enwikipedia-acc / waca

smarty-plugins/modifier.relativedate.php

Indentation +57 added lines, -57 removed lines

@@ -16,68 +16,68 @@
  */
 function smarty_modifier_relativedate($input)
 {
-    $now = new DateTime();
+	$now = new DateTime();
 
-    if (gettype($input) === 'object'
-        && (get_class($input) === DateTime::class || get_class($input) === DateTimeImmutable::class)
-    ) {
-        $then = $input;
-    }
-    else {
-        $then = new DateTime($input);
-    }
+	if (gettype($input) === 'object'
+		&& (get_class($input) === DateTime::class || get_class($input) === DateTimeImmutable::class)
+	) {
+		$then = $input;
+	}
+	else {
+		$then = new DateTime($input);
+	}
 
-    $secs = $now->getTimestamp() - $then->getTimestamp();
+	$secs = $now->getTimestamp() - $then->getTimestamp();
 
-    $second = 1;
-    $minute = 60 * $second;
-    $minuteCut = 60 * $second;
-    $hour = 60 * $minute;
-    $hourCut = 90 * $minute;
-    $day = 24 * $hour;
-    $dayCut = 48 * $hour;
-    $week = 7 * $day;
-    $weekCut = 14 * $day;
-    $month = 30 * $day;
-    $monthCut = 60 * $day;
-    $year = 365 * $day;
-    $yearCut = $year * 2;
+	$second = 1;
+	$minute = 60 * $second;
+	$minuteCut = 60 * $second;
+	$hour = 60 * $minute;
+	$hourCut = 90 * $minute;
+	$day = 24 * $hour;
+	$dayCut = 48 * $hour;
+	$week = 7 * $day;
+	$weekCut = 14 * $day;
+	$month = 30 * $day;
+	$monthCut = 60 * $day;
+	$year = 365 * $day;
+	$yearCut = $year * 2;
 
-    $pluralise = true;
+	$pluralise = true;
 
-    if ($secs <= 10) {
-        $output = "just now";
-        $pluralise = false;
-    }
-    elseif ($secs > 10 && $secs < $minuteCut) {
-        $output = round($secs / $second) . " second";
-    }
-    elseif ($secs >= $minuteCut && $secs < $hourCut) {
-        $output = round($secs / $minute) . " minute";
-    }
-    elseif ($secs >= $hourCut && $secs < $dayCut) {
-        $output = round($secs / $hour) . " hour";
-    }
-    elseif ($secs >= $dayCut && $secs < $weekCut) {
-        $output = round($secs / $day) . " day";
-    }
-    elseif ($secs >= $weekCut && $secs < $monthCut) {
-        $output = round($secs / $week) . " week";
-    }
-    elseif ($secs >= $monthCut && $secs < $yearCut) {
-        $output = round($secs / $month) . " month";
-    }
-    elseif ($secs >= $yearCut && $secs < $year * 10) {
-        $output = round($secs / $year) . " year";
-    }
-    else {
-        $output = "a long time ago";
-        $pluralise = false;
-    }
+	if ($secs <= 10) {
+		$output = "just now";
+		$pluralise = false;
+	}
+	elseif ($secs > 10 && $secs < $minuteCut) {
+		$output = round($secs / $second) . " second";
+	}
+	elseif ($secs >= $minuteCut && $secs < $hourCut) {
+		$output = round($secs / $minute) . " minute";
+	}
+	elseif ($secs >= $hourCut && $secs < $dayCut) {
+		$output = round($secs / $hour) . " hour";
+	}
+	elseif ($secs >= $dayCut && $secs < $weekCut) {
+		$output = round($secs / $day) . " day";
+	}
+	elseif ($secs >= $weekCut && $secs < $monthCut) {
+		$output = round($secs / $week) . " week";
+	}
+	elseif ($secs >= $monthCut && $secs < $yearCut) {
+		$output = round($secs / $month) . " month";
+	}
+	elseif ($secs >= $yearCut && $secs < $year * 10) {
+		$output = round($secs / $year) . " year";
+	}
+	else {
+		$output = "a long time ago";
+		$pluralise = false;
+	}
 
-    if ($pluralise) {
-        $output = (substr($output, 0, 2) <> "1 ") ? $output . "s ago" : $output . " ago";
-    }
+	if ($pluralise) {
+		$output = (substr($output, 0, 2) <> "1 ") ? $output . "s ago" : $output . " ago";
+	}
 
-    return $output;
+	return $output;
 }
\ No newline at end of file

Spacing +8 added lines, -8 removed lines

@@ -50,25 +50,25 @@ 
         $pluralise = false;
     }
     elseif ($secs > 10 && $secs < $minuteCut) {
-        $output = round($secs / $second) . " second";
+        $output = round($secs / $second)." second";
     }
     elseif ($secs >= $minuteCut && $secs < $hourCut) {
-        $output = round($secs / $minute) . " minute";
+        $output = round($secs / $minute)." minute";
     }
     elseif ($secs >= $hourCut && $secs < $dayCut) {
-        $output = round($secs / $hour) . " hour";
+        $output = round($secs / $hour)." hour";
     }
     elseif ($secs >= $dayCut && $secs < $weekCut) {
-        $output = round($secs / $day) . " day";
+        $output = round($secs / $day)." day";
     }
     elseif ($secs >= $weekCut && $secs < $monthCut) {
-        $output = round($secs / $week) . " week";
+        $output = round($secs / $week)." week";
     }
     elseif ($secs >= $monthCut && $secs < $yearCut) {
-        $output = round($secs / $month) . " month";
+        $output = round($secs / $month)." month";
     }
     elseif ($secs >= $yearCut && $secs < $year * 10) {
-        $output = round($secs / $year) . " year";
+        $output = round($secs / $year)." year";
     }
     else {
         $output = "a long time ago";
@@ -76,7 +76,7 @@ 
     }
 
     if ($pluralise) {
-        $output = (substr($output, 0, 2) <> "1 ") ? $output . "s ago" : $output . " ago";
+        $output = (substr($output, 0, 2) <> "1 ") ? $output."s ago" : $output." ago";
     }
 
     return $output;

smarty-plugins/modifier.date.php

Indentation +11 added lines, -11 removed lines

@@ -16,16 +16,16 @@
  */
 function smarty_modifier_date($input)
 {
-    if (gettype($input) === 'object'
-        && (get_class($input) === DateTime::class || get_class($input) === DateTimeImmutable::class)
-    ) {
-        /** @var $date DateTime|DateTimeImmutable */
-        $date = $input;
-        $dateString = $date->format('Y-m-d H:i:s');
+	if (gettype($input) === 'object'
+		&& (get_class($input) === DateTime::class || get_class($input) === DateTimeImmutable::class)
+	) {
+		/** @var $date DateTime|DateTimeImmutable */
+		$date = $input;
+		$dateString = $date->format('Y-m-d H:i:s');
 
-        return $dateString;
-    }
-    else {
-        return $input;
-    }
+		return $dateString;
+	}
+	else {
+		return $input;
+	}
 }
\ No newline at end of file

includes/Helpers/SearchHelpers/LogSearchHelper.php

Indentation +73 added lines, -73 removed lines

@@ -13,87 +13,87 @@
 
 class LogSearchHelper extends SearchHelperBase
 {
-    /**
-     * LogSearchHelper constructor.
-     *
-     * @param PdoDatabase $database
-     */
-    protected function __construct(PdoDatabase $database)
-    {
-        parent::__construct($database, 'log', Log::class, 'timestamp DESC');
-    }
+	/**
+	 * LogSearchHelper constructor.
+	 *
+	 * @param PdoDatabase $database
+	 */
+	protected function __construct(PdoDatabase $database)
+	{
+		parent::__construct($database, 'log', Log::class, 'timestamp DESC');
+	}
 
-    /**
-     * Initiates a search for requests
-     *
-     * @param PdoDatabase $database
-     *
-     * @return LogSearchHelper
-     */
-    public static function get(PdoDatabase $database)
-    {
-        $helper = new LogSearchHelper($database);
+	/**
+	 * Initiates a search for requests
+	 *
+	 * @param PdoDatabase $database
+	 *
+	 * @return LogSearchHelper
+	 */
+	public static function get(PdoDatabase $database)
+	{
+		$helper = new LogSearchHelper($database);
 
-        return $helper;
-    }
+		return $helper;
+	}
 
-    /**
-     * Filters the results by user
-     *
-     * @param int $userId
-     *
-     * @return $this
-     */
-    public function byUser($userId)
-    {
-        $this->whereClause .= ' AND user = ?';
-        $this->parameterList[] = $userId;
+	/**
+	 * Filters the results by user
+	 *
+	 * @param int $userId
+	 *
+	 * @return $this
+	 */
+	public function byUser($userId)
+	{
+		$this->whereClause .= ' AND user = ?';
+		$this->parameterList[] = $userId;
 
-        return $this;
-    }
+		return $this;
+	}
 
-    /**
-     * Filters the results by log action
-     *
-     * @param string $action
-     *
-     * @return $this
-     */
-    public function byAction($action)
-    {
-        $this->whereClause .= ' AND action = ?';
-        $this->parameterList[] = $action;
+	/**
+	 * Filters the results by log action
+	 *
+	 * @param string $action
+	 *
+	 * @return $this
+	 */
+	public function byAction($action)
+	{
+		$this->whereClause .= ' AND action = ?';
+		$this->parameterList[] = $action;
 
-        return $this;
-    }
+		return $this;
+	}
 
-    /**
-     * Filters the results by object type
-     *
-     * @param string $objectType
-     *
-     * @return $this
-     */
-    public function byObjectType($objectType)
-    {
-        $this->whereClause .= ' AND objecttype = ?';
-        $this->parameterList[] = $objectType;
+	/**
+	 * Filters the results by object type
+	 *
+	 * @param string $objectType
+	 *
+	 * @return $this
+	 */
+	public function byObjectType($objectType)
+	{
+		$this->whereClause .= ' AND objecttype = ?';
+		$this->parameterList[] = $objectType;
 
