mdaniels5757 / waca

smarty-plugins/function.defaultsort.php

Indentation +15 added lines, -15 removed lines

@@ -19,24 +19,24 @@
  */
 function smarty_function_defaultsort($params, Template $template)
 {
-    if (empty($params['id'])) {
-        return "";
-    }
+	if (empty($params['id'])) {
+		return "";
+	}
 
-    $attr = 'data-sortname="' . htmlspecialchars($params['id'], ENT_QUOTES) . '"';
+	$attr = 'data-sortname="' . htmlspecialchars($params['id'], ENT_QUOTES) . '"';
 
-    if (empty($params['req'])) {
-        return $attr;
-    }
+	if (empty($params['req'])) {
+		return $attr;
+	}
 
-    if ($params['dir'] !== 'asc' && $params['dir'] !== 'desc') {
-        $params['dir'] = 'asc';
-    }
+	if ($params['dir'] !== 'asc' && $params['dir'] !== 'desc') {
+		$params['dir'] = 'asc';
+	}
 
-    $sort = '';
-    if ($params['req'] === $params['id']) {
-        $sort = ' data-defaultsort="' . htmlspecialchars($params['dir'], ENT_QUOTES) . '"';
-    }
+	$sort = '';
+	if ($params['req'] === $params['id']) {
+		$sort = ' data-defaultsort="' . htmlspecialchars($params['dir'], ENT_QUOTES) . '"';
+	}
 
-    return $attr . $sort;
+	return $attr . $sort;
 }

includes/Fragments/TemplateOutput.php

Indentation +125 added lines, -125 removed lines

@@ -18,129 +18,129 @@
 
 trait TemplateOutput
 {
-    /** @var Smarty */
-    private $smarty;
-
-    /**
-     * @param string $pluginsDir
-     *
-     * @return void
-     * @throws Exception
-     */
-    private function loadPlugins(string $pluginsDir): void
-    {
-        /** @var DirectoryIterator $file */
-        foreach (new DirectoryIterator($pluginsDir) as $file) {
-            if ($file->isDot()) {
-                continue;
-            }
-
-            if ($file->getExtension() != 'php') {
-                continue;
-            }
-
-            require_once $file->getPathname();
-
-            list($type, $name) = explode('.', $file->getBasename('.php'), 2);
-
-            switch ($type) {
-                case 'modifier':
-                    $this->smarty->registerPlugin(Smarty::PLUGIN_MODIFIER, $name, 'smarty_modifier_' . $name);
-                    break;
-                case 'function':
-                    $this->smarty->registerPlugin(Smarty::PLUGIN_FUNCTION, $name, 'smarty_function_' . $name);
-                    break;
-            }
-        }
-    }
-
-    /**
-     * @return SiteConfiguration
-     */
-    protected abstract function getSiteConfiguration();
-
-    /**
-     * Assigns a Smarty variable
-     *
-     * @param  array|string $name  the template variable name(s)
-     * @param  mixed        $value the value to assign
-     */
-    final protected function assign($name, $value)
-    {
-        $this->smarty->assign($name, $value);
-    }
-
-    /**
-     * Sets up the variables used by the main Smarty base template.
-     *
-     * This list is getting kinda long.
-     * @throws Exception
-     */
-    final protected function setUpSmarty()
-    {
-        $this->smarty = new Smarty();
-        $pluginsDir = $this->getSiteConfiguration()->getFilePath() . '/smarty-plugins';
-
-        // Dynamically load all plugins in the plugins directory
-        $this->loadPlugins($pluginsDir);
-
-        $this->assign('currentUser', User::getCommunity());
-        $this->assign('skin', 'auto');
-        $this->assign('currentDomain', null);
-        $this->assign('loggedIn', false);
-        $this->assign('baseurl', $this->getSiteConfiguration()->getBaseUrl());
-        $this->assign('resourceCacheEpoch', $this->getSiteConfiguration()->getResourceCacheEpoch());
-
-        $this->assign('siteNoticeText', '');
-        $this->assign('siteNoticeVersion', 0);
-        $this->assign('siteNoticeState', 'd-none');
-        $this->assign('toolversion', Environment::getToolVersion());
-
-        // default these
-        $this->assign('onlineusers', array());
-        $this->assign('typeAheadBlock', '');
-        $this->assign('extraJs', array());
-
-        // nav menu access control
-        $this->assign('nav__canRequests', false);
-        $this->assign('nav__canLogs', false);
-        $this->assign('nav__canUsers', false);
-        $this->assign('nav__canSearch', false);
-        $this->assign('nav__canStats', false);
-        $this->assign('nav__canBan', false);
-        $this->assign('nav__canEmailMgmt', false);
-        $this->assign('nav__canWelcomeMgmt', false);
-        $this->assign('nav__canSiteNoticeMgmt', false);
-        $this->assign('nav__canUserMgmt', false);
-        $this->assign('nav__canViewRequest', false);
-        $this->assign('nav__canJobQueue', false);
-        $this->assign('nav__canFlaggedComments', false);
-        $this->assign('nav__canDomainMgmt', false);
-        $this->assign('nav__canQueueMgmt', false);
-        $this->assign('nav__canFormMgmt', false);
-        $this->assign('nav__canErrorLog', false);
-
-        // Navigation badges for concern areas.
-        $this->assign("nav__numAdmin", 0);
-        $this->assign("nav__numFlaggedComments", 0);
-        $this->assign("nav__numJobQueueFailed", 0);
-
-        // debug helpers
-        $this->assign('showDebugCssBreakpoints', $this->getSiteConfiguration()->getDebuggingCssBreakpointsEnabled());
-
-        $this->assign('page', $this);
-    }
-
-    /**
-     * Fetches a rendered Smarty template
-     *
-     * @param $template string Template file path, relative to /templates/
-     *
-     * @return string Templated HTML
-     * @throws Exception
-     */
-    final protected function fetchTemplate($template)
-    {
-        return $this->smarty->fetch($template);
-    }
+	/** @var Smarty */
+	private $smarty;
+
+	/**
+	 * @param string $pluginsDir
+	 *
+	 * @return void
+	 * @throws Exception
+	 */
+	private function loadPlugins(string $pluginsDir): void
+	{
+		/** @var DirectoryIterator $file */
+		foreach (new DirectoryIterator($pluginsDir) as $file) {
+			if ($file->isDot()) {
+				continue;
+			}
+
+			if ($file->getExtension() != 'php') {
+				continue;
+			}
+
+			require_once $file->getPathname();
+
+			list($type, $name) = explode('.', $file->getBasename('.php'), 2);
+
+			switch ($type) {
+				case 'modifier':
+					$this->smarty->registerPlugin(Smarty::PLUGIN_MODIFIER, $name, 'smarty_modifier_' . $name);
+					break;
+				case 'function':
+					$this->smarty->registerPlugin(Smarty::PLUGIN_FUNCTION, $name, 'smarty_function_' . $name);
+					break;
+			}
+		}
+	}
+
+	/**
+	 * @return SiteConfiguration
+	 */
+	protected abstract function getSiteConfiguration();
+
+	/**
+	 * Assigns a Smarty variable
+	 *
+	 * @param  array|string $name  the template variable name(s)
+	 * @param  mixed        $value the value to assign
+	 */
+	final protected function assign($name, $value)
+	{
+		$this->smarty->assign($name, $value);
+	}
+
+	/**
+	 * Sets up the variables used by the main Smarty base template.
+	 *
+	 * This list is getting kinda long.
+	 * @throws Exception
+	 */
+	final protected function setUpSmarty()
+	{
+		$this->smarty = new Smarty();
+		$pluginsDir = $this->getSiteConfiguration()->getFilePath() . '/smarty-plugins';
+
+		// Dynamically load all plugins in the plugins directory
+		$this->loadPlugins($pluginsDir);
+
+		$this->assign('currentUser', User::getCommunity());
+		$this->assign('skin', 'auto');
+		$this->assign('currentDomain', null);
+		$this->assign('loggedIn', false);
+		$this->assign('baseurl', $this->getSiteConfiguration()->getBaseUrl());
+		$this->assign('resourceCacheEpoch', $this->getSiteConfiguration()->getResourceCacheEpoch());
+
+		$this->assign('siteNoticeText', '');
+		$this->assign('siteNoticeVersion', 0);
+		$this->assign('siteNoticeState', 'd-none');
+		$this->assign('toolversion', Environment::getToolVersion());
+
+		// default these
+		$this->assign('onlineusers', array());
+		$this->assign('typeAheadBlock', '');
+		$this->assign('extraJs', array());
+
+		// nav menu access control
+		$this->assign('nav__canRequests', false);
+		$this->assign('nav__canLogs', false);
+		$this->assign('nav__canUsers', false);
+		$this->assign('nav__canSearch', false);
+		$this->assign('nav__canStats', false);
+		$this->assign('nav__canBan', false);
+		$this->assign('nav__canEmailMgmt', false);
+		$this->assign('nav__canWelcomeMgmt', false);
+		$this->assign('nav__canSiteNoticeMgmt', false);
+		$this->assign('nav__canUserMgmt', false);
+		$this->assign('nav__canViewRequest', false);
+		$this->assign('nav__canJobQueue', false);
+		$this->assign('nav__canFlaggedComments', false);
+		$this->assign('nav__canDomainMgmt', false);
+		$this->assign('nav__canQueueMgmt', false);
+		$this->assign('nav__canFormMgmt', false);
+		$this->assign('nav__canErrorLog', false);
+
+		// Navigation badges for concern areas.
+		$this->assign("nav__numAdmin", 0);
+		$this->assign("nav__numFlaggedComments", 0);
+		$this->assign("nav__numJobQueueFailed", 0);
+
+		// debug helpers
+		$this->assign('showDebugCssBreakpoints', $this->getSiteConfiguration()->getDebuggingCssBreakpointsEnabled());
+
+		$this->assign('page', $this);
+	}
+
+	/**
+	 * Fetches a rendered Smarty template
+	 *
+	 * @param $template string Template file path, relative to /templates/
+	 *
+	 * @return string Templated HTML
+	 * @throws Exception
+	 */
+	final protected function fetchTemplate($template)
+	{
+		return $this->smarty->fetch($template);
+	}
 }

