mdaniels5757 / waca

includes/Pages/PageLog.php

Indentation +60 added lines, -60 removed lines

@@ -17,64 +17,64 @@
 
 class PageLog extends PagedInternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     */
-    protected function main()
-    {
-        $this->setHtmlTitle('Logs');
-
-        $filterUser = WebRequest::getString('filterUser');
-        $filterAction = WebRequest::getString('filterAction');
-        $filterObjectType = WebRequest::getString('filterObjectType');
-        $filterObjectId = WebRequest::getInt('filterObjectId');
-
-        $database = $this->getDatabase();
-
-        if (!array_key_exists($filterObjectType, LogHelper::getObjectTypes())) {
-            $filterObjectType = null;
-        }
-
-        $this->addJs("/api.php?action=users&all=true&targetVariable=typeaheaddata");
-
-        // FIXME: domains
-        $logSearch = LogSearchHelper::get($database, 1);
-
-        if ($filterUser !== null) {
-            $userObj = User::getByUsername($filterUser, $database);
-            if ($userObj !== false) {
-                $logSearch->byUser($userObj->getId());
-            }
-            else {
-                $logSearch->byUser(-1);
-            }
-        }
-        if ($filterAction !== null) {
-            $logSearch->byAction($filterAction);
-        }
-        if ($filterObjectType !== null) {
-            $logSearch->byObjectType($filterObjectType);
-        }
-        if ($filterObjectId !== null) {
-            $logSearch->byObjectId($filterObjectId);
-        }
-
-        $this->setSearchHelper($logSearch);
-        $this->setupLimits();
-
-        /** @var Log[] $logs */
-        $logs = $logSearch->getRecordCount($count)->fetch();
-
-        list($users, $logData) = LogHelper::prepareLogsForTemplate($logs, $database, $this->getSiteConfiguration());
-
-        $this->setupPageData($count, array('filterUser' => $filterUser, 'filterAction' => $filterAction, 'filterObjectType' => $filterObjectType, 'filterObjectId' => $filterObjectId));
-
-        $this->assign("logs", $logData);
-        $this->assign("users", $users);
-
-        $this->assign('allLogActions', LogHelper::getLogActions($this->getDatabase()));
-        $this->assign('allObjectTypes', LogHelper::getObjectTypes());
-
-        $this->setTemplate("logs/main.tpl");
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 */
+	protected function main()
+	{
+		$this->setHtmlTitle('Logs');
+
+		$filterUser = WebRequest::getString('filterUser');
+		$filterAction = WebRequest::getString('filterAction');
+		$filterObjectType = WebRequest::getString('filterObjectType');
+		$filterObjectId = WebRequest::getInt('filterObjectId');
+
+		$database = $this->getDatabase();
+
+		if (!array_key_exists($filterObjectType, LogHelper::getObjectTypes())) {
+			$filterObjectType = null;
+		}
+
+		$this->addJs("/api.php?action=users&all=true&targetVariable=typeaheaddata");
+
+		// FIXME: domains
+		$logSearch = LogSearchHelper::get($database, 1);
+
+		if ($filterUser !== null) {
+			$userObj = User::getByUsername($filterUser, $database);
+			if ($userObj !== false) {
+				$logSearch->byUser($userObj->getId());
+			}
+			else {
+				$logSearch->byUser(-1);
+			}
+		}
+		if ($filterAction !== null) {
+			$logSearch->byAction($filterAction);
+		}
+		if ($filterObjectType !== null) {
+			$logSearch->byObjectType($filterObjectType);
+		}
+		if ($filterObjectId !== null) {
+			$logSearch->byObjectId($filterObjectId);
+		}
+
+		$this->setSearchHelper($logSearch);
+		$this->setupLimits();
+
+		/** @var Log[] $logs */
+		$logs = $logSearch->getRecordCount($count)->fetch();
+
+		list($users, $logData) = LogHelper::prepareLogsForTemplate($logs, $database, $this->getSiteConfiguration());
+
+		$this->setupPageData($count, array('filterUser' => $filterUser, 'filterAction' => $filterAction, 'filterObjectType' => $filterObjectType, 'filterObjectId' => $filterObjectId));
+
+		$this->assign("logs", $logData);
+		$this->assign("users", $users);
+
+		$this->assign('allLogActions', LogHelper::getLogActions($this->getDatabase()));
+		$this->assign('allObjectTypes', LogHelper::getObjectTypes());
+
+		$this->setTemplate("logs/main.tpl");
+	}
 }

includes/Pages/PageListFlaggedComments.php

Indentation +108 added lines, -108 removed lines

@@ -17,112 +17,112 @@
 
 class PageListFlaggedComments extends InternalPageBase
 {
-    /**
-     * @inheritDoc
-     */
-    protected function main()
-    {
-        $this->setHtmlTitle('Flagged comments');
-        $this->setTemplate('flagged-comments.tpl');
-
-        $database = $this->getDatabase();
-        $this->assignCSRFToken();
-
-        /** @var Comment[] $commentObjects */
-        $commentObjects = Comment::getFlaggedComments($database, 1); // FIXME: domains
-        $comments = [];
-
-        $currentUser = User::getCurrent($database);
-
-        $seeRestrictedComments = $this->barrierTest('seeRestrictedComments', $currentUser, 'RequestData');
-        $seeCheckuserComments = $this->barrierTest('seeCheckuserComments', $currentUser, 'RequestData');
-        $alwaysSeePrivateData = $this->barrierTest('alwaysSeePrivateData', $currentUser, 'RequestData');
-
-        foreach ($commentObjects as $object) {
-            $data = [
-                'visibility'    => $object->getVisibility(),
-                'hidden'        => false,
-                'hiddenText'    => false,
-            ];
-
-            if (!$alwaysSeePrivateData) {
-                // tl;dr: This is a stupid configuration, but let's account for it anyway.
-                //
-                // Flagged comments are treated as private data. If you don't have the privilege
-                // RequestData::alwaysSeePrivateData, then we can't show you the content of the comments here.
-                // This page is forced to degrade into basically a list of requests, seriously hampering the usefulness
-                // of this page. Still, we need to handle the case where we have access to this page, but not access
-                // to private data.
-                // At the time of writing, this case does not exist in the current role configuration, but for the role
-                // configuration to be free of assumptions, we need this code.
-
-                /** @var Request $request */
-                $request = Request::getById($object->getRequest(), $database);
-
-                if ($request->getReserved() === $currentUser->getId()) {
-                    $data['hiddenText'] = false;
-                }
-                else {
-                    $data['hiddenText'] = true;
-                }
-            }
-
-            if ($object->getVisibility() == 'requester' || $object->getVisibility() == 'user') {
-                $data['hidden'] = false;
-            }
-            elseif ($object->getVisibility() == 'admin') {
-                if ($seeRestrictedComments) {
-                    $data['hidden'] = false;
-                }
-                else {
-                    $data['hidden'] = true;
-                }
-            }
-            elseif ($object->getVisibility() == 'checkuser') {
-                if ($seeCheckuserComments) {
-                    $data['hidden'] = false;
-                }
-                else {
-                    $data['hidden'] = true;
-                }
-            }
-
-            $this->copyCommentData($object, $data, $database);
-
-            $comments[] = $data;
-        }
-
-        $this->assign('comments', $comments);
-        $this->assign('seeRestrictedComments', $seeRestrictedComments);
-        $this->assign('seeCheckuserComments', $seeCheckuserComments);
-
-        $this->assign('editOthersComments', $this->barrierTest('editOthers', $currentUser, PageEditComment::class));
-        $this->assign('editComments', $this->barrierTest(RoleConfiguration::MAIN, $currentUser, PageEditComment::class));
-        $this->assign('canUnflag', $this->barrierTest('unflag', $currentUser, PageFlagComment::class) && $this->barrierTest(RoleConfiguration::MAIN, $currentUser, PageFlagComment::class));
-    }
-
-    private function copyCommentData(Comment $object, array &$data, PdoDatabase $database): void
-    {
-        if ($data['hidden']) {
-            // All details hidden, so don't copy anything.
-            return;
-        }
-
-        /** @var Request $request */
-        $request = Request::getById($object->getRequest(), $database);
-
-        if (!$data['hiddenText']) {
-            // Comment text is hidden, but presence of the comment is visible.
-            $data['comment'] = $object->getComment();
-        }
-
-        $data['id'] = $object->getId();
-        $data['updateversion'] = $object->getUpdateVersion();
-        $data['time'] = $object->getTime();
-        $data['requestid'] = $object->getRequest();
-        $data['request'] = $request->getName();
-        $data['requeststatus'] = $request->getStatus();
-        $data['userid'] = $object->getUser();
-        $data['user'] = User::getById($object->getUser(), $database)->getUsername();
-    }
+	/**
+	 * @inheritDoc
+	 */
+	protected function main()
+	{
+		$this->setHtmlTitle('Flagged comments');
+		$this->setTemplate('flagged-comments.tpl');
+
+		$database = $this->getDatabase();
+		$this->assignCSRFToken();
+
+		/** @var Comment[] $commentObjects */
+		$commentObjects = Comment::getFlaggedComments($database, 1); // FIXME: domains
+		$comments = [];
+
+		$currentUser = User::getCurrent($database);
+
+		$seeRestrictedComments = $this->barrierTest('seeRestrictedComments', $currentUser, 'RequestData');
+		$seeCheckuserComments = $this->barrierTest('seeCheckuserComments', $currentUser, 'RequestData');
+		$alwaysSeePrivateData = $this->barrierTest('alwaysSeePrivateData', $currentUser, 'RequestData');
+
+		foreach ($commentObjects as $object) {
+			$data = [
+				'visibility'    => $object->getVisibility(),
+				'hidden'        => false,
+				'hiddenText'    => false,
+			];
+
+			if (!$alwaysSeePrivateData) {
+				// tl;dr: This is a stupid configuration, but let's account for it anyway.
+				//
+				// Flagged comments are treated as private data. If you don't have the privilege
+				// RequestData::alwaysSeePrivateData, then we can't show you the content of the comments here.
+				// This page is forced to degrade into basically a list of requests, seriously hampering the usefulness
+				// of this page. Still, we need to handle the case where we have access to this page, but not access
+				// to private data.
+				// At the time of writing, this case does not exist in the current role configuration, but for the role
+				// configuration to be free of assumptions, we need this code.
+
+				/** @var Request $request */
+				$request = Request::getById($object->getRequest(), $database);
+
+				if ($request->getReserved() === $currentUser->getId()) {
+					$data['hiddenText'] = false;
+				}
+				else {
+					$data['hiddenText'] = true;
+				}
+			}
+
+			if ($object->getVisibility() == 'requester' || $object->getVisibility() == 'user') {
+				$data['hidden'] = false;
+			}
+			elseif ($object->getVisibility() == 'admin') {
+				if ($seeRestrictedComments) {
+					$data['hidden'] = false;
+				}
+				else {
+					$data['hidden'] = true;
+				}
+			}
+			elseif ($object->getVisibility() == 'checkuser') {
+				if ($seeCheckuserComments) {
+					$data['hidden'] = false;
+				}
+				else {
+					$data['hidden'] = true;
+				}
+			}
+
+			$this->copyCommentData($object, $data, $database);
+
+			$comments[] = $data;
+		}
+
+		$this->assign('comments', $comments);
+		$this->assign('seeRestrictedComments', $seeRestrictedComments);
+		$this->assign('seeCheckuserComments', $seeCheckuserComments);
+
+		$this->assign('editOthersComments', $this->barrierTest('editOthers', $currentUser, PageEditComment::class));
+		$this->assign('editComments', $this->barrierTest(RoleConfiguration::MAIN, $currentUser, PageEditComment::class));
+		$this->assign('canUnflag', $this->barrierTest('unflag', $currentUser, PageFlagComment::class) && $this->barrierTest(RoleConfiguration::MAIN, $currentUser, PageFlagComment::class));
+	}
+
+	private function copyCommentData(Comment $object, array &$data, PdoDatabase $database): void
+	{
+		if ($data['hidden']) {
+			// All details hidden, so don't copy anything.
+			return;
+		}
+
+		/** @var Request $request */
+		$request = Request::getById($object->getRequest(), $database);
+
+		if (!$data['hiddenText']) {
+			// Comment text is hidden, but presence of the comment is visible.
+			$data['comment'] = $object->getComment();
+		}
+
+		$data['id'] = $object->getId();
+		$data['updateversion'] = $object->getUpdateVersion();
+		$data['time'] = $object->getTime();
+		$data['requestid'] = $object->getRequest();
+		$data['request'] = $request->getName();
+		$data['requeststatus'] = $request->getStatus();
+		$data['userid'] = $object->getUser();
+		$data['user'] = User::getById($object->getUser(), $database)->getUsername();
+	}
 }
\ No newline at end of file

