
-        $password,
-        $username,
-        $useOAuthSignup,
-        $confirmationId,
-        $onwikiUsername
-    ) {
-        if (!WebRequest::postBoolean('guidelines')) {
-            throw new ApplicationLogicException('You must read the interface guidelines before your request may be submitted.');
-        }
-
-        $this->validateGeneralInformation($emailAddress, $password, $username);
-        $this->validateUniqueEmail($emailAddress);
-        $this->validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername);
-    }
-
-    /**
-     * @param $useOAuthSignup
-     * @param $confirmationId
-     * @param $onwikiUsername
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername)
-    {
-        if (!$useOAuthSignup) {
-            if ($confirmationId === null || $confirmationId <= 0) {
-                throw new ApplicationLogicException('Please enter the revision id of your confirmation edit.');
-            }
-
-            if ($onwikiUsername === null) {
-                throw new ApplicationLogicException('Please specify your on-wiki username.');
-            }
-        }
-    }
-
-    /**
-     * @param $emailAddress
-     * @param $password
-     * @param $username
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateGeneralInformation($emailAddress, $password, $username)
-    {
-        if ($emailAddress === null) {
-            throw new ApplicationLogicException('Your email address appears to be invalid!');
-        }
-
-        if ($password !== WebRequest::postString('pass2')) {
-            throw new ApplicationLogicException('Your passwords did not match, please try again.');
-        }
-
-        if (User::getByUsername($username, $this->getDatabase()) !== false) {
-            throw new ApplicationLogicException('That username is already in use on this system.');
-        }
-    }
-
-    /**
-     * @param $useOAuthSignup
-     *
-     * @throws ApplicationLogicException
-     * @throws \Exception
-     */
-    protected function handlePost($useOAuthSignup)
-    {
-        // Get the data
-        $emailAddress = WebRequest::postEmail('email');
-        $password = WebRequest::postString('pass');
-        $username = WebRequest::postString('name');
-
-        // Only set if OAuth is disabled
-        $confirmationId = WebRequest::postInt('conf_revid');
-        $onwikiUsername = WebRequest::postString('wname');
-
-        // Do some validation
-        $this->validateRequest($emailAddress, $password, $username, $useOAuthSignup, $confirmationId,
-            $onwikiUsername);
-
-        $database = $this->getDatabase();
-
-        $user = new User();
-        $user->setDatabase($database);
-
-        $user->setUsername($username);
-        $user->setPassword($password);
-        $user->setEmail($emailAddress);
-
-        if (!$useOAuthSignup) {
-            $user->setOnWikiName($onwikiUsername);
-            $user->setConfirmationDiff($confirmationId);
-        }
-
-        $user->save();
-
-        $defaultRole = $this->getDefaultRole();
-
-        $role = new UserRole();
-        $role->setDatabase($database);
-        $role->setUser($user->getId());
-        $role->setRole($defaultRole);
-        $role->save();
-
-        // Log now to get the signup date.
-        Logger::newUser($database, $user);
-        Logger::userRolesEdited($database, $user, 'Registration', array($defaultRole), array());
-
-        if ($useOAuthSignup) {
-            $oauthHelper = $this->getOAuthHelper();
-
-            $requestToken = $oauthHelper->getRequestToken();
-            $user->setOAuthRequestToken($requestToken->key);
-            $user->setOAuthRequestSecret($requestToken->secret);
-            $user->save();
-
-            WebRequest::setPartialLogin($user);
-
-            $this->redirectUrl($oauthHelper->getAuthoriseUrl($requestToken->key));
-        }
-        else {
-            // only notify if we're not using the oauth signup.
-            $this->getNotificationHelper()->userNew($user);
-            WebRequest::setLoggedInUser($user);
-            $this->redirect('preferences');
-        }
-    }
-
-    protected abstract function getDefaultRole();
-
-    /**
-     * Entry point for registration complete
-     */
-    protected function done()
-    {
-        $this->setTemplate('registration/alert-registrationcomplete.tpl');
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 */
+	protected function main()
+	{
+		$useOAuthSignup = $this->getSiteConfiguration()->getUseOAuthSignup();
+
+		// Dual-mode page
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			try {
+				$this->handlePost($useOAuthSignup);
+			}
+			catch (ApplicationLogicException $ex) {
+				SessionAlert::error($ex->getMessage());
+				$this->redirect('register');
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->assign("useOAuthSignup", $useOAuthSignup);
+			$this->setTemplate($this->getRegistrationTemplate());
+		}
+	}
+
+	protected abstract function getRegistrationTemplate();
+
+	protected function isProtectedPage()
+	{
+		return false;
+	}
+
+	/**
+	 * @param string $emailAddress
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateUniqueEmail($emailAddress)
+	{
+		$query = 'SELECT COUNT(id) FROM user WHERE email = :email';
+		$statement = $this->getDatabase()->prepare($query);
+		$statement->execute(array(':email' => $emailAddress));
+
+		if ($statement->fetchColumn() > 0) {
+			throw new ApplicationLogicException('That email address is already in use on this system.');
+		}
+
+		$statement->closeCursor();
+	}
+
+	/**
+	 * @param $emailAddress
+	 * @param $password
+	 * @param $username
+	 * @param $useOAuthSignup
+	 * @param $confirmationId
+	 * @param $onwikiUsername
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateRequest(
+		$emailAddress,
+		$password,
+		$username,
+		$useOAuthSignup,
+		$confirmationId,
+		$onwikiUsername
+	) {
+		if (!WebRequest::postBoolean('guidelines')) {
+			throw new ApplicationLogicException('You must read the interface guidelines before your request may be submitted.');
+		}
+
+		$this->validateGeneralInformation($emailAddress, $password, $username);
+		$this->validateUniqueEmail($emailAddress);
+		$this->validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername);
+	}
+
+	/**
+	 * @param $useOAuthSignup
+	 * @param $confirmationId
+	 * @param $onwikiUsername
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername)
+	{
+		if (!$useOAuthSignup) {
+			if ($confirmationId === null || $confirmationId <= 0) {
+				throw new ApplicationLogicException('Please enter the revision id of your confirmation edit.');
+			}
+
+			if ($onwikiUsername === null) {
+				throw new ApplicationLogicException('Please specify your on-wiki username.');
+			}
+		}
+	}
+
+	/**
+	 * @param $emailAddress
+	 * @param $password
+	 * @param $username
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateGeneralInformation($emailAddress, $password, $username)
+	{
+		if ($emailAddress === null) {
+			throw new ApplicationLogicException('Your email address appears to be invalid!');
+		}
+
+		if ($password !== WebRequest::postString('pass2')) {
+			throw new ApplicationLogicException('Your passwords did not match, please try again.');
+		}
+
+		if (User::getByUsername($username, $this->getDatabase()) !== false) {
+			throw new ApplicationLogicException('That username is already in use on this system.');
+		}
+	}
+
+	/**
+	 * @param $useOAuthSignup
+	 *
+	 * @throws ApplicationLogicException
+	 * @throws \Exception
+	 */
+	protected function handlePost($useOAuthSignup)
+	{
+		// Get the data
+		$emailAddress = WebRequest::postEmail('email');
+		$password = WebRequest::postString('pass');
+		$username = WebRequest::postString('name');
+
+		// Only set if OAuth is disabled
+		$confirmationId = WebRequest::postInt('conf_revid');
+		$onwikiUsername = WebRequest::postString('wname');
+
+		// Do some validation
+		$this->validateRequest($emailAddress, $password, $username, $useOAuthSignup, $confirmationId,
+			$onwikiUsername);
+
+		$database = $this->getDatabase();
+
+		$user = new User();
+		$user->setDatabase($database);
+
+		$user->setUsername($username);
+		$user->setPassword($password);
+		$user->setEmail($emailAddress);
+
+		if (!$useOAuthSignup) {
+			$user->setOnWikiName($onwikiUsername);
+			$user->setConfirmationDiff($confirmationId);
+		}
+
+		$user->save();
+
+		$defaultRole = $this->getDefaultRole();
+
+		$role = new UserRole();
+		$role->setDatabase($database);
+		$role->setUser($user->getId());
+		$role->setRole($defaultRole);
+		$role->save();
+
+		// Log now to get the signup date.
+		Logger::newUser($database, $user);
+		Logger::userRolesEdited($database, $user, 'Registration', array($defaultRole), array());
+
+		if ($useOAuthSignup) {
+			$oauthHelper = $this->getOAuthHelper();
+
+			$requestToken = $oauthHelper->getRequestToken();
+			$user->setOAuthRequestToken($requestToken->key);
+			$user->setOAuthRequestSecret($requestToken->secret);
+			$user->save();
+
+			WebRequest::setPartialLogin($user);
+
+			$this->redirectUrl($oauthHelper->getAuthoriseUrl($requestToken->key));
+		}
+		else {
+			// only notify if we're not using the oauth signup.
+			$this->getNotificationHelper()->userNew($user);
+			WebRequest::setLoggedInUser($user);
+			$this->redirect('preferences');
+		}
+	}
+
+	protected abstract function getDefaultRole();
+
+	/**
+	 * Entry point for registration complete
+	 */
+	protected function done()
+	{
+		$this->setTemplate('registration/alert-registrationcomplete.tpl');
+	}
 }