includes/Security/RoleConfigurationBase.php

Indentation +131 added lines, -131 removed lines

@@ -10,135 +10,135 @@
 
 abstract class RoleConfigurationBase
 {
-    const ACCESS_ALLOW = 1;
-    const ACCESS_DENY = -1;
-    const ACCESS_DEFAULT = 0;
-    const MAIN = 'main';
-    const ALL = '*';
-
-    protected array $roleConfig;
-    protected array $identificationExempt;
-
-    protected function __construct(array $roleConfig, array $identificationExempt)
-    {
-        $this->roleConfig = $roleConfig;
-        $this->identificationExempt = $identificationExempt;
-    }
-
-    /**
-     * Takes an array of role names and flattens the values to a single
-     * resultant role configuration.
-     *
-     * @param string[] $activeRoles
-     * @category Security-Critical
-     */
-    public function getResultantRole(array $activeRoles): array
-    {
-        $result = array();
-
-        $roleConfig = $this->getApplicableRoles($activeRoles);
-
-        // Iterate over every page in every role
-        foreach ($roleConfig as $role) {
-            foreach ($role as $page => $pageRights) {
-                // Create holder in result for this page
-                if (!isset($result[$page])) {
-                    $result[$page] = array();
-                }
-
-                foreach ($pageRights as $action => $permission) {
-                    // Deny takes precedence, so if it's set, don't change it.
-                    if (isset($result[$page][$action])) {
-                        if ($result[$page][$action] === RoleConfigurationBase::ACCESS_DENY) {
-                            continue;
-                        }
-                    }
-
-                    if ($permission === RoleConfigurationBase::ACCESS_DEFAULT) {
-                        // Configured to do precisely nothing.
-                        continue;
-                    }
-
-                    $result[$page][$action] = $permission;
-                }
-            }
-        }
-
-        return $result;
-    }
-
-    /**
-     * Returns a set of all roles which are available to be set.
-     *
-     * Hidden roles and implicit roles are excluded.
-     */
-    public function getAvailableRoles(): array
-    {
-        // remove the implicit roles
-        $possible = array_diff(array_keys($this->roleConfig), array('public', 'loggedIn', 'user'));
-
-        $actual = array();
-
-        foreach ($possible as $role) {
-            if (!isset($this->roleConfig[$role]['_hidden'])) {
-                $actual[$role] = array(
-                    'description' => $this->roleConfig[$role]['_description'],
-                    'editableBy'  => $this->roleConfig[$role]['_editableBy'],
-                    'globalOnly'  => isset($this->roleConfig[$role]['_globalOnly']) && $this->roleConfig[$role]['_globalOnly'],
-                );
-            }
-        }
-
-        return $actual;
-    }
-
-    /**
-     * Returns a boolean for whether the provided role requires identification
-     * before being used by a user.
-     *
-     * @category Security-Critical
-     */
-    public function roleNeedsIdentification(string $role): bool
-    {
-        if (in_array($role, $this->identificationExempt)) {
-            return false;
-        }
-
-        return true;
-    }
-
-    /**
-     * Takes an array of role names, and returns all the relevant roles for that
-     * set, including any child roles found recursively.
-     *
-     * @param array $roles The names of roles to start searching with
-     */
-    private function getApplicableRoles(array $roles): array
-    {
-        $available = array();
-
-        foreach ($roles as $role) {
-            if (!isset($this->roleConfig[$role])) {
-                // wat
-                continue;
-            }
-
-            $available[$role] = $this->roleConfig[$role];
-
-            if (isset($available[$role]['_childRoles'])) {
-                $childRoles = $this->getApplicableRoles($available[$role]['_childRoles']);
-                $available = array_merge($available, $childRoles);
-
-                unset($available[$role]['_childRoles']);
-            }
-
-            foreach (array('_hidden', '_editableBy', '_description', '_globalOnly') as $item) {
-                if (isset($available[$role][$item])) {
-                    unset($available[$role][$item]);
-                }
-            }
-        }
-
-        return $available;
-    }
+	const ACCESS_ALLOW = 1;
+	const ACCESS_DENY = -1;
+	const ACCESS_DEFAULT = 0;
+	const MAIN = 'main';
+	const ALL = '*';
+
+	protected array $roleConfig;
+	protected array $identificationExempt;
+
+	protected function __construct(array $roleConfig, array $identificationExempt)
+	{
+		$this->roleConfig = $roleConfig;
+		$this->identificationExempt = $identificationExempt;
+	}
+
+	/**
+	 * Takes an array of role names and flattens the values to a single
+	 * resultant role configuration.
+	 *
+	 * @param string[] $activeRoles
+	 * @category Security-Critical
+	 */
+	public function getResultantRole(array $activeRoles): array
+	{
+		$result = array();
+
+		$roleConfig = $this->getApplicableRoles($activeRoles);
+
+		// Iterate over every page in every role
+		foreach ($roleConfig as $role) {
+			foreach ($role as $page => $pageRights) {
+				// Create holder in result for this page
+				if (!isset($result[$page])) {
+					$result[$page] = array();
+				}
+
+				foreach ($pageRights as $action => $permission) {
+					// Deny takes precedence, so if it's set, don't change it.
+					if (isset($result[$page][$action])) {
+						if ($result[$page][$action] === RoleConfigurationBase::ACCESS_DENY) {
+							continue;
+						}
+					}
+
+					if ($permission === RoleConfigurationBase::ACCESS_DEFAULT) {
+						// Configured to do precisely nothing.
+						continue;
+					}
+
+					$result[$page][$action] = $permission;
+				}
+			}
+		}
+
+		return $result;
+	}
+
+	/**
+	 * Returns a set of all roles which are available to be set.
+	 *
+	 * Hidden roles and implicit roles are excluded.
+	 */
+	public function getAvailableRoles(): array
+	{
+		// remove the implicit roles
+		$possible = array_diff(array_keys($this->roleConfig), array('public', 'loggedIn', 'user'));
+
+		$actual = array();
+
+		foreach ($possible as $role) {
+			if (!isset($this->roleConfig[$role]['_hidden'])) {
+				$actual[$role] = array(
+					'description' => $this->roleConfig[$role]['_description'],
+					'editableBy'  => $this->roleConfig[$role]['_editableBy'],
+					'globalOnly'  => isset($this->roleConfig[$role]['_globalOnly']) && $this->roleConfig[$role]['_globalOnly'],
+				);
+			}
+		}
+
+		return $actual;
+	}
+
+	/**
+	 * Returns a boolean for whether the provided role requires identification
+	 * before being used by a user.
+	 *
+	 * @category Security-Critical
+	 */
+	public function roleNeedsIdentification(string $role): bool
+	{
+		if (in_array($role, $this->identificationExempt)) {
+			return false;
+		}
+
+		return true;
+	}
+
+	/**
+	 * Takes an array of role names, and returns all the relevant roles for that
+	 * set, including any child roles found recursively.
+	 *
+	 * @param array $roles The names of roles to start searching with
+	 */
+	private function getApplicableRoles(array $roles): array
+	{
+		$available = array();
+
+		foreach ($roles as $role) {
+			if (!isset($this->roleConfig[$role])) {
+				// wat
+				continue;
+			}
+
+			$available[$role] = $this->roleConfig[$role];
+
+			if (isset($available[$role]['_childRoles'])) {
+				$childRoles = $this->getApplicableRoles($available[$role]['_childRoles']);
+				$available = array_merge($available, $childRoles);
+
+				unset($available[$role]['_childRoles']);
+			}
+
+			foreach (array('_hidden', '_editableBy', '_description', '_globalOnly') as $item) {
+				if (isset($available[$role][$item])) {
+					unset($available[$role][$item]);
+				}
+			}
+		}
+
+		return $available;
+	}
 }
\ No newline at end of file