includes/Pages/PageRequestFormManagement.php

Indentation +288 added lines, -288 removed lines

@@ -22,292 +22,292 @@
 
 class PageRequestFormManagement extends InternalPageBase
 {
-    protected function main()
-    {
-        $this->setHtmlTitle('Request Form Management');
-
-        $database = $this->getDatabase();
-        $domainId = Domain::getCurrent($database)->getId();
-        $forms = RequestForm::getAllForms($database, $domainId);
-        $this->assign('forms', $forms);
-
-        $queues = [];
-        foreach ($forms as $f) {
-            $queueId = $f->getOverrideQueue();
-            if ($queueId !== null) {
-                if (!isset($queues[$queueId])) {
-                    /** @var RequestQueue $queue */
-                    $queue = RequestQueue::getById($queueId, $this->getDatabase());
-
-                    if ($queue->getDomain() == $domainId) {
-                        $queues[$queueId] = $queue;
-                    }
-                }
-            }
-        }
-
-        $this->assign('queues', $queues);
-
-        $user = User::getCurrent($database);
-        $this->assign('canCreate', $this->barrierTest('create', $user));
-        $this->assign('canEdit', $this->barrierTest('edit', $user));
-        $this->assign('canView', $this->barrierTest('view', $user));
-
-        $this->setTemplate('form-management/main.tpl');
-    }
-
-    protected function preview() {
-        $previewContent = WebRequest::getSessionContext('preview');
-
-        $renderer = new MarkdownRenderingHelper();
-        $this->assign('renderedContent', $renderer->doRender($previewContent['main']));
-        $this->assign('username', $renderer->doRenderInline($previewContent['username']));
-        $this->assign('email', $renderer->doRenderInline($previewContent['email']));
-        $this->assign('comment', $renderer->doRenderInline($previewContent['comment']));
-
-        $this->setTemplate('form-management/preview.tpl');
-    }
-
-    protected function create()
-    {
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            $database = $this->getDatabase();
-            $domainId = Domain::getCurrent($database)->getId();
-
-            $form = new RequestForm();
-
-            $form->setDatabase($database);
-            $form->setDomain($domainId);
-
-            $this->setupObjectFromPost($form);
-            $form->setPublicEndpoint(WebRequest::postString('endpoint'));
-
-            if (WebRequest::postString("preview") === "preview") {
-                $this->populateFromObject($form);
-
-                WebRequest::setSessionContext('preview', [
-                    'main' => $form->getFormContent(),
-                    'username' => $form->getUsernameHelp(),
-                    'email' => $form->getEmailHelp(),
-                    'comment' => $form->getCommentHelp(),
-                ]);
-
-                $this->assign('createMode', true);
-                $this->setTemplate('form-management/edit.tpl');
-
-                return;
-            }
-
-            $proceed = true;
-
-            if (RequestForm::getByPublicEndpoint($database, $form->getPublicEndpoint(), $domainId) !== false) {
-                SessionAlert::error("The chosen public endpoint is already in use. Please choose another.");
-                $proceed = false;
-            }
-
-            if (preg_match('/^[A-Za-z][a-zA-Z0-9-]*$/', $form->getPublicEndpoint()) !== 1) {
-                SessionAlert::error("The chosen public endpoint contains invalid characters");
-                $proceed = false;
-            }
-
-            if (RequestForm::getByName($database, $form->getName(), $domainId) !== false) {
-                SessionAlert::error("The chosen name is already in use. Please choose another.");
-                $proceed = false;
-            }
-
-            if ($form->getOverrideQueue() !== null) {
-                /** @var RequestQueue|bool $queue */
-                $queue = RequestQueue::getById($form->getOverrideQueue(), $database);
-                if ($queue === false || $queue->getDomain() !== $domainId || !$queue->isEnabled()) {
-                    SessionAlert::error("The chosen queue does not exist or is disabled.");
-                    $proceed = false;
-                }
-            }
-
-            if ($proceed) {
-                $form->save();
-                Logger::requestFormCreated($database, $form);
-                $this->redirect('requestFormManagement');
-            }
-            else {
-                $this->populateFromObject($form);
-                WebRequest::setSessionContext('preview', [
-                    'main' => $form->getFormContent(),
-                    'username' => $form->getUsernameHelp(),
-                    'email' => $form->getEmailHelp(),
-                    'comment' => $form->getCommentHelp(),
-                ]);
-
-                $this->assign('createMode', true);
-                $this->setTemplate('form-management/edit.tpl');
-            }
-        }
-        else {
-            $this->populateFromObject(new RequestForm());
-            WebRequest::setSessionContext('preview', null);
-            $this->assign('hidePreview', true);
-
-            $this->assignCSRFToken();
-            $this->assign('createMode', true);
-            $this->setTemplate('form-management/edit.tpl');
-        }
-    }
-
-    protected function view()
-    {
-        $database = $this->getDatabase();
-
-        /** @var RequestForm $form */
-        $form = RequestForm::getById(WebRequest::getInt('form'), $database);
-
-        if ($form->getDomain() !== Domain::getCurrent($database)->getId()) {
-            throw new AccessDeniedException($this->getSecurityManager(), $this->getDomainAccessManager());
-        }
-
-        $this->populateFromObject($form);
-
-        if ($form->getOverrideQueue() !== null) {
-            $this->assign('queueObject', RequestQueue::getById($form->getOverrideQueue(), $database));
-        }
-
-        WebRequest::setSessionContext('preview', [
-            'main' => $form->getFormContent(),
-            'username' => $form->getUsernameHelp(),
-            'email' => $form->getEmailHelp(),
-            'comment' => $form->getCommentHelp(),
-        ]);
-
-        $renderer = new MarkdownRenderingHelper();
-        $this->assign('renderedContent', $renderer->doRender($form->getFormContent()));
-
-        $this->setTemplate('form-management/view.tpl');
-    }
-
-    protected function edit()
-    {
-        $database = $this->getDatabase();
-
-        /** @var RequestForm $form */
-        $form = RequestForm::getById(WebRequest::getInt('form'), $database);
-
-        if ($form->getDomain() !== Domain::getCurrent($database)->getId()) {
-            throw new AccessDeniedException($this->getSecurityManager(), $this->getDomainAccessManager());
-        }
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $this->setupObjectFromPost($form);
-
-            if (WebRequest::postString("preview") === "preview") {
-                $this->populateFromObject($form);
-
-                WebRequest::setSessionContext('preview', [
-                    'main' => $form->getFormContent(),
-                    'username' => $form->getUsernameHelp(),
-                    'email' => $form->getEmailHelp(),
-                    'comment' => $form->getCommentHelp(),
-                ]);
-
-                $this->assign('createMode', false);
-                $this->setTemplate('form-management/edit.tpl');
-
-                return;
-            }
-
-            $proceed = true;
-
-            $foundForm = RequestForm::getByName($database, $form->getName(), $form->getDomain());
-            if ($foundForm !== false && $foundForm->getId() !== $form->getId()) {
-                SessionAlert::error("The chosen name is already in use. Please choose another.");
-                $proceed = false;
-            }
-
-            if ($form->getOverrideQueue() !== null) {
-                /** @var RequestQueue $queue */
-                $queue = RequestQueue::getById($form->getOverrideQueue(), $database);
-                if ($queue === false || $queue->getDomain() !== $form->getDomain() || !$queue->isEnabled()) {
-                    SessionAlert::error("The chosen queue does not exist or is disabled.");
-                    $proceed = false;
-                }
-            }
-
-            if ($proceed) {
-                Logger::requestFormEdited($database, $form);
-                $form->save();
-                $this->redirect('requestFormManagement');
-            }
-            else {
-                $this->populateFromObject($form);
-                WebRequest::setSessionContext('preview', [
-                    'main' => $form->getFormContent(),
-                    'username' => $form->getUsernameHelp(),
-                    'email' => $form->getEmailHelp(),
-                    'comment' => $form->getCommentHelp(),
-                ]);
-
-                $this->assign('createMode', false);
-                $this->setTemplate('form-management/edit.tpl');
-            }
-        }
-        else {
-            $this->populateFromObject($form);
-            WebRequest::setSessionContext('preview', [
-                'main' => $form->getFormContent(),
-                'username' => $form->getUsernameHelp(),
-                'email' => $form->getEmailHelp(),
-                'comment' => $form->getCommentHelp(),
-            ]);
-
-            $this->assign('createMode', false);
-            $this->setTemplate('form-management/edit.tpl');
-        }
-    }
-
-    /**
-     * @param RequestForm $form
-     */
-    protected function populateFromObject(RequestForm $form): void
-    {
-        $this->assignCSRFToken();
-
-        $this->assign('name', $form->getName());
-        $this->assign('enabled', $form->isEnabled());
-        $this->assign('endpoint', $form->getPublicEndpoint());
-        $this->assign('queue', $form->getOverrideQueue());
-        $this->assign('content', $form->getFormContent());
-        $this->assign('username', $form->getUsernameHelp());
-        $this->assign('email', $form->getEmailHelp());
-        $this->assign('comment', $form->getCommentHelp());
-
-        $this->assign('domain', $form->getDomainObject());
-
-        $this->assign('availableQueues', RequestQueue::getEnabledQueues($this->getDatabase()));