includes/Security/SecurityManager.php

Indentation +196 added lines, -196 removed lines

@@ -14,200 +14,200 @@
 
 final class SecurityManager
 {
-    const ALLOWED = 1;
-    const ERROR_NOT_IDENTIFIED = 2;
-    const ERROR_DENIED = 3;
-    /** @var IdentificationVerifier */
-    private $identificationVerifier;
-    /**
-     * @var RoleConfiguration
-     */
-    private $roleConfiguration;
-
-    /**
-     * SecurityManager constructor.
-     *
-     * @param IdentificationVerifier $identificationVerifier
-     * @param RoleConfiguration      $roleConfiguration
-     */
-    public function __construct(
-        IdentificationVerifier $identificationVerifier,
-        RoleConfiguration $roleConfiguration
-    ) {
-        $this->identificationVerifier = $identificationVerifier;
-        $this->roleConfiguration = $roleConfiguration;
-    }
-
-    /**
-     * Tests if a user is allowed to perform an action.
-     *
-     * This method should form a hard, deterministic security barrier, and only return true if it is absolutely sure
-     * that a user should have access to something.
-     *
-     * @param string $page
-     * @param string $route
-     * @param User   $user
-     *
-     * @return int
-     *
-     * @category Security-Critical
-     */
-    public function allows($page, $route, User $user)
-    {
-        $this->getActiveRoles($user, $activeRoles, $inactiveRoles);
-
-        $availableRights = $this->flattenRoles($activeRoles);
-        $testResult = $this->findResult($availableRights, $page, $route);
-
-        if ($testResult !== null) {
-            // We got a firm result here, so just return it.
-            return $testResult;
-        }
-
-        // No firm result yet, so continue testing the inactive roles so we can give a better error.
-        $inactiveRights = $this->flattenRoles($inactiveRoles);
-        $testResult = $this->findResult($inactiveRights, $page, $route);
-
-        if ($testResult === self::ALLOWED) {
-            // The user is allowed to access this, but their role is inactive.
-            return self::ERROR_NOT_IDENTIFIED;
-        }
-
-        // Other options from the secondary test are denied and inconclusive, which at this point defaults to denied.
-        return self::ERROR_DENIED;
-    }
-
-    /**
-     * @param array  $pseudoRole The role (flattened) to check
-     * @param string $page       The page class to check
-     * @param string $route      The page route to check
-     *
-     * @return int|null
-     */
-    private function findResult($pseudoRole, $page, $route)
-    {
-        if (isset($pseudoRole[$page])) {
-            // check for deny on catch-all route
-            if (isset($pseudoRole[$page][RoleConfiguration::ALL])) {
-                if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_DENY) {
-                    return self::ERROR_DENIED;
-                }
-            }
-
-            // check normal route
-            if (isset($pseudoRole[$page][$route])) {
-                if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_DENY) {
-                    return self::ERROR_DENIED;
-                }
-
-                if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_ALLOW) {
-                    return self::ALLOWED;
-                }
-            }
-
-            // check for allowed on catch-all route
-            if (isset($pseudoRole[$page][RoleConfiguration::ALL])) {
-                if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_ALLOW) {
-                    return self::ALLOWED;
-                }
-            }
-        }
-
-        // return indeterminate result
-        return null;
-    }
-
-    /**
-     * Takes an array of roles and flattens the values to a single set.
-     *
-     * @param array $activeRoles
-     *
-     * @return array
-     */
-    private function flattenRoles($activeRoles)
-    {
-        $result = array();
-
-        $roleConfig = $this->roleConfiguration->getApplicableRoles($activeRoles);
-
-        // Iterate over every page in every role
-        foreach ($roleConfig as $role) {
-            foreach ($role as $page => $pageRights) {
-                // Create holder in result for this page
-                if (!isset($result[$page])) {
-                    $result[$page] = array();
-                }
-
-                foreach ($pageRights as $action => $permission) {
-                    // Deny takes precedence, so if it's set, don't change it.
-                    if (isset($result[$page][$action])) {
-                        if ($result[$page][$action] === RoleConfiguration::ACCESS_DENY) {
-                            continue;
-                        }
-                    }
-
-                    if ($permission === RoleConfiguration::ACCESS_DEFAULT) {
-                        // Configured to do precisely nothing.
-                        continue;
-                    }
-
-                    $result[$page][$action] = $permission;
-                }
-            }
-        }
-
-        return $result;
-    }
-
-    /**
-     * @param User  $user
-     * @param array $activeRoles
-     * @param array $inactiveRoles
-     */
-    public function getActiveRoles(User $user, &$activeRoles, &$inactiveRoles)
-    {
-        // Default to the community user here, because the main user is logged out
-        $identified = false;
-        $userRoles = array('public');
-
-        // if we're not the community user, get our real rights.
-        if (!$user->isCommunityUser()) {
-            // Check the user's status - only active users are allowed the effects of roles
-
-            $userRoles[] = 'loggedIn';
-
-            if ($user->isActive()) {
-                $ur = UserRole::getForUser($user->getId(), $user->getDatabase());
-
-                // NOTE: public is still in this array.
-                foreach ($ur as $r) {
-                    $userRoles[] = $r->getRole();
-                }
-
-                $identified = $user->isIdentified($this->identificationVerifier);
-            }
-        }
-
-        $activeRoles = array();
-        $inactiveRoles = array();
-
-        /** @var string $v */
-        foreach ($userRoles as $v) {
-            if ($this->roleConfiguration->roleNeedsIdentification($v)) {
-                if ($identified) {
-                    $activeRoles[] = $v;
-                }
-                else {
-                    $inactiveRoles[] = $v;
-                }
-            }
-            else {
-                $activeRoles[] = $v;
-            }
-        }
-    }
-
-    public function getRoleConfiguration(){
-        return $this->roleConfiguration;
-    }
+	const ALLOWED = 1;
+	const ERROR_NOT_IDENTIFIED = 2;
+	const ERROR_DENIED = 3;
+	/** @var IdentificationVerifier */
+	private $identificationVerifier;
+	/**
+	 * @var RoleConfiguration
+	 */
+	private $roleConfiguration;
+
+	/**
+	 * SecurityManager constructor.
+	 *
+	 * @param IdentificationVerifier $identificationVerifier
+	 * @param RoleConfiguration      $roleConfiguration
+	 */
+	public function __construct(
+		IdentificationVerifier $identificationVerifier,
+		RoleConfiguration $roleConfiguration
+	) {
+		$this->identificationVerifier = $identificationVerifier;
+		$this->roleConfiguration = $roleConfiguration;
+	}
+
+	/**
+	 * Tests if a user is allowed to perform an action.
+	 *
+	 * This method should form a hard, deterministic security barrier, and only return true if it is absolutely sure
+	 * that a user should have access to something.
+	 *
+	 * @param string $page
+	 * @param string $route
+	 * @param User   $user
+	 *
+	 * @return int
+	 *
+	 * @category Security-Critical
+	 */
+	public function allows($page, $route, User $user)
+	{
+		$this->getActiveRoles($user, $activeRoles, $inactiveRoles);
+
+		$availableRights = $this->flattenRoles($activeRoles);
+		$testResult = $this->findResult($availableRights, $page, $route);
+
+		if ($testResult !== null) {
+			// We got a firm result here, so just return it.
+			return $testResult;
+		}
+
+		// No firm result yet, so continue testing the inactive roles so we can give a better error.
+		$inactiveRights = $this->flattenRoles($inactiveRoles);
+		$testResult = $this->findResult($inactiveRights, $page, $route);
+
+		if ($testResult === self::ALLOWED) {
+			// The user is allowed to access this, but their role is inactive.
+			return self::ERROR_NOT_IDENTIFIED;
+		}
+
+		// Other options from the secondary test are denied and inconclusive, which at this point defaults to denied.
+		return self::ERROR_DENIED;
+	}
+
+	/**
+	 * @param array  $pseudoRole The role (flattened) to check
+	 * @param string $page       The page class to check
+	 * @param string $route      The page route to check
+	 *
+	 * @return int|null
+	 */
+	private function findResult($pseudoRole, $page, $route)
+	{
+		if (isset($pseudoRole[$page])) {
+			// check for deny on catch-all route
+			if (isset($pseudoRole[$page][RoleConfiguration::ALL])) {
+				if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_DENY) {
+					return self::ERROR_DENIED;
+				}
+			}
+
+			// check normal route
+			if (isset($pseudoRole[$page][$route])) {
+				if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_DENY) {
+					return self::ERROR_DENIED;
+				}
+
+				if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_ALLOW) {
+					return self::ALLOWED;
+				}
+			}
+
+			// check for allowed on catch-all route
+			if (isset($pseudoRole[$page][RoleConfiguration::ALL])) {
+				if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_ALLOW) {
+					return self::ALLOWED;
+				}
+			}
+		}
+
+		// return indeterminate result
+		return null;
+	}
+
+	/**
+	 * Takes an array of roles and flattens the values to a single set.
+	 *
+	 * @param array $activeRoles
+	 *
+	 * @return array
+	 */
+	private function flattenRoles($activeRoles)
+	{
+		$result = array();
+
+		$roleConfig = $this->roleConfiguration->getApplicableRoles($activeRoles);
+
+		// Iterate over every page in every role
+		foreach ($roleConfig as $role) {
+			foreach ($role as $page => $pageRights) {
+				// Create holder in result for this page
+				if (!isset($result[$page])) {
+					$result[$page] = array();
+				}
+
+				foreach ($pageRights as $action => $permission) {
+					// Deny takes precedence, so if it's set, don't change it.
+					if (isset($result[$page][$action])) {
+						if ($result[$page][$action] === RoleConfiguration::ACCESS_DENY) {
+							continue;
+						}
+					}
+
+					if ($permission === RoleConfiguration::ACCESS_DEFAULT) {
+						// Configured to do precisely nothing.
+						continue;
+					}
+
+					$result[$page][$action] = $permission;
+				}
+			}
+		}
+
+		return $result;
+	}
+
+	/**
+	 * @param User  $user
+	 * @param array $activeRoles
+	 * @param array $inactiveRoles
+	 */
+	public function getActiveRoles(User $user, &$activeRoles, &$inactiveRoles)
+	{
+		// Default to the community user here, because the main user is logged out
+		$identified = false;
+		$userRoles = array('public');
+
+		// if we're not the community user, get our real rights.
+		if (!$user->isCommunityUser()) {
+			// Check the user's status - only active users are allowed the effects of roles
+
+			$userRoles[] = 'loggedIn';
+
+			if ($user->isActive()) {
+				$ur = UserRole::getForUser($user->getId(), $user->getDatabase());
+
+				// NOTE: public is still in this array.
+				foreach ($ur as $r) {
+					$userRoles[] = $r->getRole();
+				}
+
+				$identified = $user->isIdentified($this->identificationVerifier);
+			}
+		}
+
+		$activeRoles = array();
+		$inactiveRoles = array();
+
+		/** @var string $v */
+		foreach ($userRoles as $v) {
+			if ($this->roleConfiguration->roleNeedsIdentification($v)) {
+				if ($identified) {
+					$activeRoles[] = $v;
+				}
+				else {
+					$inactiveRoles[] = $v;
+				}
+			}
+			else {
+				$activeRoles[] = $v;
+			}
+		}
+	}
+
+	public function getRoleConfiguration(){
+		return $this->roleConfiguration;
+	}
 }

