mdaniels5757 /
waca
@@ -10,16 +10,16 @@ |
||
| 10 | 10 | |
| 11 | 11 | interface ITypeAheadHelper |
| 12 | 12 | { |
| 13 | - /** |
|
| 14 | - * @param string $class CSS class to apply this typeahead to. |
|
| 15 | - * @param callable $generator Generator function taking no arguments to return an array of strings. |
|
| 16 | - * |
|
| 17 | - * @return void |
|
| 18 | - */ |
|
| 19 | - public function defineTypeAheadSource($class, callable $generator); |
|
| 13 | + /** |
|
| 14 | + * @param string $class CSS class to apply this typeahead to. |
|
| 15 | + * @param callable $generator Generator function taking no arguments to return an array of strings. |
|
| 16 | + * |
|
| 17 | + * @return void |
|
| 18 | + */ |
|
| 19 | + public function defineTypeAheadSource($class, callable $generator); |
|
| 20 | 20 | |
| 21 | - /** |
|
| 22 | - * @return string HTML fragment containing a JS block for typeaheads. |
|
| 23 | - */ |
|
| 24 | - public function getTypeAheadScriptBlock(); |
|
| 21 | + /** |
|
| 22 | + * @return string HTML fragment containing a JS block for typeaheads. |
|
| 23 | + */ |
|
| 24 | + public function getTypeAheadScriptBlock(); |
|
| 25 | 25 | } |
| 26 | 26 | \ No newline at end of file |
@@ -17,15 +17,15 @@ |
||
| 17 | 17 | */ |
| 18 | 18 | interface IEmailHelper |
| 19 | 19 | { |
| 20 | - /** |
|
| 21 | - * Sends an email to the specified email address. |
|
| 22 | - * |
|
| 23 | - * @param string $to |
|
| 24 | - * @param string $subject |
|
| 25 | - * @param string $content |
|
| 26 | - * @param array $headers Extra headers to include |
|
| 27 | - * |
|
| 28 | - * @return void |
|
| 29 | - */ |
|
| 30 | - public function sendMail($to, $subject, $content, $headers = array()); |
|
| 20 | + /** |
|
| 21 | + * Sends an email to the specified email address. |
|
| 22 | + * |
|
| 23 | + * @param string $to |
|
| 24 | + * @param string $subject |
|
| 25 | + * @param string $content |
|
| 26 | + * @param array $headers Extra headers to include |
|
| 27 | + * |
|
| 28 | + * @return void |
|
| 29 | + */ |
|
| 30 | + public function sendMail($to, $subject, $content, $headers = array()); |
|
| 31 | 31 | } |
| 32 | 32 | \ No newline at end of file |
@@ -12,30 +12,30 @@ |
||
| 12 | 12 | |
| 13 | 13 | interface IBanHelper |
| 14 | 14 | { |
| 15 | - /** |
|
| 16 | - * Summary of nameIsBanned |
|
| 17 | - * |
|
| 18 | - * @param string $name The name to test if is banned. |
|
| 19 | - * |
|
| 20 | - * @return Ban |
|
| 21 | - */ |
|
| 22 | - public function nameIsBanned($name); |
|
| 15 | + /** |
|
| 16 | + * Summary of nameIsBanned |
|
| 17 | + * |
|
| 18 | + * @param string $name The name to test if is banned. |
|
| 19 | + * |
|
| 20 | + * @return Ban |
|
| 21 | + */ |
|
| 22 | + public function nameIsBanned($name); |
|
| 23 | 23 | |
| 24 | - /** |
|
| 25 | - * Summary of emailIsBanned |
|
| 26 | - * |
|
| 27 | - * @param string $email |
|
| 28 | - * |
|
| 29 | - * @return Ban |
|
| 30 | - */ |
|
| 31 | - public function emailIsBanned($email); |
|
| 24 | + /** |
|
| 25 | + * Summary of emailIsBanned |
|
| 26 | + * |
|
| 27 | + * @param string $email |
|
| 28 | + * |
|
| 29 | + * @return Ban |
|
| 30 | + */ |
|
| 31 | + public function emailIsBanned($email); |
|
| 32 | 32 | |
| 33 | - /** |
|
| 34 | - * Summary of ipIsBanned |
|
| 35 | - * |
|
| 36 | - * @param string $ip |
|
| 37 | - * |
|
| 38 | - * @return Ban |