-    }
-
-    /**
-     * @param RequestForm $form
-     *
-     * @return void
-     * @throws ApplicationLogicException
-     */
-    protected function setupObjectFromPost(RequestForm $form): void
-    {
-        if (WebRequest::postString('content') === null
-            || WebRequest::postString('username') === null
-            || WebRequest::postString('email') === null
-            || WebRequest::postString('comment') === null
-        ) {
-            throw new ApplicationLogicException("Form content, username help, email help, and comment help are all required fields.");
-        }
-
-        $form->setName(WebRequest::postString('name'));
-        $form->setEnabled(WebRequest::postBoolean('enabled'));
-        $form->setFormContent(WebRequest::postString('content'));
-        $form->setOverrideQueue(WebRequest::postInt('queue'));
-        $form->setUsernameHelp(WebRequest::postString('username'));
-        $form->setEmailHelp(WebRequest::postString('email'));
-        $form->setCommentHelp(WebRequest::postString('comment'));
-    }
+	protected function main()
+	{
+		$this->setHtmlTitle('Request Form Management');
+
+		$database = $this->getDatabase();
+		$domainId = Domain::getCurrent($database)->getId();
+		$forms = RequestForm::getAllForms($database, $domainId);
+		$this->assign('forms', $forms);
+
+		$queues = [];
+		foreach ($forms as $f) {
+			$queueId = $f->getOverrideQueue();
+			if ($queueId !== null) {
+				if (!isset($queues[$queueId])) {
+					/** @var RequestQueue $queue */
+					$queue = RequestQueue::getById($queueId, $this->getDatabase());
+
+					if ($queue->getDomain() == $domainId) {
+						$queues[$queueId] = $queue;
+					}
+				}
+			}
+		}
+
+		$this->assign('queues', $queues);
+
+		$user = User::getCurrent($database);
+		$this->assign('canCreate', $this->barrierTest('create', $user));
+		$this->assign('canEdit', $this->barrierTest('edit', $user));
+		$this->assign('canView', $this->barrierTest('view', $user));
+
+		$this->setTemplate('form-management/main.tpl');
+	}
+
+	protected function preview() {
+		$previewContent = WebRequest::getSessionContext('preview');
+
+		$renderer = new MarkdownRenderingHelper();
+		$this->assign('renderedContent', $renderer->doRender($previewContent['main']));
+		$this->assign('username', $renderer->doRenderInline($previewContent['username']));
+		$this->assign('email', $renderer->doRenderInline($previewContent['email']));
+		$this->assign('comment', $renderer->doRenderInline($previewContent['comment']));
+
+		$this->setTemplate('form-management/preview.tpl');
+	}
+
+	protected function create()
+	{
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			$database = $this->getDatabase();
+			$domainId = Domain::getCurrent($database)->getId();
+
+			$form = new RequestForm();
+
+			$form->setDatabase($database);
+			$form->setDomain($domainId);
+
+			$this->setupObjectFromPost($form);
+			$form->setPublicEndpoint(WebRequest::postString('endpoint'));
+
+			if (WebRequest::postString("preview") === "preview") {
+				$this->populateFromObject($form);
+
+				WebRequest::setSessionContext('preview', [
+					'main' => $form->getFormContent(),
+					'username' => $form->getUsernameHelp(),
+					'email' => $form->getEmailHelp(),
+					'comment' => $form->getCommentHelp(),
+				]);
+
+				$this->assign('createMode', true);
+				$this->setTemplate('form-management/edit.tpl');
+
+				return;
+			}
+
+			$proceed = true;
+
+			if (RequestForm::getByPublicEndpoint($database, $form->getPublicEndpoint(), $domainId) !== false) {
+				SessionAlert::error("The chosen public endpoint is already in use. Please choose another.");
+				$proceed = false;
+			}
+
+			if (preg_match('/^[A-Za-z][a-zA-Z0-9-]*$/', $form->getPublicEndpoint()) !== 1) {
+				SessionAlert::error("The chosen public endpoint contains invalid characters");
+				$proceed = false;
+			}
+
+			if (RequestForm::getByName($database, $form->getName(), $domainId) !== false) {
+				SessionAlert::error("The chosen name is already in use. Please choose another.");
+				$proceed = false;
+			}
+
+			if ($form->getOverrideQueue() !== null) {
+				/** @var RequestQueue|bool $queue */
+				$queue = RequestQueue::getById($form->getOverrideQueue(), $database);
+				if ($queue === false || $queue->getDomain() !== $domainId || !$queue->isEnabled()) {
+					SessionAlert::error("The chosen queue does not exist or is disabled.");
+					$proceed = false;
+				}
+			}
+
+			if ($proceed) {
+				$form->save();
+				Logger::requestFormCreated($database, $form);
+				$this->redirect('requestFormManagement');
+			}
+			else {
+				$this->populateFromObject($form);
+				WebRequest::setSessionContext('preview', [
+					'main' => $form->getFormContent(),
+					'username' => $form->getUsernameHelp(),
+					'email' => $form->getEmailHelp(),
+					'comment' => $form->getCommentHelp(),
+				]);
+
+				$this->assign('createMode', true);
+				$this->setTemplate('form-management/edit.tpl');
+			}
+		}
+		else {
+			$this->populateFromObject(new RequestForm());
+			WebRequest::setSessionContext('preview', null);
+			$this->assign('hidePreview', true);
+
+			$this->assignCSRFToken();
+			$this->assign('createMode', true);
+			$this->setTemplate('form-management/edit.tpl');
+		}
+	}
+
+	protected function view()
+	{
+		$database = $this->getDatabase();
+
+		/** @var RequestForm $form */
+		$form = RequestForm::getById(WebRequest::getInt('form'), $database);
+
+		if ($form->getDomain() !== Domain::getCurrent($database)->getId()) {
+			throw new AccessDeniedException($this->getSecurityManager(), $this->getDomainAccessManager());
+		}
+
+		$this->populateFromObject($form);
+
+		if ($form->getOverrideQueue() !== null) {
+			$this->assign('queueObject', RequestQueue::getById($form->getOverrideQueue(), $database));
+		}
+
+		WebRequest::setSessionContext('preview', [
+			'main' => $form->getFormContent(),
+			'username' => $form->getUsernameHelp(),
+			'email' => $form->getEmailHelp(),
+			'comment' => $form->getCommentHelp(),
+		]);
+
+		$renderer = new MarkdownRenderingHelper();
+		$this->assign('renderedContent', $renderer->doRender($form->getFormContent()));
+
+		$this->setTemplate('form-management/view.tpl');
+	}
+
+	protected function edit()
+	{
+		$database = $this->getDatabase();
+
+		/** @var RequestForm $form */
+		$form = RequestForm::getById(WebRequest::getInt('form'), $database);
+
+		if ($form->getDomain() !== Domain::getCurrent($database)->getId()) {
+			throw new AccessDeniedException($this->getSecurityManager(), $this->getDomainAccessManager());
+		}
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$this->setupObjectFromPost($form);
+
+			if (WebRequest::postString("preview") === "preview") {
+				$this->populateFromObject($form);
+
+				WebRequest::setSessionContext('preview', [
+					'main' => $form->getFormContent(),
+					'username' => $form->getUsernameHelp(),
+					'email' => $form->getEmailHelp(),
+					'comment' => $form->getCommentHelp(),
+				]);
+
+				$this->assign('createMode', false);
+				$this->setTemplate('form-management/edit.tpl');
+
+				return;
+			}
+
+			$proceed = true;
+
+			$foundForm = RequestForm::getByName($database, $form->getName(), $form->getDomain());
+			if ($foundForm !== false && $foundForm->getId() !== $form->getId()) {
+				SessionAlert::error("The chosen name is already in use. Please choose another.");
+				$proceed = false;
+			}
+
+			if ($form->getOverrideQueue() !== null) {
+				/** @var RequestQueue $queue */
+				$queue = RequestQueue::getById($form->getOverrideQueue(), $database);
+				if ($queue === false || $queue->getDomain() !== $form->getDomain() || !$queue->isEnabled()) {
+					SessionAlert::error("The chosen queue does not exist or is disabled.");
+					$proceed = false;
+				}
+			}
+
+			if ($proceed) {
+				Logger::requestFormEdited($database, $form);
+				$form->save();
+				$this->redirect('requestFormManagement');
+			}
+			else {
+				$this->populateFromObject($form);
+				WebRequest::setSessionContext('preview', [
+					'main' => $form->getFormContent(),
+					'username' => $form->getUsernameHelp(),
+					'email' => $form->getEmailHelp(),
+					'comment' => $form->getCommentHelp(),
+				]);
+
+				$this->assign('createMode', false);
+				$this->setTemplate('form-management/edit.tpl');
+			}
+		}
+		else {
+			$this->populateFromObject($form);
+			WebRequest::setSessionContext('preview', [
+				'main' => $form->getFormContent(),
+				'username' => $form->getUsernameHelp(),
+				'email' => $form->getEmailHelp(),
+				'comment' => $form->getCommentHelp(),
+			]);
+
+			$this->assign('createMode', false);
+			$this->setTemplate('form-management/edit.tpl');
+		}
+	}
+
+	/**
+	 * @param RequestForm $form
+	 */
+	protected function populateFromObject(RequestForm $form): void
+	{
+		$this->assignCSRFToken();
+
+		$this->assign('name', $form->getName());
+		$this->assign('enabled', $form->isEnabled());
+		$this->assign('endpoint', $form->getPublicEndpoint());
+		$this->assign('queue', $form->getOverrideQueue());
+		$this->assign('content', $form->getFormContent());
+		$this->assign('username', $form->getUsernameHelp());
+		$this->assign('email', $form->getEmailHelp());
+		$this->assign('comment', $form->getCommentHelp());
+
+		$this->assign('domain', $form->getDomainObject());
+
+		$this->assign('availableQueues', RequestQueue::getEnabledQueues($this->getDatabase()));
+	}
+
+	/**
+	 * @param RequestForm $form
+	 *
+	 * @return void
+	 * @throws ApplicationLogicException
+	 */
+	protected function setupObjectFromPost(RequestForm $form): void
+	{
+		if (WebRequest::postString('content') === null
+			|| WebRequest::postString('username') === null
+			|| WebRequest::postString('email') === null
+			|| WebRequest::postString('comment') === null
+		) {
+			throw new ApplicationLogicException("Form content, username help, email help, and comment help are all required fields.");
+		}
+
+		$form->setName(WebRequest::postString('name'));
+		$form->setEnabled(WebRequest::postBoolean('enabled'));
+		$form->setFormContent(WebRequest::postString('content'));
+		$form->setOverrideQueue(WebRequest::postInt('queue'));
+		$form->setUsernameHelp(WebRequest::postString('username'));
+		$form->setEmailHelp(WebRequest::postString('email'));
+		$form->setCommentHelp(WebRequest::postString('comment'));
+	}
 }