Spacing +1 added lines, -1 removed lines

@@ -207,7 +207,7 @@
         }
     }
 
-    public function getRoleConfiguration(){
+    public function getRoleConfiguration() {
         return $this->roleConfiguration;
     }
 }

Braces +2 added lines, -1 removed lines

@@ -207,7 +207,8 @@
         }
     }
 
-    public function getRoleConfiguration(){
+    public function getRoleConfiguration()
+    {
         return $this->roleConfiguration;
     }
 }

includes/Security/RoleConfiguration.php

Indentation +307 added lines, -307 removed lines

@@ -41,338 +41,338 @@
 
 class RoleConfiguration
 {
-    const ACCESS_ALLOW = 1;
-    const ACCESS_DENY = -1;
-    const ACCESS_DEFAULT = 0;
-    const MAIN = 'main';
-    const ALL = '*';
-    /**
-     * A map of roles to rights
-     *
-     * For example:
-     *
-     * array(
-     *   'myrole' => array(
-     *       PageMyPage::class => array(
-     *           'edit' => self::ACCESS_ALLOW,
-     *           'create' => self::ACCESS_DENY,
-     *       )
-     *   )
-     * )
-     *
-     * Note that DENY takes precedence over everything else when roles are combined, followed by ALLOW, followed by
-     * DEFAULT. Thus, if you have the following ([A]llow, [D]eny, [-] (default)) grants in different roles, this should
-     * be the expected result:
-     *
-     * - (-,-,-) = - (default because nothing to explicitly say allowed or denied equates to a denial)
-     * - (A,-,-) = A
-     * - (D,-,-) = D
-     * - (A,D,-) = D (deny takes precedence over allow)
-     * - (A,A,A) = A (repetition has no effect)
-     *
-     * The public role is special, and is applied to all users automatically. Avoid using deny on this role.
-     *
-     * @var array
-     */
-    private $roleConfig = array(
-        'public'            => array(
-            /*
+	const ACCESS_ALLOW = 1;
+	const ACCESS_DENY = -1;
+	const ACCESS_DEFAULT = 0;
+	const MAIN = 'main';
+	const ALL = '*';
+	/**
+	 * A map of roles to rights
+	 *
+	 * For example:
+	 *
+	 * array(
+	 *   'myrole' => array(
+	 *       PageMyPage::class => array(
+	 *           'edit' => self::ACCESS_ALLOW,
+	 *           'create' => self::ACCESS_DENY,
+	 *       )
+	 *   )
+	 * )
+	 *
+	 * Note that DENY takes precedence over everything else when roles are combined, followed by ALLOW, followed by
+	 * DEFAULT. Thus, if you have the following ([A]llow, [D]eny, [-] (default)) grants in different roles, this should
+	 * be the expected result:
+	 *
+	 * - (-,-,-) = - (default because nothing to explicitly say allowed or denied equates to a denial)
+	 * - (A,-,-) = A
+	 * - (D,-,-) = D
+	 * - (A,D,-) = D (deny takes precedence over allow)
+	 * - (A,A,A) = A (repetition has no effect)
+	 *
+	 * The public role is special, and is applied to all users automatically. Avoid using deny on this role.
+	 *
+	 * @var array
+	 */
+	private $roleConfig = array(
+		'public'            => array(
+			/*
              * THIS ROLE IS GRANTED TO ALL LOGGED *OUT* USERS IMPLICITLY.
              *
              * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
              * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
              */
-            '_childRoles'    => array(
-                'publicStats',
-            ),
-            PageOAuth::class => array(
-                'callback' => self::ACCESS_ALLOW,
-            ),
-            PageTeam::class  => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-        ),
-        'loggedIn'            => array(
-            /*
+			'_childRoles'    => array(
+				'publicStats',
+			),
+			PageOAuth::class => array(
+				'callback' => self::ACCESS_ALLOW,
+			),
+			PageTeam::class  => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+		),
+		'loggedIn'            => array(
+			/*
              * THIS ROLE IS GRANTED TO ALL LOGGED IN USERS IMPLICITLY.
              *
              * USERS IN THIS ROLE DO NOT HAVE TO BE IDENTIFIED TO GET THE RIGHTS CONFERRED HERE.
              * DO NOT ADD ANY SECURITY-SENSITIVE RIGHTS HERE.
              */
-            '_childRoles'    => array(
-                'public',
-            ),
-            PagePreferences::class               => array(
-                self::MAIN       => self::ACCESS_ALLOW,
-                'changePassword' => self::ACCESS_ALLOW,
-            ),
-            PageOAuth::class                     => array(
-                'attach' => self::ACCESS_ALLOW,
-                'detach' => self::ACCESS_ALLOW,
-            ),
-        ),
-        'user'              => array(
-            '_description' => 'A standard tool user.',
-            '_editableBy' => array('admin', 'toolRoot'),
-            '_childRoles'                        => array(
-                'internalStats',
-            ),
-            PageMain::class                      => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageBan::class                       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageEditComment::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageEmailManagement::class           => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'view'     => self::ACCESS_ALLOW,
-            ),
-            PageExpandedRequestList::class       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageLog::class                       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageSearch::class                    => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageWelcomeTemplateManagement::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'select'   => self::ACCESS_ALLOW,
-                'view'     => self::ACCESS_ALLOW,
-            ),
-            PageViewRequest::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            'RequestData'                        => array(
-                'seePrivateDataWhenReserved' => self::ACCESS_ALLOW,
-                'seePrivateDataWithHash'     => self::ACCESS_ALLOW,
-            ),
-            PageCustomClose::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageComment::class                   => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageCloseRequest::class              => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageDeferRequest::class              => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageDropRequest::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageReservation::class               => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageSendToUser::class                => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageBreakReservation::class          => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
+			'_childRoles'    => array(
+				'public',
+			),
+			PagePreferences::class               => array(
+				self::MAIN       => self::ACCESS_ALLOW,
+				'changePassword' => self::ACCESS_ALLOW,
+			),
+			PageOAuth::class                     => array(
+				'attach' => self::ACCESS_ALLOW,
+				'detach' => self::ACCESS_ALLOW,
+			),
+		),
+		'user'              => array(
+			'_description' => 'A standard tool user.',
+			'_editableBy' => array('admin', 'toolRoot'),
+			'_childRoles'                        => array(
+				'internalStats',
+			),
+			PageMain::class                      => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageBan::class                       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageEditComment::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageEmailManagement::class           => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'view'     => self::ACCESS_ALLOW,
+			),
+			PageExpandedRequestList::class       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageLog::class                       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageSearch::class                    => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageWelcomeTemplateManagement::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'select'   => self::ACCESS_ALLOW,
+				'view'     => self::ACCESS_ALLOW,
+			),
+			PageViewRequest::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			'RequestData'                        => array(
+				'seePrivateDataWhenReserved' => self::ACCESS_ALLOW,
+				'seePrivateDataWithHash'     => self::ACCESS_ALLOW,
+			),
+			PageCustomClose::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageComment::class                   => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageCloseRequest::class              => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageDeferRequest::class              => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageDropRequest::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageReservation::class               => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageSendToUser::class                => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageBreakReservation::class          => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
 
-        ),
-        'admin'             => array(
-            '_description' => 'A tool administrator.',
-            '_editableBy' => array('admin', 'toolRoot'),
-            '_childRoles'                        => array(
-                'user', 'requestAdminTools',
-            ),
-            PageEmailManagement::class           => array(
-                'edit'   => self::ACCESS_ALLOW,
-                'create' => self::ACCESS_ALLOW,
-            ),
-            PageSiteNotice::class                => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            PageUserManagement::class            => array(
-                self::MAIN  => self::ACCESS_ALLOW,
-                'approve'   => self::ACCESS_ALLOW,
-                'decline'   => self::ACCESS_ALLOW,
-                'rename'    => self::ACCESS_ALLOW,
-                'editUser'  => self::ACCESS_ALLOW,
-                'suspend'   => self::ACCESS_ALLOW,
-                'editRoles' => self::ACCESS_ALLOW,
-            ),
-            PageWelcomeTemplateManagement::class => array(
-                'edit'   => self::ACCESS_ALLOW,
-                'delete' => self::ACCESS_ALLOW,
-                'add'    => self::ACCESS_ALLOW,
-            ),
-        ),
-        'checkuser'         => array(
-            '_description' => 'A user with CheckUser access',
-            '_editableBy' => array('checkuser', 'toolRoot'),
-            '_childRoles'             => array(
-                'user', 'requestAdminTools',
-            ),
-            PageUserManagement::class => array(
-                self::MAIN  => self::ACCESS_ALLOW,
-                'suspend'   => self::ACCESS_ALLOW,
-                'editRoles' => self::ACCESS_ALLOW,
-            ),
-            'RequestData'             => array(
-                'seeUserAgentData' => self::ACCESS_ALLOW,
-            ),
-        ),
-        'toolRoot'         => array(
-            '_description' => 'A user with shell access to the servers running the tool',
-            '_editableBy' => array('toolRoot'),
-            '_childRoles'             => array(
-                'admin', 'checkuser',
-            ),
-        ),
+		),
+		'admin'             => array(
+			'_description' => 'A tool administrator.',
+			'_editableBy' => array('admin', 'toolRoot'),
+			'_childRoles'                        => array(
+				'user', 'requestAdminTools',
+			),
+			PageEmailManagement::class           => array(
+				'edit'   => self::ACCESS_ALLOW,
+				'create' => self::ACCESS_ALLOW,
+			),
+			PageSiteNotice::class                => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			PageUserManagement::class            => array(
+				self::MAIN  => self::ACCESS_ALLOW,
+				'approve'   => self::ACCESS_ALLOW,
+				'decline'   => self::ACCESS_ALLOW,
+				'rename'    => self::ACCESS_ALLOW,
+				'editUser'  => self::ACCESS_ALLOW,
+				'suspend'   => self::ACCESS_ALLOW,
+				'editRoles' => self::ACCESS_ALLOW,
+			),
+			PageWelcomeTemplateManagement::class => array(
+				'edit'   => self::ACCESS_ALLOW,
+				'delete' => self::ACCESS_ALLOW,
+				'add'    => self::ACCESS_ALLOW,
+			),
+		),
+		'checkuser'         => array(
+			'_description' => 'A user with CheckUser access',
+			'_editableBy' => array('checkuser', 'toolRoot'),
+			'_childRoles'             => array(
+				'user', 'requestAdminTools',
+			),
+			PageUserManagement::class => array(
+				self::MAIN  => self::ACCESS_ALLOW,
+				'suspend'   => self::ACCESS_ALLOW,
+				'editRoles' => self::ACCESS_ALLOW,
+			),
+			'RequestData'             => array(
+				'seeUserAgentData' => self::ACCESS_ALLOW,
+			),
+		),
+		'toolRoot'         => array(
+			'_description' => 'A user with shell access to the servers running the tool',
+			'_editableBy' => array('toolRoot'),
+			'_childRoles'             => array(
+				'admin', 'checkuser',
+			),
+		),
 
