mdaniels5757 / waca

includes/Fragments/NavigationMenuAccessControl.php

Indentation +92 added lines, -92 removed lines

@@ -37,108 +37,108 @@
 
 trait NavigationMenuAccessControl
 {
-    protected abstract function assign($name, $value);
+	protected abstract function assign($name, $value);
 
-    protected abstract function getSecurityManager(): ISecurityManager;
+	protected abstract function getSecurityManager(): ISecurityManager;
 
-    public abstract function getDomainAccessManager(): IDomainAccessManager;
+	public abstract function getDomainAccessManager(): IDomainAccessManager;
 
-    /**
-     * @param $currentUser
-     */
-    protected function setupNavMenuAccess($currentUser)
-    {
-        $this->assign('nav__canRequests', $this->getSecurityManager()
-                ->allows(PageMain::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
+	/**
+	 * @param $currentUser
+	 */
+	protected function setupNavMenuAccess($currentUser)
+	{
+		$this->assign('nav__canRequests', $this->getSecurityManager()
+				->allows(PageMain::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
 
-        $this->assign('nav__canLogs', $this->getSecurityManager()
-                ->allows(PageLog::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canUsers', $this->getSecurityManager()
-                ->allows(StatsUsers::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canSearch', $this->getSecurityManager()
-                ->allows(PageSearch::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canStats', $this->getSecurityManager()
-                ->allows(StatsMain::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canLogs', $this->getSecurityManager()
+				->allows(PageLog::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canUsers', $this->getSecurityManager()
+				->allows(StatsUsers::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canSearch', $this->getSecurityManager()
+				->allows(PageSearch::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canStats', $this->getSecurityManager()
+				->allows(StatsMain::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
 
-        $this->assign('nav__canBan', $this->getSecurityManager()
-                ->allows(PageBan::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canEmailMgmt', $this->getSecurityManager()
-                ->allows(PageEmailManagement::class, RoleConfigurationBase::MAIN,
-                    $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canWelcomeMgmt', $this->getSecurityManager()
-                ->allows(PageWelcomeTemplateManagement::class, RoleConfigurationBase::MAIN,
-                    $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canSiteNoticeMgmt', $this->getSecurityManager()
-                ->allows(PageSiteNotice::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canUserMgmt', $this->getSecurityManager()
-                ->allows(PageUserManagement::class, RoleConfigurationBase::MAIN,
-                    $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canJobQueue', $this->getSecurityManager()
-                ->allows(PageJobQueue::class, RoleConfigurationBase::MAIN,
-                    $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canDomainMgmt', $this->getSecurityManager()
-                ->allows(PageDomainManagement::class, RoleConfigurationBase::MAIN,
-                    $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canFlaggedComments', $this->getSecurityManager()
-                ->allows(PageListFlaggedComments::class, RoleConfigurationBase::MAIN,
-                    $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canQueueMgmt', $this->getSecurityManager()
-                ->allows(PageQueueManagement::class, RoleConfigurationBase::MAIN,
-                    $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canFormMgmt', $this->getSecurityManager()
-                ->allows(PageRequestFormManagement::class, RoleConfigurationBase::MAIN,
-                    $currentUser) === ISecurityManager::ALLOWED);
-        $this->assign('nav__canErrorLog', $this->getSecurityManager()
-                ->allows(PageErrorLogViewer::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canBan', $this->getSecurityManager()
+				->allows(PageBan::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canEmailMgmt', $this->getSecurityManager()
+				->allows(PageEmailManagement::class, RoleConfigurationBase::MAIN,
+					$currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canWelcomeMgmt', $this->getSecurityManager()
+				->allows(PageWelcomeTemplateManagement::class, RoleConfigurationBase::MAIN,
+					$currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canSiteNoticeMgmt', $this->getSecurityManager()
+				->allows(PageSiteNotice::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canUserMgmt', $this->getSecurityManager()
+				->allows(PageUserManagement::class, RoleConfigurationBase::MAIN,
+					$currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canJobQueue', $this->getSecurityManager()
+				->allows(PageJobQueue::class, RoleConfigurationBase::MAIN,
+					$currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canDomainMgmt', $this->getSecurityManager()
+				->allows(PageDomainManagement::class, RoleConfigurationBase::MAIN,
+					$currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canFlaggedComments', $this->getSecurityManager()
+				->allows(PageListFlaggedComments::class, RoleConfigurationBase::MAIN,
+					$currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canQueueMgmt', $this->getSecurityManager()
+				->allows(PageQueueManagement::class, RoleConfigurationBase::MAIN,
+					$currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canFormMgmt', $this->getSecurityManager()
+				->allows(PageRequestFormManagement::class, RoleConfigurationBase::MAIN,
+					$currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canErrorLog', $this->getSecurityManager()
+				->allows(PageErrorLogViewer::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
 
-        $this->assign('nav__canViewRequest', $this->getSecurityManager()
-                ->allows(PageViewRequest::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
+		$this->assign('nav__canViewRequest', $this->getSecurityManager()
+				->allows(PageViewRequest::class, RoleConfigurationBase::MAIN, $currentUser) === ISecurityManager::ALLOWED);
 
-        $this->assign('nav__domainList', []);
-        if ($this->getDomainAccessManager() !== null) {
-            $this->assign('nav__domainList', $this->getDomainAccessManager()->getAllowedDomains($currentUser));
-        }
-    }
+		$this->assign('nav__domainList', []);
+		if ($this->getDomainAccessManager() !== null) {
+			$this->assign('nav__domainList', $this->getDomainAccessManager()->getAllowedDomains($currentUser));
+		}
+	}
 
-    /**
-     * Sets up the badges to draw attention to issues on various admin pages.
-     *
-     * This function checks to see if a user can access the pages, and if so checks the count of problem areas.
-     * If problem areas are found, a number greater than 0 will cause the badge to show up.
-     *
-     * @param User        $currentUser The current user
-     * @param PdoDatabase $database    Database instance
-     *
-     * @return void
-     */
-    public function setUpNavBarBadges(User $currentUser, PdoDatabase $database) {
-        // Set up some variables.
-        // A size of 0 causes nothing to show up on the page (checked on navigation-menu.tpl) so leaving it 0 here is fine.
-        $countOfFlagged = 0;
-        $countOfJobQueue = 0;
+	/**
+	 * Sets up the badges to draw attention to issues on various admin pages.
+	 *
+	 * This function checks to see if a user can access the pages, and if so checks the count of problem areas.
+	 * If problem areas are found, a number greater than 0 will cause the badge to show up.
+	 *
+	 * @param User        $currentUser The current user
+	 * @param PdoDatabase $database    Database instance
+	 *
+	 * @return void
+	 */
+	public function setUpNavBarBadges(User $currentUser, PdoDatabase $database) {
+		// Set up some variables.
+		// A size of 0 causes nothing to show up on the page (checked on navigation-menu.tpl) so leaving it 0 here is fine.
+		$countOfFlagged = 0;
+		$countOfJobQueue = 0;
 
-        // Count of flagged comments:
-        if($this->barrierTest(RoleConfigurationBase::MAIN, $currentUser, PageListFlaggedComments::class)) {
-            // We want all flagged comments that haven't been acknowledged if we can visit the page.
-            $countOfFlagged = sizeof(Comment::getFlaggedComments($database, 1)); // FIXME: domains
-        }
+		// Count of flagged comments:
+		if($this->barrierTest(RoleConfigurationBase::MAIN, $currentUser, PageListFlaggedComments::class)) {
+			// We want all flagged comments that haven't been acknowledged if we can visit the page.
+			$countOfFlagged = sizeof(Comment::getFlaggedComments($database, 1)); // FIXME: domains
+		}
 
-        // Count of failed job queue changes:
-        if($this->barrierTest(RoleConfigurationBase::MAIN, $currentUser, PageJobQueue::class)) {
-            // We want all failed jobs that haven't been acknowledged if we can visit the page.
-            JobQueueSearchHelper::get($database, 1) // FIXME: domains
-                ->statusIn([JobQueue::STATUS_FAILED])
-                ->notAcknowledged()
-                ->getRecordCount($countOfJobQueue);
-        }
+		// Count of failed job queue changes:
+		if($this->barrierTest(RoleConfigurationBase::MAIN, $currentUser, PageJobQueue::class)) {
+			// We want all failed jobs that haven't been acknowledged if we can visit the page.
+			JobQueueSearchHelper::get($database, 1) // FIXME: domains
+				->statusIn([JobQueue::STATUS_FAILED])
+				->notAcknowledged()
+				->getRecordCount($countOfJobQueue);
+		}
 
-        // To generate the main badge, add both up.
-        // If we add more badges in the future, don't forget to add them here!
-        $countOfAll = $countOfFlagged + $countOfJobQueue;
+		// To generate the main badge, add both up.
+		// If we add more badges in the future, don't forget to add them here!
+		$countOfAll = $countOfFlagged + $countOfJobQueue;
 
-        // Set badge variables
-        $this->assign("nav__numFlaggedComments", $countOfFlagged);
-        $this->assign("nav__numJobQueueFailed", $countOfJobQueue);
-        $this->assign("nav__numAdmin", $countOfAll);
-    }
+		// Set badge variables
+		$this->assign("nav__numFlaggedComments", $countOfFlagged);
+		$this->assign("nav__numJobQueueFailed", $countOfJobQueue);
+		$this->assign("nav__numAdmin", $countOfAll);
+	}
 }

Spacing +2 added lines, -2 removed lines

@@ -118,13 +118,13 @@
         $countOfJobQueue = 0;
 
         // Count of flagged comments:
-        if($this->barrierTest(RoleConfigurationBase::MAIN, $currentUser, PageListFlaggedComments::class)) {
+        if ($this->barrierTest(RoleConfigurationBase::MAIN, $currentUser, PageListFlaggedComments::class)) {
             // We want all flagged comments that haven't been acknowledged if we can visit the page.
             $countOfFlagged = sizeof(Comment::getFlaggedComments($database, 1)); // FIXME: domains
         }
 