includes/ExceptionHandler.php

Indentation +118 added lines, -118 removed lines

@@ -14,22 +14,22 @@ 
 
 class ExceptionHandler
 {
-    /**
-     * Global exception handler
-     *
-     * Smarty would be nice to use, but it COULD BE smarty that throws the errors.
-     * Let's build something ourselves, and hope it works.
-     *
-     * @param $exception
-     *
-     * @category Security-Critical - has the potential to leak data when exception is thrown.
-     */
-    public static function exceptionHandler(Throwable $exception)
-    {
-        /** @global $siteConfiguration SiteConfiguration */
-        global $siteConfiguration;
-
-        $errorDocument = <<<HTML
+	/**
+	 * Global exception handler
+	 *
+	 * Smarty would be nice to use, but it COULD BE smarty that throws the errors.
+	 * Let's build something ourselves, and hope it works.
+	 *
+	 * @param $exception
+	 *
+	 * @category Security-Critical - has the potential to leak data when exception is thrown.
+	 */
+	public static function exceptionHandler(Throwable $exception)
+	{
+		/** @global $siteConfiguration SiteConfiguration */
+		global $siteConfiguration;
+
+		$errorDocument = <<<HTML
 <!DOCTYPE html>
 <html lang="en"><head>
 <meta charset="utf-8">
@@ -49,106 +49,106 @@ 
 </div></body></html>
 HTML;
 
-        list($errorData, $errorId) = self::logExceptionToDisk($exception, $siteConfiguration, true);
-
-        error_log('Unhandled ' . get_class($exception) . ': ' . $exception->getMessage());
-
-        // clear and discard any content that's been saved to the output buffer
-        if (ob_get_level() > 0) {
-            ob_end_clean();
-        }
-
-        // push error ID into the document.
-        $message = str_replace('$1$', $errorId, $errorDocument);
-
-        if ($siteConfiguration->getDebuggingTraceEnabled()) {
-            ob_start();
-            var_dump($errorData);
-            $textErrorData = ob_get_contents();
-            ob_end_clean();
-
-            $message = str_replace('$2$', $textErrorData, $message);
-        }
-        else {
-            $message = str_replace('$2$', "", $message);
-        }
-
-        // While we *shouldn't* have sent headers by now due to the output buffering, PHPUnit does weird things.
-        // This is "only" needed for the tests, but it's a good idea to wrap this anyway.
-        if (!headers_sent()) {
-            header('HTTP/1.1 500 Internal Server Error');
-        }
-
-        // output the document
-        print $message;
-    }
-
-    /**
-     * @param int    $errorSeverity The severity level of the exception.
-     * @param string $errorMessage  The Exception message to throw.
-     * @param string $errorFile     The filename where the exception is thrown.
-     * @param int    $errorLine     The line number where the exception is thrown.
-     *
-     * @throws ErrorException
-     */
-    public static function errorHandler($errorSeverity, $errorMessage, $errorFile, $errorLine)
-    {
-        // call into the main exception handler above
-        throw new ErrorException($errorMessage, 0, $errorSeverity, $errorFile, $errorLine);
-    }
-
-    /**
-     * @param Throwable $exception
-     *
-     * @return null|array
-     */
-    public static function getExceptionData($exception)
-    {
-        if ($exception == null) {
-            return null;
-        }
-
-        $array = array(
-            'exception' => get_class($exception),
-            'message'   => $exception->getMessage(),
-            'stack'     => $exception->getTraceAsString(),
-        );
-
-        $array['previous'] = self::getExceptionData($exception->getPrevious());
-
-        return $array;
-    }
-
-    public static function logExceptionToDisk(
-        Throwable $exception,
-        SiteConfiguration $siteConfiguration,
-        bool $fromGlobalHandler = false
-    ): array {
-        $errorData = self::getExceptionData($exception);
-        $errorData['server'] = $_SERVER;
-        $errorData['get'] = $_GET;
-        $errorData['post'] = $_POST;
-
-        $redactions = ['password', 'newpassword', 'newpasswordconfirm', 'otp'];
-        foreach ($redactions as $redaction) {
-            if (isset($errorData['post'][$redaction])) {
-                $errorData['post'][$redaction] = '<redacted>';
-            }
-        }
-
-        if ($fromGlobalHandler) {
-            $errorData['globalHandler'] = true;
-        }
-        else {
-            $errorData['globalHandler'] = false;
-        }
-
-        $state = serialize($errorData);
-        $errorId = sha1($state);
-
-        // Save the error for later analysis
-        file_put_contents($siteConfiguration->getErrorLog() . '/' . $errorId . '.log', $state);
-
-        return array($errorData, $errorId);
-    }
+		list($errorData, $errorId) = self::logExceptionToDisk($exception, $siteConfiguration, true);
+
+		error_log('Unhandled ' . get_class($exception) . ': ' . $exception->getMessage());
+
+		// clear and discard any content that's been saved to the output buffer
+		if (ob_get_level() > 0) {
+			ob_end_clean();
+		}
+
+		// push error ID into the document.
+		$message = str_replace('$1$', $errorId, $errorDocument);
+
+		if ($siteConfiguration->getDebuggingTraceEnabled()) {
+			ob_start();
+			var_dump($errorData);
+			$textErrorData = ob_get_contents();
+			ob_end_clean();
+
+			$message = str_replace('$2$', $textErrorData, $message);
+		}
+		else {
+			$message = str_replace('$2$', "", $message);
+		}
+
+		// While we *shouldn't* have sent headers by now due to the output buffering, PHPUnit does weird things.
+		// This is "only" needed for the tests, but it's a good idea to wrap this anyway.
+		if (!headers_sent()) {
+			header('HTTP/1.1 500 Internal Server Error');
+		}
+
+		// output the document
+		print $message;
+	}
+
+	/**
+	 * @param int    $errorSeverity The severity level of the exception.
+	 * @param string $errorMessage  The Exception message to throw.
+	 * @param string $errorFile     The filename where the exception is thrown.
+	 * @param int    $errorLine     The line number where the exception is thrown.
+	 *
+	 * @throws ErrorException
+	 */
+	public static function errorHandler($errorSeverity, $errorMessage, $errorFile, $errorLine)
+	{
+		// call into the main exception handler above
+		throw new ErrorException($errorMessage, 0, $errorSeverity, $errorFile, $errorLine);
+	}
+
+	/**
+	 * @param Throwable $exception
+	 *
+	 * @return null|array
+	 */
+	public static function getExceptionData($exception)
+	{
+		if ($exception == null) {
+			return null;
+		}
+
+		$array = array(
+			'exception' => get_class($exception),
+			'message'   => $exception->getMessage(),
+			'stack'     => $exception->getTraceAsString(),
+		);
+
+		$array['previous'] = self::getExceptionData($exception->getPrevious());
+
+		return $array;
+	}
+
+	public static function logExceptionToDisk(
+		Throwable $exception,
+		SiteConfiguration $siteConfiguration,
+		bool $fromGlobalHandler = false
+	): array {
+		$errorData = self::getExceptionData($exception);
+		$errorData['server'] = $_SERVER;
+		$errorData['get'] = $_GET;
+		$errorData['post'] = $_POST;
+
+		$redactions = ['password', 'newpassword', 'newpasswordconfirm', 'otp'];
+		foreach ($redactions as $redaction) {
+			if (isset($errorData['post'][$redaction])) {
+				$errorData['post'][$redaction] = '<redacted>';
+			}
+		}
+
+		if ($fromGlobalHandler) {
+			$errorData['globalHandler'] = true;
+		}
+		else {
+			$errorData['globalHandler'] = false;
+		}
+
+		$state = serialize($errorData);
+		$errorId = sha1($state);
+
+		// Save the error for later analysis
+		file_put_contents($siteConfiguration->getErrorLog() . '/' . $errorId . '.log', $state);
+
+		return array($errorData, $errorId);
+	}
 }