-        // Child roles go below this point
-        'publicStats'       => array(
-            '_hidden'               => true,
-            StatsUsers::class       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'detail'   => self::ACCESS_ALLOW,
-            ),
-            StatsTopCreators::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-        ),
-        'internalStats'     => array(
-            '_hidden'                    => true,
-            StatsMain::class             => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsFastCloses::class       => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsInactiveUsers::class    => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsMonthlyStats::class     => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsReservedRequests::class => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-            StatsTemplateStats::class    => array(
-                self::MAIN => self::ACCESS_ALLOW,
-            ),
-        ),
-        'requestAdminTools' => array(
-            '_hidden'                   => true,
-            PageBan::class              => array(
-                self::MAIN => self::ACCESS_ALLOW,
-                'set'      => self::ACCESS_ALLOW,
-                'remove'   => self::ACCESS_ALLOW,
-            ),
-            PageEditComment::class      => array(
-                'editOthers' => self::ACCESS_ALLOW,
-            ),
-            PageBreakReservation::class => array(
-                'force' => self::ACCESS_ALLOW,
-            ),
-            PageCustomClose::class      => array(
-                'skipCcMailingList' => self::ACCESS_ALLOW,
-            ),
-            'RequestData'               => array(
-                'reopenOldRequest'      => self::ACCESS_ALLOW,
-                'alwaysSeePrivateData'  => self::ACCESS_ALLOW,
-                'alwaysSeeHash'         => self::ACCESS_ALLOW,
-                'seeRestrictedComments' => self::ACCESS_ALLOW,
-            ),
-        ),
-    );
-    /** @var array
-     * List of roles which are *exempt* from the identification requirements
-     *
-     * Think twice about adding roles to this list.
-     *
-     * @category Security-Critical
-     */
-    private $identificationExempt = array('public', 'loggedIn');
+		// Child roles go below this point
+		'publicStats'       => array(
+			'_hidden'               => true,
+			StatsUsers::class       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'detail'   => self::ACCESS_ALLOW,
+			),
+			StatsTopCreators::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+		),
+		'internalStats'     => array(
+			'_hidden'                    => true,
+			StatsMain::class             => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsFastCloses::class       => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsInactiveUsers::class    => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsMonthlyStats::class     => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsReservedRequests::class => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+			StatsTemplateStats::class    => array(
+				self::MAIN => self::ACCESS_ALLOW,
+			),
+		),
+		'requestAdminTools' => array(
+			'_hidden'                   => true,
+			PageBan::class              => array(
+				self::MAIN => self::ACCESS_ALLOW,
+				'set'      => self::ACCESS_ALLOW,
+				'remove'   => self::ACCESS_ALLOW,
+			),
+			PageEditComment::class      => array(
+				'editOthers' => self::ACCESS_ALLOW,
+			),
+			PageBreakReservation::class => array(
+				'force' => self::ACCESS_ALLOW,
+			),
+			PageCustomClose::class      => array(
+				'skipCcMailingList' => self::ACCESS_ALLOW,
+			),
+			'RequestData'               => array(
+				'reopenOldRequest'      => self::ACCESS_ALLOW,
+				'alwaysSeePrivateData'  => self::ACCESS_ALLOW,
+				'alwaysSeeHash'         => self::ACCESS_ALLOW,
+				'seeRestrictedComments' => self::ACCESS_ALLOW,
+			),
+		),
+	);
+	/** @var array
+	 * List of roles which are *exempt* from the identification requirements
+	 *
+	 * Think twice about adding roles to this list.
+	 *
+	 * @category Security-Critical
+	 */
+	private $identificationExempt = array('public', 'loggedIn');
 
-    /**
-     * RoleConfiguration constructor.
-     *
-     * @param array $roleConfig           Set to non-null to override the default configuration.
-     * @param array $identificationExempt Set to non-null to override the default configuration.
-     */
-    public function __construct(array $roleConfig = null, array $identificationExempt = null)
-    {
-        if ($roleConfig !== null) {
-            $this->roleConfig = $roleConfig;
-        }
+	/**
+	 * RoleConfiguration constructor.
+	 *
+	 * @param array $roleConfig           Set to non-null to override the default configuration.
+	 * @param array $identificationExempt Set to non-null to override the default configuration.
+	 */
+	public function __construct(array $roleConfig = null, array $identificationExempt = null)
+	{
+		if ($roleConfig !== null) {
+			$this->roleConfig = $roleConfig;
+		}
 
-        if ($identificationExempt !== null) {
-            $this->identificationExempt = $identificationExempt;
-        }
-    }
+		if ($identificationExempt !== null) {
+			$this->identificationExempt = $identificationExempt;
+		}
+	}
 
-    /**
-     * @param array $roles The roles to check
-     *
-     * @return array
-     */
-    public function getApplicableRoles(array $roles)
-    {
-        $available = array();
+	/**
+	 * @param array $roles The roles to check
+	 *
+	 * @return array
+	 */
+	public function getApplicableRoles(array $roles)
+	{
+		$available = array();
 
-        foreach ($roles as $role) {
-            if (!isset($this->roleConfig[$role])) {
-                // wat
-                continue;
-            }
+		foreach ($roles as $role) {
+			if (!isset($this->roleConfig[$role])) {
+				// wat
+				continue;
+			}
 
-            $available[$role] = $this->roleConfig[$role];
+			$available[$role] = $this->roleConfig[$role];
 
-            if (isset($available[$role]['_childRoles'])) {
-                $childRoles = self::getApplicableRoles($available[$role]['_childRoles']);
-                $available = array_merge($available, $childRoles);
+			if (isset($available[$role]['_childRoles'])) {
+				$childRoles = self::getApplicableRoles($available[$role]['_childRoles']);
+				$available = array_merge($available, $childRoles);
 
-                unset($available[$role]['_childRoles']);
-            }
+				unset($available[$role]['_childRoles']);
+			}
 