includes/Pages/UserAuth/PageForgotPassword.php

Indentation +209 added lines, -209 removed lines

@@ -23,213 +23,213 @@
 
 class PageForgotPassword extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     *
-     * This is the forgotten password reset form
-     * @category Security-Critical
-     */
-    protected function main()
-    {
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            $username = WebRequest::postString('username');
-            $email = WebRequest::postEmail('email');
-            $database = $this->getDatabase();
-
-            if ($username === null || trim($username) === "" || $email === null || trim($email) === "") {
-                throw new ApplicationLogicException("Both username and email address must be specified!");
-            }
-
-            $user = User::getByUsername($username, $database);
-            $this->sendResetMail($user, $email);
-
-            SessionAlert::success('<strong>Your password reset request has been completed.</strong> If the details you have provided match our records, you should receive an email shortly.');
-
-            $this->redirect('login');
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('forgot-password/forgotpw.tpl');
-        }
-    }
-
-    /**
-     * Sends a reset email if the user is authenticated
-     *
-     * @param User|boolean $user  The user located from the database, or false. Doesn't really matter, since we do the
-     *                            check anyway within this method and silently skip if we don't have a user.
-     * @param string       $email The provided email address
-     */
-    private function sendResetMail($user, $email)
-    {
-        // If the user isn't found, or the email address is wrong, skip sending the details silently.
-        if (!$user instanceof User) {
-            return;
-        }
-
-        if (strtolower($user->getEmail()) === strtolower($email)) {
-            $clientIp = $this->getXffTrustProvider()
-                ->getTrustedClientIp(WebRequest::remoteAddress(), WebRequest::forwardedAddress());
-
-            $this->cleanExistingTokens($user);
-
-            $hash = Base32::encodeUpper(openssl_random_pseudo_bytes(30));
-
-            $encryptionHelper = new EncryptionHelper($this->getSiteConfiguration());
-
-            $cred = new Credential();
-            $cred->setDatabase($this->getDatabase());
-            $cred->setFactor(-1);
-            $cred->setUserId($user->getId());
-            $cred->setType('reset');
-            $cred->setData($encryptionHelper->encryptData($hash));
-            $cred->setVersion(0);
-            $cred->setDisabled(0);
-            $cred->setTimeout(new DateTimeImmutable('+ 1 hour'));
-            $cred->setPriority(9);
-            $cred->save();
-
-            $this->assign("user", $user);
-            $this->assign("hash", $hash);
-            $this->assign("remoteAddress", $clientIp);
-
-            $emailContent = $this->fetchTemplate('forgot-password/reset-mail.tpl');
-
-            // FIXME: domains!
-            /** @var Domain $domain */
-            $domain = Domain::getById(1, $this->getDatabase());
-            $this->getEmailHelper()->sendMail(
-                null, $user->getEmail(), "WP:ACC password reset", $emailContent);
-        }
-    }
-
-    /**
-     * Entry point for the reset action
-     *
-     * This is the reset password part of the form.
-     * @category Security-Critical
-     */
-    protected function reset()
-    {
-        $si = WebRequest::getString('si');
-        $id = WebRequest::getString('id');
-
-        if ($si === null || trim($si) === "" || $id === null || trim($id) === "") {
-            throw new ApplicationLogicException("Link not valid, please ensure it has copied correctly");
-        }
-
-        $database = $this->getDatabase();
-        $user = $this->getResettingUser($id, $database, $si);
-
-        // Dual mode
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            try {
-                $this->doReset($user);
-                $this->cleanExistingTokens($user);
-            }
-            catch (ApplicationLogicException $ex) {
-                SessionAlert::error($ex->getMessage());
-                $this->redirect('forgotPassword', 'reset', array('si' => $si, 'id' => $id));
-
-                return;
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->assign('user', $user);
-            $this->setTemplate('forgot-password/forgotpwreset.tpl');
-            $this->addJs("/vendor/dropbox/zxcvbn/dist/zxcvbn.js");
-        }
-    }
-
-    /**
-     * Gets the user resetting their password from the database, or throwing an exception if that is not possible.
-     *
-     * @param integer     $id       The ID of the user to retrieve
-     * @param PdoDatabase $database The database object to use
-     * @param string      $si       The reset hash provided
-     *
-     * @return User
-     * @throws ApplicationLogicException
-     */
-    private function getResettingUser($id, $database, $si)
-    {
-        $user = User::getById($id, $database);
-
-        if ($user === false || $user->isCommunityUser()) {
-            throw new ApplicationLogicException("Password reset failed. Please try again.");
-        }
-
-        $statement = $database->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
-        $statement->execute([':user' => $user->getId()]);
-
-        /** @var Credential $credential */
-        $credential = $statement->fetchObject(Credential::class);
-
-        $statement->closeCursor();
-
-        if ($credential === false) {
-            throw new ApplicationLogicException("Password reset failed. Please try again.");
-        }
-
-        $credential->setDatabase($database);
-
-        $encryptionHelper = new EncryptionHelper($this->getSiteConfiguration());
-        if ($encryptionHelper->decryptData($credential->getData()) != $si) {
-            throw new ApplicationLogicException("Password reset failed. Please try again.");
-        }
-
-        if ($credential->getTimeout() < new DateTimeImmutable()) {
-            $credential->delete();
-            throw new ApplicationLogicException("Password reset token expired. Please try again.");
-        }
-
-        return $user;
-    }
-
-    /**
-     * Performs the setting of the new password
-     *
-     * @param User $user The user to set the password for
-     *
-     * @throws ApplicationLogicException
-     */
-    private function doReset(User $user)
-    {
-        $pw = WebRequest::postString('newpassword');
-        $pw2 = WebRequest::postString('newpasswordconfirm');
-
-        if ($pw !== $pw2) {
-            throw new ApplicationLogicException('Passwords do not match!');
-        }
-
-        $passwordCredentialProvider = new PasswordCredentialProvider($user->getDatabase(), $this->getSiteConfiguration());
-        $passwordCredentialProvider->setCredential($user, 1, $pw);
-
-        SessionAlert::success('You may now log in!');
-        $this->redirect('login');
-    }
-
-    protected function isProtectedPage()
-    {
-        return false;
-    }
-
-    /**
-     * @param $user
-     */
-    private function cleanExistingTokens($user): void
-    {
-        // clean out existing reset tokens
-        $statement = $this->getDatabase()->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
-        $statement->execute([':user' => $user->getId()]);
-        $existing = $statement->fetchAll(PdoDatabase::FETCH_CLASS, Credential::class);
-
-        foreach ($existing as $c) {
-            $c->setDatabase($this->getDatabase());
-            $c->delete();
-        }
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 *
+	 * This is the forgotten password reset form
+	 * @category Security-Critical
+	 */
+	protected function main()
+	{
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			$username = WebRequest::postString('username');
+			$email = WebRequest::postEmail('email');
+			$database = $this->getDatabase();
+
+			if ($username === null || trim($username) === "" || $email === null || trim($email) === "") {
+				throw new ApplicationLogicException("Both username and email address must be specified!");
+			}
+
+			$user = User::getByUsername($username, $database);
+			$this->sendResetMail($user, $email);
+
+			SessionAlert::success('<strong>Your password reset request has been completed.</strong> If the details you have provided match our records, you should receive an email shortly.');
+
+			$this->redirect('login');
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('forgot-password/forgotpw.tpl');
+		}
+	}
+
+	/**
+	 * Sends a reset email if the user is authenticated
+	 *
+	 * @param User|boolean $user  The user located from the database, or false. Doesn't really matter, since we do the
+	 *                            check anyway within this method and silently skip if we don't have a user.
+	 * @param string       $email The provided email address
+	 */
+	private function sendResetMail($user, $email)
+	{
+		// If the user isn't found, or the email address is wrong, skip sending the details silently.
+		if (!$user instanceof User) {
+			return;
+		}
+
+		if (strtolower($user->getEmail()) === strtolower($email)) {
+			$clientIp = $this->getXffTrustProvider()
+				->getTrustedClientIp(WebRequest::remoteAddress(), WebRequest::forwardedAddress());
+
+			$this->cleanExistingTokens($user);
+
+			$hash = Base32::encodeUpper(openssl_random_pseudo_bytes(30));
+
+			$encryptionHelper = new EncryptionHelper($this->getSiteConfiguration());
+
+			$cred = new Credential();
+			$cred->setDatabase($this->getDatabase());
+			$cred->setFactor(-1);
+			$cred->setUserId($user->getId());
+			$cred->setType('reset');
+			$cred->setData($encryptionHelper->encryptData($hash));
+			$cred->setVersion(0);
+			$cred->setDisabled(0);
+			$cred->setTimeout(new DateTimeImmutable('+ 1 hour'));
+			$cred->setPriority(9);
+			$cred->save();
+
+			$this->assign("user", $user);
+			$this->assign("hash", $hash);
+			$this->assign("remoteAddress", $clientIp);
+
+			$emailContent = $this->fetchTemplate('forgot-password/reset-mail.tpl');
+
+			// FIXME: domains!
+			/** @var Domain $domain */
+			$domain = Domain::getById(1, $this->getDatabase());
+			$this->getEmailHelper()->sendMail(
+				null, $user->getEmail(), "WP:ACC password reset", $emailContent);
+		}
+	}
+
+	/**
+	 * Entry point for the reset action
+	 *
+	 * This is the reset password part of the form.
+	 * @category Security-Critical
+	 */
+	protected function reset()
+	{
+		$si = WebRequest::getString('si');
+		$id = WebRequest::getString('id');
+
+		if ($si === null || trim($si) === "" || $id === null || trim($id) === "") {
+			throw new ApplicationLogicException("Link not valid, please ensure it has copied correctly");
+		}
+
+		$database = $this->getDatabase();
+		$user = $this->getResettingUser($id, $database, $si);
+
+		// Dual mode
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			try {
+				$this->doReset($user);
+				$this->cleanExistingTokens($user);
+			}
+			catch (ApplicationLogicException $ex) {
+				SessionAlert::error($ex->getMessage());
+				$this->redirect('forgotPassword', 'reset', array('si' => $si, 'id' => $id));
+
+				return;
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->assign('user', $user);
+			$this->setTemplate('forgot-password/forgotpwreset.tpl');
+			$this->addJs("/vendor/dropbox/zxcvbn/dist/zxcvbn.js");
+		}
+	}
+
+	/**
+	 * Gets the user resetting their password from the database, or throwing an exception if that is not possible.
+	 *
+	 * @param integer     $id       The ID of the user to retrieve
+	 * @param PdoDatabase $database The database object to use
+	 * @param string      $si       The reset hash provided
+	 *
+	 * @return User
+	 * @throws ApplicationLogicException
+	 */
+	private function getResettingUser($id, $database, $si)
+	{
+		$user = User::getById($id, $database);
+
+		if ($user === false || $user->isCommunityUser()) {
+			throw new ApplicationLogicException("Password reset failed. Please try again.");
+		}
+
+		$statement = $database->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
+		$statement->execute([':user' => $user->getId()]);
+
+		/** @var Credential $credential */
+		$credential = $statement->fetchObject(Credential::class);
+
+		$statement->closeCursor();
+
+		if ($credential === false) {
+			throw new ApplicationLogicException("Password reset failed. Please try again.");
+		}
+
+		$credential->setDatabase($database);
+
+		$encryptionHelper = new EncryptionHelper($this->getSiteConfiguration());
+		if ($encryptionHelper->decryptData($credential->getData()) != $si) {
+			throw new ApplicationLogicException("Password reset failed. Please try again.");
+		}
+
+		if ($credential->getTimeout() < new DateTimeImmutable()) {
+			$credential->delete();
+			throw new ApplicationLogicException("Password reset token expired. Please try again.");
+		}
+
+		return $user;
+	}
+
+	/**
+	 * Performs the setting of the new password
+	 *
+	 * @param User $user The user to set the password for
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function doReset(User $user)
+	{
+		$pw = WebRequest::postString('newpassword');
+		$pw2 = WebRequest::postString('newpasswordconfirm');
+
+		if ($pw !== $pw2) {
+			throw new ApplicationLogicException('Passwords do not match!');
+		}
+
+		$passwordCredentialProvider = new PasswordCredentialProvider($user->getDatabase(), $this->getSiteConfiguration());
+		$passwordCredentialProvider->setCredential($user, 1, $pw);
+
+		SessionAlert::success('You may now log in!');
+		$this->redirect('login');
+	}
+
+	protected function isProtectedPage()
+	{
+		return false;
+	}
+
+	/**
+	 * @param $user
+	 */
+	private function cleanExistingTokens($user): void
+	{
+		// clean out existing reset tokens
+		$statement = $this->getDatabase()->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
+		$statement->execute([':user' => $user->getId()]);
+		$existing = $statement->fetchAll(PdoDatabase::FETCH_CLASS, Credential::class);
+
+		foreach ($existing as $c) {
+			$c->setDatabase($this->getDatabase());
+			$c->delete();
+		}
+	}
 }

includes/Pages/UserAuth/Login/PagePasswordLogin.php

Indentation +27 added lines, -27 removed lines

@@ -13,31 +13,31 @@
 
 class PagePasswordLogin extends LoginCredentialPageBase
 {
-    protected function providerSpecificSetup()
-    {
-        list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
-
-        if ($partialId !== null && $partialStage > 1) {
-            $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
-            $statement = $this->getDatabase()->prepare($sql);
-            $statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
-            $nextStage = $statement->fetchColumn();
-            $statement->closeCursor();
-
-            $this->redirect("login/" . $this->nextPageMap[$nextStage]);
-            return;
-        }
-
-        $this->setTemplate('login/password.tpl');
-    }
-
-    protected function getProviderCredentials()
-    {
-        $password = WebRequest::postString("password");
-        if ($password === null || $password === "") {
-            throw new ApplicationLogicException("No password specified");
-        }
-
-        return $password;
-    }
+	protected function providerSpecificSetup()
+	{
+		list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
+
+		if ($partialId !== null && $partialStage > 1) {
+			$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
+			$statement = $this->getDatabase()->prepare($sql);
+			$statement->execute(array(':user' => $partialId, ':stage' => $partialStage));
+			$nextStage = $statement->fetchColumn();
+			$statement->closeCursor();
+
+			$this->redirect("login/" . $this->nextPageMap[$nextStage]);
+			return;
+		}
+
+		$this->setTemplate('login/password.tpl');
+	}
+
+	protected function getProviderCredentials()
+	{
+		$password = WebRequest::postString("password");
+		if ($password === null || $password === "") {
+			throw new ApplicationLogicException("No password specified");
+		}
+
+		return $password;
+	}
 }
\ No newline at end of file