|
| 39 | - */ |
|
| 40 | - public function ipIsBanned($ip); |
|
| 33 | + /** |
|
| 34 | + * Summary of ipIsBanned |
|
| 35 | + * |
|
| 36 | + * @param string $ip |
|
| 37 | + * |
|
| 38 | + * @return Ban |
|
| 39 | + */ |
|
| 40 | + public function ipIsBanned($ip); |
|
| 41 | 41 | } |
@@ -10,12 +10,12 @@ |
||
| 10 | 10 | |
| 11 | 11 | interface IBlacklistHelper |
| 12 | 12 | { |
| 13 | - /** |
|
| 14 | - * Returns a value indicating whether the provided username is blacklisted by the on-wiki title blacklist |
|
| 15 | - * |
|
| 16 | - * @param string $username |
|
| 17 | - * |
|
| 18 | - * @return bool |
|
| 19 | - */ |
|
| 20 | - public function isBlacklisted($username); |
|
| 13 | + /** |
|
| 14 | + * Returns a value indicating whether the provided username is blacklisted by the on-wiki title blacklist |
|
| 15 | + * |
|
| 16 | + * @param string $username |
|
| 17 | + * |
|
| 18 | + * @return bool |
|
| 19 | + */ |
|
| 20 | + public function isBlacklisted($username); |
|
| 21 | 21 | } |
| 22 | 22 | \ No newline at end of file |
@@ -13,87 +13,87 @@ |
||
| 13 | 13 | |
| 14 | 14 | class LogSearchHelper extends SearchHelperBase |
| 15 | 15 | { |
| 16 | - /** |
|
| 17 | - * LogSearchHelper constructor. |
|
| 18 | - * |
|
| 19 | - * @param PdoDatabase $database |
|
| 20 | - */ |
|
| 21 | - protected function __construct(PdoDatabase $database) |
|
| 22 | - { |
|
| 23 | - parent::__construct($database, 'log', Log::class, 'timestamp DESC'); |
|
| 24 | - } |
|
| 16 | + /** |
|
| 17 | + * LogSearchHelper constructor. |
|
| 18 | + * |
|
| 19 | + * @param PdoDatabase $database |
|
| 20 | + */ |
|
| 21 | + protected function __construct(PdoDatabase $database) |
|
| 22 | + { |
|
| 23 | + parent::__construct($database, 'log', Log::class, 'timestamp DESC'); |
|
| 24 | + } |
|
| 25 | 25 | |
| 26 | - /** |
|
| 27 | - * Initiates a search for requests |
|
| 28 | - * |
|
| 29 | - * @param PdoDatabase $database |
|
| 30 | - * |
|
| 31 | - * @return LogSearchHelper |
|
| 32 | - */ |
|
| 33 | - public static function get(PdoDatabase $database) |
|
| 34 | - { |
|
| 35 | - $helper = new LogSearchHelper($database); |
|
| 26 | + /** |
|
| 27 | + * Initiates a search for requests |
|
| 28 | + * |
|
| 29 | + * @param PdoDatabase $database |
|
| 30 | + * |
|
| 31 | + * @return LogSearchHelper |
|
| 32 | + */ |
|
| 33 | + public static function get(PdoDatabase $database) |
|
| 34 | + { |
|
| 35 | + $helper = new LogSearchHelper($database); |
|
| 36 | 36 | |
| 37 | - return $helper; |
|
| 38 | - } |
|
| 37 | + return $helper; |
|
| 38 | + } |
|
| 39 | 39 | |
| 40 | - /** |
|
| 41 | - * Filters the results by user |
|
| 42 | - * |
|
| 43 | - * @param int $userId |
|
| 44 | - * |
|
| 45 | - * @return $this |
|
| 46 | - */ |
|
| 47 | - public function byUser($userId) |
|
| 48 | - { |
|
| 49 | - $this->whereClause .= ' AND user = ?'; |
|
| 50 | - $this->parameterList[] = $userId; |
|
| 40 | + /** |
|
| 41 | + * Filters the results by user |
|
| 42 | + * |
|
| 43 | + * @param int $userId |
|
| 44 | + * |
|
| 45 | + * @return $this |
|
| 46 | + */ |
|
| 47 | + public function byUser($userId) |
|
| 48 | + { |
|
| 49 | + $this->whereClause .= ' AND user = ?'; |
|
| 50 | + $this->parameterList[] = $userId; |
|
| 51 | 51 | |
| 52 | - return $this; |
|
| 53 | - } |
|
| 52 | + return $this; |
|
| 53 | + } |
|
| 54 | 54 | |
| 55 | - /** |