-            foreach (array('_hidden', '_editableBy', '_description') as $item) {
-                if (isset($available[$role][$item])) {
-                    unset($available[$role][$item]);
-                }
-            }
-        }
+			foreach (array('_hidden', '_editableBy', '_description') as $item) {
+				if (isset($available[$role][$item])) {
+					unset($available[$role][$item]);
+				}
+			}
+		}
 
-        return $available;
-    }
+		return $available;
+	}
 
-    public function getAvailableRoles()
-    {
-        $possible = array_diff(array_keys($this->roleConfig), array('public', 'loggedIn'));
+	public function getAvailableRoles()
+	{
+		$possible = array_diff(array_keys($this->roleConfig), array('public', 'loggedIn'));
 
-        $actual = array();
+		$actual = array();
 
-        foreach ($possible as $role) {
-            if (!isset($this->roleConfig[$role]['_hidden'])) {
-                $actual[$role] = array(
-                    'description' => $this->roleConfig[$role]['_description'],
-                    'editableBy'  => $this->roleConfig[$role]['_editableBy'],
-                );
-            }
-        }
+		foreach ($possible as $role) {
+			if (!isset($this->roleConfig[$role]['_hidden'])) {
+				$actual[$role] = array(
+					'description' => $this->roleConfig[$role]['_description'],
+					'editableBy'  => $this->roleConfig[$role]['_editableBy'],
+				);
+			}
+		}
 
-        return $actual;
-    }
+		return $actual;
+	}
 
-    /**
-     * @param string $role
-     *
-     * @return bool
-     */
-    public function roleNeedsIdentification($role)
-    {
-        if (in_array($role, $this->identificationExempt)) {
-            return false;
-        }
+	/**
+	 * @param string $role
+	 *
+	 * @return bool
+	 */
+	public function roleNeedsIdentification($role)
+	{
+		if (in_array($role, $this->identificationExempt)) {
+			return false;
+		}
 