includes/Pages/UserAuth/Login/LoginCredentialPageBase.php

Indentation +306 added lines, -306 removed lines

@@ -21,310 +21,310 @@
 
 abstract class LoginCredentialPageBase extends InternalPageBase
 {
-    /** @var User */
-    protected $partialUser = null;
-    protected $nextPageMap = array(
-        'yubikeyotp' => 'otp',
-        'totp'       => 'otp',
-        'scratch'    => 'otp',
-    );
-    protected $names = array(
-        'yubikeyotp' => 'Yubikey OTP',
-        'totp'       => 'TOTP (phone code generator)',
-        'scratch'    => 'scratch token',
-    );
-
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        if (!$this->enforceHttps()) {
-            return;
-        }
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $database = $this->getDatabase();
-            try {
-                list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
-
-                if ($partialStage === null) {
-                    $partialStage = 1;
-                }
-
-                if ($partialId === null) {
-                    $username = WebRequest::postString('username');
-
-                    if ($username === null || trim($username) === '') {
-                        throw new ApplicationLogicException('No username specified.');
-                    }
-
-                    $user = User::getByUsername($username, $database);
-                }
-                else {
-                    $user = User::getById($partialId, $database);
-                }
-
-                if ($user === false) {
-                    throw new ApplicationLogicException("Authentication failed");
-                }
-
-                $authMan = new AuthenticationManager($database, $this->getSiteConfiguration(),
-                    $this->getHttpHelper());
-
-                $credential = $this->getProviderCredentials();
-
-                $authResult = $authMan->authenticate($user, $credential, $partialStage);
-
-                if ($authResult === AuthenticationManager::AUTH_FAIL) {
-                    throw new ApplicationLogicException("Authentication failed");
-                }
-
-                if ($authResult === AuthenticationManager::AUTH_REQUIRE_NEXT_STAGE) {
-                    $this->processJumpNextStage($user, $partialStage, $database);
-
-                    return;
-                }
-
-                if ($authResult === AuthenticationManager::AUTH_OK) {
-                    $this->processLoginSuccess($user);
-
-                    return;
-                }
-            }
-            catch (ApplicationLogicException $ex) {
-                WebRequest::clearAuthPartialLogin();
-
-                SessionAlert::error($ex->getMessage());
-                $this->redirect('login');
-
-                return;
-            }
-        }
-        else {
-            $this->assign('showSignIn', true);
-
-            $this->setupPartial();
-            $this->assignCSRFToken();
-            $this->providerSpecificSetup();
-        }
-    }
-
-    protected function isProtectedPage()
-    {
-        return false;
-    }
-
-    /**
-     * Enforces HTTPS on the login form
-     *
-     * @return bool
-     */
-    private function enforceHttps()
-    {
-        if ($this->getSiteConfiguration()->getUseStrictTransportSecurity() !== false) {
-            if (WebRequest::isHttps()) {
-                // Client can clearly use HTTPS, so let's enforce it for all connections.
-                $this->headerQueue[] = "Strict-Transport-Security: max-age=15768000";
-            }
-            else {
-                // This is the login form, not the request form. We need protection here.
-                $this->redirectUrl('https://' . WebRequest::serverName() . WebRequest::requestUri());
-
-                return false;
-            }
-        }
-
-        return true;
-    }
-
-    protected abstract function providerSpecificSetup();
-
-    protected function setupPartial()
-    {
-        $database = $this->getDatabase();
-
-        // default stuff
-        $this->assign('alternatives', array()); // 'u2f' => array('U2F token'), 'otp' => array('TOTP', 'scratch', 'yubiotp')));
-
-        // is this stage one?
-        list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
-        if ($partialStage === null || $partialId === null) {
-            WebRequest::clearAuthPartialLogin();
-        }
-
-        // Check to see if we have a partial login in progress
-        $username = null;
-        if ($partialId !== null) {
-            // Yes, enforce this username
-            $this->partialUser = User::getById($partialId, $database);
-            $username = $this->partialUser->getUsername();
-
-            $this->setupAlternates($this->partialUser, $partialStage, $database);
-        }
-        else {
-            // No, see if we've preloaded a username
-            $preloadUsername = WebRequest::getString('tplUsername');
-            if ($preloadUsername !== null) {
-                $username = $preloadUsername;
-            }
-        }
-
-        if ($partialStage === null) {
-            $partialStage = 1;
-        }
-
-        $this->assign('partialStage', $partialStage);
-        $this->assign('username', $username);
-    }
-
-    /**
-     * Redirect the user back to wherever they came from after a successful login
-     *
-     * @param User $user
-     */
-    protected function goBackWhenceYouCame(User $user)
-    {
-        // Redirect to wherever the user came from
-        $redirectDestination = WebRequest::clearPostLoginRedirect();
-        if ($redirectDestination !== null) {
-            $this->redirectUrl($redirectDestination);
-        }
-        else {
-            if ($user->isNewUser()) {
-                // home page isn't allowed, go to preferences instead
-                $this->redirect('preferences');
-            }
-            else {
-                // go to the home page
-                $this->redirect('');
-            }
-        }
-    }
-
-    private function processLoginSuccess(User $user)
-    {
-        // Touch force logout
-        $user->setForceLogout(false);
-        $user->save();
-
-        $oauth = new OAuthUserHelper($user, $this->getDatabase(), $this->getOAuthProtocolHelper(),
-            $this->getSiteConfiguration());
-
-        if ($oauth->isFullyLinked()) {
-            try {
-                // Reload the user's identity ticket.
-                $oauth->refreshIdentity();
-
-                // Check for blocks
-                if ($oauth->getIdentity()->getBlocked()) {
-                    // blocked!
-                    SessionAlert::error("You are currently blocked on-wiki. You will not be able to log in until you are unblocked.");
-                    $this->redirect('login');
-
-                    return;
-                }
-            }
-            catch (OAuthException $ex) {
-                // Oops. Refreshing ticket failed. Force a re-auth.
-                $authoriseUrl = $oauth->getRequestToken();
-                WebRequest::setOAuthPartialLogin($user);
-                $this->redirectUrl($authoriseUrl);
-
-                return;
-            }
-        }
-
-        if (($this->getSiteConfiguration()->getEnforceOAuth() && !$oauth->isFullyLinked())
-            || $oauth->isPartiallyLinked()
-        ) {
-            $authoriseUrl = $oauth->getRequestToken();
-            WebRequest::setOAuthPartialLogin($user);
-            $this->redirectUrl($authoriseUrl);
-
-            return;
-        }
-
-        WebRequest::setLoggedInUser($user);
-        $this->getDomainAccessManager()->switchToDefaultDomain($user);
-
-        $this->goBackWhenceYouCame($user);
-    }
-
-    protected abstract function getProviderCredentials();
-
-    /**
-     * @param User        $user
-     * @param int         $partialStage
-     * @param PdoDatabase $database
-     *
-     * @throws ApplicationLogicException
-     */
-    private function processJumpNextStage(User $user, $partialStage, PdoDatabase $database)
-    {
-        WebRequest::setAuthPartialLogin($user->getId(), $partialStage + 1);
-
-        $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
-        $statement = $database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage + 1));
-        $nextStage = $statement->fetchColumn();
-        $statement->closeCursor();
-
-        if (!isset($this->nextPageMap[$nextStage])) {
-            throw new ApplicationLogicException('Unknown page handler for next authentication stage.');
-        }
-
-        $this->redirect("login/" . $this->nextPageMap[$nextStage]);
-    }
-
-    private function setupAlternates(User $user, $partialStage, PdoDatabase $database)
-    {
-        // get the providers available
-        $sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0';
-        $statement = $database->prepare($sql);
-        $statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage));
-        $alternates = $statement->fetchAll(PDO::FETCH_COLUMN);
-
-        $types = array();
-        foreach ($alternates as $item) {