-        return $this;
-    }
+		return $this;
+	}
 
-    /**
-     * Filters the results by object type
-     *
-     * @param integer $objectId
-     *
-     * @return $this
-     */
-    public function byObjectId($objectId)
-    {
-        $this->whereClause .= ' AND objectid = ?';
-        $this->parameterList[] = $objectId;
+	/**
+	 * Filters the results by object type
+	 *
+	 * @param integer $objectId
+	 *
+	 * @return $this
+	 */
+	public function byObjectId($objectId)
+	{
+		$this->whereClause .= ' AND objectid = ?';
+		$this->parameterList[] = $objectId;
 
-        return $this;
-    }
+		return $this;
+	}
 }
\ No newline at end of file

includes/Tasks/PageBase.php

Spacing +6 added lines, -6 removed lines

@@ -219,7 +219,7 @@ 
             $targetScriptName = $currentScriptName;
         }
         else {
-            $targetScriptName = $this->getSiteConfiguration()->getBaseUrl() . '/' . $script;
+            $targetScriptName = $this->getSiteConfiguration()->getBaseUrl().'/'.$script;
         }
 
         $pathInfo = array($targetScriptName);
@@ -233,7 +233,7 @@ 
         $url = implode('/', $pathInfo);
 
         if (is_array($parameters) && count($parameters) > 0) {
-            $url .= '?' . http_build_query($parameters);
+            $url .= '?'.http_build_query($parameters);
         }
 
         $this->redirectUrl($url);
@@ -278,7 +278,7 @@ 
      * @param string $path The path (relative to the application root) of the file
      */
     final protected function addCss($path) {
-        if(in_array($path, $this->extraCss)){
+        if (in_array($path, $this->extraCss)) {
             // nothing to do
             return;
         }
@@ -291,8 +291,8 @@ 
      *
      * @param string $path The path (relative to the application root) of the file
      */
-    final protected function addJs($path){
-        if(in_array($path, $this->extraJs)){
+    final protected function addJs($path) {
+        if (in_array($path, $this->extraJs)) {
             // nothing to do
             return;
         }
@@ -345,7 +345,7 @@ 
     protected function sendResponseHeaders()
     {
         if (headers_sent()) {
-            throw new ApplicationLogicException          ('Headers have already been sent! This is likely a bug in the application.');
+            throw new ApplicationLogicException('Headers have already been sent! This is likely a bug in the application.');
         }
 
         foreach ($this->headerQueue as $item) {

Braces +6 added lines, -4 removed lines

@@ -277,8 +277,9 @@ 
      *
      * @param string $path The path (relative to the application root) of the file
      */
-    final protected function addCss($path) {
-        if(in_array($path, $this->extraCss)){
+    final protected function addCss($path)
+    {
+        if(in_array($path, $this->extraCss)) {
             // nothing to do
             return;
         }
@@ -291,8 +292,9 @@ 
      *
      * @param string $path The path (relative to the application root) of the file
      */
-    final protected function addJs($path){
-        if(in_array($path, $this->extraJs)){
+    final protected function addJs($path)
+    {
+        if(in_array($path, $this->extraJs)) {
             // nothing to do
             return;
         }