         // Count of failed job queue changes:
-        if($this->barrierTest(RoleConfigurationBase::MAIN, $currentUser, PageJobQueue::class)) {
+        if ($this->barrierTest(RoleConfigurationBase::MAIN, $currentUser, PageJobQueue::class)) {
             // We want all failed jobs that haven't been acknowledged if we can visit the page.
             JobQueueSearchHelper::get($database, 1) // FIXME: domains
                 ->statusIn([JobQueue::STATUS_FAILED])

includes/Fragments/RequestData.php

Indentation +344 added lines, -344 removed lines

@@ -27,350 +27,350 @@
 
 trait RequestData
 {
-    /** @return SiteConfiguration */
-    protected abstract function getSiteConfiguration();
-
-    /**
-     * @var array Array of IP address classed as 'private' by RFC1918.
-     */
-    protected static $rfc1918ips = array(
-        "10.0.0.0"    => "10.255.255.255",
-        "172.16.0.0"  => "172.31.255.255",
-        "192.168.0.0" => "192.168.255.255",
-        "169.254.0.0" => "169.254.255.255",
-        "127.0.0.0"   => "127.255.255.255",
-    );
-
-    /**
-     * Gets a request object
-     *
-     * @param PdoDatabase $database  The database connection
-     * @param int|null    $requestId The ID of the request to retrieve
-     *
-     * @return Request
-     * @throws ApplicationLogicException
-     */
-    protected function getRequest(PdoDatabase $database, $requestId)
-    {
-        if ($requestId === null) {
-            throw new ApplicationLogicException("No request specified");
-        }
-
-        $request = Request::getById($requestId, $database);
-        if ($request === false || !is_a($request, Request::class)) {
-            throw new ApplicationLogicException('Could not load the requested request!');
-        }
-
-        return $request;
-    }
-
-    /**
-     * Returns a value stating whether the user is allowed to see private data or not
-     *
-     * @param Request $request
-     * @param User    $currentUser
-     *
-     * @return bool
-     * @category Security-Critical
-     */
-    protected function isAllowedPrivateData(Request $request, User $currentUser)
-    {
-        // Test the main security barrier for private data access using SecurityManager
-        if ($this->barrierTest('alwaysSeePrivateData', $currentUser, 'RequestData')) {
-            // Tool admins/check-users can always see private data
-            return true;
-        }
-
-        // reserving user is allowed to see the data
-        if ($currentUser->getId() === $request->getReserved()
-            && $request->getReserved() !== null
-            && $this->barrierTest('seePrivateDataWhenReserved', $currentUser, 'RequestData')
-        ) {
-            return true;
-        }
-
-        // user has the reveal hash
-        if (WebRequest::getString('hash') === $request->getRevealHash()
-            && $this->barrierTest('seePrivateDataWithHash', $currentUser, 'RequestData')
-        ) {
-            return true;
-        }
-
-        // nope. Not allowed.
-        return false;
-    }
-
-    /**
-     * Tests the security barrier for a specified action.
-     *
-     * Don't use within templates
-     *
-     * @param string      $action
-     *
-     * @param User        $user
-     * @param null|string $pageName
-     *
-     * @return bool
-     * @category Security-Critical
-     */
-    abstract protected function barrierTest($action, User $user, $pageName = null);
-
-    /**
-     * Gets the name of the route that has been passed from the request router.
-     * @return string
-     */
-    abstract protected function getRouteName();
-
-    abstract protected function getSecurityManager(): ISecurityManager;
-
-    /**
-     * Sets the name of the template this page should display.
-     *
-     * @param string $name
-     */
-    abstract protected function setTemplate($name);
-
-    /** @return IXffTrustProvider */
-    abstract protected function getXffTrustProvider();
-
-    /** @return ILocationProvider */
-    abstract protected function getLocationProvider();
-
-    /** @return IRDnsProvider */
-    abstract protected function getRdnsProvider();
-
-    /**
-     * Assigns a Smarty variable
-     *
-     * @param  array|string $name  the template variable name(s)
-     * @param  mixed        $value the value to assign
-     */
-    abstract protected function assign($name, $value);
-
-    /**
-     * @param int|null    $requestReservationId
-     * @param PdoDatabase $database
-     * @param User        $currentUser
-     */
-    protected function setupReservationDetails($requestReservationId, PdoDatabase $database, User $currentUser)
-    {
-        $requestIsReserved = $requestReservationId !== null;
-        $this->assign('requestIsReserved', $requestIsReserved);
-        $this->assign('requestIsReservedByMe', false);
-
-        if ($requestIsReserved) {
-            $this->assign('requestReservedByName', User::getById($requestReservationId, $database)->getUsername());
-            $this->assign('requestReservedById', $requestReservationId);
-
-            if ($requestReservationId === $currentUser->getId()) {
-                $this->assign('requestIsReservedByMe', true);
-            }
-        }
-
-        $this->assign('canBreakReservation', $this->barrierTest('force', $currentUser, PageBreakReservation::class));
-    }
-
-    /**
-     * Adds private request data to Smarty. DO NOT USE WITHOUT FIRST CHECKING THAT THE USER IS AUTHORISED!
-     *
-     * @param Request           $request
-     * @param SiteConfiguration $configuration
-     */
-    protected function setupPrivateData(
-        $request,
-        SiteConfiguration $configuration
-    ) {
-        $xffProvider = $this->getXffTrustProvider();
-
-        $this->assign('requestEmail', $request->getEmail());
-        $emailDomain = explode("@", $request->getEmail())[1];
-        $this->assign("emailurl", $emailDomain);
-        $this->assign('commonEmailDomain', in_array(strtolower($emailDomain), $configuration->getCommonEmailDomains())
-            || $request->getEmail() === $this->getSiteConfiguration()->getDataClearEmail());
-
-        $trustedIp = $xffProvider->getTrustedClientIp($request->getIp(), $request->getForwardedIp());
-        $this->assign('requestTrustedIp', $trustedIp);
-        $this->assign('requestRealIp', $request->getIp());
-        $this->assign('requestForwardedIp', $request->getForwardedIp());
-
-        $trustedIpLocation = $this->getLocationProvider()->getIpLocation($trustedIp);
-        $this->assign('requestTrustedIpLocation', $trustedIpLocation);
-
-        $this->assign('requestHasForwardedIp', $request->getForwardedIp() !== null);
-
-        $this->setupForwardedIpData($request);
-    }
-
-    /**
-     * Adds related request data to Smarty. DO NOT USE WITHOUT FIRST CHECKING THAT THE USER IS AUTHORISED!
-     *
-     * @param Request           $request
-     * @param SiteConfiguration $configuration
-     * @param PdoDatabase       $database
-     */
-    protected function setupRelatedRequests(
-        Request $request,
-        SiteConfiguration $configuration,
-        PdoDatabase $database)
-    {
-        $this->assign('canSeeRelatedRequests', true);
-
-        // TODO: Do we want to return results from other domains?
-        $relatedEmailRequests = RequestSearchHelper::get($database, null)
-            ->byEmailAddress($request->getEmail())
-            ->withConfirmedEmail()
-            ->excludingPurgedData($configuration)
-            ->excludingRequest($request->getId())
-            ->fetch();
-
-        $this->assign('requestRelatedEmailRequestsCount', count($relatedEmailRequests));
-        $this->assign('requestRelatedEmailRequests', $relatedEmailRequests);
-
-        $trustedIp = $this->getXffTrustProvider()->getTrustedClientIp($request->getIp(), $request->getForwardedIp());
-
-        // TODO: Do we want to return results from other domains?
-        $relatedIpRequests = RequestSearchHelper::get($database, null)
-            ->byIp($trustedIp)
-            ->withConfirmedEmail()
-            ->excludingPurgedData($configuration)
-            ->excludingRequest($request->getId())
-            ->fetch();
-
-        $this->assign('requestRelatedIpRequestsCount', count($relatedIpRequests));
-        $this->assign('requestRelatedIpRequests', $relatedIpRequests);
-    }
-
-    /**
-     * Adds checkuser request data to Smarty. DO NOT USE WITHOUT FIRST CHECKING THAT THE USER IS AUTHORISED!
-     *
-     * @param Request $request
-     */
-    protected function setupCheckUserData(Request $request)
-    {
-        $this->assign('requestUserAgent', $request->getUserAgent());
-
-        $data = \Waca\DataObjects\RequestData::getForRequest($request->getId(), $request->getDatabase(), \Waca\DataObjects\RequestData::TYPE_CLIENTHINT);
-        $this->assign('requestClientHints', $data);