-            $type = $this->nextPageMap[$item];
-            if (!isset($types[$type])) {
-                $types[$type] = array();
-            }
-
-            $types[$type][] = $item;
-        }
-
-        $userOptions = array();
-        if (get_called_class() !== PageOtpLogin::class) {
-            $userOptions = array_merge($userOptions, $this->setupUserOptionsForType($types, 'otp', $userOptions));
-        }
-
-        $this->assign('alternatives', $userOptions);
-    }
-
-    /**
-     * @param $types
-     * @param $type
-     * @param $userOptions
-     *
-     * @return mixed
-     */
-    private function setupUserOptionsForType($types, $type, $userOptions)
-    {
-        if (isset($types[$type])) {
-            $options = $types[$type];
-
-            array_walk($options, function(&$val) {
-                $val = $this->names[$val];
-            });
-
-            $userOptions[$type] = $options;
-        }
-
-        return $userOptions;
-    }
+	/** @var User */
+	protected $partialUser = null;
+	protected $nextPageMap = array(
+		'yubikeyotp' => 'otp',
+		'totp'       => 'otp',
+		'scratch'    => 'otp',
+	);
+	protected $names = array(
+		'yubikeyotp' => 'Yubikey OTP',
+		'totp'       => 'TOTP (phone code generator)',
+		'scratch'    => 'scratch token',
+	);
+
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		if (!$this->enforceHttps()) {
+			return;
+		}
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$database = $this->getDatabase();
+			try {
+				list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
+
+				if ($partialStage === null) {
+					$partialStage = 1;
+				}
+
+				if ($partialId === null) {
+					$username = WebRequest::postString('username');
+
+					if ($username === null || trim($username) === '') {
+						throw new ApplicationLogicException('No username specified.');
+					}
+
+					$user = User::getByUsername($username, $database);
+				}
+				else {
+					$user = User::getById($partialId, $database);
+				}
+
+				if ($user === false) {
+					throw new ApplicationLogicException("Authentication failed");
+				}
+
+				$authMan = new AuthenticationManager($database, $this->getSiteConfiguration(),
+					$this->getHttpHelper());
+
+				$credential = $this->getProviderCredentials();
+
+				$authResult = $authMan->authenticate($user, $credential, $partialStage);
+
+				if ($authResult === AuthenticationManager::AUTH_FAIL) {
+					throw new ApplicationLogicException("Authentication failed");
+				}
+
+				if ($authResult === AuthenticationManager::AUTH_REQUIRE_NEXT_STAGE) {
+					$this->processJumpNextStage($user, $partialStage, $database);
+
+					return;
+				}
+
+				if ($authResult === AuthenticationManager::AUTH_OK) {
+					$this->processLoginSuccess($user);
+
+					return;
+				}
+			}
+			catch (ApplicationLogicException $ex) {
+				WebRequest::clearAuthPartialLogin();
+
+				SessionAlert::error($ex->getMessage());
+				$this->redirect('login');
+
+				return;
+			}
+		}
+		else {
+			$this->assign('showSignIn', true);
+
+			$this->setupPartial();
+			$this->assignCSRFToken();
+			$this->providerSpecificSetup();
+		}
+	}
+
+	protected function isProtectedPage()
+	{
+		return false;
+	}
+
+	/**
+	 * Enforces HTTPS on the login form
+	 *
+	 * @return bool
+	 */
+	private function enforceHttps()
+	{
+		if ($this->getSiteConfiguration()->getUseStrictTransportSecurity() !== false) {
+			if (WebRequest::isHttps()) {
+				// Client can clearly use HTTPS, so let's enforce it for all connections.
+				$this->headerQueue[] = "Strict-Transport-Security: max-age=15768000";
+			}
+			else {
+				// This is the login form, not the request form. We need protection here.
+				$this->redirectUrl('https://' . WebRequest::serverName() . WebRequest::requestUri());
+
+				return false;
+			}
+		}
+
+		return true;
+	}
+
+	protected abstract function providerSpecificSetup();
+
+	protected function setupPartial()
+	{
+		$database = $this->getDatabase();
+
+		// default stuff
+		$this->assign('alternatives', array()); // 'u2f' => array('U2F token'), 'otp' => array('TOTP', 'scratch', 'yubiotp')));
+
+		// is this stage one?
+		list($partialId, $partialStage) = WebRequest::getAuthPartialLogin();
+		if ($partialStage === null || $partialId === null) {
+			WebRequest::clearAuthPartialLogin();
+		}
+
+		// Check to see if we have a partial login in progress
+		$username = null;
+		if ($partialId !== null) {
+			// Yes, enforce this username
+			$this->partialUser = User::getById($partialId, $database);
+			$username = $this->partialUser->getUsername();
+
+			$this->setupAlternates($this->partialUser, $partialStage, $database);
+		}
+		else {
+			// No, see if we've preloaded a username
+			$preloadUsername = WebRequest::getString('tplUsername');
+			if ($preloadUsername !== null) {
+				$username = $preloadUsername;
+			}
+		}
+
+		if ($partialStage === null) {
+			$partialStage = 1;
+		}
+
+		$this->assign('partialStage', $partialStage);
+		$this->assign('username', $username);
+	}
+
+	/**
+	 * Redirect the user back to wherever they came from after a successful login
+	 *
+	 * @param User $user
+	 */
+	protected function goBackWhenceYouCame(User $user)
+	{
+		// Redirect to wherever the user came from
+		$redirectDestination = WebRequest::clearPostLoginRedirect();
+		if ($redirectDestination !== null) {
+			$this->redirectUrl($redirectDestination);
+		}
+		else {
+			if ($user->isNewUser()) {
+				// home page isn't allowed, go to preferences instead
+				$this->redirect('preferences');
+			}
+			else {
+				// go to the home page
+				$this->redirect('');
+			}
+		}
+	}
+
+	private function processLoginSuccess(User $user)
+	{
+		// Touch force logout
+		$user->setForceLogout(false);
+		$user->save();
+
+		$oauth = new OAuthUserHelper($user, $this->getDatabase(), $this->getOAuthProtocolHelper(),
+			$this->getSiteConfiguration());
+
+		if ($oauth->isFullyLinked()) {
+			try {
+				// Reload the user's identity ticket.
+				$oauth->refreshIdentity();
+
+				// Check for blocks
+				if ($oauth->getIdentity()->getBlocked()) {
+					// blocked!
+					SessionAlert::error("You are currently blocked on-wiki. You will not be able to log in until you are unblocked.");
+					$this->redirect('login');
+
+					return;
+				}
+			}
+			catch (OAuthException $ex) {
+				// Oops. Refreshing ticket failed. Force a re-auth.
+				$authoriseUrl = $oauth->getRequestToken();
+				WebRequest::setOAuthPartialLogin($user);
+				$this->redirectUrl($authoriseUrl);
+
+				return;
+			}
+		}
+
+		if (($this->getSiteConfiguration()->getEnforceOAuth() && !$oauth->isFullyLinked())
+			|| $oauth->isPartiallyLinked()
+		) {
+			$authoriseUrl = $oauth->getRequestToken();
+			WebRequest::setOAuthPartialLogin($user);
+			$this->redirectUrl($authoriseUrl);
+
+			return;
+		}
+
+		WebRequest::setLoggedInUser($user);
+		$this->getDomainAccessManager()->switchToDefaultDomain($user);
+
+		$this->goBackWhenceYouCame($user);
+	}
+
+	protected abstract function getProviderCredentials();
+
+	/**
+	 * @param User        $user
+	 * @param int         $partialStage
+	 * @param PdoDatabase $database
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function processJumpNextStage(User $user, $partialStage, PdoDatabase $database)
+	{
+		WebRequest::setAuthPartialLogin($user->getId(), $partialStage + 1);
+
+		$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0 ORDER BY priority';
+		$statement = $database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage + 1));
+		$nextStage = $statement->fetchColumn();
+		$statement->closeCursor();
+
+		if (!isset($this->nextPageMap[$nextStage])) {
+			throw new ApplicationLogicException('Unknown page handler for next authentication stage.');
+		}
+
+		$this->redirect("login/" . $this->nextPageMap[$nextStage]);
+	}
+
+	private function setupAlternates(User $user, $partialStage, PdoDatabase $database)
+	{
+		// get the providers available
+		$sql = 'SELECT type FROM credential WHERE user = :user AND factor = :stage AND disabled = 0';
+		$statement = $database->prepare($sql);
+		$statement->execute(array(':user' => $user->getId(), ':stage' => $partialStage));
+		$alternates = $statement->fetchAll(PDO::FETCH_COLUMN);
+
+		$types = array();
+		foreach ($alternates as $item) {
+			$type = $this->nextPageMap[$item];
+			if (!isset($types[$type])) {
+				$types[$type] = array();
+			}
+
+			$types[$type][] = $item;
+		}
+
+		$userOptions = array();
+		if (get_called_class() !== PageOtpLogin::class) {
+			$userOptions = array_merge($userOptions, $this->setupUserOptionsForType($types, 'otp', $userOptions));
+		}
+
+		$this->assign('alternatives', $userOptions);
+	}
+
+	/**
+	 * @param $types
+	 * @param $type
+	 * @param $userOptions
+	 *
+	 * @return mixed
+	 */
+	private function setupUserOptionsForType($types, $type, $userOptions)
+	{
+		if (isset($types[$type])) {
+			$options = $types[$type];
+
+			array_walk($options, function(&$val) {
+				$val = $this->names[$val];
+			});
+
+			$userOptions[$type] = $options;
+		}
+
+		return $userOptions;
+	}
 }