includes/Pages/PageBan.php

Indentation +659 added lines, -659 removed lines

@@ -27,665 +27,665 @@
 
 class PageBan extends InternalPageBase
 {
-    /**
-     * Main function for this page, when no specific actions are called.
-     */
-    protected function main(): void
-    {
-        $this->assignCSRFToken();
-        $this->setHtmlTitle('Bans');
-
-        $database = $this->getDatabase();
-        $currentDomain = Domain::getCurrent($database);
-        $bans = Ban::getActiveBans($database, $currentDomain->getId());
-
-        $this->setupBanList($bans);
-
-        $this->assign('isFiltered', false);
-        $this->assign('currentUnixTime', time());
-        $this->setTemplate('bans/main.tpl');
-    }
-
-    protected function show(): void
-    {
-        $this->assignCSRFToken();
-        $this->setHtmlTitle('Bans');
-
-        $rawIdList = WebRequest::getString('id');
-        if ($rawIdList === null) {
-            $this->redirect('bans');
-
-            return;
-        }
-
-        $idList = explode(',', $rawIdList);
-
-        $database = $this->getDatabase();
-        $currentDomain = Domain::getCurrent($database);
-        $bans = Ban::getByIdList($idList, $database, $currentDomain->getId());
-
-        $this->setupBanList($bans);
-        $this->assign('isFiltered', true);
-        $this->assign('currentUnixTime', time());
-        $this->setTemplate('bans/main.tpl');
-    }
-
-    /**
-     * Entry point for the ban set action
-     * @throws SmartyException
-     * @throws Exception
-     */
-    protected function set(): void
-    {
-        $this->setHtmlTitle('Bans');
-
-        // dual-mode action
-        if (WebRequest::wasPosted()) {
-            try {
-                $this->handlePostMethodForSetBan();
-            }
-            catch (ApplicationLogicException $ex) {
-                SessionAlert::error($ex->getMessage());
-                $this->redirect("bans", "set");
-            }
-        }
-        else {
-            $this->handleGetMethodForSetBan();
-
-            $user = User::getCurrent($this->getDatabase());
-            $banType = WebRequest::getString('type');
-            $banRequest = WebRequest::getInt('request');
-
-            // if the parameters are null, skip loading a request.
-            if ($banType !== null && $banRequest !== null && $banRequest !== 0) {
-                $this->preloadFormForRequest($banRequest, $banType, $user);
-            }
-        }
-    }
-
-    protected function replace(): void
-    {
-        $this->setHtmlTitle('Bans');
-
-        $database = $this->getDatabase();
-        $domain = Domain::getCurrent($database);
-
-        // dual-mode action
-        if (WebRequest::wasPosted()) {
-            try {
-                $originalBanId = WebRequest::postInt('replaceBanId');
-                $originalBanUpdateVersion = WebRequest::postInt('replaceBanUpdateVersion');
-
-                $originalBan = Ban::getActiveId($originalBanId, $database, $domain->getId());
-
-                if ($originalBan === false) {
-                    throw new ApplicationLogicException("The specified ban is not currently active, or doesn't exist.");
-                }
-
-                // Discard original ban; we're replacing it.
-                $originalBan->setUpdateVersion($originalBanUpdateVersion);
-                $originalBan->setActive(false);
-                $originalBan->save();
-
-                Logger::banReplaced($database, $originalBan);
-
-                // Proceed as normal to save the new ban.
-                $this->handlePostMethodForSetBan();
-            }
-            catch (ApplicationLogicException $ex) {
-                $database->rollback();
-                SessionAlert::error($ex->getMessage());
-                $this->redirect("bans", "set");
-            }
-        }
-        else {
-            $this->handleGetMethodForSetBan();
-
-            $user = User::getCurrent($database);
-            $originalBanId = WebRequest::getString('id');
-
-            $originalBan = Ban::getActiveId($originalBanId, $database, $domain->getId());
-
-            if ($originalBan === false) {
-                throw new ApplicationLogicException("The specified ban is not currently active, or doesn't exist.");
-            }
-
-            if ($originalBan->getName() !== null) {
-                if (!$this->barrierTest('name', $user, 'BanType')) {
-                    SessionAlert::error("You are not allowed to set this type of ban.");
-                    $this->redirect("bans", "set");
-                    return;
-                }
-
-                $this->assign('banName', $originalBan->getName());
-            }
-
-            if ($originalBan->getEmail() !== null) {
-                if (!$this->barrierTest('email', $user, 'BanType')) {
-                    SessionAlert::error("You are not allowed to set this type of ban.");
-                    $this->redirect("bans", "set");
-                    return;
-                }
-
-                $this->assign('banEmail', $originalBan->getEmail());
-            }
-
-            if ($originalBan->getUseragent() !== null) {
-                if (!$this->barrierTest('useragent', $user, 'BanType')) {
-                    SessionAlert::error("You are not allowed to set this type of ban.");
-                    $this->redirect("bans", "set");
-                    return;
-                }
-
-                $this->assign('banUseragent', $originalBan->getUseragent());
-            }
-
-            if ($originalBan->getIp() !== null) {
-                if (!$this->barrierTest('ip', $user, 'BanType')) {
-                    SessionAlert::error("You are not allowed to set this type of ban.");
-                    $this->redirect("bans", "set");
-                    return;
-                }
-
-                $this->assign('banIP', $originalBan->getIp() . '/' . $originalBan->getIpMask());
-            }
-
-            $banIsGlobal = $originalBan->getDomain() === null;
-            if ($banIsGlobal) {
-                if (!$this->barrierTest('global', $user, 'BanType')) {
-                    SessionAlert::error("You are not allowed to set this type of ban.");
-                    $this->redirect("bans", "set");
-                    return;
-                }
-            }
-
-            if (!$this->barrierTest($originalBan->getVisibility(), $user, 'BanVisibility')) {
-                SessionAlert::error("You are not allowed to set this type of ban.");
-                $this->redirect("bans", "set");
-                return;
-            }
-
-            $this->assign('banGlobal', $banIsGlobal);
-            $this->assign('banVisibility', $originalBan->getVisibility());
-
-            if ($originalBan->getDuration() !== null) {
-                $this->assign('banDuration', date('c', $originalBan->getDuration()));
-            }
-
-            $this->assign('banReason', $originalBan->getReason());
-            $this->assign('banAction', $originalBan->getAction());
-            $this->assign('banQueue', $originalBan->getTargetQueue());
-
-            $this->assign('replaceBanId', $originalBan->getId());
-            $this->assign('replaceBanUpdateVersion', $originalBan->getUpdateVersion());
-        }
-    }
-
-    /**
-     * Entry point for the ban remove action
-     *
-     * @throws AccessDeniedException
-     * @throws ApplicationLogicException
-     * @throws SmartyException
-     */
-    protected function remove(): void
-    {
-        $this->setHtmlTitle('Bans');
-
-        $ban = $this->getBanForUnban();
-
-        $banHelper = new BanHelper($this->getDatabase(), $this->getXffTrustProvider(), $this->getSecurityManager());
-        if (!$banHelper->canUnban($ban)) {
-            // triggered when a user tries to unban a ban they can't see the entirety of.
-            // there's no UI way to get to this, so a raw exception is fine.
-            throw new AccessDeniedException($this->getSecurityManager(), $this->getDomainAccessManager());
-        }
-
-        // dual mode
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            $unbanReason = WebRequest::postString('unbanreason');
-
-            if ($unbanReason === null || trim($unbanReason) === "") {
-                SessionAlert::error('No unban reason specified');
-                $this->redirect("bans", "remove", array('id' => $ban->getId()));
-            }
-
-            // set optimistic locking from delete form page load
-            $updateVersion = WebRequest::postInt('updateversion');
-            $ban->setUpdateVersion($updateVersion);
-
-            $database = $this->getDatabase();
-            $ban->setActive(false);
-            $ban->save();
-
-            Logger::unbanned($database, $ban, $unbanReason);
-
-            SessionAlert::quick('Disabled ban.');
-            $this->getNotificationHelper()->unbanned($ban, $unbanReason);
-
-            $this->redirect('bans');
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->assign('ban', $ban);
-            $this->setTemplate('bans/unban.tpl');
-        }
-    }
-
-    /**
-     * Retrieves the requested ban duration from the WebRequest
-     *
-     * @throws ApplicationLogicException
-     */
-    private function getBanDuration(): ?int
-    {
-        $duration = WebRequest::postString('duration');
-        if ($duration === "other") {
-            $duration = strtotime(WebRequest::postString('otherduration'));
-
-            if (!$duration) {
-                throw new ApplicationLogicException('Invalid ban time');
-            }
-            elseif (time() > $duration) {
-                throw new ApplicationLogicException('Ban time has already expired!');