-    }
-
-    /**
-     * Sets up the basic data for this request, and adds it to Smarty
-     *
-     * @param Request           $request
-     * @param SiteConfiguration $config
-     */
-    protected function setupBasicData(Request $request, SiteConfiguration $config)
-    {
-        $this->assign('requestId', $request->getId());
-        $this->assign('updateVersion', $request->getUpdateVersion());
-        $this->assign('requestName', $request->getName());
-        $this->assign('requestDate', $request->getDate());
-        $this->assign('requestStatus', $request->getStatus());
-
-        $this->assign('requestQueue', null);
-        if ($request->getQueue() !== null) {
-            /** @var RequestQueue $queue */
-            $queue = RequestQueue::getById($request->getQueue(), $this->getDatabase());
-            $this->assign('requestQueue', $queue->getHeader());
-            $this->assign('requestQueueApiName', $queue->getApiName());
-        }
-
-        $this->assign('canPreviewForm', $this->barrierTest('view', User::getCurrent($this->getDatabase()), PageRequestFormManagement::class));
-        $this->assign('originForm', $request->getOriginFormObject());
-
-        $isClosed = $request->getStatus() === RequestStatus::CLOSED || $request->getStatus() === RequestStatus::JOBQUEUE;
-        $this->assign('requestIsClosed', $isClosed);
+	/** @return SiteConfiguration */
+	protected abstract function getSiteConfiguration();
+
+	/**
+	 * @var array Array of IP address classed as 'private' by RFC1918.
+	 */
+	protected static $rfc1918ips = array(
+		"10.0.0.0"    => "10.255.255.255",
+		"172.16.0.0"  => "172.31.255.255",
+		"192.168.0.0" => "192.168.255.255",
+		"169.254.0.0" => "169.254.255.255",
+		"127.0.0.0"   => "127.255.255.255",
+	);
+
+	/**
+	 * Gets a request object
+	 *
+	 * @param PdoDatabase $database  The database connection
+	 * @param int|null    $requestId The ID of the request to retrieve
+	 *
+	 * @return Request
+	 * @throws ApplicationLogicException
+	 */
+	protected function getRequest(PdoDatabase $database, $requestId)
+	{
+		if ($requestId === null) {
+			throw new ApplicationLogicException("No request specified");
+		}
+
+		$request = Request::getById($requestId, $database);
+		if ($request === false || !is_a($request, Request::class)) {
+			throw new ApplicationLogicException('Could not load the requested request!');
+		}
+
+		return $request;
+	}
+
+	/**
+	 * Returns a value stating whether the user is allowed to see private data or not
+	 *
+	 * @param Request $request
+	 * @param User    $currentUser
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 */
+	protected function isAllowedPrivateData(Request $request, User $currentUser)
+	{
+		// Test the main security barrier for private data access using SecurityManager
+		if ($this->barrierTest('alwaysSeePrivateData', $currentUser, 'RequestData')) {
+			// Tool admins/check-users can always see private data
+			return true;
+		}
+
+		// reserving user is allowed to see the data
+		if ($currentUser->getId() === $request->getReserved()
+			&& $request->getReserved() !== null
+			&& $this->barrierTest('seePrivateDataWhenReserved', $currentUser, 'RequestData')
+		) {
+			return true;
+		}
+
+		// user has the reveal hash
+		if (WebRequest::getString('hash') === $request->getRevealHash()
+			&& $this->barrierTest('seePrivateDataWithHash', $currentUser, 'RequestData')
+		) {
+			return true;
+		}
+
+		// nope. Not allowed.
+		return false;
+	}
+
+	/**
+	 * Tests the security barrier for a specified action.
+	 *
+	 * Don't use within templates
+	 *
+	 * @param string      $action
+	 *
+	 * @param User        $user
+	 * @param null|string $pageName
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 */
+	abstract protected function barrierTest($action, User $user, $pageName = null);
+
+	/**
+	 * Gets the name of the route that has been passed from the request router.
+	 * @return string
+	 */
+	abstract protected function getRouteName();
+
+	abstract protected function getSecurityManager(): ISecurityManager;
+
+	/**
+	 * Sets the name of the template this page should display.
+	 *
+	 * @param string $name
+	 */
+	abstract protected function setTemplate($name);
+
+	/** @return IXffTrustProvider */
+	abstract protected function getXffTrustProvider();
+
+	/** @return ILocationProvider */
+	abstract protected function getLocationProvider();
+
+	/** @return IRDnsProvider */
+	abstract protected function getRdnsProvider();
+
+	/**
+	 * Assigns a Smarty variable
+	 *
+	 * @param  array|string $name  the template variable name(s)
+	 * @param  mixed        $value the value to assign
+	 */
+	abstract protected function assign($name, $value);
+
+	/**
+	 * @param int|null    $requestReservationId
+	 * @param PdoDatabase $database
+	 * @param User        $currentUser
+	 */
+	protected function setupReservationDetails($requestReservationId, PdoDatabase $database, User $currentUser)
+	{
+		$requestIsReserved = $requestReservationId !== null;
+		$this->assign('requestIsReserved', $requestIsReserved);
+		$this->assign('requestIsReservedByMe', false);
+
+		if ($requestIsReserved) {
+			$this->assign('requestReservedByName', User::getById($requestReservationId, $database)->getUsername());
+			$this->assign('requestReservedById', $requestReservationId);
+
+			if ($requestReservationId === $currentUser->getId()) {
+				$this->assign('requestIsReservedByMe', true);
+			}
+		}
+
+		$this->assign('canBreakReservation', $this->barrierTest('force', $currentUser, PageBreakReservation::class));
+	}
+
+	/**
+	 * Adds private request data to Smarty. DO NOT USE WITHOUT FIRST CHECKING THAT THE USER IS AUTHORISED!
+	 *
+	 * @param Request           $request
+	 * @param SiteConfiguration $configuration
+	 */
+	protected function setupPrivateData(
+		$request,
+		SiteConfiguration $configuration
+	) {
+		$xffProvider = $this->getXffTrustProvider();
+
+		$this->assign('requestEmail', $request->getEmail());
+		$emailDomain = explode("@", $request->getEmail())[1];
+		$this->assign("emailurl", $emailDomain);
+		$this->assign('commonEmailDomain', in_array(strtolower($emailDomain), $configuration->getCommonEmailDomains())
+			|| $request->getEmail() === $this->getSiteConfiguration()->getDataClearEmail());
+
+		$trustedIp = $xffProvider->getTrustedClientIp($request->getIp(), $request->getForwardedIp());
+		$this->assign('requestTrustedIp', $trustedIp);
+		$this->assign('requestRealIp', $request->getIp());
+		$this->assign('requestForwardedIp', $request->getForwardedIp());
+
+		$trustedIpLocation = $this->getLocationProvider()->getIpLocation($trustedIp);
+		$this->assign('requestTrustedIpLocation', $trustedIpLocation);
+
+		$this->assign('requestHasForwardedIp', $request->getForwardedIp() !== null);
+
+		$this->setupForwardedIpData($request);
+	}
+
+	/**
+	 * Adds related request data to Smarty. DO NOT USE WITHOUT FIRST CHECKING THAT THE USER IS AUTHORISED!
+	 *
+	 * @param Request           $request
+	 * @param SiteConfiguration $configuration
+	 * @param PdoDatabase       $database
+	 */
+	protected function setupRelatedRequests(
+		Request $request,
+		SiteConfiguration $configuration,
+		PdoDatabase $database)
+	{
+		$this->assign('canSeeRelatedRequests', true);
+
+		// TODO: Do we want to return results from other domains?
+		$relatedEmailRequests = RequestSearchHelper::get($database, null)
+			->byEmailAddress($request->getEmail())
+			->withConfirmedEmail()
+			->excludingPurgedData($configuration)
+			->excludingRequest($request->getId())
+			->fetch();
+
+		$this->assign('requestRelatedEmailRequestsCount', count($relatedEmailRequests));
+		$this->assign('requestRelatedEmailRequests', $relatedEmailRequests);
+
+		$trustedIp = $this->getXffTrustProvider()->getTrustedClientIp($request->getIp(), $request->getForwardedIp());
+
+		// TODO: Do we want to return results from other domains?
+		$relatedIpRequests = RequestSearchHelper::get($database, null)
+			->byIp($trustedIp)
+			->withConfirmedEmail()
+			->excludingPurgedData($configuration)
+			->excludingRequest($request->getId())
+			->fetch();
+
+		$this->assign('requestRelatedIpRequestsCount', count($relatedIpRequests));
+		$this->assign('requestRelatedIpRequests', $relatedIpRequests);
+	}
+
+	/**
+	 * Adds checkuser request data to Smarty. DO NOT USE WITHOUT FIRST CHECKING THAT THE USER IS AUTHORISED!
+	 *
+	 * @param Request $request
+	 */
+	protected function setupCheckUserData(Request $request)
+	{
+		$this->assign('requestUserAgent', $request->getUserAgent());
+
+		$data = \Waca\DataObjects\RequestData::getForRequest($request->getId(), $request->getDatabase(), \Waca\DataObjects\RequestData::TYPE_CLIENTHINT);
+		$this->assign('requestClientHints', $data);
+	}
+
+	/**
+	 * Sets up the basic data for this request, and adds it to Smarty
+	 *
+	 * @param Request           $request