-        return true;
-    }
+		return true;
+	}
 }

includes/Tasks/InternalPageBase.php

Indentation +221 added lines, -221 removed lines

@@ -22,225 +22,225 @@
 
 abstract class InternalPageBase extends PageBase
 {
-    use NavigationMenuAccessControl;
-
-    /** @var IdentificationVerifier */
-    private $identificationVerifier;
-    /** @var ITypeAheadHelper */
-    private $typeAheadHelper;
-    /** @var SecurityManager */
-    private $securityManager;
-    /** @var IBlacklistHelper */
-    private $blacklistHelper;
-
-    /**
-     * @return ITypeAheadHelper
-     */
-    public function getTypeAheadHelper()
-    {
-        return $this->typeAheadHelper;
-    }
-
-    /**
-     * Sets up the internal IdentificationVerifier instance.  Intended to be called from WebStart::setupHelpers().
-     *
-     * @param IdentificationVerifier $identificationVerifier
-     *
-     * @return void
-     */
-    public function setIdentificationVerifier(IdentificationVerifier $identificationVerifier)
-    {
-        $this->identificationVerifier = $identificationVerifier;
-    }
-
-    /**
-     * @param ITypeAheadHelper $typeAheadHelper
-     */
-    public function setTypeAheadHelper(ITypeAheadHelper $typeAheadHelper)
-    {
-        $this->typeAheadHelper = $typeAheadHelper;
-    }
-
-    /**
-     * Runs the page code
-     *
-     * @throws Exception
-     * @category Security-Critical
-     */
-    final public function execute()
-    {
-        if ($this->getRouteName() === null) {
-            throw new Exception("Request is unrouted.");
-        }
-
-        if ($this->getSiteConfiguration() === null) {
-            throw new Exception("Page has no configuration!");
-        }
-
-        $this->setupPage();
-
-        $this->touchUserLastActive();
-
-        $currentUser = User::getCurrent($this->getDatabase());
-
-        // Hey, this is also a security barrier, in addition to the below. Separated out for readability.
-        if (!$this->isProtectedPage()) {
-            // This page is /not/ a protected page, as such we can just run it.
-            $this->runPage();
-
-            return;
-        }
-
-        // Security barrier.
-        //
-        // This code essentially doesn't care if the user is logged in or not, as the security manager hides all that
-        // away for us
-        $securityResult = $this->getSecurityManager()->allows(get_called_class(), $this->getRouteName(), $currentUser);
-        if ($securityResult === SecurityManager::ALLOWED) {
-            // We're allowed to run the page, so let's run it.
-            $this->runPage();
-        }
-        else {
-            $this->handleAccessDenied($securityResult);
-
-            // Send the headers
-            $this->sendResponseHeaders();
-        }
-    }
-
-    /**
-     * Performs final tasks needed before rendering the page.
-     */
-    final public function finalisePage()
-    {
-        parent::finalisePage();
-
-        $this->assign('typeAheadBlock', $this->getTypeAheadHelper()->getTypeAheadScriptBlock());
-
-        $database = $this->getDatabase();
-
-        $currentUser = User::getCurrent($database);
-        if (!$currentUser->isCommunityUser()) {
-            $sql = 'SELECT * FROM user WHERE lastactive > DATE_SUB(CURRENT_TIMESTAMP(), INTERVAL 5 MINUTE);';
-            $statement = $database->query($sql);
-            $activeUsers = $statement->fetchAll(PDO::FETCH_CLASS, User::class);
-            $this->assign('onlineusers', $activeUsers);
-        }
-
-        $this->setupNavMenuAccess($currentUser);
-    }
-
-    /**
-     * Configures whether the page respects roles or not. You probably want this to return true.
-     *
-     * Set to false for public pages. You probably want this to return true.
-     *
-     * This defaults to true unless you explicitly set it to false. Setting it to false means anybody can do anything
-     * on this page, so you probably want this to return true.
-     *
-     * @return bool
-     * @category Security-Critical
-     */
-    protected function isProtectedPage()
-    {
-        return true;
-    }
-
-    protected function handleAccessDenied($denyReason)
-    {
-        $currentUser = User::getCurrent($this->getDatabase());
-
-        // Not allowed to access this resource.
-        // Firstly, let's check if we're even logged in.
-        if ($currentUser->isCommunityUser()) {
-            // Not logged in, redirect to login page
-            WebRequest::setPostLoginRedirect();
-            $this->redirect("login");
-
-            return;
-        }
-        else {
-            // Decide whether this was a rights failure, or an identification failure.
-
-            if ($denyReason === SecurityManager::ERROR_NOT_IDENTIFIED) {
-                // Not identified
-                throw new NotIdentifiedException($this->getSecurityManager());
-            }
-            elseif ($denyReason === SecurityManager::ERROR_DENIED) {
-                // Nope, plain old access denied
-                throw new AccessDeniedException($this->getSecurityManager());
-            }
-            else {
-                throw new Exception('Unknown response from security manager.');
-            }
-        }
-    }
-
-    /**
-     * Tests the security barrier for a specified action.
-     *
-     * Don't use within templates
-     *
-     * @param string      $action
-     *
-     * @param User        $user
-     * @param null|string $pageName
-     *
-     * @return bool
-     * @category Security-Critical
-     */
-    final public function barrierTest($action, User $user, $pageName = null)
-    {
-        $page = get_called_class();
-        if ($pageName !== null) {
-            $page = $pageName;
-        }
-
-        $securityResult = $this->getSecurityManager()->allows($page, $action, $user);
-
-        return $securityResult === SecurityManager::ALLOWED;
-    }
-
-    /**
-     * Updates the lastactive timestamp
-     */
-    private function touchUserLastActive()
-    {
-        if (WebRequest::getSessionUserId() !== null) {
-            $query = 'UPDATE user SET lastactive = CURRENT_TIMESTAMP() WHERE id = :id;';
-            $this->getDatabase()->prepare($query)->execute(array(":id" => WebRequest::getSessionUserId()));
-        }
-    }
-
-    /**
-     * @return SecurityManager
-     */
-    public function getSecurityManager()
-    {
-        return $this->securityManager;
-    }
-
-    /**
-     * @param SecurityManager $securityManager
-     */
-    public function setSecurityManager(SecurityManager $securityManager)
-    {
-        $this->securityManager = $securityManager;