-            }
-
-            return $duration;
-        }
-        elseif ($duration === "-1") {
-            return null;
-        }
-        else {
-            return WebRequest::postInt('duration') + time();
-        }
-    }
-
-    /**
-     * Handles the POST method on the set action
-     *
-     * @throws ApplicationLogicException
-     * @throws Exception
-     */
-    private function handlePostMethodForSetBan()
-    {
-        $this->validateCSRFToken();
-        $database = $this->getDatabase();
-        $user = User::getCurrent($database);
-        $currentDomain = Domain::getCurrent($database);
-
-        // Checks whether there is a reason entered for ban.
-        $reason = WebRequest::postString('banreason');
-        if ($reason === null || trim($reason) === "") {
-            throw new ApplicationLogicException('You must specify a ban reason');
-        }
-
-        // ban targets
-        list($targetName, $targetIp, $targetEmail, $targetUseragent) = $this->getRawBanTargets($user);
-
-        $visibility = $this->getBanVisibility();
-
-        // Validate ban duration
-        $duration = $this->getBanDuration();
-
-        $action = WebRequest::postString('banAction') ?? Ban::ACTION_NONE;
-
-        $global = WebRequest::postBoolean('banGlobal');
-        if (!$this->barrierTest('global', $user, 'BanType')) {
-            $global = false;
-        }
-
-        if ($action === Ban::ACTION_DEFER && $global) {
-            throw new ApplicationLogicException("Cannot set a global ban in defer-to-queue mode.");
-        }
-
-        // handle CIDR ranges
-        $targetMask = null;
-        if ($targetIp !== null) {
-            list($targetIp, $targetMask) = $this->splitCidrRange($targetIp);
-            $this->validateIpBan($targetIp, $targetMask, $user, $action);
-        }
-
-        $banHelper = new BanHelper($this->getDatabase(), $this->getXffTrustProvider(), $this->getSecurityManager());
-
-        $bansByTarget = $banHelper->getBansByTarget(
-            $targetName,
-            $targetEmail,
-            $targetIp,
-            $targetMask,
-            $targetUseragent,
-            $currentDomain->getId());
-
-        if (count($bansByTarget) > 0) {
-            throw new ApplicationLogicException('This target is already banned!');
-        }
-
-        $ban = new Ban();
-        $ban->setDatabase($database);
-        $ban->setActive(true);
-
-        $ban->setName($targetName);
-        $ban->setIp($targetIp, $targetMask);
-        $ban->setEmail($targetEmail);
-        $ban->setUseragent($targetUseragent);
-
-        $ban->setUser($user->getId());
-        $ban->setReason($reason);
-        $ban->setDuration($duration);
-        $ban->setVisibility($visibility);
-
-        $ban->setDomain($global ? null : $currentDomain->getId());
-
-        $ban->setAction($action);
-        if ($ban->getAction() === Ban::ACTION_DEFER) {
-            //FIXME: domains
-            $queue = RequestQueue::getByApiName($database, WebRequest::postString('banActionTarget'), 1);
-            if ($queue === false) {
-                throw new ApplicationLogicException("Unknown target queue");
-            }
-
-            if (!$queue->isEnabled()) {
-                throw new ApplicationLogicException("Target queue is not enabled");
-            }
-
-            $ban->setTargetQueue($queue->getId());
-        }
-
-        $ban->save();
-
-        Logger::banned($database, $ban, $reason);
-
-        $this->getNotificationHelper()->banned($ban);
-        SessionAlert::quick('Ban has been set.');
-
-        $this->redirect('bans');
-    }
-
-    /**
-     * Handles the GET method on the set action
-     * @throws Exception
-     */
-    private function handleGetMethodForSetBan()
-    {
-        $this->setTemplate('bans/banform.tpl');
-        $this->assignCSRFToken();
-
-        $this->assign('maxIpRange', $this->getSiteConfiguration()->getBanMaxIpRange());
-        $this->assign('maxIpBlockRange', $this->getSiteConfiguration()->getBanMaxIpBlockRange());
-
-        $this->assign('banVisibility', 'user');
-        $this->assign('banGlobal', false);
-        $this->assign('banQueue', false);
-        $this->assign('banAction', Ban::ACTION_BLOCK);
-        $this->assign('banDuration', '');
-        $this->assign('banReason', '');
-
-        $this->assign('banEmail', '');
-        $this->assign('banIP', '');
-        $this->assign('banName', '');
-        $this->assign('banUseragent', '');
-
-        $this->assign('replaceBanId', null);
-
-
-
-        $database = $this->getDatabase();
-
-        $user = User::getCurrent($database);
-        $this->setupSecurity($user);
-
-        $queues = RequestQueue::getEnabledQueues($database);
-
-        $this->assign('requestQueues', $queues);
-    }
-
-    /**
-     * Finds the Ban object referenced in the WebRequest if it is valid
-     *
-     * @return Ban
-     * @throws ApplicationLogicException
-     */
-    private function getBanForUnban(): Ban
-    {
-        $banId = WebRequest::getInt('id');
-        if ($banId === null || $banId === 0) {
-            throw new ApplicationLogicException("The ban ID appears to be missing. This is probably a bug.");
-        }
-
-        $database = $this->getDatabase();
-        $this->setupSecurity(User::getCurrent($database));
-        $currentDomain = Domain::getCurrent($database);
-        $ban = Ban::getActiveId($banId, $database, $currentDomain->getId());
-
-        if ($ban === false) {
-            throw new ApplicationLogicException("The specified ban is not currently active, or doesn't exist.");
-        }
-
-        return $ban;
-    }
-
-    /**
-     * Sets up Smarty variables for access control
-     */
-    private function setupSecurity(User $user): void
-    {
-        $this->assign('canSeeIpBan', $this->barrierTest('ip', $user, 'BanType'));
-        $this->assign('canSeeNameBan', $this->barrierTest('name', $user, 'BanType'));
-        $this->assign('canSeeEmailBan', $this->barrierTest('email', $user, 'BanType'));
-        $this->assign('canSeeUseragentBan', $this->barrierTest('useragent', $user, 'BanType'));
-
-        $this->assign('canGlobalBan', $this->barrierTest('global', $user, 'BanType'));
-
-        $this->assign('canSeeUserVisibility', $this->barrierTest('user', $user, 'BanVisibility'));
-        $this->assign('canSeeAdminVisibility', $this->barrierTest('admin', $user, 'BanVisibility'));
-        $this->assign('canSeeCheckuserVisibility', $this->barrierTest('checkuser', $user, 'BanVisibility'));
-    }
-
-    /**
-     * Validates that the provided IP is acceptable for a ban of this type
-     *
-     * @param string $targetIp   IP address
-     * @param int    $targetMask CIDR prefix length
-     * @param User   $user       User performing the ban
-     * @param string $action     Ban action to take
-     *
-     * @throws ApplicationLogicException
-     */
-    private function validateIpBan(string $targetIp, int $targetMask, User $user, string $action): void
-    {
-        // validate this is an IP
-        if (!filter_var($targetIp, FILTER_VALIDATE_IP)) {
-            throw new ApplicationLogicException("Not a valid IP address");
-        }
-
-        $canLargeIpBan = $this->barrierTest('ip-largerange', $user, 'BanType');
-        $maxIpBlockRange = $this->getSiteConfiguration()->getBanMaxIpBlockRange();
-        $maxIpRange = $this->getSiteConfiguration()->getBanMaxIpRange();
-
-        // validate CIDR ranges
-        if (filter_var($targetIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
-            if ($targetMask < 0 || $targetMask > 128) {
-                throw new ApplicationLogicException("CIDR mask out of range for IPv6");
-            }
-
-            // prevent setting the ban if:
-            //  * the user isn't allowed to set large bans, AND
-            //  * the ban is a drop or a block (preventing human review of the request), AND
-            //  * the mask is too wide-reaching
-            if (!$canLargeIpBan && ($action == Ban::ACTION_BLOCK || $action == Ban::ACTION_DROP) && $targetMask < $maxIpBlockRange[6]) {
-                throw new ApplicationLogicException("The requested IP range for this ban is too wide for the block/drop action.");
-            }
-
-            if (!$canLargeIpBan && $targetMask < $maxIpRange[6]) {
-                throw new ApplicationLogicException("The requested IP range for this ban is too wide.");
-            }
-        }
-
-        if (filter_var($targetIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
-            if ($targetMask < 0 || $targetMask > 32) {
-                throw new ApplicationLogicException("CIDR mask out of range for IPv4");
-            }
-
-            if (!$canLargeIpBan && ($action == Ban::ACTION_BLOCK || $action == Ban::ACTION_DROP) && $targetMask < $maxIpBlockRange[4]) {
-                throw new ApplicationLogicException("The IP range for this ban is too wide for the block/drop action.");
-            }
-
-            if (!$canLargeIpBan && $targetMask < $maxIpRange[4]) {
-                throw new ApplicationLogicException("The requested IP range for this ban is too wide.");
-            }
-        }
-
-        $squidIpList = $this->getSiteConfiguration()->getSquidList();
-        if (in_array($targetIp, $squidIpList)) {
-            throw new ApplicationLogicException("This IP address is on the protected list of proxies, and cannot be banned.");
-        }
-    }
-
-    /**
-     * Configures a ban list template for display
-     *
-     * @param Ban[] $bans
-     */
-    private function setupBanList(array $bans): void
-    {
-        $userIds = array_map(fn(Ban $entry) => $entry->getUser(), $bans);