+	 * @param SiteConfiguration $config
+	 */
+	protected function setupBasicData(Request $request, SiteConfiguration $config)
+	{
+		$this->assign('requestId', $request->getId());
+		$this->assign('updateVersion', $request->getUpdateVersion());
+		$this->assign('requestName', $request->getName());
+		$this->assign('requestDate', $request->getDate());
+		$this->assign('requestStatus', $request->getStatus());
+
+		$this->assign('requestQueue', null);
+		if ($request->getQueue() !== null) {
+			/** @var RequestQueue $queue */
+			$queue = RequestQueue::getById($request->getQueue(), $this->getDatabase());
+			$this->assign('requestQueue', $queue->getHeader());
+			$this->assign('requestQueueApiName', $queue->getApiName());
+		}
+
+		$this->assign('canPreviewForm', $this->barrierTest('view', User::getCurrent($this->getDatabase()), PageRequestFormManagement::class));
+		$this->assign('originForm', $request->getOriginFormObject());
+
+		$isClosed = $request->getStatus() === RequestStatus::CLOSED || $request->getStatus() === RequestStatus::JOBQUEUE;
+		$this->assign('requestIsClosed', $isClosed);
 		$isHospital = $request->getStatus() === RequestStatus::HOSPITAL;
 		$this->assign('requestIsHospital', $isHospital);
-    }
-
-    /**
-     * Sets up the forwarded IP data for this request and adds it to Smarty
-     *
-     * @param Request $request
-     */
-    protected function setupForwardedIpData(Request $request)
-    {
-        if ($request->getForwardedIp() !== null) {
-            $requestProxyData = array(); // Initialize array to store data to be output in Smarty template.
-            $proxyIndex = 0;
-
-            // Assuming [client] <=> [proxy1] <=> [proxy2] <=> [proxy3] <=> [us], we will see an XFF header of [client],
-            // [proxy1], [proxy2], and our actual IP will be [proxy3]
-            $proxies = explode(",", $request->getForwardedIp());
-            $proxies[] = $request->getIp();
-
-            // Origin is the supposed "client" IP.
-            $origin = $proxies[0];
-            $this->assign("forwardedOrigin", $origin);
-
-            // We step through the servers in reverse order, from closest to furthest
-            $proxies = array_reverse($proxies);
-
-            // By default, we have trust, because the first in the chain is now REMOTE_ADDR, which is hardest to spoof.
-            $trust = true;
-
-            /**
-             * @var int    $index     The zero-based index of the proxy.
-             * @var string $proxyData The proxy IP address (although possibly not!)
-             */
-            foreach ($proxies as $index => $proxyData) {
-                $proxyAddress = trim($proxyData);
-                $requestProxyData[$proxyIndex]['ip'] = $proxyAddress;
-
-                // get data on this IP.
-                $thisProxyIsTrusted = $this->getXffTrustProvider()->isTrusted($proxyAddress);
-
-                $proxyIsInPrivateRange = $this->getXffTrustProvider()
-                    ->ipInRange(self::$rfc1918ips, $proxyAddress);
-
-                if (!$proxyIsInPrivateRange) {
-                    $proxyReverseDns = $this->getRdnsProvider()->getReverseDNS($proxyAddress);
-                    $proxyLocation = $this->getLocationProvider()->getIpLocation($proxyAddress);
-                }
-                else {
-                    // this is going to fail, so why bother trying?
-                    $proxyReverseDns = false;
-                    $proxyLocation = false;
-                }
-
-                // current trust chain status BEFORE this link
-                $preLinkTrust = $trust;
-
-                // is *this* link trusted? Note, this will be true even if there is an untrusted link before this!
-                $requestProxyData[$proxyIndex]['trustedlink'] = $thisProxyIsTrusted;
-
-                // set the trust status of the chain to this point
-                $trust = $trust & $thisProxyIsTrusted;
-
-                // If this is the origin address, and the chain was trusted before this point, then we can trust
-                // the origin.
-                if ($preLinkTrust && $proxyAddress == $origin) {
-                    // if this is the origin, then we are at the last point in the chain.
-                    // @todo: this is probably the cause of some bugs when an IP appears twice - we're missing a check
-                    // to see if this is *really* the last in the chain, rather than just the same IP as it.
-                    $trust = true;
-                }
-
-                $requestProxyData[$proxyIndex]['trust'] = $trust;
-
-                $requestProxyData[$proxyIndex]['rdnsfailed'] = $proxyReverseDns === false;
-                $requestProxyData[$proxyIndex]['rdns'] = $proxyReverseDns;
-                $requestProxyData[$proxyIndex]['routable'] = !$proxyIsInPrivateRange;
-
-                $requestProxyData[$proxyIndex]['location'] = $proxyLocation;
-
-                if ($proxyReverseDns === $proxyAddress && $proxyIsInPrivateRange === false) {
-                    $requestProxyData[$proxyIndex]['rdns'] = null;
-                }
-
-                $showLinks = (!$trust || $proxyAddress == $origin) && !$proxyIsInPrivateRange;
-                $requestProxyData[$proxyIndex]['showlinks'] = $showLinks;
-
-                $proxyIndex++;
-            }
-
-            $this->assign("requestProxyData", $requestProxyData);
-        }
-    }
+	}
+
+	/**
+	 * Sets up the forwarded IP data for this request and adds it to Smarty
+	 *
+	 * @param Request $request
+	 */
+	protected function setupForwardedIpData(Request $request)
+	{
+		if ($request->getForwardedIp() !== null) {
+			$requestProxyData = array(); // Initialize array to store data to be output in Smarty template.
+			$proxyIndex = 0;
+
+			// Assuming [client] <=> [proxy1] <=> [proxy2] <=> [proxy3] <=> [us], we will see an XFF header of [client],
+			// [proxy1], [proxy2], and our actual IP will be [proxy3]
+			$proxies = explode(",", $request->getForwardedIp());
+			$proxies[] = $request->getIp();
+
+			// Origin is the supposed "client" IP.
+			$origin = $proxies[0];
+			$this->assign("forwardedOrigin", $origin);
+
+			// We step through the servers in reverse order, from closest to furthest
+			$proxies = array_reverse($proxies);
+
+			// By default, we have trust, because the first in the chain is now REMOTE_ADDR, which is hardest to spoof.
+			$trust = true;
+
+			/**
+			 * @var int    $index     The zero-based index of the proxy.
+			 * @var string $proxyData The proxy IP address (although possibly not!)
+			 */
+			foreach ($proxies as $index => $proxyData) {
+				$proxyAddress = trim($proxyData);
+				$requestProxyData[$proxyIndex]['ip'] = $proxyAddress;
+
+				// get data on this IP.
+				$thisProxyIsTrusted = $this->getXffTrustProvider()->isTrusted($proxyAddress);
+
+				$proxyIsInPrivateRange = $this->getXffTrustProvider()
+					->ipInRange(self::$rfc1918ips, $proxyAddress);
+
+				if (!$proxyIsInPrivateRange) {
+					$proxyReverseDns = $this->getRdnsProvider()->getReverseDNS($proxyAddress);
+					$proxyLocation = $this->getLocationProvider()->getIpLocation($proxyAddress);
+				}
+				else {
+					// this is going to fail, so why bother trying?
+					$proxyReverseDns = false;
+					$proxyLocation = false;
+				}
+
+				// current trust chain status BEFORE this link
+				$preLinkTrust = $trust;
+
+				// is *this* link trusted? Note, this will be true even if there is an untrusted link before this!
+				$requestProxyData[$proxyIndex]['trustedlink'] = $thisProxyIsTrusted;
+
+				// set the trust status of the chain to this point
+				$trust = $trust & $thisProxyIsTrusted;
+
+				// If this is the origin address, and the chain was trusted before this point, then we can trust
+				// the origin.
+				if ($preLinkTrust && $proxyAddress == $origin) {
+					// if this is the origin, then we are at the last point in the chain.
+					// @todo: this is probably the cause of some bugs when an IP appears twice - we're missing a check
+					// to see if this is *really* the last in the chain, rather than just the same IP as it.
+					$trust = true;
+				}
+
+				$requestProxyData[$proxyIndex]['trust'] = $trust;
+
+				$requestProxyData[$proxyIndex]['rdnsfailed'] = $proxyReverseDns === false;
+				$requestProxyData[$proxyIndex]['rdns'] = $proxyReverseDns;
+				$requestProxyData[$proxyIndex]['routable'] = !$proxyIsInPrivateRange;
+
+				$requestProxyData[$proxyIndex]['location'] = $proxyLocation;
+
+				if ($proxyReverseDns === $proxyAddress && $proxyIsInPrivateRange === false) {
+					$requestProxyData[$proxyIndex]['rdns'] = null;
+				}
+
+				$showLinks = (!$trust || $proxyAddress == $origin) && !$proxyIsInPrivateRange;
+				$requestProxyData[$proxyIndex]['showlinks'] = $showLinks;
+
+				$proxyIndex++;
+			}
+
+			$this->assign("requestProxyData", $requestProxyData);
+		}
+	}
 }