-    }
-
-    /**
-     * @return IBlacklistHelper
-     */
-    public function getBlacklistHelper()
-    {
-        return $this->blacklistHelper;
-    }
-
-    /**
-     * @param IBlacklistHelper $blacklistHelper
-     */
-    public function setBlacklistHelper(IBlacklistHelper $blacklistHelper)
-    {
-        $this->blacklistHelper = $blacklistHelper;
-    }
+	use NavigationMenuAccessControl;
+
+	/** @var IdentificationVerifier */
+	private $identificationVerifier;
+	/** @var ITypeAheadHelper */
+	private $typeAheadHelper;
+	/** @var SecurityManager */
+	private $securityManager;
+	/** @var IBlacklistHelper */
+	private $blacklistHelper;
+
+	/**
+	 * @return ITypeAheadHelper
+	 */
+	public function getTypeAheadHelper()
+	{
+		return $this->typeAheadHelper;
+	}
+
+	/**
+	 * Sets up the internal IdentificationVerifier instance.  Intended to be called from WebStart::setupHelpers().
+	 *
+	 * @param IdentificationVerifier $identificationVerifier
+	 *
+	 * @return void
+	 */
+	public function setIdentificationVerifier(IdentificationVerifier $identificationVerifier)
+	{
+		$this->identificationVerifier = $identificationVerifier;
+	}
+
+	/**
+	 * @param ITypeAheadHelper $typeAheadHelper
+	 */
+	public function setTypeAheadHelper(ITypeAheadHelper $typeAheadHelper)
+	{
+		$this->typeAheadHelper = $typeAheadHelper;
+	}
+
+	/**
+	 * Runs the page code
+	 *
+	 * @throws Exception
+	 * @category Security-Critical
+	 */
+	final public function execute()
+	{
+		if ($this->getRouteName() === null) {
+			throw new Exception("Request is unrouted.");
+		}
+
+		if ($this->getSiteConfiguration() === null) {
+			throw new Exception("Page has no configuration!");
+		}
+
+		$this->setupPage();
+
+		$this->touchUserLastActive();
+
+		$currentUser = User::getCurrent($this->getDatabase());
+
+		// Hey, this is also a security barrier, in addition to the below. Separated out for readability.
+		if (!$this->isProtectedPage()) {
+			// This page is /not/ a protected page, as such we can just run it.
+			$this->runPage();
+
+			return;
+		}
+
+		// Security barrier.
+		//
+		// This code essentially doesn't care if the user is logged in or not, as the security manager hides all that
+		// away for us
+		$securityResult = $this->getSecurityManager()->allows(get_called_class(), $this->getRouteName(), $currentUser);
+		if ($securityResult === SecurityManager::ALLOWED) {
+			// We're allowed to run the page, so let's run it.
+			$this->runPage();
+		}
+		else {
+			$this->handleAccessDenied($securityResult);
+
+			// Send the headers
+			$this->sendResponseHeaders();
+		}
+	}
+
+	/**
+	 * Performs final tasks needed before rendering the page.
+	 */
+	final public function finalisePage()
+	{
+		parent::finalisePage();
+
+		$this->assign('typeAheadBlock', $this->getTypeAheadHelper()->getTypeAheadScriptBlock());
+
+		$database = $this->getDatabase();
+
+		$currentUser = User::getCurrent($database);
+		if (!$currentUser->isCommunityUser()) {
+			$sql = 'SELECT * FROM user WHERE lastactive > DATE_SUB(CURRENT_TIMESTAMP(), INTERVAL 5 MINUTE);';
+			$statement = $database->query($sql);
+			$activeUsers = $statement->fetchAll(PDO::FETCH_CLASS, User::class);
+			$this->assign('onlineusers', $activeUsers);
+		}
+
+		$this->setupNavMenuAccess($currentUser);
+	}
+
+	/**
+	 * Configures whether the page respects roles or not. You probably want this to return true.
+	 *
+	 * Set to false for public pages. You probably want this to return true.
+	 *
+	 * This defaults to true unless you explicitly set it to false. Setting it to false means anybody can do anything
+	 * on this page, so you probably want this to return true.
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 */
+	protected function isProtectedPage()
+	{
+		return true;
+	}
+
+	protected function handleAccessDenied($denyReason)
+	{
+		$currentUser = User::getCurrent($this->getDatabase());
+
+		// Not allowed to access this resource.
+		// Firstly, let's check if we're even logged in.
+		if ($currentUser->isCommunityUser()) {
+			// Not logged in, redirect to login page
+			WebRequest::setPostLoginRedirect();
+			$this->redirect("login");
+
+			return;
+		}
+		else {
+			// Decide whether this was a rights failure, or an identification failure.
+
+			if ($denyReason === SecurityManager::ERROR_NOT_IDENTIFIED) {
+				// Not identified
+				throw new NotIdentifiedException($this->getSecurityManager());
+			}
+			elseif ($denyReason === SecurityManager::ERROR_DENIED) {
+				// Nope, plain old access denied
+				throw new AccessDeniedException($this->getSecurityManager());
+			}
+			else {
+				throw new Exception('Unknown response from security manager.');
+			}
+		}
+	}
+
+	/**
+	 * Tests the security barrier for a specified action.
+	 *
+	 * Don't use within templates
+	 *
+	 * @param string      $action
+	 *
+	 * @param User        $user
+	 * @param null|string $pageName
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 */
+	final public function barrierTest($action, User $user, $pageName = null)
+	{
+		$page = get_called_class();
+		if ($pageName !== null) {
+			$page = $pageName;
+		}
+
+		$securityResult = $this->getSecurityManager()->allows($page, $action, $user);
+
+		return $securityResult === SecurityManager::ALLOWED;
+	}
+
+	/**
+	 * Updates the lastactive timestamp
+	 */
+	private function touchUserLastActive()
+	{
+		if (WebRequest::getSessionUserId() !== null) {
+			$query = 'UPDATE user SET lastactive = CURRENT_TIMESTAMP() WHERE id = :id;';
+			$this->getDatabase()->prepare($query)->execute(array(":id" => WebRequest::getSessionUserId()));
+		}
+	}
+
+	/**
+	 * @return SecurityManager
+	 */
+	public function getSecurityManager()
+	{
+		return $this->securityManager;
+	}
+
+	/**
+	 * @param SecurityManager $securityManager
+	 */
+	public function setSecurityManager(SecurityManager $securityManager)
+	{
+		$this->securityManager = $securityManager;
+	}
+
+	/**
+	 * @return IBlacklistHelper
+	 */
+	public function getBlacklistHelper()
+	{
+		return $this->blacklistHelper;
+	}
+
+	/**
+	 * @param IBlacklistHelper $blacklistHelper
+	 */
+	public function setBlacklistHelper(IBlacklistHelper $blacklistHelper)
+	{
+		$this->blacklistHelper = $blacklistHelper;
+	}
 }

includes/Exceptions/NotIdentifiedException.php

Indentation +41 added lines, -41 removed lines

@@ -15,52 +15,52 @@
 
 class NotIdentifiedException extends ReadableException
 {
-    use NavigationMenuAccessControl;
-    /**
-     * @var SecurityManager
-     */
-    private $securityManager;
+	use NavigationMenuAccessControl;
+	/**
+	 * @var SecurityManager
+	 */
+	private $securityManager;
 