includes/Pages/UserAuth/PagePreferences.php

Indentation +161 added lines, -161 removed lines

@@ -20,165 +20,165 @@
 
 class PagePreferences extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        $this->setHtmlTitle('Preferences');
-
-        $enforceOAuth = $this->getSiteConfiguration()->getEnforceOAuth();
-        $database = $this->getDatabase();
-        $user = User::getCurrent($database);
-        $preferencesManager = PreferenceManager::getForCurrent($database);
-
-        // Dual mode
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $this->setPreference($preferencesManager,PreferenceManager::PREF_EMAIL_SIGNATURE, 'emailSignature');
-            $this->setPreferenceWithValue($preferencesManager,PreferenceManager::PREF_SKIP_JS_ABORT, 'skipJsAbort', WebRequest::postBoolean('skipJsAbort') ? 1 : 0);
-            $this->setPreferenceWithValue($preferencesManager,PreferenceManager::PREF_QUEUE_HELP, 'showQueueHelp', WebRequest::postBoolean('showQueueHelp') ? 1 : 0);
-            $this->setCreationMode($user, $preferencesManager);
-            $this->setSkin($preferencesManager);
-            $preferencesManager->setGlobalPreference(PreferenceManager::PREF_DEFAULT_DOMAIN, WebRequest::postInt('defaultDomain'));
-
-            $email = WebRequest::postEmail('email');
-            if ($email !== null) {
-                $user->setEmail($email);
-            }
-
-            $user->save();
-            SessionAlert::success("Preferences updated!");
-
-            if ($this->barrierTest(RoleConfiguration::MAIN, $user, PageMain::class)) {
-                $this->redirect('');
-            }
-            else {
-                $this->redirect('preferences');
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('preferences/prefs.tpl');
-
-            // FIXME: domains!
-            /** @var Domain $domain */
-            $domain = Domain::getById(1, $this->getDatabase());
-            $this->assign('mediawikiScriptPath', $domain->getWikiArticlePath());
-
-            $this->assign("enforceOAuth", $enforceOAuth);
-
-            $this->assignPreference($preferencesManager, PreferenceManager::PREF_EMAIL_SIGNATURE, 'emailSignature', false);
-            $this->assignPreference($preferencesManager, PreferenceManager::PREF_CREATION_MODE, 'creationMode', false);
-            $this->assignPreference($preferencesManager, PreferenceManager::PREF_SKIN, 'skin', true);
-            $this->assignPreference($preferencesManager, PreferenceManager::PREF_SKIP_JS_ABORT, 'skipJsAbort', false);
-            $this->assignPreference($preferencesManager, PreferenceManager::PREF_QUEUE_HELP, 'showQueueHelp', false, true);
-            $this->assignPreference($preferencesManager, PreferenceManager::PREF_DEFAULT_DOMAIN, 'defaultDomain', true);
-
-            $this->assign('canManualCreate',
-                $this->barrierTest(PreferenceManager::CREATION_MANUAL, $user, 'RequestCreation'));
-            $this->assign('canOauthCreate',
-                $this->barrierTest(PreferenceManager::CREATION_OAUTH, $user, 'RequestCreation'));
-            $this->assign('canBotCreate',
-                $this->barrierTest(PreferenceManager::CREATION_BOT, $user, 'RequestCreation'));
-
-            $oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(),
-                $this->getSiteConfiguration());
-            $this->assign('oauth', $oauth);
-
-            $identity = null;
-            if ($oauth->isFullyLinked()) {
-                $identity = $oauth->getIdentity(true);
-            }
-
-            $this->assign('identity', $identity);
-            $this->assign('graceTime', $this->getSiteConfiguration()->getOauthIdentityGraceTime());
-        }
-    }
-
-    private function assignPreference(
-        PreferenceManager $preferencesManager,
-        string $preference,
-        string $fieldName,
-        bool $defaultGlobal,
-        $defaultValue = null
-    ): void {
-        $this->assign($fieldName, $preferencesManager->getPreference($preference) ?? $defaultValue);
-        $this->assign($fieldName . 'Global', $preferencesManager->isGlobalPreference($preference) ?? $defaultGlobal);
-    }
-
-    private function setPreferenceWithValue(
-        PreferenceManager $preferencesManager,
-        string $preferenceName,
-        string $fieldName,
-        $value
-    ): void {
-        $globalDefinition = WebRequest::postBoolean($fieldName . 'Global');
-        if ($globalDefinition) {
-            $preferencesManager->setGlobalPreference($preferenceName, $value);
-        }
-        else {
-            $preferencesManager->setLocalPreference($preferenceName, $value);
-        }
-    }
-
-    private function setPreference(
-        PreferenceManager $preferencesManager,
-        string $preferenceName,
-        string $fieldName
-    ): void {
-        $this->setPreferenceWithValue($preferencesManager, $preferenceName, $fieldName, WebRequest::postString($fieldName));
-    }
-
-    protected function refreshOAuth()
-    {
-        if (!WebRequest::wasPosted()) {
-            $this->redirect('preferences');
-
-            return;
-        }
-
-        $database = $this->getDatabase();
-        $oauth = new OAuthUserHelper(User::getCurrent($database), $database, $this->getOAuthProtocolHelper(),
-            $this->getSiteConfiguration());
-
-        // token is for old consumer, run through the approval workflow again
-        if ($oauth->getIdentity(true)->getAudience() !== $this->getSiteConfiguration()->getOAuthConsumerToken()) {
-            $authoriseUrl = $oauth->getRequestToken();
-            $this->redirectUrl($authoriseUrl);
-
-            return;
-        }
-
-        if ($oauth->isFullyLinked()) {
-            $oauth->refreshIdentity();
-        }
-
-        $this->redirect('preferences');
-
-        return;
-    }
-
-    private function setCreationMode(User $user, PreferenceManager $preferenceManager)
-    {
-        // if the user is selecting a creation mode that they are not allowed, do nothing.
-        // this has the side effect of allowing them to keep a selected mode that either has been changed for them,
-        // or that they have kept from when they previously had certain access.
-        // This setting is only settable locally, as ACLs may change between domains.
-        $creationMode = WebRequest::postInt('creationMode');
-        if ($this->barrierTest($creationMode, $user, 'RequestCreation')) {
-            $preferenceManager->setLocalPreference(PreferenceManager::PREF_CREATION_MODE, WebRequest::postString('creationMode'));
-        }
-    }
-
-    private function setSkin(PreferenceManager $preferencesManager): void
-    {
-        $newSkin = WebRequest::postString('skin');
-        $allowedSkins = ['main', 'alt', 'auto'];
-        if (in_array($newSkin, $allowedSkins)) {
-            $this->setPreference($preferencesManager, PreferenceManager::PREF_SKIN, 'skin');
-        }
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		$this->setHtmlTitle('Preferences');
+
+		$enforceOAuth = $this->getSiteConfiguration()->getEnforceOAuth();
+		$database = $this->getDatabase();
+		$user = User::getCurrent($database);
+		$preferencesManager = PreferenceManager::getForCurrent($database);
+
+		// Dual mode
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$this->setPreference($preferencesManager,PreferenceManager::PREF_EMAIL_SIGNATURE, 'emailSignature');
+			$this->setPreferenceWithValue($preferencesManager,PreferenceManager::PREF_SKIP_JS_ABORT, 'skipJsAbort', WebRequest::postBoolean('skipJsAbort') ? 1 : 0);
+			$this->setPreferenceWithValue($preferencesManager,PreferenceManager::PREF_QUEUE_HELP, 'showQueueHelp', WebRequest::postBoolean('showQueueHelp') ? 1 : 0);
+			$this->setCreationMode($user, $preferencesManager);
+			$this->setSkin($preferencesManager);
+			$preferencesManager->setGlobalPreference(PreferenceManager::PREF_DEFAULT_DOMAIN, WebRequest::postInt('defaultDomain'));
+
+			$email = WebRequest::postEmail('email');
+			if ($email !== null) {
+				$user->setEmail($email);
+			}
+
+			$user->save();
+			SessionAlert::success("Preferences updated!");
+
+			if ($this->barrierTest(RoleConfiguration::MAIN, $user, PageMain::class)) {
+				$this->redirect('');
+			}
+			else {
+				$this->redirect('preferences');
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('preferences/prefs.tpl');
+
+			// FIXME: domains!
+			/** @var Domain $domain */
+			$domain = Domain::getById(1, $this->getDatabase());
+			$this->assign('mediawikiScriptPath', $domain->getWikiArticlePath());
+
+			$this->assign("enforceOAuth", $enforceOAuth);
+
+			$this->assignPreference($preferencesManager, PreferenceManager::PREF_EMAIL_SIGNATURE, 'emailSignature', false);
+			$this->assignPreference($preferencesManager, PreferenceManager::PREF_CREATION_MODE, 'creationMode', false);
+			$this->assignPreference($preferencesManager, PreferenceManager::PREF_SKIN, 'skin', true);
+			$this->assignPreference($preferencesManager, PreferenceManager::PREF_SKIP_JS_ABORT, 'skipJsAbort', false);
+			$this->assignPreference($preferencesManager, PreferenceManager::PREF_QUEUE_HELP, 'showQueueHelp', false, true);
+			$this->assignPreference($preferencesManager, PreferenceManager::PREF_DEFAULT_DOMAIN, 'defaultDomain', true);
+
+			$this->assign('canManualCreate',
+				$this->barrierTest(PreferenceManager::CREATION_MANUAL, $user, 'RequestCreation'));
+			$this->assign('canOauthCreate',
+				$this->barrierTest(PreferenceManager::CREATION_OAUTH, $user, 'RequestCreation'));
+			$this->assign('canBotCreate',
+				$this->barrierTest(PreferenceManager::CREATION_BOT, $user, 'RequestCreation'));
+
+			$oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(),
+				$this->getSiteConfiguration());
+			$this->assign('oauth', $oauth);
+
+			$identity = null;
+			if ($oauth->isFullyLinked()) {
+				$identity = $oauth->getIdentity(true);
+			}
+
+			$this->assign('identity', $identity);
+			$this->assign('graceTime', $this->getSiteConfiguration()->getOauthIdentityGraceTime());
+		}
+	}
+
+	private function assignPreference(
+		PreferenceManager $preferencesManager,
+		string $preference,
+		string $fieldName,
+		bool $defaultGlobal,
+		$defaultValue = null
+	): void {
+		$this->assign($fieldName, $preferencesManager->getPreference($preference) ?? $defaultValue);
+		$this->assign($fieldName . 'Global', $preferencesManager->isGlobalPreference($preference) ?? $defaultGlobal);
+	}
+
+	private function setPreferenceWithValue(
+		PreferenceManager $preferencesManager,
+		string $preferenceName,
+		string $fieldName,
+		$value
+	): void {
+		$globalDefinition = WebRequest::postBoolean($fieldName . 'Global');
+		if ($globalDefinition) {
+			$preferencesManager->setGlobalPreference($preferenceName, $value);
+		}
+		else {
+			$preferencesManager->setLocalPreference($preferenceName, $value);
+		}
+	}
+
+	private function setPreference(
+		PreferenceManager $preferencesManager,
+		string $preferenceName,
+		string $fieldName
+	): void {
+		$this->setPreferenceWithValue($preferencesManager, $preferenceName, $fieldName, WebRequest::postString($fieldName));
+	}
+
+	protected function refreshOAuth()
+	{
+		if (!WebRequest::wasPosted()) {
+			$this->redirect('preferences');
+
+			return;
+		}
+
+		$database = $this->getDatabase();
+		$oauth = new OAuthUserHelper(User::getCurrent($database), $database, $this->getOAuthProtocolHelper(),
+			$this->getSiteConfiguration());
+
+		// token is for old consumer, run through the approval workflow again
+		if ($oauth->getIdentity(true)->getAudience() !== $this->getSiteConfiguration()->getOAuthConsumerToken()) {
+			$authoriseUrl = $oauth->getRequestToken();
+			$this->redirectUrl($authoriseUrl);
+
+			return;
+		}
+
+		if ($oauth->isFullyLinked()) {
+			$oauth->refreshIdentity();
+		}
+
+		$this->redirect('preferences');
+
+		return;
+	}
+
+	private function setCreationMode(User $user, PreferenceManager $preferenceManager)
+	{
+		// if the user is selecting a creation mode that they are not allowed, do nothing.
+		// this has the side effect of allowing them to keep a selected mode that either has been changed for them,
+		// or that they have kept from when they previously had certain access.
+		// This setting is only settable locally, as ACLs may change between domains.
+		$creationMode = WebRequest::postInt('creationMode');
+		if ($this->barrierTest($creationMode, $user, 'RequestCreation')) {
+			$preferenceManager->setLocalPreference(PreferenceManager::PREF_CREATION_MODE, WebRequest::postString('creationMode'));
+		}
+	}
+
+	private function setSkin(PreferenceManager $preferencesManager): void
+	{
+		$newSkin = WebRequest::postString('skin');
+		$allowedSkins = ['main', 'alt', 'auto'];
+		if (in_array($newSkin, $allowedSkins)) {
+			$this->setPreference($preferencesManager, PreferenceManager::PREF_SKIN, 'skin');
+		}
+	}
 }