includes/Fragments/LogEntryLookup.php

Indentation +14 added lines, -14 removed lines

@@ -16,20 +16,20 @@
 
 trait LogEntryLookup
 {
-    protected function getLogEntry(string $action, User $user, PdoDatabase $database): ?string
-    {
-        /** @var Log[] $logs */
-        $logs = LogSearchHelper::get($database, null)
-            ->byAction($action)
-            ->byObjectType('User')
-            ->byObjectId($user->getId())
-            ->limit(1)
-            ->fetch();
+	protected function getLogEntry(string $action, User $user, PdoDatabase $database): ?string
+	{
+		/** @var Log[] $logs */
+		$logs = LogSearchHelper::get($database, null)
+			->byAction($action)
+			->byObjectType('User')
+			->byObjectId($user->getId())
+			->limit(1)
+			->fetch();
 
-        if (count($logs) > 0) {
-            return $logs[0]->getComment();
-        }
+		if (count($logs) > 0) {
+			return $logs[0]->getComment();
+		}
 
-        return null;
-    }
+		return null;
+	}
 }
\ No newline at end of file

includes/Tasks/InternalPageBase.php

Indentation +228 added lines, -228 removed lines

@@ -24,232 +24,232 @@
 
 abstract class InternalPageBase extends PageBase
 {
-    use NavigationMenuAccessControl;
-
-    /** @var ITypeAheadHelper */
-    private $typeAheadHelper;
-    private ISecurityManager $securityManager;
-    /** @var IBlacklistHelper */
-    private $blacklistHelper;
-
-    private IDomainAccessManager $domainAccessManager;
-
-    /**
-     * @return ITypeAheadHelper
-     */
-    public function getTypeAheadHelper()
-    {
-        return $this->typeAheadHelper;
-    }
-
-    /**
-     * @param ITypeAheadHelper $typeAheadHelper
-     */
-    public function setTypeAheadHelper(ITypeAheadHelper $typeAheadHelper)
-    {
-        $this->typeAheadHelper = $typeAheadHelper;
-    }
-
-    /**
-     * Runs the page code
-     *
-     * @throws Exception
-     * @category Security-Critical
-     */
-    final public function execute()
-    {
-        if ($this->getRouteName() === null) {
-            throw new Exception("Request is unrouted.");
-        }
-
-        if ($this->getSiteConfiguration() === null) {
-            throw new Exception("Page has no configuration!");
-        }
-
-        $this->setupPage();
-
-        $this->touchUserLastActive();
-
-        $currentUser = User::getCurrent($this->getDatabase());
-
-        // Hey, this is also a security barrier, in addition to the below. Separated out for readability.
-        if (!$this->isProtectedPage()) {
-            // This page is /not/ a protected page, as such we can just run it.
-            $this->runPage();
-
-            return;
-        }
-
-        // Security barrier.
-        //
-        // This code essentially doesn't care if the user is logged in or not, as the security manager hides all that
-        // away for us
-        $securityResult = $this->getSecurityManager()->allows(get_called_class(), $this->getRouteName(), $currentUser);
-        if ($securityResult === ISecurityManager::ALLOWED) {
-            // We're allowed to run the page, so let's run it.
-            $this->runPage();
-        }
-        else {
-            $this->handleAccessDenied($securityResult);
-
-            // Send the headers
-            $this->sendResponseHeaders();
-        }
-    }
-
-    /**
-     * Performs final tasks needed before rendering the page.
-     */
-    final public function finalisePage()
-    {
-        parent::finalisePage();
-
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        // Load in the badges for the navbar
-        $this->setUpNavBarBadges($currentUser, $database);
-
-        if ($this->barrierTest('viewSiteNotice', User::getCurrent($database), 'GlobalInfo')) {
-            $siteNotice = SiteNotice::get($this->getDatabase());
-            $siteNoticeHash = sha1($siteNotice);
-
-            if (WebRequest::testSiteNoticeCookieValue($siteNoticeHash)) {
-                $this->assign('siteNoticeState', 'd-none');
-            }
-            else {
-                $this->assign('siteNoticeState', 'd-block');
-            }
-
-            $this->assign('siteNoticeText', $siteNotice);
-            $this->assign('siteNoticeVersion', $siteNoticeHash);
-        }
-
-        if ($this->barrierTest('viewOnlineUsers', User::getCurrent($database), 'GlobalInfo')) {
-            $sql = 'SELECT * FROM user WHERE lastactive > DATE_SUB(CURRENT_TIMESTAMP(), INTERVAL 5 MINUTE);';
-            $statement = $database->query($sql);
-            $activeUsers = $statement->fetchAll(PDO::FETCH_CLASS, User::class);
-            $this->assign('onlineusers', $activeUsers);
-        }
-
-        $this->setupNavMenuAccess($currentUser);
-    }
-
-    /**
-     * Configures whether the page respects roles or not. You probably want this to return true.
-     *
-     * Set to false for public pages. You probably want this to return true.
-     *
-     * This defaults to true unless you explicitly set it to false. Setting it to false means anybody can do anything
-     * on this page, so you probably want this to return true.
-     *
-     * @return bool
-     * @category Security-Critical
-     */
-    protected function isProtectedPage()
-    {
-        return true;
-    }
-
-    protected function handleAccessDenied($denyReason)
-    {
-        $currentUser = User::getCurrent($this->getDatabase());
-
-        // Not allowed to access this resource.
-        // Firstly, let's check if we're even logged in.
-        if ($currentUser->isCommunityUser()) {
-            // Not logged in, redirect to login page
-            WebRequest::setPostLoginRedirect();
-            $this->redirect("login");
-
-            return;
-        }
-        else {
-            // Decide whether this was a rights failure, or an identification failure.
-
-            if ($denyReason === ISecurityManager::ERROR_NOT_IDENTIFIED) {
-                // Not identified
-                throw new NotIdentifiedException($this->getSecurityManager(), $this->getDomainAccessManager());
-            }
-            elseif ($denyReason === ISecurityManager::ERROR_DENIED) {
-                // Nope, plain old access denied
-                throw new AccessDeniedException($this->getSecurityManager(), $this->getDomainAccessManager());
-            }
-            else {
-                throw new Exception('Unknown response from security manager.');
-            }
-        }
-    }
-
-    /**
-     * Tests the security barrier for a specified action.
-     *
-     * Don't use within templates
-     *
-     * @param string      $action
-     *
-     * @param User        $user
-     * @param null|string $pageName
-     *
-     * @return bool
-     * @category Security-Critical
-     */
-    final public function barrierTest($action, User $user, $pageName = null)
-    {
-        $page = get_called_class();
-        if ($pageName !== null) {
-            $page = $pageName;
-        }
-
-        $securityResult = $this->getSecurityManager()->allows($page, $action, $user);
-
-        return $securityResult === ISecurityManager::ALLOWED;
-    }
-
-    /**
-     * Updates the lastactive timestamp
-     */
-    private function touchUserLastActive()
-    {
-        if (WebRequest::getSessionUserId() !== null) {
-            $query = 'UPDATE user SET lastactive = CURRENT_TIMESTAMP() WHERE id = :id;';
-            $this->getDatabase()->prepare($query)->execute(array(":id" => WebRequest::getSessionUserId()));
-        }
-    }
-
-    public function getSecurityManager(): ISecurityManager
-    {
-        return $this->securityManager;
-    }
-
-    public function setSecurityManager(ISecurityManager $securityManager)
-    {
-        $this->securityManager = $securityManager;
-    }
-
-    /**
-     * @return IBlacklistHelper
-     */
-    public function getBlacklistHelper()
-    {
-        return $this->blacklistHelper;
-    }
-
-    /**
-     * @param IBlacklistHelper $blacklistHelper
-     */
-    public function setBlacklistHelper(IBlacklistHelper $blacklistHelper)
-    {
-        $this->blacklistHelper = $blacklistHelper;
-    }
-
-    public function getDomainAccessManager(): IDomainAccessManager
-    {
-        return $this->domainAccessManager;
-    }
-
-    public function setDomainAccessManager(IDomainAccessManager $domainAccessManager): void
-    {
-        $this->domainAccessManager = $domainAccessManager;
-    }
+	use NavigationMenuAccessControl;
+
+	/** @var ITypeAheadHelper */
+	private $typeAheadHelper;
+	private ISecurityManager $securityManager;
+	/** @var IBlacklistHelper */
+	private $blacklistHelper;
+
+	private IDomainAccessManager $domainAccessManager;
+
+	/**
+	 * @return ITypeAheadHelper
+	 */
+	public function getTypeAheadHelper()
+	{
+		return $this->typeAheadHelper;
+	}
+
+	/**
+	 * @param ITypeAheadHelper $typeAheadHelper
+	 */
+	public function setTypeAheadHelper(ITypeAheadHelper $typeAheadHelper)
+	{
+		$this->typeAheadHelper = $typeAheadHelper;
+	}
+
+	/**
+	 * Runs the page code
+	 *
+	 * @throws Exception
+	 * @category Security-Critical
+	 */
+	final public function execute()
+	{
+		if ($this->getRouteName() === null) {
+			throw new Exception("Request is unrouted.");
+		}
+
+		if ($this->getSiteConfiguration() === null) {
+			throw new Exception("Page has no configuration!");
+		}
+
+		$this->setupPage();
+
+		$this->touchUserLastActive();
+
+		$currentUser = User::getCurrent($this->getDatabase());
+
+		// Hey, this is also a security barrier, in addition to the below. Separated out for readability.
+		if (!$this->isProtectedPage()) {
+			// This page is /not/ a protected page, as such we can just run it.
+			$this->runPage();
+
+			return;
+		}
+
+		// Security barrier.
+		//
+		// This code essentially doesn't care if the user is logged in or not, as the security manager hides all that
+		// away for us
+		$securityResult = $this->getSecurityManager()->allows(get_called_class(), $this->getRouteName(), $currentUser);
+		if ($securityResult === ISecurityManager::ALLOWED) {
+			// We're allowed to run the page, so let's run it.
+			$this->runPage();
+		}
+		else {
+			$this->handleAccessDenied($securityResult);
+
+			// Send the headers
+			$this->sendResponseHeaders();
+		}
+	}
+
+	/**
+	 * Performs final tasks needed before rendering the page.
+	 */
+	final public function finalisePage()
+	{
+		parent::finalisePage();
+
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		// Load in the badges for the navbar
+		$this->setUpNavBarBadges($currentUser, $database);
+
+		if ($this->barrierTest('viewSiteNotice', User::getCurrent($database), 'GlobalInfo')) {
+			$siteNotice = SiteNotice::get($this->getDatabase());
+			$siteNoticeHash = sha1($siteNotice);
+
+			if (WebRequest::testSiteNoticeCookieValue($siteNoticeHash)) {
+				$this->assign('siteNoticeState', 'd-none');
+			}
+			else {
+				$this->assign('siteNoticeState', 'd-block');
+			}
+
+			$this->assign('siteNoticeText', $siteNotice);
+			$this->assign('siteNoticeVersion', $siteNoticeHash);
+		}
+
+		if ($this->barrierTest('viewOnlineUsers', User::getCurrent($database), 'GlobalInfo')) {
+			$sql = 'SELECT * FROM user WHERE lastactive > DATE_SUB(CURRENT_TIMESTAMP(), INTERVAL 5 MINUTE);';
+			$statement = $database->query($sql);
+			$activeUsers = $statement->fetchAll(PDO::FETCH_CLASS, User::class);
+			$this->assign('onlineusers', $activeUsers);
+		}
+
+		$this->setupNavMenuAccess($currentUser);
+	}
+
+	/**
+	 * Configures whether the page respects roles or not. You probably want this to return true.
+	 *
+	 * Set to false for public pages. You probably want this to return true.
+	 *
+	 * This defaults to true unless you explicitly set it to false. Setting it to false means anybody can do anything
+	 * on this page, so you probably want this to return true.
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 */
+	protected function isProtectedPage()
+	{
+		return true;
+	}
+
+	protected function handleAccessDenied($denyReason)
+	{
+		$currentUser = User::getCurrent($this->getDatabase());
+
+		// Not allowed to access this resource.
+		// Firstly, let's check if we're even logged in.
+		if ($currentUser->isCommunityUser()) {
+			// Not logged in, redirect to login page
+			WebRequest::setPostLoginRedirect();
+			$this->redirect("login");
+
+			return;
+		}
+		else {
+			// Decide whether this was a rights failure, or an identification failure.
+
+			if ($denyReason === ISecurityManager::ERROR_NOT_IDENTIFIED) {
+				// Not identified
+				throw new NotIdentifiedException($this->getSecurityManager(), $this->getDomainAccessManager());
+			}
+			elseif ($denyReason === ISecurityManager::ERROR_DENIED) {
+				// Nope, plain old access denied
+				throw new AccessDeniedException($this->getSecurityManager(), $this->getDomainAccessManager());
+			}
+			else {
+				throw new Exception('Unknown response from security manager.');
+			}
+		}
+	}
+
+	/**
+	 * Tests the security barrier for a specified action.
+	 *
+	 * Don't use within templates
+	 *
+	 * @param string      $action
+	 *
+	 * @param User        $user
+	 * @param null|string $pageName
+	 *
+	 * @return bool
+	 * @category Security-Critical
+	 */
+	final public function barrierTest($action, User $user, $pageName = null)
+	{
+		$page = get_called_class();
+		if ($pageName !== null) {
+			$page = $pageName;
+		}
+
+		$securityResult = $this->getSecurityManager()->allows($page, $action, $user);
+
+		return $securityResult === ISecurityManager::ALLOWED;
+	}
+
+	/**
+	 * Updates the lastactive timestamp
+	 */
+	private function touchUserLastActive()
+	{
+		if (WebRequest::getSessionUserId() !== null) {
+			$query = 'UPDATE user SET lastactive = CURRENT_TIMESTAMP() WHERE id = :id;';
+			$this->getDatabase()->prepare($query)->execute(array(":id" => WebRequest::getSessionUserId()));
+		}
+	}
+
+	public function getSecurityManager(): ISecurityManager
+	{
+		return $this->securityManager;
+	}
+
+	public function setSecurityManager(ISecurityManager $securityManager)
+	{
+		$this->securityManager = $securityManager;
+	}
+
+	/**
+	 * @return IBlacklistHelper
+	 */
+	public function getBlacklistHelper()
+	{
+		return $this->blacklistHelper;
+	}
+
+	/**
+	 * @param IBlacklistHelper $blacklistHelper
+	 */
+	public function setBlacklistHelper(IBlacklistHelper $blacklistHelper)
+	{
+		$this->blacklistHelper = $blacklistHelper;
+	}
+
+	public function getDomainAccessManager(): IDomainAccessManager
+	{
+		return $this->domainAccessManager;
+	}
+
+	public function setDomainAccessManager(IDomainAccessManager $domainAccessManager): void
+	{
+		$this->domainAccessManager = $domainAccessManager;
+	}
 }