|
| 56 | - * Filters the results by log action |
|
| 57 | - * |
|
| 58 | - * @param string $action |
|
| 59 | - * |
|
| 60 | - * @return $this |
|
| 61 | - */ |
|
| 62 | - public function byAction($action) |
|
| 63 | - { |
|
| 64 | - $this->whereClause .= ' AND action = ?'; |
|
| 65 | - $this->parameterList[] = $action; |
|
| 55 | + /** |
|
| 56 | + * Filters the results by log action |
|
| 57 | + * |
|
| 58 | + * @param string $action |
|
| 59 | + * |
|
| 60 | + * @return $this |
|
| 61 | + */ |
|
| 62 | + public function byAction($action) |
|
| 63 | + { |
|
| 64 | + $this->whereClause .= ' AND action = ?'; |
|
| 65 | + $this->parameterList[] = $action; |
|
| 66 | 66 | |
| 67 | - return $this; |
|
| 68 | - } |
|
| 67 | + return $this; |
|
| 68 | + } |
|
| 69 | 69 | |
| 70 | - /** |
|
| 71 | - * Filters the results by object type |
|
| 72 | - * |
|
| 73 | - * @param string $objectType |
|
| 74 | - * |
|
| 75 | - * @return $this |
|
| 76 | - */ |
|
| 77 | - public function byObjectType($objectType) |
|
| 78 | - { |
|
| 79 | - $this->whereClause .= ' AND objecttype = ?'; |
|
| 80 | - $this->parameterList[] = $objectType; |
|
| 70 | + /** |
|
| 71 | + * Filters the results by object type |
|
| 72 | + * |
|
| 73 | + * @param string $objectType |
|
| 74 | + * |
|
| 75 | + * @return $this |
|
| 76 | + */ |
|
| 77 | + public function byObjectType($objectType) |
|
| 78 | + { |
|
| 79 | + $this->whereClause .= ' AND objecttype = ?'; |
|
| 80 | + $this->parameterList[] = $objectType; |
|
| 81 | 81 | |
| 82 | - return $this; |
|
| 83 | - } |
|
| 82 | + return $this; |
|
| 83 | + } |
|
| 84 | 84 | |
| 85 | - /** |
|
| 86 | - * Filters the results by object type |
|
| 87 | - * |
|
| 88 | - * @param integer $objectId |
|
| 89 | - * |
|
| 90 | - * @return $this |
|
| 91 | - */ |
|
| 92 | - public function byObjectId($objectId) |
|
| 93 | - { |
|
| 94 | - $this->whereClause .= ' AND objectid = ?'; |
|
| 95 | - $this->parameterList[] = $objectId; |
|
| 85 | + /** |
|
| 86 | + * Filters the results by object type |
|
| 87 | + * |
|
| 88 | + * @param integer $objectId |
|
| 89 | + * |
|
| 90 | + * @return $this |
|
| 91 | + */ |
|
| 92 | + public function byObjectId($objectId) |
|
| 93 | + { |
|
| 94 | + $this->whereClause .= ' AND objectid = ?'; |
|
| 95 | + $this->parameterList[] = $objectId; |
|
| 96 | 96 | |
| 97 | - return $this; |
|
| 98 | - } |
|
| 97 | + return $this; |
|
| 98 | + } |
|
| 99 | 99 | } |
| 100 | 100 | \ No newline at end of file |
@@ -12,52 +12,52 @@ |
||
| 12 | 12 | |
| 13 | 13 | class WikiTextHelper |
| 14 | 14 | { |
| 15 | - /** |
|
| 16 | - * @var SiteConfiguration |
|
| 17 | - */ |
|
| 18 | - private $configuration; |
|
| 19 | - /** |
|
| 20 | - * @var HttpHelper |
|
| 21 | - */ |
|
| 22 | - private $http; |
|
| 23 | - |
|
| 24 | - /** |
|
| 25 | - * WikiTextHelper constructor. |
|
| 26 | - * |
|
| 27 | - * @param SiteConfiguration $configuration |
|
| 28 | - * @param HttpHelper $http |
|
| 29 | - */ |
|
| 30 | - public function __construct(SiteConfiguration $configuration, HttpHelper $http) |
|
| 31 | - { |
|
| 32 | - $this->configuration = $configuration; |
|
| 33 | - $this->http = $http; |
|
| 34 | - } |
|
| 35 | - |
|
| 36 | - /** |
|
| 37 | - * Gets the HTML for the provided wiki-markup from the MediaWiki service endpoint |
|
| 38 | - * |
|
| 39 | - * @param string $wikiText |
|