-    /**
-     * NotIdentifiedException constructor.
-     *
-     * @param SecurityManager $securityManager
-     */
-    public function __construct(SecurityManager $securityManager = null)
-    {
-        $this->securityManager = $securityManager;
-    }
+	/**
+	 * NotIdentifiedException constructor.
+	 *
+	 * @param SecurityManager $securityManager
+	 */
+	public function __construct(SecurityManager $securityManager = null)
+	{
+		$this->securityManager = $securityManager;
+	}
 
-    /**
-     * Returns a readable HTML error message that's displayable to the user using templates.
-     * @return string
-     */
-    public function getReadableError()
-    {
-        if (!headers_sent()) {
-            header("HTTP/1.1 403 Forbidden");
-        }
+	/**
+	 * Returns a readable HTML error message that's displayable to the user using templates.
+	 * @return string
+	 */
+	public function getReadableError()
+	{
+		if (!headers_sent()) {
+			header("HTTP/1.1 403 Forbidden");
+		}
 
-        $this->setUpSmarty();
+		$this->setUpSmarty();
 
-        // uck. We should still be able to access the database in this situation though.
-        $database = PdoDatabase::getDatabaseConnection('acc');
-        $currentUser = User::getCurrent($database);
-        $this->assign('currentUser', $currentUser);
-        $this->assign("loggedIn", (!$currentUser->isCommunityUser()));
+		// uck. We should still be able to access the database in this situation though.
+		$database = PdoDatabase::getDatabaseConnection('acc');
+		$currentUser = User::getCurrent($database);
+		$this->assign('currentUser', $currentUser);
+		$this->assign("loggedIn", (!$currentUser->isCommunityUser()));
 
-        if($this->securityManager !== null) {
-            $this->setupNavMenuAccess($currentUser);
-        }
+		if($this->securityManager !== null) {
+			$this->setupNavMenuAccess($currentUser);
+		}
 
-        return $this->fetchTemplate("exception/not-identified.tpl");
-    }
+		return $this->fetchTemplate("exception/not-identified.tpl");
+	}
 
-    /**
-     * @return SecurityManager
-     */
-    protected function getSecurityManager()
-    {
-        return $this->securityManager;
-    }
+	/**
+	 * @return SecurityManager
+	 */
+	protected function getSecurityManager()
+	{
+		return $this->securityManager;
+	}
 }
\ No newline at end of file

Spacing +1 added lines, -1 removed lines

@@ -57,7 +57,7 @@
         $this->assign('currentUser', $currentUser);
         $this->assign("loggedIn", (!$currentUser->isCommunityUser()));
 
-        if($this->securityManager !== null) {
+        if ($this->securityManager !== null) {
             $this->setupNavMenuAccess($currentUser);
         }
 

includes/ConsoleTasks/MigrateToRoles.php

Indentation +41 added lines, -41 removed lines

@@ -16,55 +16,55 @@
 
 class MigrateToRoles extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        $communityUser = User::getCommunity();
+	public function execute()
+	{
+		$communityUser = User::getCommunity();
 
-        $database = $this->getDatabase();
-        $statement = $database->query('SELECT id, status, checkuser FROM user;');
-        $update = $database->prepare("UPDATE user SET status = 'Active' WHERE id = :id;");
+		$database = $this->getDatabase();
+		$statement = $database->query('SELECT id, status, checkuser FROM user;');
+		$update = $database->prepare("UPDATE user SET status = 'Active' WHERE id = :id;");
 
-        $users = $statement->fetchAll(PDO::FETCH_ASSOC);
+		$users = $statement->fetchAll(PDO::FETCH_ASSOC);
 
-        foreach ($users as $user) {
-            $toAdd = array('user');
+		foreach ($users as $user) {
+			$toAdd = array('user');
 
-            if($user['status'] === 'Admin'){
-                $toAdd[] = 'admin';
-            }
+			if($user['status'] === 'Admin'){
+				$toAdd[] = 'admin';
+			}
 
-            if($user['checkuser'] == 1){
-                $toAdd[] = 'checkuser';
-            }
+			if($user['checkuser'] == 1){
+				$toAdd[] = 'checkuser';
+			}
 
-            foreach ($toAdd as $x) {
-                $a = new UserRole();
-                $a->setUser($user['id']);
-                $a->setRole($x);
-                $a->setDatabase($database);
-                $a->save();
-            }
+			foreach ($toAdd as $x) {
+				$a = new UserRole();
+				$a->setUser($user['id']);
+				$a->setRole($x);
+				$a->setDatabase($database);
+				$a->save();
+			}
 
-            $logData = serialize(array(
-                'added' => $toAdd,
-                'removed' => array(),
-                'reason' => 'Initial migration'
-            ));
+			$logData = serialize(array(
+				'added' => $toAdd,
+				'removed' => array(),
+				'reason' => 'Initial migration'
+			));
 
-            $log = new Log();
-            $log->setDatabase($database);
-            $log->setAction('RoleChange');
-            $log->setObjectId($user['id']);
-            $log->setObjectType('User');
-            $log->setUser($communityUser);
-            $log->setComment($logData);
-            $log->save();
+			$log = new Log();
+			$log->setDatabase($database);
+			$log->setAction('RoleChange');
+			$log->setObjectId($user['id']);
+			$log->setObjectType('User');
+			$log->setUser($communityUser);
+			$log->setComment($logData);
+			$log->save();
 
-            if($user['status'] === 'Admin' || $user['status'] === 'User'){
-                $update->execute(array('id' => $user['id']));
-            }
-        }
+			if($user['status'] === 'Admin' || $user['status'] === 'User'){
+				$update->execute(array('id' => $user['id']));
+			}
+		}
 
-        $database->exec("UPDATE schemaversion SET version = 25;");
-    }
+		$database->exec("UPDATE schemaversion SET version = 25;");
+	}
 }

Spacing +3 added lines, -3 removed lines

@@ -29,11 +29,11 @@ 
         foreach ($users as $user) {
             $toAdd = array('user');
 
-            if($user['status'] === 'Admin'){
+            if ($user['status'] === 'Admin') {
                 $toAdd[] = 'admin';
             }
 
-            if($user['checkuser'] == 1){
+            if ($user['checkuser'] == 1) {
                 $toAdd[] = 'checkuser';
             }
 
@@ -60,7 +60,7 @@ 
             $log->setComment($logData);
             $log->save();
 
-            if($user['status'] === 'Admin' || $user['status'] === 'User'){
+            if ($user['status'] === 'Admin' || $user['status'] === 'User') {
                 $update->execute(array('id' => $user['id']));
             }
         }

Braces +3 added lines, -3 removed lines

@@ -29,11 +29,11 @@ 
         foreach ($users as $user) {
             $toAdd = array('user');
 
-            if($user['status'] === 'Admin'){
+            if($user['status'] === 'Admin') {
                 $toAdd[] = 'admin';
             }
 
-            if($user['checkuser'] == 1){
+            if($user['checkuser'] == 1) {
                 $toAdd[] = 'checkuser';
             }
 
@@ -60,7 +60,7 @@ 
             $log->setComment($logData);
             $log->save();
 
-            if($user['status'] === 'Admin' || $user['status'] === 'User'){
+            if($user['status'] === 'Admin' || $user['status'] === 'User') {
                 $update->execute(array('id' => $user['id']));
             }
         }