Indentation +349 added lines, -349 removed lines

@@ -21,353 +21,353 @@
 
 abstract class PageBase extends TaskBase implements IRoutedTask
 {
-    use TemplateOutput;
-    /** @var string Smarty template to display */
-    protected $template = "base.tpl";
-    /** @var string HTML title. Currently unused. */
-    protected $htmlTitle;
-    /** @var bool Determines if the page is a redirect or not */
-    protected $isRedirecting = false;
-    /** @var array Queue of headers to be sent on successful completion */
-    protected $headerQueue = array();
-    /** @var string The name of the route to use, as determined by the request router. */
-    private $routeName = null;
-    /** @var TokenManager */
-    protected $tokenManager;
-    /** @var string[] Extra CSS files to include */
-    private $extraCss = array();
-    /** @var string[] Extra JS files to include */
-    private $extraJs = array();
-
-    /**
-     * Sets the route the request will take. Only should be called from the request router or barrier test.
-     *
-     * @param string $routeName        The name of the route
-     * @param bool   $skipCallableTest Don't use this unless you know what you're doing, and what the implications are.
-     *
-     * @throws Exception
-     * @category Security-Critical
-     */
-    final public function setRoute($routeName, $skipCallableTest = false)
-    {
-        // Test the new route is callable before adopting it.
-        if (!$skipCallableTest && !is_callable(array($this, $routeName))) {
-            throw new Exception("Proposed route '$routeName' is not callable.");
-        }
-
-        // Adopt the new route
-        $this->routeName = $routeName;
-    }
-
-    /**
-     * Gets the name of the route that has been passed from the request router.
-     * @return string
-     */
-    final public function getRouteName()
-    {
-        return $this->routeName;
-    }
-
-    /**
-     * Performs generic page setup actions
-     */
-    final protected function setupPage()
-    {
-        $this->setUpSmarty();
-
-        $siteNoticeText = SiteNotice::get($this->getDatabase());
-
-        $this->assign('siteNoticeText', $siteNoticeText);
-
-        $currentUser = User::getCurrent($this->getDatabase());
-        $this->assign('currentUser', $currentUser);
-        $this->assign('loggedIn', (!$currentUser->isCommunityUser()));
-    }
-
-    /**
-     * Runs the page logic as routed by the RequestRouter
-     *
-     * Only should be called after a security barrier! That means only from execute().
-     */
-    final protected function runPage()
-    {
-        $database = $this->getDatabase();
-
-        // initialise a database transaction
-        if (!$database->beginTransaction()) {
-            throw new Exception('Failed to start transaction on primary database.');
-        }
-
-        try {
-            // run the page code
-            $this->{$this->getRouteName()}();
-
-            $database->commit();
-        }
-        catch (ApplicationLogicException $ex) {
-            // it's an application logic exception, so nothing went seriously wrong with the site. We can use the
-            // standard templating system for this.
-
-            // Firstly, let's undo anything that happened to the database.
-            $database->rollBack();
-
-            // Reset smarty
-            $this->setUpSmarty();
-
-            // Set the template
-            $this->setTemplate('exception/application-logic.tpl');
-            $this->assign('message', $ex->getMessage());
-
-            // Force this back to false
-            $this->isRedirecting = false;
-            $this->headerQueue = array();
-        }
-        catch (OptimisticLockFailedException $ex) {
-            // it's an optimistic lock failure exception, so nothing went seriously wrong with the site. We can use the
-            // standard templating system for this.
-
-            // Firstly, let's undo anything that happened to the database.
-            $database->rollBack();
-
-            // Reset smarty
-            $this->setUpSmarty();
-
-            // Set the template
-            $this->setTemplate('exception/optimistic-lock-failure.tpl');
-            $this->assign('message', $ex->getMessage());
-
-            $this->assign('debugTrace', false);
-
-            if ($this->getSiteConfiguration()->getDebuggingTraceEnabled()) {
-                ob_start();
-                var_dump(ExceptionHandler::getExceptionData($ex));
-                $textErrorData = ob_get_contents();
-                ob_end_clean();
-
-                $this->assign('exceptionData', $textErrorData);
-                $this->assign('debugTrace', true);
-            }
-
-            // Force this back to false
-            $this->isRedirecting = false;
-            $this->headerQueue = array();
-        }
-        finally {
-            // Catch any hanging on transactions
-            if ($database->hasActiveTransaction()) {
-                $database->rollBack();
-            }
-        }
-
-        // run any finalisation code needed before we send the output to the browser.
-        $this->finalisePage();
-
-        // Send the headers
-        $this->sendResponseHeaders();
-
-        // Check we have a template to use!
-        if ($this->template !== null) {
-            $content = $this->fetchTemplate($this->template);
-            ob_clean();
-            print($content);
-            ob_flush();
-
-            return;
-        }
-    }
-
-    /**
-     * Performs final tasks needed before rendering the page.
-     */
-    protected function finalisePage()
-    {
-        if ($this->isRedirecting) {
-            $this->template = null;
-
-            return;
-        }
-
-        $this->assign('extraCss', $this->extraCss);
-        $this->assign('extraJs', $this->extraJs);
-
-        // If we're actually displaying content, we want to add the session alerts here!
-        $this->assign('alerts', SessionAlert::getAlerts());
-        SessionAlert::clearAlerts();
-
-        $this->assign('htmlTitle', $this->htmlTitle);
-    }
-
-    /**
-     * @return TokenManager
-     */
-    public function getTokenManager()
-    {
-        return $this->tokenManager;
-    }
-
-    /**
-     * @param TokenManager $tokenManager
-     */
-    public function setTokenManager($tokenManager)
-    {
-        $this->tokenManager = $tokenManager;
-    }
-
-    /**
-     * Sends the redirect headers to perform a GET at the destination page.
-     *
-     * Also nullifies the set template so Smarty does not render it.
-     *
-     * @param string      $page   The page to redirect requests to (as used in the UR)
-     * @param null|string $action The action to use on the page.
-     * @param null|array  $parameters
-     * @param null|string $script The script (relative to index.php) to redirect to
-     */
-    final protected function redirect($page = '', $action = null, $parameters = null, $script = null)
-    {
-        $currentScriptName = WebRequest::scriptName();
-
-        // Are we changing script?
-        if ($script === null || substr($currentScriptName, -1 * count($script)) === $script) {
-            $targetScriptName = $currentScriptName;
-        }
-        else {
-            $targetScriptName = $this->getSiteConfiguration()->getBaseUrl() . '/' . $script;
-        }
-
-        $pathInfo = array($targetScriptName);
-
-        $pathInfo[1] = $page;
-
-        if ($action !== null) {
-            $pathInfo[2] = $action;
-        }
-
-        $url = implode('/', $pathInfo);
-
-        if (is_array($parameters) && count($parameters) > 0) {
-            $url .= '?' . http_build_query($parameters);
-        }
-
-        $this->redirectUrl($url);
-    }
-
-    /**
-     * Sends the redirect headers to perform a GET at the new address.
-     *
-     * Also nullifies the set template so Smarty does not render it.
-     *
-     * @param string $path URL to redirect to
-     */
-    final protected function redirectUrl($path)
-    {
-        // 303 See Other = re-request at new address with a GET.
-        $this->headerQueue[] = 'HTTP/1.1 303 See Other';
-        $this->headerQueue[] = "Location: $path";
-
-        $this->setTemplate(null);
-        $this->isRedirecting = true;
-    }
-
-    /**
-     * Sets the name of the template this page should display.
-     *
-     * @param string $name
-     *
-     * @throws Exception
-     */
-    final protected function setTemplate($name)
-    {
-        if ($this->isRedirecting) {
-            throw new Exception('This page has been set as a redirect, no template can be displayed!');
-        }
-
-        $this->template = $name;
-    }
-
-    /**
-     * Adds an extra CSS file to to the page
-     *
-     * @param string $path The path (relative to the application root) of the file
-     */
-    final protected function addCss($path) {
-        if(in_array($path, $this->extraCss)){
-            // nothing to do
-            return;
-        }
-
-        $this->extraCss[] = $path;
-    }
-
-    /**
-     * Adds an extra JS file to to the page
-     *
-     * @param string $path The path (relative to the application root) of the file
-     */
-    final protected function addJs($path){
-        if(in_array($path, $this->extraJs)){
-            // nothing to do
-            return;
-        }
-
-        $this->extraJs[] = $path;
-    }
-
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    abstract protected function main();
-
-    /**
-     * @param string $title
-     */
-    final protected function setHtmlTitle($title)
-    {
-        $this->htmlTitle = $title;
-    }
-
-    public function execute()
-    {
-        if ($this->getRouteName() === null) {
-            throw new Exception('Request is unrouted.');
-        }
-
-        if ($this->getSiteConfiguration() === null) {
-            throw new Exception('Page has no configuration!');
-        }
-
-        $this->setupPage();
-
-        $this->runPage();
-    }
-
-    public function assignCSRFToken()
-    {
-        $token = $this->tokenManager->getNewToken();
-        $this->assign('csrfTokenData', $token->getTokenData());
-    }
-
-    public function validateCSRFToken()
-    {
-        if (!$this->tokenManager->validateToken(WebRequest::postString('csrfTokenData'))) {
-            throw new ApplicationLogicException('Form token is not valid, please reload and try again');
-        }
-    }
-
-    protected function sendResponseHeaders()
-    {
-        if (headers_sent()) {
-            throw new ApplicationLogicException          ('Headers have already been sent! This is likely a bug in the application.');
-        }
-
-        foreach ($this->headerQueue as $item) {
-            if (mb_strpos($item, "\r") !== false || mb_strpos($item, "\n") !== false) {
-                // Oops. We're not allowed to do this.
-                throw new Exception('Unable to split header');
-            }
-
-            header($item);
-        }
-    }
+	use TemplateOutput;
+	/** @var string Smarty template to display */
+	protected $template = "base.tpl";
+	/** @var string HTML title. Currently unused. */
+	protected $htmlTitle;
+	/** @var bool Determines if the page is a redirect or not */
+	protected $isRedirecting = false;
+	/** @var array Queue of headers to be sent on successful completion */
+	protected $headerQueue = array();
+	/** @var string The name of the route to use, as determined by the request router. */
+	private $routeName = null;
+	/** @var TokenManager */
+	protected $tokenManager;
+	/** @var string[] Extra CSS files to include */
+	private $extraCss = array();
+	/** @var string[] Extra JS files to include */
+	private $extraJs = array();
+
+	/**
+	 * Sets the route the request will take. Only should be called from the request router or barrier test.
+	 *
+	 * @param string $routeName        The name of the route
+	 * @param bool   $skipCallableTest Don't use this unless you know what you're doing, and what the implications are.
+	 *
+	 * @throws Exception
+	 * @category Security-Critical
+	 */
+	final public function setRoute($routeName, $skipCallableTest = false)
+	{
+		// Test the new route is callable before adopting it.
+		if (!$skipCallableTest && !is_callable(array($this, $routeName))) {
+			throw new Exception("Proposed route '$routeName' is not callable.");
+		}
+
+		// Adopt the new route
+		$this->routeName = $routeName;
+	}
+
+	/**
+	 * Gets the name of the route that has been passed from the request router.
+	 * @return string
+	 */
+	final public function getRouteName()
+	{
+		return $this->routeName;
+	}
+
+	/**
+	 * Performs generic page setup actions
+	 */
+	final protected function setupPage()
+	{
+		$this->setUpSmarty();
+
+		$siteNoticeText = SiteNotice::get($this->getDatabase());
+
+		$this->assign('siteNoticeText', $siteNoticeText);
+
+		$currentUser = User::getCurrent($this->getDatabase());
+		$this->assign('currentUser', $currentUser);
+		$this->assign('loggedIn', (!$currentUser->isCommunityUser()));
+	}
+
+	/**
+	 * Runs the page logic as routed by the RequestRouter
+	 *
+	 * Only should be called after a security barrier! That means only from execute().
+	 */
+	final protected function runPage()
+	{
+		$database = $this->getDatabase();
+
+		// initialise a database transaction
+		if (!$database->beginTransaction()) {
+			throw new Exception('Failed to start transaction on primary database.');
+		}
+
+		try {
+			// run the page code
+			$this->{$this->getRouteName()}();
+
+			$database->commit();
+		}
+		catch (ApplicationLogicException $ex) {
+			// it's an application logic exception, so nothing went seriously wrong with the site. We can use the
+			// standard templating system for this.
+
+			// Firstly, let's undo anything that happened to the database.
+			$database->rollBack();
+
+			// Reset smarty
+			$this->setUpSmarty();
+
+			// Set the template
+			$this->setTemplate('exception/application-logic.tpl');
+			$this->assign('message', $ex->getMessage());
+
+			// Force this back to false
+			$this->isRedirecting = false;
+			$this->headerQueue = array();
+		}
+		catch (OptimisticLockFailedException $ex) {
+			// it's an optimistic lock failure exception, so nothing went seriously wrong with the site. We can use the
+			// standard templating system for this.
+
+			// Firstly, let's undo anything that happened to the database.
+			$database->rollBack();
+
+			// Reset smarty
+			$this->setUpSmarty();
+
+			// Set the template
+			$this->setTemplate('exception/optimistic-lock-failure.tpl');
+			$this->assign('message', $ex->getMessage());
+
+			$this->assign('debugTrace', false);
+
+			if ($this->getSiteConfiguration()->getDebuggingTraceEnabled()) {
+				ob_start();
+				var_dump(ExceptionHandler::getExceptionData($ex));
+				$textErrorData = ob_get_contents();
+				ob_end_clean();
+
+				$this->assign('exceptionData', $textErrorData);
+				$this->assign('debugTrace', true);
+			}
+
+			// Force this back to false
+			$this->isRedirecting = false;
+			$this->headerQueue = array();
+		}
+		finally {
+			// Catch any hanging on transactions
+			if ($database->hasActiveTransaction()) {
+				$database->rollBack();
+			}
+		}
+
+		// run any finalisation code needed before we send the output to the browser.
+		$this->finalisePage();
+
+		// Send the headers
+		$this->sendResponseHeaders();
+
+		// Check we have a template to use!
+		if ($this->template !== null) {
+			$content = $this->fetchTemplate($this->template);
+			ob_clean();
+			print($content);
+			ob_flush();
+
+			return;
+		}
+	}
+
+	/**
+	 * Performs final tasks needed before rendering the page.
+	 */
+	protected function finalisePage()
+	{
+		if ($this->isRedirecting) {
+			$this->template = null;
+
+			return;
+		}
+
+		$this->assign('extraCss', $this->extraCss);
+		$this->assign('extraJs', $this->extraJs);
+
+		// If we're actually displaying content, we want to add the session alerts here!
+		$this->assign('alerts', SessionAlert::getAlerts());
+		SessionAlert::clearAlerts();
+
+		$this->assign('htmlTitle', $this->htmlTitle);
+	}
+
+	/**
+	 * @return TokenManager
+	 */
+	public function getTokenManager()
+	{
+		return $this->tokenManager;
+	}
+
+	/**
+	 * @param TokenManager $tokenManager
+	 */
+	public function setTokenManager($tokenManager)
+	{
+		$this->tokenManager = $tokenManager;
+	}
+
+	/**
+	 * Sends the redirect headers to perform a GET at the destination page.
+	 *
+	 * Also nullifies the set template so Smarty does not render it.
+	 *
+	 * @param string      $page   The page to redirect requests to (as used in the UR)
+	 * @param null|string $action The action to use on the page.
+	 * @param null|array  $parameters
+	 * @param null|string $script The script (relative to index.php) to redirect to
+	 */
+	final protected function redirect($page = '', $action = null, $parameters = null, $script = null)
+	{
+		$currentScriptName = WebRequest::scriptName();
+
+		// Are we changing script?
+		if ($script === null || substr($currentScriptName, -1 * count($script)) === $script) {
+			$targetScriptName = $currentScriptName;
+		}
+		else {
+			$targetScriptName = $this->getSiteConfiguration()->getBaseUrl() . '/' . $script;
+		}
+
+		$pathInfo = array($targetScriptName);
+
+		$pathInfo[1] = $page;
+
+		if ($action !== null) {
+			$pathInfo[2] = $action;
+		}
+
+		$url = implode('/', $pathInfo);
+
+		if (is_array($parameters) && count($parameters) > 0) {
+			$url .= '?' . http_build_query($parameters);
+		}
+
+		$this->redirectUrl($url);
+	}
+
+	/**
+	 * Sends the redirect headers to perform a GET at the new address.
+	 *
+	 * Also nullifies the set template so Smarty does not render it.
+	 *
+	 * @param string $path URL to redirect to
+	 */
+	final protected function redirectUrl($path)
+	{
+		// 303 See Other = re-request at new address with a GET.
+		$this->headerQueue[] = 'HTTP/1.1 303 See Other';
+		$this->headerQueue[] = "Location: $path";
+
+		$this->setTemplate(null);
+		$this->isRedirecting = true;
+	}
+
+	/**
+	 * Sets the name of the template this page should display.
+	 *
+	 * @param string $name
+	 *
+	 * @throws Exception
+	 */
+	final protected function setTemplate($name)
+	{
+		if ($this->isRedirecting) {
+			throw new Exception('This page has been set as a redirect, no template can be displayed!');
+		}
+
+		$this->template = $name;
+	}
+
+	/**
+	 * Adds an extra CSS file to to the page
+	 *
+	 * @param string $path The path (relative to the application root) of the file
+	 */
+	final protected function addCss($path) {
+		if(in_array($path, $this->extraCss)){
+			// nothing to do
+			return;
+		}
+
+		$this->extraCss[] = $path;
+	}
+
+	/**
+	 * Adds an extra JS file to to the page
+	 *
+	 * @param string $path The path (relative to the application root) of the file
+	 */
+	final protected function addJs($path){
+		if(in_array($path, $this->extraJs)){
+			// nothing to do
+			return;
+		}
+
+		$this->extraJs[] = $path;
+	}
+
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	abstract protected function main();
+
+	/**
+	 * @param string $title
+	 */
+	final protected function setHtmlTitle($title)
+	{
+		$this->htmlTitle = $title;
+	}
+
+	public function execute()
+	{
+		if ($this->getRouteName() === null) {
+			throw new Exception('Request is unrouted.');
+		}
+
+		if ($this->getSiteConfiguration() === null) {
+			throw new Exception('Page has no configuration!');
+		}
+
+		$this->setupPage();
+
+		$this->runPage();
+	}
+
+	public function assignCSRFToken()
+	{
+		$token = $this->tokenManager->getNewToken();
+		$this->assign('csrfTokenData', $token->getTokenData());
+	}
+
+	public function validateCSRFToken()
+	{
+		if (!$this->tokenManager->validateToken(WebRequest::postString('csrfTokenData'))) {
+			throw new ApplicationLogicException('Form token is not valid, please reload and try again');
+		}
+	}
+
+	protected function sendResponseHeaders()
+	{
+		if (headers_sent()) {
+			throw new ApplicationLogicException          ('Headers have already been sent! This is likely a bug in the application.');
+		}
+
+		foreach ($this->headerQueue as $item) {
+			if (mb_strpos($item, "\r") !== false || mb_strpos($item, "\n") !== false) {
+				// Oops. We're not allowed to do this.
+				throw new Exception('Unable to split header');
+			}
+
+			header($item);
+		}
+	}
 }