| 40 | - * |
|
| 41 | - * @return string |
|
| 42 | - */ |
|
| 43 | - public function getHtmlForWikiText($wikiText) |
|
| 44 | - { |
|
| 45 | - $endpoint = $this->configuration->getMediawikiWebServiceEndpoint(); |
|
| 46 | - |
|
| 47 | - $parameters = array( |
|
| 48 | - 'action' => 'parse', |
|
| 49 | - 'pst' => true, |
|
| 50 | - 'contentmodel' => 'wikitext', |
|
| 51 | - 'disablelimitreport' => true, |
|
| 52 | - 'disabletoc' => true, |
|
| 53 | - 'disableeditsection' => true, |
|
| 54 | - 'format' => 'php', |
|
| 55 | - 'text' => $wikiText, |
|
| 56 | - ); |
|
| 57 | - |
|
| 58 | - $apiResult = $this->http->get($endpoint, $parameters); |
|
| 59 | - $parseResult = unserialize($apiResult); |
|
| 60 | - |
|
| 61 | - return $parseResult['parse']['text']['*']; |
|
| 62 | - } |
|
| 15 | + /** |
|
| 16 | + * @var SiteConfiguration |
|
| 17 | + */ |
|
| 18 | + private $configuration; |
|
| 19 | + /** |
|
| 20 | + * @var HttpHelper |
|
| 21 | + */ |
|
| 22 | + private $http; |
|
| 23 | + |
|
| 24 | + /** |
|
| 25 | + * WikiTextHelper constructor. |
|
| 26 | + * |
|
| 27 | + * @param SiteConfiguration $configuration |
|
| 28 | + * @param HttpHelper $http |
|
| 29 | + */ |
|
| 30 | + public function __construct(SiteConfiguration $configuration, HttpHelper $http) |
|
| 31 | + { |
|
| 32 | + $this->configuration = $configuration; |
|
| 33 | + $this->http = $http; |
|
| 34 | + } |
|
| 35 | + |
|
| 36 | + /** |
|
| 37 | + * Gets the HTML for the provided wiki-markup from the MediaWiki service endpoint |
|
| 38 | + * |
|
| 39 | + * @param string $wikiText |
|
| 40 | + * |
|
| 41 | + * @return string |
|
| 42 | + */ |
|
| 43 | + public function getHtmlForWikiText($wikiText) |
|
| 44 | + { |
|
| 45 | + $endpoint = $this->configuration->getMediawikiWebServiceEndpoint(); |
|
| 46 | + |
|
| 47 | + $parameters = array( |
|
| 48 | + 'action' => 'parse', |
|
| 49 | + 'pst' => true, |
|
| 50 | + 'contentmodel' => 'wikitext', |
|
| 51 | + 'disablelimitreport' => true, |
|
| 52 | + 'disabletoc' => true, |
|
| 53 | + 'disableeditsection' => true, |
|
| 54 | + 'format' => 'php', |
|
| 55 | + 'text' => $wikiText, |
|
| 56 | + ); |
|
| 57 | + |
|
| 58 | + $apiResult = $this->http->get($endpoint, $parameters); |
|
| 59 | + $parseResult = unserialize($apiResult); |
|
| 60 | + |
|
| 61 | + return $parseResult['parse']['text']['*']; |
|
| 62 | + } |
|
| 63 | 63 | } |
| 64 | 64 | \ No newline at end of file |
@@ -12,21 +12,21 @@ |
||
| 12 | 12 | |
| 13 | 13 | class EmailHelper implements IEmailHelper |
| 14 | 14 | { |
| 15 | - /** |
|
| 16 | - * @param string $to |
|
| 17 | - * @param string $subject |
|
| 18 | - * @param string $content |
|
| 19 | - * @param array $headers Extra headers to include |
|
| 20 | - */ |
|
| 21 | - public function sendMail($to, $subject, $content, $headers = array()) |
|
| 22 | - { |
|
| 23 | - $headers['From'] = '[email protected]'; |
|
| 24 | - $headerString = ''; |
|
| 15 | + /** |
|
| 16 | + * @param string $to |
|
| 17 | + * @param string $subject |
|
| 18 | + * @param string $content |
|
| 19 | + * @param array $headers Extra headers to include |
|
| 20 | + */ |
|
| 21 | + public function sendMail($to, $subject, $content, $headers = array()) |
|
| 22 | + { |
|
| 23 | + $headers['From'] = '[email protected]'; |
|
| 24 | + $headerString = ''; |
|
| 25 | 25 | |
| 26 | - foreach ($headers as $header => $headerValue) { |