-        $userList = UserSearchHelper::get($this->getDatabase())->inIds($userIds)->fetchMap('username');
-
-        $domainIds = array_filter(array_unique(array_map(fn(Ban $entry) => $entry->getDomain(), $bans)));
-        $domains = [];
-        foreach ($domainIds as $d) {
-            if ($d === null) {
-                continue;
-            }
-            $domains[$d] = Domain::getById($d, $this->getDatabase());
-        }
-
-        $this->assign('domains', $domains);
-
-        $user = User::getCurrent($this->getDatabase());
-        $this->assign('canSet', $this->barrierTest('set', $user));
-        $this->assign('canRemove', $this->barrierTest('remove', $user));
-
-        $this->setupSecurity($user);
-
-        $this->assign('usernames', $userList);
-        $this->assign('activebans', $bans);
-
-        $banHelper = new BanHelper($this->getDatabase(), $this->getXffTrustProvider(), $this->getSecurityManager());
-        $this->assign('banHelper', $banHelper);
-    }
-
-    /**
-     * Converts a plain IP or CIDR mask into an IP and a CIDR suffix
-     *
-     * @param string $targetIp IP or CIDR range
-     *
-     * @return array
-     */
-    private function splitCidrRange(string $targetIp): array
-    {
-        if (strpos($targetIp, '/') !== false) {
-            $ipParts = explode('/', $targetIp, 2);
-            $targetIp = $ipParts[0];
-            $targetMask = (int)$ipParts[1];
-        }
-        else {
-            // Default the CIDR range based on the IP type
-            $targetMask = filter_var($targetIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) ? 128 : 32;
-        }
-
-        return array($targetIp, $targetMask);
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 */
+	protected function main(): void
+	{
+		$this->assignCSRFToken();
+		$this->setHtmlTitle('Bans');
+
+		$database = $this->getDatabase();
+		$currentDomain = Domain::getCurrent($database);
+		$bans = Ban::getActiveBans($database, $currentDomain->getId());
+
+		$this->setupBanList($bans);
+
+		$this->assign('isFiltered', false);
+		$this->assign('currentUnixTime', time());
+		$this->setTemplate('bans/main.tpl');
+	}
+
+	protected function show(): void
+	{
+		$this->assignCSRFToken();
+		$this->setHtmlTitle('Bans');
+
+		$rawIdList = WebRequest::getString('id');
+		if ($rawIdList === null) {
+			$this->redirect('bans');
+
+			return;
+		}
+
+		$idList = explode(',', $rawIdList);
+
+		$database = $this->getDatabase();
+		$currentDomain = Domain::getCurrent($database);
+		$bans = Ban::getByIdList($idList, $database, $currentDomain->getId());
+
+		$this->setupBanList($bans);
+		$this->assign('isFiltered', true);
+		$this->assign('currentUnixTime', time());
+		$this->setTemplate('bans/main.tpl');
+	}
+
+	/**
+	 * Entry point for the ban set action
+	 * @throws SmartyException
+	 * @throws Exception
+	 */
+	protected function set(): void
+	{
+		$this->setHtmlTitle('Bans');
+
+		// dual-mode action
+		if (WebRequest::wasPosted()) {
+			try {
+				$this->handlePostMethodForSetBan();
+			}
+			catch (ApplicationLogicException $ex) {
+				SessionAlert::error($ex->getMessage());
+				$this->redirect("bans", "set");
+			}
+		}
+		else {
+			$this->handleGetMethodForSetBan();
+
+			$user = User::getCurrent($this->getDatabase());
+			$banType = WebRequest::getString('type');
+			$banRequest = WebRequest::getInt('request');
+
+			// if the parameters are null, skip loading a request.
+			if ($banType !== null && $banRequest !== null && $banRequest !== 0) {
+				$this->preloadFormForRequest($banRequest, $banType, $user);
+			}
+		}
+	}
+
+	protected function replace(): void
+	{
+		$this->setHtmlTitle('Bans');
+
+		$database = $this->getDatabase();
+		$domain = Domain::getCurrent($database);
+
+		// dual-mode action
+		if (WebRequest::wasPosted()) {
+			try {
+				$originalBanId = WebRequest::postInt('replaceBanId');
+				$originalBanUpdateVersion = WebRequest::postInt('replaceBanUpdateVersion');
+
+				$originalBan = Ban::getActiveId($originalBanId, $database, $domain->getId());
+
+				if ($originalBan === false) {
+					throw new ApplicationLogicException("The specified ban is not currently active, or doesn't exist.");
+				}
+
+				// Discard original ban; we're replacing it.
+				$originalBan->setUpdateVersion($originalBanUpdateVersion);
+				$originalBan->setActive(false);
+				$originalBan->save();
+
+				Logger::banReplaced($database, $originalBan);
+
+				// Proceed as normal to save the new ban.
+				$this->handlePostMethodForSetBan();
+			}
+			catch (ApplicationLogicException $ex) {
+				$database->rollback();
+				SessionAlert::error($ex->getMessage());
+				$this->redirect("bans", "set");
+			}
+		}
+		else {
+			$this->handleGetMethodForSetBan();
+
+			$user = User::getCurrent($database);
+			$originalBanId = WebRequest::getString('id');
+
+			$originalBan = Ban::getActiveId($originalBanId, $database, $domain->getId());
+
+			if ($originalBan === false) {
+				throw new ApplicationLogicException("The specified ban is not currently active, or doesn't exist.");
+			}
+
+			if ($originalBan->getName() !== null) {
+				if (!$this->barrierTest('name', $user, 'BanType')) {
+					SessionAlert::error("You are not allowed to set this type of ban.");
+					$this->redirect("bans", "set");
+					return;
+				}
+
+				$this->assign('banName', $originalBan->getName());
+			}
+
+			if ($originalBan->getEmail() !== null) {
+				if (!$this->barrierTest('email', $user, 'BanType')) {
+					SessionAlert::error("You are not allowed to set this type of ban.");
+					$this->redirect("bans", "set");
+					return;
+				}
+
+				$this->assign('banEmail', $originalBan->getEmail());
+			}
+
+			if ($originalBan->getUseragent() !== null) {
+				if (!$this->barrierTest('useragent', $user, 'BanType')) {
+					SessionAlert::error("You are not allowed to set this type of ban.");
+					$this->redirect("bans", "set");
+					return;
+				}
+
+				$this->assign('banUseragent', $originalBan->getUseragent());
+			}
+
+			if ($originalBan->getIp() !== null) {
+				if (!$this->barrierTest('ip', $user, 'BanType')) {
+					SessionAlert::error("You are not allowed to set this type of ban.");
+					$this->redirect("bans", "set");
+					return;
+				}
+
+				$this->assign('banIP', $originalBan->getIp() . '/' . $originalBan->getIpMask());
+			}
+
+			$banIsGlobal = $originalBan->getDomain() === null;
+			if ($banIsGlobal) {
+				if (!$this->barrierTest('global', $user, 'BanType')) {
+					SessionAlert::error("You are not allowed to set this type of ban.");
+					$this->redirect("bans", "set");
+					return;
+				}
+			}
+
+			if (!$this->barrierTest($originalBan->getVisibility(), $user, 'BanVisibility')) {
+				SessionAlert::error("You are not allowed to set this type of ban.");
+				$this->redirect("bans", "set");
+				return;
+			}
+
+			$this->assign('banGlobal', $banIsGlobal);
+			$this->assign('banVisibility', $originalBan->getVisibility());
+
+			if ($originalBan->getDuration() !== null) {
+				$this->assign('banDuration', date('c', $originalBan->getDuration()));
+			}
+
+			$this->assign('banReason', $originalBan->getReason());
+			$this->assign('banAction', $originalBan->getAction());
+			$this->assign('banQueue', $originalBan->getTargetQueue());
+
+			$this->assign('replaceBanId', $originalBan->getId());
+			$this->assign('replaceBanUpdateVersion', $originalBan->getUpdateVersion());
+		}
+	}
+
+	/**
+	 * Entry point for the ban remove action
+	 *
+	 * @throws AccessDeniedException
+	 * @throws ApplicationLogicException
+	 * @throws SmartyException
+	 */
+	protected function remove(): void
+	{
+		$this->setHtmlTitle('Bans');
+
+		$ban = $this->getBanForUnban();
+
+		$banHelper = new BanHelper($this->getDatabase(), $this->getXffTrustProvider(), $this->getSecurityManager());
+		if (!$banHelper->canUnban($ban)) {
+			// triggered when a user tries to unban a ban they can't see the entirety of.
+			// there's no UI way to get to this, so a raw exception is fine.
+			throw new AccessDeniedException($this->getSecurityManager(), $this->getDomainAccessManager());
+		}
+
+		// dual mode
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			$unbanReason = WebRequest::postString('unbanreason');
+
+			if ($unbanReason === null || trim($unbanReason) === "") {
+				SessionAlert::error('No unban reason specified');
+				$this->redirect("bans", "remove", array('id' => $ban->getId()));
+			}
+
+			// set optimistic locking from delete form page load
+			$updateVersion = WebRequest::postInt('updateversion');
+			$ban->setUpdateVersion($updateVersion);
+
+			$database = $this->getDatabase();
+			$ban->setActive(false);
+			$ban->save();
+
+			Logger::unbanned($database, $ban, $unbanReason);
+
+			SessionAlert::quick('Disabled ban.');
+			$this->getNotificationHelper()->unbanned($ban, $unbanReason);
+
+			$this->redirect('bans');
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->assign('ban', $ban);
+			$this->setTemplate('bans/unban.tpl');
+		}
+	}
+
+	/**
+	 * Retrieves the requested ban duration from the WebRequest
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function getBanDuration(): ?int
+	{
+		$duration = WebRequest::postString('duration');
+		if ($duration === "other") {
+			$duration = strtotime(WebRequest::postString('otherduration'));
+
+			if (!$duration) {
+				throw new ApplicationLogicException('Invalid ban time');
+			}
+			elseif (time() > $duration) {
+				throw new ApplicationLogicException('Ban time has already expired!');
+			}
+
+			return $duration;
+		}
+		elseif ($duration === "-1") {
+			return null;
+		}
+		else {
+			return WebRequest::postInt('duration') + time();
+		}
+	}
+
+	/**