includes/IdentificationVerifier.php

Indentation +157 added lines, -157 removed lines

@@ -26,131 +26,131 @@ 
  */
 class IdentificationVerifier
 {
-    /**
-     * This field is an array of parameters, in key => value format, that should be appended to the Meta Wikimedia
-     * Web Service Endpoint URL to query if a user is listed on the Identification Noticeboard.  Note that URL encoding
-     * of these values is *not* necessary; this is done automatically.
-     *
-     * @var string[]
-     * @category Security-Critical
-     */
-    private static $apiQueryParameters = array(
-        'action'   => 'query',
-        'format'   => 'json',
-        'prop'     => 'links',
-        'titles'   => 'Access to nonpublic information policy/Noticeboard',
-        // Username of the user to be checked, with User: prefix, goes here!  Set in isIdentifiedOnWiki()
-        'pltitles' => '',
-    );
-    /** @var HttpHelper */
-    private $httpHelper;
-    /** @var SiteConfiguration */
-    private $siteConfiguration;
-    /** @var PdoDatabase */
-    private $dbObject;
-
-    /**
-     * IdentificationVerifier constructor.
-     *
-     * @param HttpHelper        $httpHelper
-     * @param SiteConfiguration $siteConfiguration
-     * @param PdoDatabase       $dbObject
-     */
-    public function __construct(HttpHelper $httpHelper, SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
-    {
-        $this->httpHelper = $httpHelper;
-        $this->siteConfiguration = $siteConfiguration;
-        $this->dbObject = $dbObject;
-    }
-
-    /**
-     * Checks if the given user is identified to the Wikimedia Foundation.
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return bool
-     * @category Security-Critical
-     */
-    public function isUserIdentified($onWikiName)
-    {
-        if ($this->checkIdentificationCache($onWikiName)) {
-            return true;
-        }
-        else {
-            if ($this->isIdentifiedOnWiki($onWikiName)) {
-                $this->cacheIdentificationStatus($onWikiName);
-
-                return true;
-            }
-            else {
-                return false;
-            }
-        }
-    }
-
-    /**
-     * Checks if the given user has a valid entry in the idcache table.
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return bool
-     * @category Security-Critical
-     */
-    private function checkIdentificationCache($onWikiName)
-    {
-        $interval = $this->siteConfiguration->getIdentificationCacheExpiry();
-
-        $query = <<<SQL
+	/**
+	 * This field is an array of parameters, in key => value format, that should be appended to the Meta Wikimedia
+	 * Web Service Endpoint URL to query if a user is listed on the Identification Noticeboard.  Note that URL encoding
+	 * of these values is *not* necessary; this is done automatically.
+	 *
+	 * @var string[]
+	 * @category Security-Critical
+	 */
+	private static $apiQueryParameters = array(
+		'action'   => 'query',
+		'format'   => 'json',
+		'prop'     => 'links',
+		'titles'   => 'Access to nonpublic information policy/Noticeboard',
+		// Username of the user to be checked, with User: prefix, goes here!  Set in isIdentifiedOnWiki()
+		'pltitles' => '',
+	);
+	/** @var HttpHelper */
+	private $httpHelper;
+	/** @var SiteConfiguration */
+	private $siteConfiguration;
+	/** @var PdoDatabase */
+	private $dbObject;
+
+	/**
+	 * IdentificationVerifier constructor.
+	 *
+	 * @param HttpHelper        $httpHelper
+	 * @param SiteConfiguration $siteConfiguration
+	 * @param PdoDatabase       $dbObject
+	 */
+	public function __construct(HttpHelper $httpHelper, SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
+	{
+		$this->httpHelper = $httpHelper;
+		$this->siteConfiguration = $siteConfiguration;
+		$this->dbObject = $dbObject;
+	}
+
+	/**
+	 * Checks if the given user is identified to the Wikimedia Foundation.
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 */
+	public function isUserIdentified($onWikiName)
+	{
+		if ($this->checkIdentificationCache($onWikiName)) {
+			return true;
+		}
+		else {
+			if ($this->isIdentifiedOnWiki($onWikiName)) {
+				$this->cacheIdentificationStatus($onWikiName);
+
+				return true;
+			}
+			else {
+				return false;
+			}
+		}
+	}
+
+	/**
+	 * Checks if the given user has a valid entry in the idcache table.
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 */
+	private function checkIdentificationCache($onWikiName)
+	{
+		$interval = $this->siteConfiguration->getIdentificationCacheExpiry();
+
+		$query = <<<SQL
 			SELECT COUNT(`id`)
 			FROM `idcache`
 			WHERE `onwikiusername` = :onwikiname
 				AND DATE_ADD(`checktime`, INTERVAL {$interval}) >= NOW();
 SQL;
-        $stmt = $this->dbObject->prepare($query);
-        $stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
-        $stmt->execute();
-
-        // Guaranteed by the query to only return a single row with a single column
-        $results = $stmt->fetch(PDO::FETCH_NUM);
-
-        // I don't expect this to ever be a value other than 0 or 1 since the `onwikiusername` column is declared as a
-        // unique key - but meh.
-        return $results[0] != 0;
-    }
-
-    /**
-     * Does pretty much exactly what it says on the label - this method will clear all expired idcache entries from the
-     * idcache table.  Meant to be called periodically by a maintenance script.
-     *
-     * @param SiteConfiguration $siteConfiguration
-     * @param PdoDatabase       $dbObject
-     *
-     * @return void
-     */
-    public static function clearExpiredCacheEntries(SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
-    {
-        $interval = $siteConfiguration->getIdentificationCacheExpiry();
-
-        $query = <<<SQL
+		$stmt = $this->dbObject->prepare($query);
+		$stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
+		$stmt->execute();
+
+		// Guaranteed by the query to only return a single row with a single column
+		$results = $stmt->fetch(PDO::FETCH_NUM);
+
+		// I don't expect this to ever be a value other than 0 or 1 since the `onwikiusername` column is declared as a
+		// unique key - but meh.
+		return $results[0] != 0;
+	}
+
+	/**
+	 * Does pretty much exactly what it says on the label - this method will clear all expired idcache entries from the
+	 * idcache table.  Meant to be called periodically by a maintenance script.
+	 *
+	 * @param SiteConfiguration $siteConfiguration
+	 * @param PdoDatabase       $dbObject
+	 *
+	 * @return void
+	 */
+	public static function clearExpiredCacheEntries(SiteConfiguration $siteConfiguration, PdoDatabase $dbObject)
+	{
+		$interval = $siteConfiguration->getIdentificationCacheExpiry();
+
+		$query = <<<SQL
 			DELETE FROM `idcache`
 			WHERE DATE_ADD(`checktime`, INTERVAL {$interval}) < NOW();
 SQL;
-        $dbObject->prepare($query)->execute();
-    }
-
-    /**
-     * This method will add an entry to the idcache that the given Wikipedia user has been verified as identified.  This
-     * is so we don't have to hit the API every single time we check.  The cache entry is valid for as long as specified
-     * in the ACC configuration (validity enforced by checkIdentificationCache() and clearExpiredCacheEntries()).
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return void
-     * @category Security-Critical
-     */
-    private function cacheIdentificationStatus($onWikiName)
-    {
-        $query = <<<SQL
+		$dbObject->prepare($query)->execute();
+	}
+
+	/**
+	 * This method will add an entry to the idcache that the given Wikipedia user has been verified as identified.  This
+	 * is so we don't have to hit the API every single time we check.  The cache entry is valid for as long as specified
+	 * in the ACC configuration (validity enforced by checkIdentificationCache() and clearExpiredCacheEntries()).
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return void
+	 * @category Security-Critical
+	 */
+	private function cacheIdentificationStatus($onWikiName)
+	{
+		$query = <<<SQL
 			INSERT INTO `idcache`
 				(`onwikiusername`)
 			VALUES
@@ -159,44 +159,44 @@ 
 				`onwikiusername` = VALUES(`onwikiusername`),
 				`checktime` = CURRENT_TIMESTAMP;
 SQL;
-        $stmt = $this->dbObject->prepare($query);
-        $stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
-        $stmt->execute();
-    }
-
-    /**
-     * Queries the Wikimedia API to determine if the specified user is listed on the identification noticeboard.
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return bool
-     * @throws EnvironmentException
-     * @category Security-Critical
-     */
-    private function isIdentifiedOnWiki($onWikiName)
-    {
-        $strings = new StringFunctions();
-
-        // First character of Wikipedia usernames is always capitalized.
-        $onWikiName = $strings->ucfirst($onWikiName);
-
-        $parameters = self::$apiQueryParameters;
-        $parameters['pltitles'] = "User:" . $onWikiName;
-
-        try {
-            $endpoint = $this->siteConfiguration->getMetaWikimediaWebServiceEndpoint();
-            $response = $this->httpHelper->get($endpoint, $parameters);
-            $response = json_decode($response, true);
-        } catch (CurlException $ex) {
-            // failed getting identification status, so throw a nicer error.
-            $m = 'Could not contact metawiki API to determine user\' identification status. '
-                . 'This is probably a transient error, so please try again.';
-
-            throw new EnvironmentException($m, 0, $ex);
-        }
-
-        $page = @array_pop($response['query']['pages']);
-
-        return @$page['links'][0]['title'] === "User:" . $onWikiName;
-    }
+		$stmt = $this->dbObject->prepare($query);
+		$stmt->bindValue(':onwikiname', $onWikiName, PDO::PARAM_STR);
+		$stmt->execute();
+	}
+
+	/**
+	 * Queries the Wikimedia API to determine if the specified user is listed on the identification noticeboard.
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return bool
+	 * @throws EnvironmentException
+	 * @category Security-Critical
+	 */
+	private function isIdentifiedOnWiki($onWikiName)
+	{
+		$strings = new StringFunctions();
+
+		// First character of Wikipedia usernames is always capitalized.
+		$onWikiName = $strings->ucfirst($onWikiName);
+
+		$parameters = self::$apiQueryParameters;
+		$parameters['pltitles'] = "User:" . $onWikiName;
+
+		try {
+			$endpoint = $this->siteConfiguration->getMetaWikimediaWebServiceEndpoint();
+			$response = $this->httpHelper->get($endpoint, $parameters);
+			$response = json_decode($response, true);
+		} catch (CurlException $ex) {
+			// failed getting identification status, so throw a nicer error.
+			$m = 'Could not contact metawiki API to determine user\' identification status. '
+				. 'This is probably a transient error, so please try again.';
+
+			throw new EnvironmentException($m, 0, $ex);
+		}
+
+		$page = @array_pop($response['query']['pages']);
+
+		return @$page['links'][0]['title'] === "User:" . $onWikiName;
+	}
 }