Braces +5 added lines, -10 removed lines

@@ -88,8 +88,7 @@ 
         if ($securityResult === ISecurityManager::ALLOWED) {
             // We're allowed to run the page, so let's run it.
             $this->runPage();
-        }
-        else {
+        } else {
             $this->handleAccessDenied($securityResult);
 
             // Send the headers
@@ -116,8 +115,7 @@ 
 
             if (WebRequest::testSiteNoticeCookieValue($siteNoticeHash)) {
                 $this->assign('siteNoticeState', 'd-none');
-            }
-            else {
+            } else {
                 $this->assign('siteNoticeState', 'd-block');
             }
 
@@ -163,19 +161,16 @@ 
             $this->redirect("login");
 
             return;
-        }
-        else {
+        } else {
             // Decide whether this was a rights failure, or an identification failure.
 
             if ($denyReason === ISecurityManager::ERROR_NOT_IDENTIFIED) {
                 // Not identified
                 throw new NotIdentifiedException($this->getSecurityManager(), $this->getDomainAccessManager());
-            }
-            elseif ($denyReason === ISecurityManager::ERROR_DENIED) {
+            } elseif ($denyReason === ISecurityManager::ERROR_DENIED) {
                 // Nope, plain old access denied
                 throw new AccessDeniedException($this->getSecurityManager(), $this->getDomainAccessManager());
-            }
-            else {
+            } else {
                 throw new Exception('Unknown response from security manager.');
             }
         }

includes/Tasks/TextApiPageBase.php

Indentation +16 added lines, -16 removed lines

@@ -13,23 +13,23 @@
 
 abstract class TextApiPageBase extends ApiPageBase implements IRoutedTask
 {
-    final protected function main()
-    {
-        if (headers_sent()) {
-            throw new ApiException('Headers have already been sent - this indicates a bug in the application!');
-        }
+	final protected function main()
+	{
+		if (headers_sent()) {
+			throw new ApiException('Headers have already been sent - this indicates a bug in the application!');
+		}
 
-        try {
-            $responseData = $this->runApiPage();
-        }
-        catch (ApiException $ex) {
-            $responseData = $ex->getMessage();
-        }
+		try {
+			$responseData = $this->runApiPage();
+		}
+		catch (ApiException $ex) {
+			$responseData = $ex->getMessage();
+		}
 
-        header('Content-Type: text/plain');
+		header('Content-Type: text/plain');
 
-        ob_end_clean();
-        print($responseData);
-        ob_start();
-    }
+		ob_end_clean();
+		print($responseData);
+		ob_start();
+	}
 }

includes/IIdentificationVerifier.php

Indentation +10 added lines, -10 removed lines

@@ -18,14 +18,14 @@
  */
 interface IIdentificationVerifier
 {
-    /**
-     * Checks if the given user is identified to the Wikimedia Foundation.
-     *
-     * @param string $onWikiName The Wikipedia username of the user
-     *
-     * @return bool
-     * @throws EnvironmentException
-     * @category Security-Critical
-     */
-    public function isUserIdentified(string $onWikiName): bool;
+	/**
+	 * Checks if the given user is identified to the Wikimedia Foundation.
+	 *
+	 * @param string $onWikiName The Wikipedia username of the user
+	 *
+	 * @return bool
+	 * @throws EnvironmentException
+	 * @category Security-Critical
+	 */
+	public function isUserIdentified(string $onWikiName): bool;
 }
\ No newline at end of file

includes/API/Actions/CountAction.php

Indentation +92 added lines, -92 removed lines

@@ -22,47 +22,47 @@ 
  */
 class CountAction extends XmlApiPageBase implements IXmlApiAction
 {
-    /**
-     * The target user
-     * @var User $user
-     */
-    private $user;
+	/**
+	 * The target user
+	 * @var User $user
+	 */
+	private $user;
 
-    public function executeApiAction(DOMElement $apiDocument)
-    {
-        $username = WebRequest::getString('user');
-        if ($username === null) {
-            throw new ApiException("Please specify a username");
-        }
+	public function executeApiAction(DOMElement $apiDocument)
+	{
+		$username = WebRequest::getString('user');
+		if ($username === null) {
+			throw new ApiException("Please specify a username");
+		}
 
-        $userElement = $this->document->createElement("user");
-        $userElement->setAttribute("name", $username);
-        $apiDocument->appendChild($userElement);
+		$userElement = $this->document->createElement("user");
+		$userElement->setAttribute("name", $username);
+		$apiDocument->appendChild($userElement);
 
-        $user = User::getByUsername($username, $this->getDatabase());
+		$user = User::getByUsername($username, $this->getDatabase());
 
-        if ($user === false) {
-            $userElement->setAttribute("missing", "true");
+		if ($user === false) {
+			$userElement->setAttribute("missing", "true");
 
-            return $apiDocument;
-        }
+			return $apiDocument;
+		}
 
-        $this->user = $user;
+		$this->user = $user;
 
-        $userElement->setAttribute("level", $this->user->getStatus());
-        $userElement->setAttribute("created", $this->getAccountsCreated());
+		$userElement->setAttribute("level", $this->user->getStatus());
+		$userElement->setAttribute("created", $this->getAccountsCreated());
 
-        $userElement->setAttribute("today", $this->getToday());
+		$userElement->setAttribute("today", $this->getToday());
 
-        // Let the IRC bot handle the result of this.
-        $this->fetchAdminData($userElement);
+		// Let the IRC bot handle the result of this.
+		$this->fetchAdminData($userElement);
 
-        return $apiDocument;
-    }
+		return $apiDocument;
+	}
 
-    private function getAccountsCreated()
-    {
-        $query = <<<QUERY
+	private function getAccountsCreated()
+	{
+		$query = <<<QUERY
         SELECT COUNT(*) AS count
         FROM log
             LEFT JOIN emailtemplate ON concat('Closed ', emailtemplate.id) = log.action
@@ -73,17 +73,17 @@ 
             AND user.username = :username;
 QUERY;
 
-        $statement = $this->getDatabase()->prepare($query);
-        $statement->execute(array(":username" => $this->user->getUsername(), ":created" => EmailTemplate::ACTION_CREATED));
-        $result = $statement->fetchColumn();
-        $statement->closeCursor();
+		$statement = $this->getDatabase()->prepare($query);
+		$statement->execute(array(":username" => $this->user->getUsername(), ":created" => EmailTemplate::ACTION_CREATED));
+		$result = $statement->fetchColumn();
+		$statement->closeCursor();
 
-        return $result;
-    }
+		return $result;
+	}
 
-    private function getToday()
-    {
-        $query = <<<QUERY
+	private function getToday()
+	{
+		$query = <<<QUERY
         SELECT
             COUNT(*) AS count
         FROM log
@@ -95,75 +95,75 @@ 
             AND user.username = :username;
 QUERY;
 
-        $statement = $this->getDatabase()->prepare($query);
-        $statement->bindValue(":username", $this->user->getUsername());
-        $statement->bindValue(":date", date('Y-m-d') . "%");
-        $statement->bindValue(":created", EmailTemplate::ACTION_CREATED);
-        $statement->execute();
-        $today = $statement->fetchColumn();
-        $statement->closeCursor();
+		$statement = $this->getDatabase()->prepare($query);
+		$statement->bindValue(":username", $this->user->getUsername());
+		$statement->bindValue(":date", date('Y-m-d') . "%");
+		$statement->bindValue(":created", EmailTemplate::ACTION_CREATED);
+		$statement->execute();
+		$today = $statement->fetchColumn();
+		$statement->closeCursor();
 
-        return $today;
-    }
+		return $today;
+	}
 
-    private function fetchAdminData(DOMElement $userElement)
-    {
-        $query = "SELECT COUNT(*) AS count FROM log WHERE log.user = :userid AND log.action = :action;";
+	private function fetchAdminData(DOMElement $userElement)
+	{
+		$query = "SELECT COUNT(*) AS count FROM log WHERE log.user = :userid AND log.action = :action;";
 
-        $statement = $this->getDatabase()->prepare($query);
-        $statement->bindValue(":userid", $this->user->getId());
+		$statement = $this->getDatabase()->prepare($query);
+		$statement->bindValue(":userid", $this->user->getId());
         
-        // Each entry is in the form [ database string, attribute name ]
-        // and it happens to be that the attribute is just the lower case form of the database value
-        $actions = [
-            ['Promoted', 'promoted'],
-            ['Approved', 'approved'],
-            ['Demoted', 'demoted'],
-            ['Renamed', 'renamed'],
-            ['Edited', 'edited'],
-            ['Prefchange', 'prefchange'],
-            ['DeactivatedUser', 'deactivateduser'],
-        ];
-        foreach ($actions as $action) {
-            $dbValue = $action[0];
-            $attributeName = $action[1];
+		// Each entry is in the form [ database string, attribute name ]
+		// and it happens to be that the attribute is just the lower case form of the database value
+		$actions = [
+			['Promoted', 'promoted'],
+			['Approved', 'approved'],
+			['Demoted', 'demoted'],
+			['Renamed', 'renamed'],
+			['Edited', 'edited'],
+			['Prefchange', 'prefchange'],
+			['DeactivatedUser', 'deactivateduser'],
+		];
+		foreach ($actions as $action) {
+			$dbValue = $action[0];
+			$attributeName = $action[1];
             
-            $statement->bindValue(":action", $dbValue);
-            $statement->execute();
-            $attributeValue = $statement->fetchColumn();
-            $userElement->setAttribute($attributeName, $attributeValue);
-            $statement->closeCursor();
-        }
-
-        // Combine all three actions affecting Welcome templates into one count.
-        $combinedquery = $this->getDatabase()->prepare(<<<SQL
+			$statement->bindValue(":action", $dbValue);
+			$statement->execute();
+			$attributeValue = $statement->fetchColumn();
+			$userElement->setAttribute($attributeName, $attributeValue);
+			$statement->closeCursor();
+		}
+
+		// Combine all three actions affecting Welcome templates into one count.
+		$combinedquery = $this->getDatabase()->prepare(<<<SQL
             SELECT
                 COUNT(*) AS count
             FROM log
             WHERE log.user = :userid
                 AND log.action IN ('CreatedTemplate', 'EditedTemplate', 'DeletedTemplate');
 SQL
-        );
+		);
 