+	 * Handles the POST method on the set action
+	 *
+	 * @throws ApplicationLogicException
+	 * @throws Exception
+	 */
+	private function handlePostMethodForSetBan()
+	{
+		$this->validateCSRFToken();
+		$database = $this->getDatabase();
+		$user = User::getCurrent($database);
+		$currentDomain = Domain::getCurrent($database);
+
+		// Checks whether there is a reason entered for ban.
+		$reason = WebRequest::postString('banreason');
+		if ($reason === null || trim($reason) === "") {
+			throw new ApplicationLogicException('You must specify a ban reason');
+		}
+
+		// ban targets
+		list($targetName, $targetIp, $targetEmail, $targetUseragent) = $this->getRawBanTargets($user);
+
+		$visibility = $this->getBanVisibility();
+
+		// Validate ban duration
+		$duration = $this->getBanDuration();
+
+		$action = WebRequest::postString('banAction') ?? Ban::ACTION_NONE;
+
+		$global = WebRequest::postBoolean('banGlobal');
+		if (!$this->barrierTest('global', $user, 'BanType')) {
+			$global = false;
+		}
+
+		if ($action === Ban::ACTION_DEFER && $global) {
+			throw new ApplicationLogicException("Cannot set a global ban in defer-to-queue mode.");
+		}
+
+		// handle CIDR ranges
+		$targetMask = null;
+		if ($targetIp !== null) {
+			list($targetIp, $targetMask) = $this->splitCidrRange($targetIp);
+			$this->validateIpBan($targetIp, $targetMask, $user, $action);
+		}
+
+		$banHelper = new BanHelper($this->getDatabase(), $this->getXffTrustProvider(), $this->getSecurityManager());
+
+		$bansByTarget = $banHelper->getBansByTarget(
+			$targetName,
+			$targetEmail,
+			$targetIp,
+			$targetMask,
+			$targetUseragent,
+			$currentDomain->getId());
+
+		if (count($bansByTarget) > 0) {
+			throw new ApplicationLogicException('This target is already banned!');
+		}
+
+		$ban = new Ban();
+		$ban->setDatabase($database);
+		$ban->setActive(true);
+
+		$ban->setName($targetName);
+		$ban->setIp($targetIp, $targetMask);
+		$ban->setEmail($targetEmail);
+		$ban->setUseragent($targetUseragent);
+
+		$ban->setUser($user->getId());
+		$ban->setReason($reason);
+		$ban->setDuration($duration);
+		$ban->setVisibility($visibility);
+
+		$ban->setDomain($global ? null : $currentDomain->getId());
+
+		$ban->setAction($action);
+		if ($ban->getAction() === Ban::ACTION_DEFER) {
+			//FIXME: domains
+			$queue = RequestQueue::getByApiName($database, WebRequest::postString('banActionTarget'), 1);
+			if ($queue === false) {
+				throw new ApplicationLogicException("Unknown target queue");
+			}
+
+			if (!$queue->isEnabled()) {
+				throw new ApplicationLogicException("Target queue is not enabled");
+			}
+
+			$ban->setTargetQueue($queue->getId());
+		}
+
+		$ban->save();
+
+		Logger::banned($database, $ban, $reason);
+
+		$this->getNotificationHelper()->banned($ban);
+		SessionAlert::quick('Ban has been set.');
+
+		$this->redirect('bans');
+	}
+
+	/**
+	 * Handles the GET method on the set action
+	 * @throws Exception
+	 */
+	private function handleGetMethodForSetBan()
+	{
+		$this->setTemplate('bans/banform.tpl');
+		$this->assignCSRFToken();
+
+		$this->assign('maxIpRange', $this->getSiteConfiguration()->getBanMaxIpRange());
+		$this->assign('maxIpBlockRange', $this->getSiteConfiguration()->getBanMaxIpBlockRange());
+
+		$this->assign('banVisibility', 'user');
+		$this->assign('banGlobal', false);
+		$this->assign('banQueue', false);
+		$this->assign('banAction', Ban::ACTION_BLOCK);
+		$this->assign('banDuration', '');
+		$this->assign('banReason', '');
+
+		$this->assign('banEmail', '');
+		$this->assign('banIP', '');
+		$this->assign('banName', '');
+		$this->assign('banUseragent', '');
+
+		$this->assign('replaceBanId', null);
+
+
+
+		$database = $this->getDatabase();
+
+		$user = User::getCurrent($database);
+		$this->setupSecurity($user);
+
+		$queues = RequestQueue::getEnabledQueues($database);
+
+		$this->assign('requestQueues', $queues);
+	}
+
+	/**
+	 * Finds the Ban object referenced in the WebRequest if it is valid
+	 *
+	 * @return Ban
+	 * @throws ApplicationLogicException
+	 */
+	private function getBanForUnban(): Ban
+	{
+		$banId = WebRequest::getInt('id');
+		if ($banId === null || $banId === 0) {
+			throw new ApplicationLogicException("The ban ID appears to be missing. This is probably a bug.");
+		}
+
+		$database = $this->getDatabase();
+		$this->setupSecurity(User::getCurrent($database));
+		$currentDomain = Domain::getCurrent($database);
+		$ban = Ban::getActiveId($banId, $database, $currentDomain->getId());
+
+		if ($ban === false) {
+			throw new ApplicationLogicException("The specified ban is not currently active, or doesn't exist.");
+		}
+
+		return $ban;
+	}
+
+	/**
+	 * Sets up Smarty variables for access control
+	 */
+	private function setupSecurity(User $user): void
+	{
+		$this->assign('canSeeIpBan', $this->barrierTest('ip', $user, 'BanType'));
+		$this->assign('canSeeNameBan', $this->barrierTest('name', $user, 'BanType'));
+		$this->assign('canSeeEmailBan', $this->barrierTest('email', $user, 'BanType'));
+		$this->assign('canSeeUseragentBan', $this->barrierTest('useragent', $user, 'BanType'));
+
+		$this->assign('canGlobalBan', $this->barrierTest('global', $user, 'BanType'));
+
+		$this->assign('canSeeUserVisibility', $this->barrierTest('user', $user, 'BanVisibility'));
+		$this->assign('canSeeAdminVisibility', $this->barrierTest('admin', $user, 'BanVisibility'));
+		$this->assign('canSeeCheckuserVisibility', $this->barrierTest('checkuser', $user, 'BanVisibility'));
+	}
+
+	/**
+	 * Validates that the provided IP is acceptable for a ban of this type
+	 *
+	 * @param string $targetIp   IP address
+	 * @param int    $targetMask CIDR prefix length
+	 * @param User   $user       User performing the ban
+	 * @param string $action     Ban action to take
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function validateIpBan(string $targetIp, int $targetMask, User $user, string $action): void
+	{
+		// validate this is an IP
+		if (!filter_var($targetIp, FILTER_VALIDATE_IP)) {
+			throw new ApplicationLogicException("Not a valid IP address");
+		}
+
+		$canLargeIpBan = $this->barrierTest('ip-largerange', $user, 'BanType');
+		$maxIpBlockRange = $this->getSiteConfiguration()->getBanMaxIpBlockRange();
+		$maxIpRange = $this->getSiteConfiguration()->getBanMaxIpRange();
+
+		// validate CIDR ranges
+		if (filter_var($targetIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+			if ($targetMask < 0 || $targetMask > 128) {
+				throw new ApplicationLogicException("CIDR mask out of range for IPv6");
+			}
+
+			// prevent setting the ban if:
+			//  * the user isn't allowed to set large bans, AND
+			//  * the ban is a drop or a block (preventing human review of the request), AND
+			//  * the mask is too wide-reaching
+			if (!$canLargeIpBan && ($action == Ban::ACTION_BLOCK || $action == Ban::ACTION_DROP) && $targetMask < $maxIpBlockRange[6]) {
+				throw new ApplicationLogicException("The requested IP range for this ban is too wide for the block/drop action.");
+			}
+
+			if (!$canLargeIpBan && $targetMask < $maxIpRange[6]) {
+				throw new ApplicationLogicException("The requested IP range for this ban is too wide.");
+			}
+		}
+
+		if (filter_var($targetIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+			if ($targetMask < 0 || $targetMask > 32) {
+				throw new ApplicationLogicException("CIDR mask out of range for IPv4");
+			}
+
+			if (!$canLargeIpBan && ($action == Ban::ACTION_BLOCK || $action == Ban::ACTION_DROP) && $targetMask < $maxIpBlockRange[4]) {
+				throw new ApplicationLogicException("The IP range for this ban is too wide for the block/drop action.");
+			}
+
+			if (!$canLargeIpBan && $targetMask < $maxIpRange[4]) {
+				throw new ApplicationLogicException("The requested IP range for this ban is too wide.");
+			}
+		}
+
+		$squidIpList = $this->getSiteConfiguration()->getSquidList();
+		if (in_array($targetIp, $squidIpList)) {
+			throw new ApplicationLogicException("This IP address is on the protected list of proxies, and cannot be banned.");
+		}
+	}
+
+	/**
+	 * Configures a ban list template for display
+	 *
+	 * @param Ban[] $bans
+	 */
+	private function setupBanList(array $bans): void
+	{
+		$userIds = array_map(fn(Ban $entry) => $entry->getUser(), $bans);
+		$userList = UserSearchHelper::get($this->getDatabase())->inIds($userIds)->fetchMap('username');
+
+		$domainIds = array_filter(array_unique(array_map(fn(Ban $entry) => $entry->getDomain(), $bans)));
+		$domains = [];
+		foreach ($domainIds as $d) {
+			if ($d === null) {
+				continue;
+			}
+			$domains[$d] = Domain::getById($d, $this->getDatabase());
+		}
+
+		$this->assign('domains', $domains);
+
+		$user = User::getCurrent($this->getDatabase());
+		$this->assign('canSet', $this->barrierTest('set', $user));
+		$this->assign('canRemove', $this->barrierTest('remove', $user));
+
+		$this->setupSecurity($user);
+
+		$this->assign('usernames', $userList);
+		$this->assign('activebans', $bans);
+
+		$banHelper = new BanHelper($this->getDatabase(), $this->getXffTrustProvider(), $this->getSecurityManager());
+		$this->assign('banHelper', $banHelper);
+	}
+
+	/**
+	 * Converts a plain IP or CIDR mask into an IP and a CIDR suffix
+	 *
+	 * @param string $targetIp IP or CIDR range
+	 *
+	 * @return array
+	 */
+	private function splitCidrRange(string $targetIp): array
+	{
+		if (strpos($targetIp, '/') !== false) {
+			$ipParts = explode('/', $targetIp, 2);
+			$targetIp = $ipParts[0];
+			$targetMask = (int)$ipParts[1];
+		}
+		else {
+			// Default the CIDR range based on the IP type
+			$targetMask = filter_var($targetIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) ? 128 : 32;
+		}
+
+		return array($targetIp, $targetMask);
 }
 