Braces +2 added lines, -1 removed lines

@@ -187,7 +187,8 @@
             $endpoint = $this->siteConfiguration->getMetaWikimediaWebServiceEndpoint();
             $response = $this->httpHelper->get($endpoint, $parameters);
             $response = json_decode($response, true);
-        } catch (CurlException $ex) {
+        }
+        catch (CurlException $ex) {
             // failed getting identification status, so throw a nicer error.
             $m = 'Could not contact metawiki API to determine user\' identification status. '
                 . 'This is probably a transient error, so please try again.';

Spacing +2 added lines, -2 removed lines

@@ -181,7 +181,7 @@ 
         $onWikiName = $strings->ucfirst($onWikiName);
 
         $parameters = self::$apiQueryParameters;
-        $parameters['pltitles'] = "User:" . $onWikiName;
+        $parameters['pltitles'] = "User:".$onWikiName;
 
         try {
             $endpoint = $this->siteConfiguration->getMetaWikimediaWebServiceEndpoint();
@@ -197,6 +197,6 @@ 
 
         $page = @array_pop($response['query']['pages']);
 
-        return @$page['links'][0]['title'] === "User:" . $onWikiName;
+        return @$page['links'][0]['title'] === "User:".$onWikiName;
     }
 }

includes/Exceptions/AccessDeniedException.php

Unused Use Statements -2 removed lines

@@ -11,9 +11,7 @@
 use Waca\DataObjects\Log;
 use Waca\DataObjects\User;
 use Waca\Fragments\NavigationMenuAccessControl;
-use Waca\Helpers\HttpHelper;
 use Waca\Helpers\SearchHelpers\LogSearchHelper;
-use Waca\IdentificationVerifier;
 use Waca\PdoDatabase;
 use Waca\Security\SecurityManager;
 

Indentation +85 added lines, -85 removed lines

@@ -26,89 +26,89 @@
  */
 class AccessDeniedException extends ReadableException
 {
-    use NavigationMenuAccessControl;
-
-    /**
-     * @var SecurityManager
-     */
-    private $securityManager;
-
-    /**
-     * AccessDeniedException constructor.
-     *
-     * @param SecurityManager $securityManager
-     */
-    public function __construct(SecurityManager $securityManager = null)
-    {
-        $this->securityManager = $securityManager;
-    }
-
-    public function getReadableError()
-    {
-        if (!headers_sent()) {
-            header("HTTP/1.1 403 Forbidden");
-        }
-
-        $this->setUpSmarty();
-
-        // uck. We should still be able to access the database in this situation though.
-        $database = PdoDatabase::getDatabaseConnection('acc');
-        $currentUser = User::getCurrent($database);
-        $this->assign('currentUser', $currentUser);
-        $this->assign("loggedIn", (!$currentUser->isCommunityUser()));
-
-        if($this->securityManager !== null) {
-            $this->setupNavMenuAccess($currentUser);
-        }
-
-        if ($currentUser->isDeclined()) {
-            $this->assign('htmlTitle', 'Account Declined');
-            $this->assign('declineReason', $this->getLogEntry('Declined', $currentUser, $database));
-
-            return $this->fetchTemplate("exception/account-declined.tpl");
-        }
-
-        if ($currentUser->isSuspended()) {
-            $this->assign('htmlTitle', 'Account Suspended');
-            $this->assign('suspendReason', $this->getLogEntry('Suspended', $currentUser, $database));
-
-            return $this->fetchTemplate("exception/account-suspended.tpl");
-        }
-
-        if ($currentUser->isNewUser()) {
-            $this->assign('htmlTitle', 'Account Pending');
-
-            return $this->fetchTemplate("exception/account-new.tpl");
-        }
-
-        return $this->fetchTemplate("exception/access-denied.tpl");
-    }
-
-    /**
-     * @param string      $action
-     * @param User        $user
-     * @param PdoDatabase $database
-     *
-     * @return null|string
-     */
-    private function getLogEntry($action, User $user, PdoDatabase $database)
-    {
-        /** @var Log[] $logs */
-        $logs = LogSearchHelper::get($database)
-            ->byAction($action)
-            ->byObjectType('User')
-            ->byObjectId($user->getId())
-            ->limit(1)
-            ->fetch();
-
-        return $logs[0]->getComment();
-    }
-
-    /**
-     * @return SecurityManager
-     */
-    protected function getSecurityManager()
-    {
-        return $this->securityManager;
-    }
+	use NavigationMenuAccessControl;
+
+	/**
+	 * @var SecurityManager
+	 */
+	private $securityManager;
+
+	/**
+	 * AccessDeniedException constructor.
+	 *
+	 * @param SecurityManager $securityManager
+	 */
+	public function __construct(SecurityManager $securityManager = null)
+	{
+		$this->securityManager = $securityManager;
+	}
+
+	public function getReadableError()
+	{
+		if (!headers_sent()) {
+			header("HTTP/1.1 403 Forbidden");
+		}
+
+		$this->setUpSmarty();
+
+		// uck. We should still be able to access the database in this situation though.
+		$database = PdoDatabase::getDatabaseConnection('acc');
+		$currentUser = User::getCurrent($database);
+		$this->assign('currentUser', $currentUser);
+		$this->assign("loggedIn", (!$currentUser->isCommunityUser()));
+
+		if($this->securityManager !== null) {
+			$this->setupNavMenuAccess($currentUser);
+		}
+
+		if ($currentUser->isDeclined()) {
+			$this->assign('htmlTitle', 'Account Declined');
+			$this->assign('declineReason', $this->getLogEntry('Declined', $currentUser, $database));
+
+			return $this->fetchTemplate("exception/account-declined.tpl");
+		}
+
+		if ($currentUser->isSuspended()) {
+			$this->assign('htmlTitle', 'Account Suspended');
+			$this->assign('suspendReason', $this->getLogEntry('Suspended', $currentUser, $database));
+
+			return $this->fetchTemplate("exception/account-suspended.tpl");
+		}
+
+		if ($currentUser->isNewUser()) {
+			$this->assign('htmlTitle', 'Account Pending');
+
+			return $this->fetchTemplate("exception/account-new.tpl");
+		}
+
+		return $this->fetchTemplate("exception/access-denied.tpl");
+	}
+
+	/**
+	 * @param string      $action
+	 * @param User        $user
+	 * @param PdoDatabase $database
+	 *
+	 * @return null|string
+	 */
+	private function getLogEntry($action, User $user, PdoDatabase $database)
+	{
+		/** @var Log[] $logs */
+		$logs = LogSearchHelper::get($database)
+			->byAction($action)
+			->byObjectType('User')
+			->byObjectId($user->getId())
+			->limit(1)
+			->fetch();
+
+		return $logs[0]->getComment();
+	}
+
+	/**
+	 * @return SecurityManager
+	 */
+	protected function getSecurityManager()
+	{
+		return $this->securityManager;
+	}
 }
\ No newline at end of file