includes/Pages/UserAuth/MultiFactor/PageMultiFactor.php

Indentation +293 added lines, -293 removed lines

@@ -26,297 +26,297 @@
 
 class PageMultiFactor extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     * @return void
-     */
-    protected function main()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $yubikeyOtpCredentialProvider = new YubikeyOtpCredentialProvider($database, $this->getSiteConfiguration(),
-            $this->getHttpHelper());
-        $this->assign('yubikeyOtpIdentity', $yubikeyOtpCredentialProvider->getYubikeyData($currentUser->getId()));
-        $this->assign('yubikeyOtpEnrolled', $yubikeyOtpCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $totpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('totpEnrolled', $totpCredentialProvider->userIsEnrolled($currentUser->getId()));
-
-        $scratchCredentialProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-        $this->assign('scratchEnrolled', $scratchCredentialProvider->userIsEnrolled($currentUser->getId()));
-        $this->assign('scratchRemaining', $scratchCredentialProvider->getRemaining($currentUser->getId()));
-
-        $this->assign('allowedTotp', $this->barrierTest('enableTotp', $currentUser));
-        $this->assign('allowedYubikey', $this->barrierTest('enableYubikeyOtp', $currentUser));
-
-        $this->setTemplate('mfa/mfa.tpl');
-    }
-
-    protected function enableYubikeyOtp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
-            $this->getSiteConfiguration(), $this->getHttpHelper());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $password = WebRequest::postString('password');
-            $otp = WebRequest::postString('otp');
-
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                try {
-                    $otpCredentialProvider->setCredential($currentUser, 2, $otp);
-                    SessionAlert::success('Enabled YubiKey OTP.');
-
-                    $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                    if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                        $scratchProvider->setCredential($currentUser, 2, null);
-                        $tokens = $scratchProvider->getTokens();
-                        $this->assign('tokens', $tokens);
-                        $this->setTemplate('mfa/regenScratchTokens.tpl');
-                        return;
-                    }
-                }
-                catch (ApplicationLogicException $ex) {
-                    SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
-                }
-
-                $this->redirect('multiFactor');
-            }
-            else {
-                SessionAlert::error('Error enabling YubiKey OTP - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->setTemplate('mfa/enableYubikey.tpl');
-        }
-    }
-
-    protected function disableYubikeyOtp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
-            $this->getSiteConfiguration(), $this->getHttpHelper());
-
-        $factorType = 'YubiKey OTP';
-
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
-
-    protected function enableTotp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            // used for routing only, not security
-            $stage = WebRequest::postString('stage');
-
-            if ($stage === "auth") {
-                $password = WebRequest::postString('password');
-
-                $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                    $this->getSiteConfiguration());
-                $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-                if ($result) {
-                    $otpCredentialProvider->setCredential($currentUser, 2, null);
-
-                    $provisioningUrl = $otpCredentialProvider->getProvisioningUrl($currentUser);
-
-                    $renderer = new ImageRenderer(
-                        new RendererStyle(256),
-                        new SvgImageBackEnd()
-                    );
-
-                    $writer = new Writer($renderer);
-                    $svg = $writer->writeString($provisioningUrl);
-
-                    $this->assign('svg', $svg);
-                    $this->assign('secret', $otpCredentialProvider->getSecret($currentUser));
-
-                    $this->assignCSRFToken();
-                    $this->setTemplate('mfa/enableTotpEnroll.tpl');
-
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - invalid credentials.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            if ($stage === "enroll") {
-                // we *must* have a defined credential already here,
-                if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
-                    $otp = WebRequest::postString('otp');
-                    $result = $otpCredentialProvider->verifyEnable($currentUser, $otp);
-
-                    if ($result) {
-                        SessionAlert::success('Enabled TOTP.');
-
-                        $scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
-                        if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
-                            $scratchProvider->setCredential($currentUser, 2, null);
-                            $tokens = $scratchProvider->getTokens();
-                            $this->assign('tokens', $tokens);
-                            $this->setTemplate('mfa/regenScratchTokens.tpl');
-                            return;
-                        }
-                    }
-                    else {
-                        $otpCredentialProvider->deleteCredential($currentUser);
-                        SessionAlert::error('Error enabling TOTP: invalid token provided');
-                    }
-
-
-                    $this->redirect('multiFactor');
-                    return;
-                }
-                else {
-                    SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
-                    $this->redirect('multiFactor');
-
-                    return;
-                }
-            }
-
-            // urgh, dunno what happened, but it's not something expected.
-            throw new ApplicationLogicException();
-        }
-        else {
-            if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-
-            $this->assign('alertmessage', 'To enable your multi-factor credentials, please prove you are who you say you are by providing your tool password below.');
-            $this->assign('alertheader', 'Provide credentials');
-            $this->assign('continueText', 'Verify password');
-            $this->setTemplate('mfa/enableAuth.tpl');
-        }
-    }
-
-    protected function disableTotp()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
-
-        $factorType = 'TOTP';
-
-        $this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
-    }
-
-    protected function scratch()
-    {
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $otpCredentialProvider = new ScratchTokenCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $password = WebRequest::postString('password');
-
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                $otpCredentialProvider->setCredential($currentUser, 2, null);
-                $tokens = $otpCredentialProvider->getTokens();
-                $this->assign('tokens', $tokens);
-                $this->setTemplate('mfa/regenScratchTokens.tpl');
-            }
-            else {
-                SessionAlert::error('Error refreshing scratch tokens - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            $this->assignCSRFToken();
-
-            $this->assign('alertmessage', 'To regenerate your emergency scratch tokens, please prove you are who you say you are by providing your tool password below. Note that continuing will invalidate all remaining scratch tokens, and provide a set of new ones.');
-            $this->assign('alertheader', 'Re-generate scratch tokens');
-            $this->assign('continueText', 'Regenerate Scratch Tokens');
-
-            $this->setTemplate('mfa/enableAuth.tpl');
-        }
-    }
-
-    /**
-     * @param PdoDatabase         $database
-     * @param User                $currentUser
-     * @param ICredentialProvider $otpCredentialProvider
-     * @param string              $factorType
-     *
-     * @throws ApplicationLogicException
-     */
-    private function deleteCredential(
-        PdoDatabase $database,
-        User $currentUser,
-        ICredentialProvider $otpCredentialProvider,
-        $factorType
-    ) {
-        if (WebRequest::wasPosted()) {
-            $passwordCredentialProvider = new PasswordCredentialProvider($database,
-                $this->getSiteConfiguration());
-
-            $this->validateCSRFToken();
-
-            $password = WebRequest::postString('password');
-            $result = $passwordCredentialProvider->authenticate($currentUser, $password);
-
-            if ($result) {
-                $otpCredentialProvider->deleteCredential($currentUser);
-                SessionAlert::success('Disabled ' . $factorType . '.');
-                $this->redirect('multiFactor');
-            }
-            else {
-                SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
-                $this->redirect('multiFactor');
-            }
-        }
-        else {
-            if (!$otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
-                // user is not enrolled, we shouldn't have got here.
-                throw new ApplicationLogicException('User is not enrolled in the selected MFA mechanism');
-            }
-
-            $this->assignCSRFToken();
-            $this->assign('otpType', $factorType);
-            $this->setTemplate('mfa/disableOtp.tpl');
-        }
-    }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 * @return void
+	 */
+	protected function main()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$yubikeyOtpCredentialProvider = new YubikeyOtpCredentialProvider($database, $this->getSiteConfiguration(),
+			$this->getHttpHelper());
+		$this->assign('yubikeyOtpIdentity', $yubikeyOtpCredentialProvider->getYubikeyData($currentUser->getId()));
+		$this->assign('yubikeyOtpEnrolled', $yubikeyOtpCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$totpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('totpEnrolled', $totpCredentialProvider->userIsEnrolled($currentUser->getId()));
+
+		$scratchCredentialProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+		$this->assign('scratchEnrolled', $scratchCredentialProvider->userIsEnrolled($currentUser->getId()));
+		$this->assign('scratchRemaining', $scratchCredentialProvider->getRemaining($currentUser->getId()));
+
+		$this->assign('allowedTotp', $this->barrierTest('enableTotp', $currentUser));
+		$this->assign('allowedYubikey', $this->barrierTest('enableYubikeyOtp', $currentUser));
+
+		$this->setTemplate('mfa/mfa.tpl');
+	}
+
+	protected function enableYubikeyOtp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
+			$this->getSiteConfiguration(), $this->getHttpHelper());
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$password = WebRequest::postString('password');
+			$otp = WebRequest::postString('otp');
+
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				try {
+					$otpCredentialProvider->setCredential($currentUser, 2, $otp);
+					SessionAlert::success('Enabled YubiKey OTP.');
+
+					$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+					if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+						$scratchProvider->setCredential($currentUser, 2, null);
+						$tokens = $scratchProvider->getTokens();
+						$this->assign('tokens', $tokens);
+						$this->setTemplate('mfa/regenScratchTokens.tpl');
+						return;
+					}
+				}
+				catch (ApplicationLogicException $ex) {
+					SessionAlert::error('Error enabling YubiKey OTP: ' . $ex->getMessage());
+				}
+
+				$this->redirect('multiFactor');
+			}
+			else {
+				SessionAlert::error('Error enabling YubiKey OTP - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->setTemplate('mfa/enableYubikey.tpl');
+		}
+	}
+
+	protected function disableYubikeyOtp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new YubikeyOtpCredentialProvider($database,
+			$this->getSiteConfiguration(), $this->getHttpHelper());
+
+		$factorType = 'YubiKey OTP';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
+
+	protected function enableTotp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			// used for routing only, not security
+			$stage = WebRequest::postString('stage');
+
+			if ($stage === "auth") {
+				$password = WebRequest::postString('password');
+
+				$passwordCredentialProvider = new PasswordCredentialProvider($database,
+					$this->getSiteConfiguration());
+				$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+				if ($result) {
+					$otpCredentialProvider->setCredential($currentUser, 2, null);
+
+					$provisioningUrl = $otpCredentialProvider->getProvisioningUrl($currentUser);
+
+					$renderer = new ImageRenderer(
+						new RendererStyle(256),
+						new SvgImageBackEnd()
+					);
+
+					$writer = new Writer($renderer);
+					$svg = $writer->writeString($provisioningUrl);
+
+					$this->assign('svg', $svg);
+					$this->assign('secret', $otpCredentialProvider->getSecret($currentUser));
+
+					$this->assignCSRFToken();
+					$this->setTemplate('mfa/enableTotpEnroll.tpl');
+
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - invalid credentials.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			if ($stage === "enroll") {
+				// we *must* have a defined credential already here,
+				if ($otpCredentialProvider->isPartiallyEnrolled($currentUser)) {
+					$otp = WebRequest::postString('otp');
+					$result = $otpCredentialProvider->verifyEnable($currentUser, $otp);
+
+					if ($result) {
+						SessionAlert::success('Enabled TOTP.');
+
+						$scratchProvider = new ScratchTokenCredentialProvider($database, $this->getSiteConfiguration());
+						if ($scratchProvider->getRemaining($currentUser->getId()) < 3) {
+							$scratchProvider->setCredential($currentUser, 2, null);
+							$tokens = $scratchProvider->getTokens();
+							$this->assign('tokens', $tokens);
+							$this->setTemplate('mfa/regenScratchTokens.tpl');
+							return;
+						}
+					}
+					else {
+						$otpCredentialProvider->deleteCredential($currentUser);
+						SessionAlert::error('Error enabling TOTP: invalid token provided');
+					}
+
+
+					$this->redirect('multiFactor');
+					return;
+				}
+				else {
+					SessionAlert::error('Error enabling TOTP - no enrollment found or enrollment expired.');
+					$this->redirect('multiFactor');
+
+					return;
+				}
+			}
+
+			// urgh, dunno what happened, but it's not something expected.
+			throw new ApplicationLogicException();
+		}
+		else {
+			if ($otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is already enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+
+			$this->assign('alertmessage', 'To enable your multi-factor credentials, please prove you are who you say you are by providing your tool password below.');
+			$this->assign('alertheader', 'Provide credentials');
+			$this->assign('continueText', 'Verify password');
+			$this->setTemplate('mfa/enableAuth.tpl');
+		}
+	}
+
+	protected function disableTotp()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$otpCredentialProvider = new TotpCredentialProvider($database, $this->getSiteConfiguration());
+
+		$factorType = 'TOTP';
+
+		$this->deleteCredential($database, $currentUser, $otpCredentialProvider, $factorType);
+	}
+
+	protected function scratch()
+	{
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$otpCredentialProvider = new ScratchTokenCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$password = WebRequest::postString('password');
+
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				$otpCredentialProvider->setCredential($currentUser, 2, null);
+				$tokens = $otpCredentialProvider->getTokens();
+				$this->assign('tokens', $tokens);
+				$this->setTemplate('mfa/regenScratchTokens.tpl');
+			}
+			else {
+				SessionAlert::error('Error refreshing scratch tokens - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			$this->assignCSRFToken();
+
+			$this->assign('alertmessage', 'To regenerate your emergency scratch tokens, please prove you are who you say you are by providing your tool password below. Note that continuing will invalidate all remaining scratch tokens, and provide a set of new ones.');
+			$this->assign('alertheader', 'Re-generate scratch tokens');
+			$this->assign('continueText', 'Regenerate Scratch Tokens');
+
+			$this->setTemplate('mfa/enableAuth.tpl');
+		}
+	}
+
+	/**
+	 * @param PdoDatabase         $database
+	 * @param User                $currentUser
+	 * @param ICredentialProvider $otpCredentialProvider
+	 * @param string              $factorType
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function deleteCredential(
+		PdoDatabase $database,
+		User $currentUser,
+		ICredentialProvider $otpCredentialProvider,
+		$factorType
+	) {
+		if (WebRequest::wasPosted()) {
+			$passwordCredentialProvider = new PasswordCredentialProvider($database,
+				$this->getSiteConfiguration());
+
+			$this->validateCSRFToken();
+
+			$password = WebRequest::postString('password');
+			$result = $passwordCredentialProvider->authenticate($currentUser, $password);
+
+			if ($result) {
+				$otpCredentialProvider->deleteCredential($currentUser);
+				SessionAlert::success('Disabled ' . $factorType . '.');
+				$this->redirect('multiFactor');
+			}
+			else {
+				SessionAlert::error('Error disabling ' . $factorType . ' - invalid credentials.');
+				$this->redirect('multiFactor');
+			}
+		}
+		else {
+			if (!$otpCredentialProvider->userIsEnrolled($currentUser->getId())) {
+				// user is not enrolled, we shouldn't have got here.
+				throw new ApplicationLogicException('User is not enrolled in the selected MFA mechanism');
+			}
+
+			$this->assignCSRFToken();
+			$this->assign('otpType', $factorType);
+			$this->setTemplate('mfa/disableOtp.tpl');
+		}
+	}
 }

includes/Pages/UserAuth/PageLogout.php

Indentation +16 added lines, -16 removed lines

@@ -14,22 +14,22 @@
 
 class PageLogout extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     */
-    protected function main()
-    {
-        if (WebRequest::wasPosted()) {
-            Session::destroy();
-            $this->redirect("login");
-            return;
-        }
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 */
+	protected function main()
+	{
+		if (WebRequest::wasPosted()) {
+			Session::destroy();
+			$this->redirect("login");
+			return;
+		}
 
-        $this->redirect();
-    }
+		$this->redirect();
+	}
 
-    protected function isProtectedPage()
-    {
-        return false;
-    }
+	protected function isProtectedPage()
+	{
+		return false;
+	}
 }