-        $combinedquery->bindValue(":userid", $this->user->getId());
-        $combinedquery->execute();
-        $dtc = $combinedquery->fetchColumn();
-        $userElement->setAttribute("welctempchange", $dtc);
-        $combinedquery->closeCursor();
+		$combinedquery->bindValue(":userid", $this->user->getId());
+		$combinedquery->execute();
+		$dtc = $combinedquery->fetchColumn();
+		$userElement->setAttribute("welctempchange", $dtc);
+		$combinedquery->closeCursor();
 
-        // Combine both actions affecting Email templates into one count.
-        $combinedquery = $this->getDatabase()->prepare(<<<SQL
+		// Combine both actions affecting Email templates into one count.
+		$combinedquery = $this->getDatabase()->prepare(<<<SQL
             SELECT COUNT(*) AS count
             FROM log
             WHERE log.user = :userid
                 AND log.action IN ('CreatedEmail', 'EditedEmail');
 SQL
-        );
-
-        $combinedquery->bindValue(":userid", $this->user->getId());
-        $combinedquery->execute();
-        $cec = $combinedquery->fetchColumn();
-        $userElement->setAttribute("emailtempchange", $cec);
-        $combinedquery->closeCursor();
-    }
+		);
+
+		$combinedquery->bindValue(":userid", $this->user->getId());
+		$combinedquery->execute();
+		$cec = $combinedquery->fetchColumn();
+		$userElement->setAttribute("emailtempchange", $cec);
+		$combinedquery->closeCursor();
+	}
 }

includes/API/Actions/MetricsAction.php

Indentation +64 added lines, -64 removed lines

@@ -18,57 +18,57 @@ 
  */
 class MetricsAction extends TextApiPageBase implements IApiAction
 {
-    private array $metrics = [];
+	private array $metrics = [];
 
-    private function defineMetric(string $name, string $help, string $type = 'gauge'): void
-    {
-        $this->metrics[$name] = ['help' => $help, 'type' => $type, 'values' => []];
-    }
+	private function defineMetric(string $name, string $help, string $type = 'gauge'): void
+	{
+		$this->metrics[$name] = ['help' => $help, 'type' => $type, 'values' => []];
+	}
 
-    private function setMetric(string $name, array $labels = [], int $value = 0): void
-    {
-        $calculatedLabel = '';
+	private function setMetric(string $name, array $labels = [], int $value = 0): void
+	{
+		$calculatedLabel = '';
 
-        if (count($labels) > 0) {
-            ksort($labels);
+		if (count($labels) > 0) {
+			ksort($labels);
 
-            $labelData = [];
-            foreach ($labels as $label => $labelValue) {
-                $labelData[] = $label . '="' . $labelValue . '"';
-            }
+			$labelData = [];
+			foreach ($labels as $label => $labelValue) {
+				$labelData[] = $label . '="' . $labelValue . '"';
+			}
 
-            $calculatedLabel = '{' . implode(',', $labelData) . '}';
-        }
+			$calculatedLabel = '{' . implode(',', $labelData) . '}';
+		}
 
-        $this->metrics[$name]['values'][$calculatedLabel] = $value;
-    }
+		$this->metrics[$name]['values'][$calculatedLabel] = $value;
+	}
 
-    public function runApiPage(): string
-    {
-        $this->defineMetric('acc_users', 'Number of users');
-        $statement = $this->getDatabase()->query('SELECT status, COUNT(*) AS count FROM user GROUP BY status;');
+	public function runApiPage(): string
+	{
+		$this->defineMetric('acc_users', 'Number of users');
+		$statement = $this->getDatabase()->query('SELECT status, COUNT(*) AS count FROM user GROUP BY status;');
 
-        foreach ($statement->fetchAll(PDO::FETCH_ASSOC) as $row) {
-            $this->setMetric('acc_users', ['status' => $row['status']], $row['count']);
-        }
-        $statement->closeCursor();
+		foreach ($statement->fetchAll(PDO::FETCH_ASSOC) as $row) {
+			$this->setMetric('acc_users', ['status' => $row['status']], $row['count']);
+		}
+		$statement->closeCursor();
 
-        $this->defineMetric('acc_active_domain_users', 'Number of active users in each domain');
-        $statement = $this->getDatabase()->query('
+		$this->defineMetric('acc_active_domain_users', 'Number of active users in each domain');
+		$statement = $this->getDatabase()->query('
             SELECT d.shortname, COUNT(1) AS count FROM userdomain ud 
             INNER JOIN user u ON ud.user = u.id
             INNER JOIN domain d on ud.domain = d.id
             WHERE u.status = \'Active\'
             GROUP BY d.shortname;');
 
-        foreach ($statement->fetchAll(PDO::FETCH_ASSOC) as $row) {
-            $this->setMetric('acc_active_domain_users', ['domain' => $row['shortname']], $row['count']);
-        }
-        $statement->closeCursor();
+		foreach ($statement->fetchAll(PDO::FETCH_ASSOC) as $row) {
+			$this->setMetric('acc_active_domain_users', ['domain' => $row['shortname']], $row['count']);
+		}
+		$statement->closeCursor();
 
 
-        $this->defineMetric('acc_active_domain_roles', 'Number of active users in each role');
-        $statement = $this->getDatabase()->query('
+		$this->defineMetric('acc_active_domain_roles', 'Number of active users in each role');
+		$statement = $this->getDatabase()->query('
             SELECT coalesce(d.shortname, \'\') AS domain, ur.role, COUNT(1) AS count
             FROM userrole ur
             INNER JOIN user u ON ur.user = u.id
@@ -76,53 +76,53 @@ 
             WHERE u.status = \'Active\' AND ur.role <> \'user\'
             GROUP BY d.shortname, ur.role;');
 
-        foreach ($statement->fetchAll(PDO::FETCH_ASSOC) as $row) {
-            $this->setMetric('acc_active_domain_roles', ['domain' => $row['domain'], 'role' => $row['role']], $row['count']);
-        }
-        $statement->closeCursor();
+		foreach ($statement->fetchAll(PDO::FETCH_ASSOC) as $row) {
+			$this->setMetric('acc_active_domain_roles', ['domain' => $row['domain'], 'role' => $row['role']], $row['count']);
+		}
+		$statement->closeCursor();
 
 
-        $this->defineMetric('acc_active_domain_bans', 'Number of active bans in each domain');
-        $statement = $this->getDatabase()->query('
+		$this->defineMetric('acc_active_domain_bans', 'Number of active bans in each domain');
+		$statement = $this->getDatabase()->query('
             SELECT coalesce(d.shortname, \'\') AS domain, COUNT(1) AS count
             FROM ban b LEFT JOIN domain d ON b.domain = d.id
             WHERE (b.duration > UNIX_TIMESTAMP() OR b.duration is null) AND b.active = 1
             GROUP BY d.shortname;');
 
-        foreach ($statement->fetchAll(PDO::FETCH_ASSOC) as $row) {
-            $this->setMetric('acc_active_domain_bans', ['domain' => $row['domain'], 'role' => $row['role']], $row['count']);
-        }
-        $statement->closeCursor();
+		foreach ($statement->fetchAll(PDO::FETCH_ASSOC) as $row) {
+			$this->setMetric('acc_active_domain_bans', ['domain' => $row['domain'], 'role' => $row['role']], $row['count']);
+		}
+		$statement->closeCursor();
 
 
-        $this->defineMetric('acc_queued_requests', 'Number of requests in each queue');
-        $statement = $this->getDatabase()->query('
+		$this->defineMetric('acc_queued_requests', 'Number of requests in each queue');
+		$statement = $this->getDatabase()->query('
             SELECT r.status, d.shortname, rq.header, COUNT(1) as count FROM request r
             INNER JOIN domain d on r.domain = d.id
             LEFT JOIN waca.requestqueue rq ON r.queue = rq.id
             WHERE r.status <> \'Closed\' AND r.emailconfirm = \'Confirmed\'
             GROUP BY r.status, d.shortname, rq.header;');
 
-        foreach ($statement->fetchAll(PDO::FETCH_ASSOC) as $row) {
-            $this->setMetric('acc_queued_requests', ['status' => $row['status'], 'shortname' => $row['shortname'], 'queue' => $row['header']], $row['count']);
-        }
-        $statement->closeCursor();
+		foreach ($statement->fetchAll(PDO::FETCH_ASSOC) as $row) {
+			$this->setMetric('acc_queued_requests', ['status' => $row['status'], 'shortname' => $row['shortname'], 'queue' => $row['header']], $row['count']);
+		}
+		$statement->closeCursor();
 
-        return $this->writeMetrics();
-    }
+		return $this->writeMetrics();
+	}
 
-    private function writeMetrics() : string
-    {
-        $data = '';
+	private function writeMetrics() : string
+	{
+		$data = '';
 
-        foreach ($this->metrics as $name => $metricData) {
-            $data .= "# HELP {$name} {$metricData['help']}\n";
-            $data .= "# TYPE {$name} {$metricData['type']}\n";
-            foreach ($metricData['values'] as $label => $value) {
-                $data .= "{$name}{$label} {$value}\n";
-            }
-        }
+		foreach ($this->metrics as $name => $metricData) {
+			$data .= "# HELP {$name} {$metricData['help']}\n";
+			$data .= "# TYPE {$name} {$metricData['type']}\n";
+			foreach ($metricData['values'] as $label => $value) {
+				$data .= "{$name}{$label} {$value}\n";
+			}
+		}
 