Spacing +1 added lines, -1 removed lines

@@ -57,7 +57,7 @@
         $this->assign('currentUser', $currentUser);
         $this->assign("loggedIn", (!$currentUser->isCommunityUser()));
 
-        if($this->securityManager !== null) {
+        if ($this->securityManager !== null) {
             $this->setupNavMenuAccess($currentUser);
         }
 

includes/Fragments/NavigationMenuAccessControl.php

Doc Comments +5 added lines, -1 removed lines

@@ -24,6 +24,10 @@ 
 
 trait NavigationMenuAccessControl
 {
+    /**
+     * @param string $name
+     * @param boolean $value
+     */
     protected abstract function assign($name, $value);
 
     /**
@@ -32,7 +36,7 @@ 
     protected abstract function getSecurityManager();
 
     /**
-     * @param $currentUser
+     * @param \Waca\DataObjects\User $currentUser
      */
     protected function setupNavMenuAccess($currentUser)
     {

Indentation +39 added lines, -39 removed lines

@@ -25,48 +25,48 @@
 
 trait NavigationMenuAccessControl
 {
-    protected abstract function assign($name, $value);
+	protected abstract function assign($name, $value);
 
-    /**
-     * @return SecurityManager
-     */
-    protected abstract function getSecurityManager();
+	/**
+	 * @return SecurityManager
+	 */
+	protected abstract function getSecurityManager();
 
-    /**
-     * @param $currentUser
-     */
-    protected function setupNavMenuAccess($currentUser)
-    {
-        $this->assign('nav__canRequests', $this->getSecurityManager()
-                ->allows(PageMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+	/**
+	 * @param $currentUser
+	 */
+	protected function setupNavMenuAccess($currentUser)
+	{
+		$this->assign('nav__canRequests', $this->getSecurityManager()
+				->allows(PageMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
 
-        $this->assign('nav__canLogs', $this->getSecurityManager()
-                ->allows(PageLog::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canUsers', $this->getSecurityManager()
-                ->allows(StatsUsers::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canSearch', $this->getSecurityManager()
-                ->allows(PageSearch::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canStats', $this->getSecurityManager()
-                ->allows(StatsMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canLogs', $this->getSecurityManager()
+				->allows(PageLog::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canUsers', $this->getSecurityManager()
+				->allows(StatsUsers::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canSearch', $this->getSecurityManager()
+				->allows(PageSearch::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canStats', $this->getSecurityManager()
+				->allows(StatsMain::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
 
-        $this->assign('nav__canBan', $this->getSecurityManager()
-                ->allows(PageBan::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canEmailMgmt', $this->getSecurityManager()
-                ->allows(PageEmailManagement::class, RoleConfiguration::MAIN,
-                    $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canWelcomeMgmt', $this->getSecurityManager()
-                ->allows(PageWelcomeTemplateManagement::class, RoleConfiguration::MAIN,
-                    $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canSiteNoticeMgmt', $this->getSecurityManager()
-                ->allows(PageSiteNotice::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canUserMgmt', $this->getSecurityManager()
-                ->allows(PageUserManagement::class, RoleConfiguration::MAIN,
-                    $currentUser) === SecurityManager::ALLOWED);
-        $this->assign('nav__canJobQueue', $this->getSecurityManager()
-                ->allows(PageJobQueue::class, RoleConfiguration::MAIN,
-                    $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canBan', $this->getSecurityManager()
+				->allows(PageBan::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canEmailMgmt', $this->getSecurityManager()
+				->allows(PageEmailManagement::class, RoleConfiguration::MAIN,
+					$currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canWelcomeMgmt', $this->getSecurityManager()
+				->allows(PageWelcomeTemplateManagement::class, RoleConfiguration::MAIN,
+					$currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canSiteNoticeMgmt', $this->getSecurityManager()
+				->allows(PageSiteNotice::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canUserMgmt', $this->getSecurityManager()
+				->allows(PageUserManagement::class, RoleConfiguration::MAIN,
+					$currentUser) === SecurityManager::ALLOWED);
+		$this->assign('nav__canJobQueue', $this->getSecurityManager()
+				->allows(PageJobQueue::class, RoleConfiguration::MAIN,
+					$currentUser) === SecurityManager::ALLOWED);
 
-        $this->assign('nav__canViewRequest', $this->getSecurityManager()
-                ->allows(PageViewRequest::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
-    }
+		$this->assign('nav__canViewRequest', $this->getSecurityManager()
+				->allows(PageViewRequest::class, RoleConfiguration::MAIN, $currentUser) === SecurityManager::ALLOWED);
+	}
 }
\ No newline at end of file

includes/Pages/Registration/PageRegisterBase.php

Doc Comments +8 added lines, -5 removed lines

@@ -44,6 +44,9 @@ 
         }
     }
 
+    /**
+     * @return string
+     */
     protected abstract function getRegistrationTemplate();
 
     protected function isProtectedPage()
@@ -70,12 +73,12 @@ 
     }
 
     /**
-     * @param $emailAddress
-     * @param $password
-     * @param $username
+     * @param null|string $emailAddress
+     * @param null|string $password
+     * @param null|string $username
      * @param $useOAuthSignup
-     * @param $confirmationId
-     * @param $onwikiUsername
+     * @param null|integer $confirmationId
+     * @param null|string $onwikiUsername
      *
      * @throws ApplicationLogicException
      */