-    /**
-     * Returns the validated ban visibility from WebRequest
-     *
-     * @throws ApplicationLogicException
-     */
-    private function getBanVisibility(): string
-    {
-        $visibility = WebRequest::postString('banVisibility');
-        if ($visibility !== 'user' && $visibility !== 'admin' && $visibility !== 'checkuser') {
-            throw new ApplicationLogicException('Invalid ban visibility');
-        }
-
-        return $visibility;
-    }
-
-    /**
-     * Returns array of [username, ip, email, ua] as ban targets from WebRequest,
-     * filtered for whether the user is allowed to set bans including those types.
-     *
-     * @return string[]
-     * @throws ApplicationLogicException
-     */
-    private function getRawBanTargets(User $user): array
-    {
-        $targetName = WebRequest::postString('banName');
-        $targetIp = WebRequest::postString('banIP');
-        $targetEmail = WebRequest::postString('banEmail');
-        $targetUseragent = WebRequest::postString('banUseragent');
-
-        // check the user is allowed to use provided targets
-        if (!$this->barrierTest('name', $user, 'BanType')) {
-            $targetName = null;
-        }
-        if (!$this->barrierTest('ip', $user, 'BanType')) {
-            $targetIp = null;
-        }
-        if (!$this->barrierTest('email', $user, 'BanType')) {
-            $targetEmail = null;
-        }
-        if (!$this->barrierTest('useragent', $user, 'BanType')) {
-            $targetUseragent = null;
-        }
-
-        // Checks whether there is a target entered to ban.
-        if ($targetName === null && $targetIp === null && $targetEmail === null && $targetUseragent === null) {
-            throw new ApplicationLogicException('You must specify a target to be banned');
-        }
-
-        return array($targetName, $targetIp, $targetEmail, $targetUseragent);
-    }
-
-    private function preloadFormForRequest(int $banRequest, string $banType, User $user): void
-    {
-        $database = $this->getDatabase();
-
-        // Attempt to resolve the correct target
-        /** @var Request|false $request */
-        $request = Request::getById($banRequest, $database);
-        if ($request === false) {
-            $this->assign('bantarget', '');
-
-            return;
-        }
-
-        switch ($banType) {
-            case 'EMail':
-                if ($this->barrierTest('email', $user, 'BanType')) {
-                    $this->assign('banEmail', $request->getEmail());
-                }
-                break;
-            case 'IP':
-                if ($this->barrierTest('ip', $user, 'BanType')) {
-                    $trustedIp = $this->getXffTrustProvider()->getTrustedClientIp(
-                        $request->getIp(),
-                        $request->getForwardedIp());
-
-                    $this->assign('banIP', $trustedIp);
-                }
-                break;
-            case 'Name':
-                if ($this->barrierTest('name', $user, 'BanType')) {
-                    $this->assign('banName', $request->getName());
-                }
-                break;
-            case 'UA':
-                if ($this->barrierTest('useragent', $user, 'BanType')) {
-                    $this->assign('banUseragent', $request->getEmail());
-                }
-                break;
-        }
-    }
+	/**
+	 * Returns the validated ban visibility from WebRequest
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	private function getBanVisibility(): string
+	{
+		$visibility = WebRequest::postString('banVisibility');
+		if ($visibility !== 'user' && $visibility !== 'admin' && $visibility !== 'checkuser') {
+			throw new ApplicationLogicException('Invalid ban visibility');
+		}
+
+		return $visibility;
+	}
+
+	/**
+	 * Returns array of [username, ip, email, ua] as ban targets from WebRequest,
+	 * filtered for whether the user is allowed to set bans including those types.
+	 *
+	 * @return string[]
+	 * @throws ApplicationLogicException
+	 */
+	private function getRawBanTargets(User $user): array
+	{
+		$targetName = WebRequest::postString('banName');
+		$targetIp = WebRequest::postString('banIP');
+		$targetEmail = WebRequest::postString('banEmail');
+		$targetUseragent = WebRequest::postString('banUseragent');
+
+		// check the user is allowed to use provided targets
+		if (!$this->barrierTest('name', $user, 'BanType')) {
+			$targetName = null;
+		}
+		if (!$this->barrierTest('ip', $user, 'BanType')) {
+			$targetIp = null;
+		}
+		if (!$this->barrierTest('email', $user, 'BanType')) {
+			$targetEmail = null;
+		}
+		if (!$this->barrierTest('useragent', $user, 'BanType')) {
+			$targetUseragent = null;
+		}
+
+		// Checks whether there is a target entered to ban.
+		if ($targetName === null && $targetIp === null && $targetEmail === null && $targetUseragent === null) {
+			throw new ApplicationLogicException('You must specify a target to be banned');
+		}
+
+		return array($targetName, $targetIp, $targetEmail, $targetUseragent);
+	}
+
+	private function preloadFormForRequest(int $banRequest, string $banType, User $user): void
+	{
+		$database = $this->getDatabase();
+
+		// Attempt to resolve the correct target
+		/** @var Request|false $request */
+		$request = Request::getById($banRequest, $database);
+		if ($request === false) {
+			$this->assign('bantarget', '');
+
+			return;
+		}
+
+		switch ($banType) {
+			case 'EMail':
+				if ($this->barrierTest('email', $user, 'BanType')) {
+					$this->assign('banEmail', $request->getEmail());
+				}
+				break;
+			case 'IP':
+				if ($this->barrierTest('ip', $user, 'BanType')) {
+					$trustedIp = $this->getXffTrustProvider()->getTrustedClientIp(
+						$request->getIp(),
+						$request->getForwardedIp());
+
+					$this->assign('banIP', $trustedIp);
+				}
+				break;
+			case 'Name':
+				if ($this->barrierTest('name', $user, 'BanType')) {
+					$this->assign('banName', $request->getName());
+				}
+				break;
+			case 'UA':
+				if ($this->barrierTest('useragent', $user, 'BanType')) {
+					$this->assign('banUseragent', $request->getEmail());
+				}
+				break;
+		}
+	}
 }