-        return $data;
-    }
+		return $data;
+	}
 }

includes/Security/SecurityManager.php

Indentation +165 added lines, -165 removed lines

@@ -16,169 +16,169 @@
 
 final class SecurityManager implements ISecurityManager
 {
-    private IIdentificationVerifier $identificationVerifier;
-    private RoleConfigurationBase $roleConfiguration;
-
-    private array $cache = [];
-    private IUserAccessLoader $userAccessLoader;
-
-    public function __construct(
-        IIdentificationVerifier $identificationVerifier,
-        RoleConfigurationBase $roleConfiguration,
-        IUserAccessLoader $userAccessLoader
-    ) {
-        $this->identificationVerifier = $identificationVerifier;
-        $this->roleConfiguration = $roleConfiguration;
-        $this->userAccessLoader = $userAccessLoader;
-    }
-
-    /**
-     * Tests if a user is allowed to perform an action.
-     *
-     * This method should form a hard, deterministic security barrier, and only return true if it is absolutely sure
-     * that a user should have access to something.
-     *
-     * @category Security-Critical
-     */
-    public function allows(string $page, string $route, User $user): int
-    {
-        $this->getCachedActiveRoles($user, $activeRoles, $inactiveRoles);
-
-        $availableRights = $this->roleConfiguration->getResultantRole($activeRoles);
-        $testResult = $this->findResult($availableRights, $page, $route);
-
-        if ($testResult !== null) {
-            // We got a firm result here, so just return it.
-            return $testResult;
-        }
-
-        // No firm result yet, so continue testing the inactive roles so we can give a better error.
-        $inactiveRights = $this->roleConfiguration->getResultantRole($inactiveRoles);
-        $testResult = $this->findResult($inactiveRights, $page, $route);
-
-        if ($testResult === self::ALLOWED) {
-            // The user is allowed to access this, but their role is inactive.
-            return self::ERROR_NOT_IDENTIFIED;
-        }
-
-        // Other options from the secondary test are denied and inconclusive, which at this point defaults to denied.
-        return self::ERROR_DENIED;
-    }
-
-    public function getActiveRoles(User $user, ?array &$activeRoles, ?array &$inactiveRoles)
-    {
-        // Default to the community user here, because the main user is logged out
-        $identified = false;
-        $userRoles = array('public');
-
-        // if we're not the community user, get our real rights.
-        if (!$user->isCommunityUser()) {
-            // Check the user's status - only active users are allowed the effects of roles
-
-            $userRoles[] = 'loggedIn';
-
-            if ($user->isActive()) {
-                // All active users get +user
-                $userRoles[] = 'user';
-
-                $loadedRoles = $this->userAccessLoader->loadRolesForUser($user);
-
-                // NOTE: public is still in this array.
-                $userRoles = array_merge($userRoles, $loadedRoles);
-
-                $identified = $this->userIsIdentified($user);
-            }
-        }
-
-        $activeRoles = array();
-        $inactiveRoles = array();
-
-        foreach ($userRoles as $v) {
-            if ($this->roleConfiguration->roleNeedsIdentification($v)) {
-                if ($identified) {
-                    $activeRoles[] = $v;
-                }
-                else {
-                    $inactiveRoles[] = $v;
-                }
-            }
-            else {
-                $activeRoles[] = $v;
-            }
-        }
-    }
-
-    public function getCachedActiveRoles(User $user, ?array &$activeRoles, ?array &$inactiveRoles): void
-    {
-        if (!array_key_exists($user->getId(), $this->cache)) {
-            $this->getActiveRoles($user, $retrievedActiveRoles, $retrievedInactiveRoles);
-            $this->cache[$user->getId()] = ['active' => $retrievedActiveRoles, 'inactive' => $retrievedInactiveRoles];
-        }
-
-        $activeRoles = $this->cache[$user->getId()]['active'];
-        $inactiveRoles = $this->cache[$user->getId()]['inactive'];
-    }
-
-    public function getAvailableRoles(): array
-    {
-        return $this->roleConfiguration->getAvailableRoles();
-    }
-
-    /**
-     * Tests a role for an ACL decision on a specific page/route
-     *
-     * @param array  $pseudoRole The role (flattened) to check
-     * @param string $page       The page class to check
-     * @param string $route      The page route to check
-     *
-     * @return int|null
-     */
-    private function findResult($pseudoRole, $page, $route)
-    {
-        if (isset($pseudoRole[$page])) {
-            // check for deny on catch-all route
-            if (isset($pseudoRole[$page][RoleConfigurationBase::ALL])) {
-                if ($pseudoRole[$page][RoleConfigurationBase::ALL] === RoleConfigurationBase::ACCESS_DENY) {
-                    return self::ERROR_DENIED;
-                }
-            }
-
-            // check normal route
-            if (isset($pseudoRole[$page][$route])) {
-                if ($pseudoRole[$page][$route] === RoleConfigurationBase::ACCESS_DENY) {
-                    return self::ERROR_DENIED;
-                }
-
-                if ($pseudoRole[$page][$route] === RoleConfigurationBase::ACCESS_ALLOW) {
-                    return self::ALLOWED;
-                }
-            }
-
-            // check for allowed on catch-all route
-            if (isset($pseudoRole[$page][RoleConfigurationBase::ALL])) {
-                if ($pseudoRole[$page][RoleConfigurationBase::ALL] === RoleConfigurationBase::ACCESS_ALLOW) {
-                    return self::ALLOWED;
-                }
-            }
-        }
-
-        // return indeterminate result
-        return null;
-    }
-
-    private function userIsIdentified(User $user): bool
-    {
-        if ($user->getForceIdentified() === false) {
-            // User forced to be unidentified in the database.
-            return false;
-        }
-
-        if ($user->getForceIdentified() === true) {
-            // User forced to be identified in the database.
-            return true;
-        }
-
-        // User not forced to any particular identified status; consult IdentificationVerifier
-        return $this->identificationVerifier->isUserIdentified($user->getOnWikiName());
-    }
+	private IIdentificationVerifier $identificationVerifier;
+	private RoleConfigurationBase $roleConfiguration;
+
+	private array $cache = [];
+	private IUserAccessLoader $userAccessLoader;
+
+	public function __construct(
+		IIdentificationVerifier $identificationVerifier,
+		RoleConfigurationBase $roleConfiguration,
+		IUserAccessLoader $userAccessLoader
+	) {
+		$this->identificationVerifier = $identificationVerifier;
+		$this->roleConfiguration = $roleConfiguration;
+		$this->userAccessLoader = $userAccessLoader;
+	}
+
+	/**
+	 * Tests if a user is allowed to perform an action.
+	 *
+	 * This method should form a hard, deterministic security barrier, and only return true if it is absolutely sure
+	 * that a user should have access to something.
+	 *
+	 * @category Security-Critical
+	 */
+	public function allows(string $page, string $route, User $user): int
+	{
+		$this->getCachedActiveRoles($user, $activeRoles, $inactiveRoles);
+
+		$availableRights = $this->roleConfiguration->getResultantRole($activeRoles);
+		$testResult = $this->findResult($availableRights, $page, $route);
+
+		if ($testResult !== null) {
+			// We got a firm result here, so just return it.
+			return $testResult;
+		}
+
+		// No firm result yet, so continue testing the inactive roles so we can give a better error.
+		$inactiveRights = $this->roleConfiguration->getResultantRole($inactiveRoles);
+		$testResult = $this->findResult($inactiveRights, $page, $route);
+
+		if ($testResult === self::ALLOWED) {
+			// The user is allowed to access this, but their role is inactive.
+			return self::ERROR_NOT_IDENTIFIED;
+		}
+
+		// Other options from the secondary test are denied and inconclusive, which at this point defaults to denied.
+		return self::ERROR_DENIED;
+	}
+
+	public function getActiveRoles(User $user, ?array &$activeRoles, ?array &$inactiveRoles)
+	{
+		// Default to the community user here, because the main user is logged out
+		$identified = false;
+		$userRoles = array('public');
+
+		// if we're not the community user, get our real rights.
+		if (!$user->isCommunityUser()) {
+			// Check the user's status - only active users are allowed the effects of roles
+
+			$userRoles[] = 'loggedIn';
+
+			if ($user->isActive()) {
+				// All active users get +user
+				$userRoles[] = 'user';
+
+				$loadedRoles = $this->userAccessLoader->loadRolesForUser($user);
+
+				// NOTE: public is still in this array.
+				$userRoles = array_merge($userRoles, $loadedRoles);
+
+				$identified = $this->userIsIdentified($user);
+			}
+		}
+
+		$activeRoles = array();
+		$inactiveRoles = array();
+
+		foreach ($userRoles as $v) {
+			if ($this->roleConfiguration->roleNeedsIdentification($v)) {
+				if ($identified) {
+					$activeRoles[] = $v;
+				}
+				else {
+					$inactiveRoles[] = $v;
+				}
+			}
+			else {
+				$activeRoles[] = $v;
+			}
+		}
+	}
+
+	public function getCachedActiveRoles(User $user, ?array &$activeRoles, ?array &$inactiveRoles): void
+	{
+		if (!array_key_exists($user->getId(), $this->cache)) {
+			$this->getActiveRoles($user, $retrievedActiveRoles, $retrievedInactiveRoles);
+			$this->cache[$user->getId()] = ['active' => $retrievedActiveRoles, 'inactive' => $retrievedInactiveRoles];
+		}
+
+		$activeRoles = $this->cache[$user->getId()]['active'];
+		$inactiveRoles = $this->cache[$user->getId()]['inactive'];
+	}
+
+	public function getAvailableRoles(): array
+	{
+		return $this->roleConfiguration->getAvailableRoles();
+	}
+
+	/**
+	 * Tests a role for an ACL decision on a specific page/route
+	 *
+	 * @param array  $pseudoRole The role (flattened) to check
+	 * @param string $page       The page class to check
+	 * @param string $route      The page route to check
+	 *
+	 * @return int|null
+	 */
+	private function findResult($pseudoRole, $page, $route)
+	{
+		if (isset($pseudoRole[$page])) {
+			// check for deny on catch-all route
+			if (isset($pseudoRole[$page][RoleConfigurationBase::ALL])) {
+				if ($pseudoRole[$page][RoleConfigurationBase::ALL] === RoleConfigurationBase::ACCESS_DENY) {
+					return self::ERROR_DENIED;
+				}
+			}
+
+			// check normal route
+			if (isset($pseudoRole[$page][$route])) {
+				if ($pseudoRole[$page][$route] === RoleConfigurationBase::ACCESS_DENY) {
+					return self::ERROR_DENIED;
+				}
+
+				if ($pseudoRole[$page][$route] === RoleConfigurationBase::ACCESS_ALLOW) {
+					return self::ALLOWED;
+				}
+			}
+
+			// check for allowed on catch-all route
+			if (isset($pseudoRole[$page][RoleConfigurationBase::ALL])) {
+				if ($pseudoRole[$page][RoleConfigurationBase::ALL] === RoleConfigurationBase::ACCESS_ALLOW) {
+					return self::ALLOWED;
+				}
+			}
+		}
+
+		// return indeterminate result
+		return null;
+	}
+
+	private function userIsIdentified(User $user): bool
+	{
+		if ($user->getForceIdentified() === false) {
+			// User forced to be unidentified in the database.
+			return false;
+		}
+
+		if ($user->getForceIdentified() === true) {
+			// User forced to be identified in the database.
+			return true;
+		}
+
+		// User not forced to any particular identified status; consult IdentificationVerifier
+		return $this->identificationVerifier->isUserIdentified($user->getOnWikiName());
+	}
 }