Indentation +196 added lines, -196 removed lines

@@ -20,200 +20,200 @@
 
 abstract class PageRegisterBase extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     */
-    protected function main()
-    {
-        $useOAuthSignup = $this->getSiteConfiguration()->getUseOAuthSignup();
-
-        // Dual-mode page
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            try {
-                $this->handlePost($useOAuthSignup);
-            }
-            catch (ApplicationLogicException $ex) {
-                SessionAlert::error($ex->getMessage());
-                $this->redirect('register');
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->assign("useOAuthSignup", $useOAuthSignup);
-            $this->setTemplate($this->getRegistrationTemplate());
-        }
-    }
-
-    protected abstract function getRegistrationTemplate();
-
-    protected function isProtectedPage()
-    {
-        return false;
-    }
-
-    /**
-     * @param string $emailAddress
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateUniqueEmail($emailAddress)
-    {
-        $query = 'SELECT COUNT(id) FROM user WHERE email = :email';
-        $statement = $this->getDatabase()->prepare($query);
-        $statement->execute(array(':email' => $emailAddress));
-
-        if ($statement->fetchColumn() > 0) {
-            throw new ApplicationLogicException('That email address is already in use on this system.');
-        }
-
-        $statement->closeCursor();
-    }
-
-    /**
-     * @param $emailAddress
-     * @param $password
-     * @param $username
-     * @param $useOAuthSignup
-     * @param $confirmationId
-     * @param $onwikiUsername
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateRequest(
-        $emailAddress,
-        $password,
-        $username,
-        $useOAuthSignup,
-        $confirmationId,
-        $onwikiUsername
-    ) {
-        if (!WebRequest::postBoolean('guidelines')) {
-            throw new ApplicationLogicException('You must read the interface guidelines before your request may be submitted.');
-        }
-
-        $this->validateGeneralInformation($emailAddress, $password, $username);
-        $this->validateUniqueEmail($emailAddress);
-        $this->validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername);
-    }
-
-    /**
-     * @param $useOAuthSignup
-     * @param $confirmationId
-     * @param $onwikiUsername
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername)
-    {
-        if (!$useOAuthSignup) {
-            if ($confirmationId === null || $confirmationId <= 0) {
-                throw new ApplicationLogicException('Please enter the revision id of your confirmation edit.');
-            }
-
-            if ($onwikiUsername === null) {
-                throw new ApplicationLogicException('Please specify your on-wiki username.');
-            }
-        }
-    }
-
-    /**
-     * @param $emailAddress
-     * @param $password
-     * @param $username
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function validateGeneralInformation($emailAddress, $password, $username)
-    {
-        if ($emailAddress === null) {
-            throw new ApplicationLogicException('Your email address appears to be invalid!');
-        }
-
-        if ($password !== WebRequest::postString('pass2')) {
-            throw new ApplicationLogicException('Your passwords did not match, please try again.');
-        }
-
-        if (User::getByUsername($username, $this->getDatabase()) !== false) {
-            throw new ApplicationLogicException('That username is already in use on this system.');
-        }
-    }
-
-    /**
-     * @param $useOAuthSignup
-     *
-     * @throws ApplicationLogicException
-     * @throws \Exception
-     */
-    protected function handlePost($useOAuthSignup)
-    {
-        // Get the data
-        $emailAddress = WebRequest::postEmail('email');
-        $password = WebRequest::postString('pass');
-        $username = WebRequest::postString('name');
-
-        // Only set if OAuth is disabled
-        $confirmationId = WebRequest::postInt('conf_revid');
-        $onwikiUsername = WebRequest::postString('wname');
-
-        // Do some validation
-        $this->validateRequest($emailAddress, $password, $username, $useOAuthSignup, $confirmationId,
-            $onwikiUsername);
-
-        $database = $this->getDatabase();
-
-        $user = new User();
-        $user->setDatabase($database);
-
-        $user->setUsername($username);
-        $user->setEmail($emailAddress);
-
-        if (!$useOAuthSignup) {
-            $user->setOnWikiName($onwikiUsername);
-            $user->setConfirmationDiff($confirmationId);
-        }
-
-        $user->save();
-
-        $passwordCredentialProvider = new PasswordCredentialProvider($database, $this->getSiteConfiguration());
-        $passwordCredentialProvider->setCredential($user, 1, $password);
-
-        $defaultRole = $this->getDefaultRole();
-
-        $role = new UserRole();
-        $role->setDatabase($database);
-        $role->setUser($user->getId());
-        $role->setRole($defaultRole);
-        $role->save();
-
-        // Log now to get the signup date.
-        Logger::newUser($database, $user);
-        Logger::userRolesEdited($database, $user, 'Registration', array($defaultRole), array());
-
-        if ($useOAuthSignup) {
-            $oauthProtocolHelper = $this->getOAuthProtocolHelper();
-            $oauth = new OAuthUserHelper($user, $database, $oauthProtocolHelper, $this->getSiteConfiguration());
-
-            $authoriseUrl = $oauth->getRequestToken();
-            WebRequest::setOAuthPartialLogin($user);
-            $this->redirectUrl($authoriseUrl);
-        }
-        else {
-            // only notify if we're not using the oauth signup.
-            $this->getNotificationHelper()->userNew($user);
-            WebRequest::setLoggedInUser($user);
-            $this->redirect('preferences');
-        }
-    }
-
-    protected abstract function getDefaultRole();
-
-    /**
-     * Entry point for registration complete
-     */
-    protected function done()
-    {
-        $this->setTemplate('registration/alert-registrationcomplete.tpl');
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 */
+	protected function main()
+	{
+		$useOAuthSignup = $this->getSiteConfiguration()->getUseOAuthSignup();
+
+		// Dual-mode page
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			try {
+				$this->handlePost($useOAuthSignup);
+			}
+			catch (ApplicationLogicException $ex) {
+				SessionAlert::error($ex->getMessage());
+				$this->redirect('register');
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->assign("useOAuthSignup", $useOAuthSignup);
+			$this->setTemplate($this->getRegistrationTemplate());
+		}
+	}
+
+	protected abstract function getRegistrationTemplate();
+
+	protected function isProtectedPage()
+	{
+		return false;
+	}
+
+	/**
+	 * @param string $emailAddress
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateUniqueEmail($emailAddress)
+	{
+		$query = 'SELECT COUNT(id) FROM user WHERE email = :email';
+		$statement = $this->getDatabase()->prepare($query);
+		$statement->execute(array(':email' => $emailAddress));
+
+		if ($statement->fetchColumn() > 0) {
+			throw new ApplicationLogicException('That email address is already in use on this system.');
+		}
+
+		$statement->closeCursor();
+	}
+
+	/**
+	 * @param $emailAddress
+	 * @param $password
+	 * @param $username
+	 * @param $useOAuthSignup
+	 * @param $confirmationId
+	 * @param $onwikiUsername
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateRequest(
+		$emailAddress,
+		$password,
+		$username,
+		$useOAuthSignup,
+		$confirmationId,
+		$onwikiUsername
+	) {
+		if (!WebRequest::postBoolean('guidelines')) {
+			throw new ApplicationLogicException('You must read the interface guidelines before your request may be submitted.');
+		}
+
+		$this->validateGeneralInformation($emailAddress, $password, $username);
+		$this->validateUniqueEmail($emailAddress);
+		$this->validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername);
+	}
+
+	/**
+	 * @param $useOAuthSignup
+	 * @param $confirmationId
+	 * @param $onwikiUsername
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateNonOAuthFields($useOAuthSignup, $confirmationId, $onwikiUsername)
+	{
+		if (!$useOAuthSignup) {
+			if ($confirmationId === null || $confirmationId <= 0) {
+				throw new ApplicationLogicException('Please enter the revision id of your confirmation edit.');
+			}
+
+			if ($onwikiUsername === null) {
+				throw new ApplicationLogicException('Please specify your on-wiki username.');
+			}
+		}
+	}
+
+	/**
+	 * @param $emailAddress
+	 * @param $password
+	 * @param $username
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function validateGeneralInformation($emailAddress, $password, $username)
+	{
+		if ($emailAddress === null) {
+			throw new ApplicationLogicException('Your email address appears to be invalid!');
+		}
+
+		if ($password !== WebRequest::postString('pass2')) {
+			throw new ApplicationLogicException('Your passwords did not match, please try again.');
+		}
+
+		if (User::getByUsername($username, $this->getDatabase()) !== false) {
+			throw new ApplicationLogicException('That username is already in use on this system.');
+		}
+	}
+
+	/**
+	 * @param $useOAuthSignup
+	 *
+	 * @throws ApplicationLogicException
+	 * @throws \Exception
+	 */
+	protected function handlePost($useOAuthSignup)
+	{
+		// Get the data
+		$emailAddress = WebRequest::postEmail('email');
+		$password = WebRequest::postString('pass');
+		$username = WebRequest::postString('name');
+
+		// Only set if OAuth is disabled
+		$confirmationId = WebRequest::postInt('conf_revid');
+		$onwikiUsername = WebRequest::postString('wname');
+
+		// Do some validation
+		$this->validateRequest($emailAddress, $password, $username, $useOAuthSignup, $confirmationId,
+			$onwikiUsername);
+
+		$database = $this->getDatabase();
+
+		$user = new User();
+		$user->setDatabase($database);
+
+		$user->setUsername($username);
+		$user->setEmail($emailAddress);
+
+		if (!$useOAuthSignup) {
+			$user->setOnWikiName($onwikiUsername);
+			$user->setConfirmationDiff($confirmationId);
+		}
+
+		$user->save();
+
+		$passwordCredentialProvider = new PasswordCredentialProvider($database, $this->getSiteConfiguration());
+		$passwordCredentialProvider->setCredential($user, 1, $password);
+
+		$defaultRole = $this->getDefaultRole();
+
+		$role = new UserRole();
+		$role->setDatabase($database);
+		$role->setUser($user->getId());
+		$role->setRole($defaultRole);
+		$role->save();
+
+		// Log now to get the signup date.
+		Logger::newUser($database, $user);
+		Logger::userRolesEdited($database, $user, 'Registration', array($defaultRole), array());
+
+		if ($useOAuthSignup) {
+			$oauthProtocolHelper = $this->getOAuthProtocolHelper();
+			$oauth = new OAuthUserHelper($user, $database, $oauthProtocolHelper, $this->getSiteConfiguration());
+
+			$authoriseUrl = $oauth->getRequestToken();
+			WebRequest::setOAuthPartialLogin($user);
+			$this->redirectUrl($authoriseUrl);
+		}
+		else {
+			// only notify if we're not using the oauth signup.
+			$this->getNotificationHelper()->userNew($user);
+			WebRequest::setLoggedInUser($user);
+			$this->redirect('preferences');
+		}
+	}
+
+	protected abstract function getDefaultRole();
+
+	/**
+	 * Entry point for registration complete
+	 */
+	protected function done()
+	{
+		$this->setTemplate('registration/alert-registrationcomplete.tpl');
+	}
 }

includes/Security/SecurityManager.php

Indentation +196 added lines, -196 removed lines

@@ -14,200 +14,200 @@
 
 final class SecurityManager
 {
-    const ALLOWED = 1;
-    const ERROR_NOT_IDENTIFIED = 2;
-    const ERROR_DENIED = 3;
-    /** @var IdentificationVerifier */
-    private $identificationVerifier;
-    /**
-     * @var RoleConfiguration
-     */
-    private $roleConfiguration;
-
-    /**
-     * SecurityManager constructor.
-     *
-     * @param IdentificationVerifier $identificationVerifier
-     * @param RoleConfiguration      $roleConfiguration
-     */
-    public function __construct(
-        IdentificationVerifier $identificationVerifier,
-        RoleConfiguration $roleConfiguration
-    ) {
-        $this->identificationVerifier = $identificationVerifier;
-        $this->roleConfiguration = $roleConfiguration;
-    }
-
-    /**
-     * Tests if a user is allowed to perform an action.
-     *
-     * This method should form a hard, deterministic security barrier, and only return true if it is absolutely sure
-     * that a user should have access to something.
-     *
-     * @param string $page
-     * @param string $route
-     * @param User   $user
-     *
-     * @return int
-     *
-     * @category Security-Critical
-     */
-    public function allows($page, $route, User $user)
-    {
-        $this->getActiveRoles($user, $activeRoles, $inactiveRoles);
-
-        $availableRights = $this->flattenRoles($activeRoles);
-        $testResult = $this->findResult($availableRights, $page, $route);
-
-        if ($testResult !== null) {
-            // We got a firm result here, so just return it.
-            return $testResult;
-        }
-
-        // No firm result yet, so continue testing the inactive roles so we can give a better error.
-        $inactiveRights = $this->flattenRoles($inactiveRoles);
-        $testResult = $this->findResult($inactiveRights, $page, $route);
-
-        if ($testResult === self::ALLOWED) {
-            // The user is allowed to access this, but their role is inactive.
-            return self::ERROR_NOT_IDENTIFIED;
-        }
-
-        // Other options from the secondary test are denied and inconclusive, which at this point defaults to denied.
-        return self::ERROR_DENIED;
-    }
-
-    /**
-     * @param array  $pseudoRole The role (flattened) to check
-     * @param string $page       The page class to check
-     * @param string $route      The page route to check
-     *
-     * @return int|null
-     */
-    private function findResult($pseudoRole, $page, $route)
-    {
-        if (isset($pseudoRole[$page])) {
-            // check for deny on catch-all route
-            if (isset($pseudoRole[$page][RoleConfiguration::ALL])) {
-                if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_DENY) {
-                    return self::ERROR_DENIED;
-                }
-            }
-
-            // check normal route
-            if (isset($pseudoRole[$page][$route])) {
-                if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_DENY) {
-                    return self::ERROR_DENIED;
-                }
-
-                if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_ALLOW) {
-                    return self::ALLOWED;
-                }
-            }
-
-            // check for allowed on catch-all route
-            if (isset($pseudoRole[$page][RoleConfiguration::ALL])) {
-                if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_ALLOW) {
-                    return self::ALLOWED;
-                }
-            }
-        }
-
-        // return indeterminate result
-        return null;
-    }
-
-    /**
-     * Takes an array of roles and flattens the values to a single set.
-     *
-     * @param array $activeRoles
-     *
-     * @return array
-     */
-    private function flattenRoles($activeRoles)
-    {
-        $result = array();
-
-        $roleConfig = $this->roleConfiguration->getApplicableRoles($activeRoles);
-
-        // Iterate over every page in every role
-        foreach ($roleConfig as $role) {
-            foreach ($role as $page => $pageRights) {
-                // Create holder in result for this page
-                if (!isset($result[$page])) {
-                    $result[$page] = array();
-                }
-
-                foreach ($pageRights as $action => $permission) {
-                    // Deny takes precedence, so if it's set, don't change it.
-                    if (isset($result[$page][$action])) {
-                        if ($result[$page][$action] === RoleConfiguration::ACCESS_DENY) {
-                            continue;
-                        }
-                    }
-
-                    if ($permission === RoleConfiguration::ACCESS_DEFAULT) {
-                        // Configured to do precisely nothing.
-                        continue;
-                    }
-
-                    $result[$page][$action] = $permission;
-                }
-            }
-        }
-
-        return $result;
-    }
-
-    /**
-     * @param User  $user
-     * @param array $activeRoles
-     * @param array $inactiveRoles
-     */
-    public function getActiveRoles(User $user, &$activeRoles, &$inactiveRoles)
-    {
-        // Default to the community user here, because the main user is logged out
-        $identified = false;
-        $userRoles = array('public');
-
-        // if we're not the community user, get our real rights.
-        if (!$user->isCommunityUser()) {
-            // Check the user's status - only active users are allowed the effects of roles
-
-            $userRoles[] = 'loggedIn';
-
-            if ($user->isActive()) {
-                $ur = UserRole::getForUser($user->getId(), $user->getDatabase());
-
-                // NOTE: public is still in this array.
-                foreach ($ur as $r) {
-                    $userRoles[] = $r->getRole();
-                }
-
-                $identified = $user->isIdentified($this->identificationVerifier);
-            }
-        }
-
-        $activeRoles = array();
-        $inactiveRoles = array();
-
-        /** @var string $v */
-        foreach ($userRoles as $v) {
-            if ($this->roleConfiguration->roleNeedsIdentification($v)) {
-                if ($identified) {
-                    $activeRoles[] = $v;
-                }
-                else {
-                    $inactiveRoles[] = $v;
-                }
-            }
-            else {
-                $activeRoles[] = $v;
-            }
-        }
-    }
-
-    public function getRoleConfiguration(){
-        return $this->roleConfiguration;
-    }
+	const ALLOWED = 1;
+	const ERROR_NOT_IDENTIFIED = 2;
+	const ERROR_DENIED = 3;
+	/** @var IdentificationVerifier */
+	private $identificationVerifier;
+	/**
+	 * @var RoleConfiguration
+	 */
+	private $roleConfiguration;
+
+	/**
+	 * SecurityManager constructor.
+	 *
+	 * @param IdentificationVerifier $identificationVerifier
+	 * @param RoleConfiguration      $roleConfiguration
+	 */
+	public function __construct(
+		IdentificationVerifier $identificationVerifier,
+		RoleConfiguration $roleConfiguration
+	) {
+		$this->identificationVerifier = $identificationVerifier;
+		$this->roleConfiguration = $roleConfiguration;
+	}
+
+	/**
+	 * Tests if a user is allowed to perform an action.
+	 *
+	 * This method should form a hard, deterministic security barrier, and only return true if it is absolutely sure
+	 * that a user should have access to something.
+	 *
+	 * @param string $page
+	 * @param string $route
+	 * @param User   $user
+	 *
+	 * @return int
+	 *
+	 * @category Security-Critical
+	 */
+	public function allows($page, $route, User $user)
+	{
+		$this->getActiveRoles($user, $activeRoles, $inactiveRoles);
+
+		$availableRights = $this->flattenRoles($activeRoles);
+		$testResult = $this->findResult($availableRights, $page, $route);
+
+		if ($testResult !== null) {
+			// We got a firm result here, so just return it.
+			return $testResult;
+		}
+
+		// No firm result yet, so continue testing the inactive roles so we can give a better error.
+		$inactiveRights = $this->flattenRoles($inactiveRoles);
+		$testResult = $this->findResult($inactiveRights, $page, $route);
+
+		if ($testResult === self::ALLOWED) {
+			// The user is allowed to access this, but their role is inactive.
+			return self::ERROR_NOT_IDENTIFIED;
+		}
+
+		// Other options from the secondary test are denied and inconclusive, which at this point defaults to denied.
+		return self::ERROR_DENIED;
+	}
+
+	/**
+	 * @param array  $pseudoRole The role (flattened) to check
+	 * @param string $page       The page class to check
+	 * @param string $route      The page route to check
+	 *
+	 * @return int|null
+	 */
+	private function findResult($pseudoRole, $page, $route)
+	{
+		if (isset($pseudoRole[$page])) {
+			// check for deny on catch-all route
+			if (isset($pseudoRole[$page][RoleConfiguration::ALL])) {
+				if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_DENY) {
+					return self::ERROR_DENIED;
+				}
+			}
+
+			// check normal route
+			if (isset($pseudoRole[$page][$route])) {
+				if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_DENY) {
+					return self::ERROR_DENIED;
+				}
+
+				if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_ALLOW) {
+					return self::ALLOWED;
+				}
+			}
+
+			// check for allowed on catch-all route
+			if (isset($pseudoRole[$page][RoleConfiguration::ALL])) {
+				if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_ALLOW) {
+					return self::ALLOWED;
+				}
+			}
+		}
+
+		// return indeterminate result
+		return null;
+	}
+
+	/**
+	 * Takes an array of roles and flattens the values to a single set.
+	 *
+	 * @param array $activeRoles
+	 *
+	 * @return array
+	 */
+	private function flattenRoles($activeRoles)
+	{
+		$result = array();
+
+		$roleConfig = $this->roleConfiguration->getApplicableRoles($activeRoles);
+
+		// Iterate over every page in every role
+		foreach ($roleConfig as $role) {
+			foreach ($role as $page => $pageRights) {
+				// Create holder in result for this page
+				if (!isset($result[$page])) {
+					$result[$page] = array();
+				}
+
+				foreach ($pageRights as $action => $permission) {
+					// Deny takes precedence, so if it's set, don't change it.
+					if (isset($result[$page][$action])) {
+						if ($result[$page][$action] === RoleConfiguration::ACCESS_DENY) {
+							continue;
+						}
+					}
+
+					if ($permission === RoleConfiguration::ACCESS_DEFAULT) {
+						// Configured to do precisely nothing.
+						continue;
+					}
+
+					$result[$page][$action] = $permission;
+				}
+			}
+		}
+
+		return $result;
+	}
+
+	/**
+	 * @param User  $user
+	 * @param array $activeRoles
+	 * @param array $inactiveRoles
+	 */
+	public function getActiveRoles(User $user, &$activeRoles, &$inactiveRoles)
+	{
+		// Default to the community user here, because the main user is logged out
+		$identified = false;
+		$userRoles = array('public');
+
+		// if we're not the community user, get our real rights.
+		if (!$user->isCommunityUser()) {
+			// Check the user's status - only active users are allowed the effects of roles
+
+			$userRoles[] = 'loggedIn';
+
+			if ($user->isActive()) {
+				$ur = UserRole::getForUser($user->getId(), $user->getDatabase());
+
+				// NOTE: public is still in this array.
+				foreach ($ur as $r) {
+					$userRoles[] = $r->getRole();
+				}
+
+				$identified = $user->isIdentified($this->identificationVerifier);
+			}
+		}
+
+		$activeRoles = array();
+		$inactiveRoles = array();
+
+		/** @var string $v */
+		foreach ($userRoles as $v) {
+			if ($this->roleConfiguration->roleNeedsIdentification($v)) {
+				if ($identified) {
+					$activeRoles[] = $v;
+				}
+				else {
+					$inactiveRoles[] = $v;
+				}
+			}
+			else {
+				$activeRoles[] = $v;
+			}
+		}
+	}
+
+	public function getRoleConfiguration(){
+		return $this->roleConfiguration;
+	}
 }

Spacing +1 added lines, -1 removed lines

@@ -207,7 +207,7 @@
         }
     }
 
-    public function getRoleConfiguration(){
+    public function getRoleConfiguration() {
         return $this->roleConfiguration;
     }
 }

Braces +2 added lines, -1 removed lines

@@ -207,7 +207,8 @@
         }
     }
 
-    public function getRoleConfiguration(){
+    public function getRoleConfiguration()
+    {
         return $this->roleConfiguration;
     }
 }