|
| 27 | - $headerString .= $header . ': ' . $headerValue . "\r\n"; |
|
| 28 | - } |
|
| 26 | + foreach ($headers as $header => $headerValue) { |
|
| 27 | + $headerString .= $header . ': ' . $headerValue . "\r\n"; |
|
| 28 | + } |
|
| 29 | 29 | |
| 30 | - mail($to, $subject, $content, $headerString); |
|
| 31 | - } |
|
| 30 | + mail($to, $subject, $content, $headerString); |
|
| 31 | + } |
|
| 32 | 32 | } |
| 33 | 33 | \ No newline at end of file |
@@ -13,21 +13,21 @@ |
||
| 13 | 13 | */ |
| 14 | 14 | class Environment |
| 15 | 15 | { |
| 16 | - /** |
|
| 17 | - * @var string Cached copy of the tool version |
|
| 18 | - */ |
|
| 19 | - private static $toolVersion = null; |
|
| 16 | + /** |
|
| 17 | + * @var string Cached copy of the tool version |
|
| 18 | + */ |
|
| 19 | + private static $toolVersion = null; |
|
| 20 | 20 | |
| 21 | - /** |
|
| 22 | - * Gets the tool version, using cached data if available. |
|
| 23 | - * @return string |
|
| 24 | - */ |
|
| 25 | - public static function getToolVersion() |
|
| 26 | - { |
|
| 27 | - if (self::$toolVersion === null) { |
|
| 28 | - self::$toolVersion = exec("git describe --always --dirty"); |
|
| 29 | - } |
|
| 21 | + /** |
|
| 22 | + * Gets the tool version, using cached data if available. |
|
| 23 | + * @return string |
|
| 24 | + */ |
|
| 25 | + public static function getToolVersion() |
|
| 26 | + { |
|
| 27 | + if (self::$toolVersion === null) { |
|
| 28 | + self::$toolVersion = exec("git describe --always --dirty"); |
|
| 29 | + } |
|
| 30 | 30 | |
| 31 | - return self::$toolVersion; |
|
| 32 | - } |
|
| 31 | + return self::$toolVersion; |
|
| 32 | + } |
|
| 33 | 33 | } |
@@ -207,7 +207,7 @@ |
||
| 207 | 207 | } |
| 208 | 208 | } |
| 209 | 209 | |
| 210 | - public function getRoleConfiguration(){ |
|
| 210 | + public function getRoleConfiguration() { |
|
| 211 | 211 | return $this->roleConfiguration; |
| 212 | 212 | } |
| 213 | 213 | } |
@@ -196,18 +196,17 @@ |
||
| 196 | 196 | if ($this->roleConfiguration->roleNeedsIdentification($v)) { |
| 197 | 197 | if ($identified) { |
| 198 | 198 | $activeRoles[] = $v; |
| 199 | - } |
|
| 200 | - else { |
|
| 199 | + } else { |
|
| 201 | 200 | $inactiveRoles[] = $v; |
| 202 | 201 | } |
| 203 | - } |
|
| 204 | - else { |
|
| 202 | + } else { |
|
| 205 | 203 | $activeRoles[] = $v; |
| 206 | 204 | } |
| 207 | 205 | } |
| 208 | 206 | } |
| 209 | 207 | |
| 210 | - public function getRoleConfiguration(){ |
|
| 208 | + public function getRoleConfiguration() |
|
| 209 | + { |
|
| 211 | 210 | return $this->roleConfiguration; |
| 212 | 211 | } |
| 213 | 212 | } |
@@ -14,199 +14,199 @@ |
||
| 14 | 14 | |
| 15 | 15 | final class SecurityManager |
| 16 | 16 | { |
| 17 | - const ALLOWED = 1; |
|
| 18 | - const ERROR_NOT_IDENTIFIED = 2; |
|
| 19 | - const ERROR_DENIED = 3; |
|
| 20 | - /** @var IdentificationVerifier */ |
|
| 21 | - private $identificationVerifier; |
|
| 22 | - /** |
|
| 23 | - * @var RoleConfiguration |
|
| 24 | - */ |
|
| 25 | - private $roleConfiguration; |
|
| 26 | - |
|
| 27 | - /** |
|
| 28 | - * SecurityManager constructor. |
|
| 29 | - * |
|
| 30 | - * @param IdentificationVerifier $identificationVerifier |
|
| 31 | - * @param RoleConfiguration $roleConfiguration |
|
| 32 | - */ |
|
| 33 | - public function __construct( |
|
| 34 | - IdentificationVerifier $identificationVerifier, |
|
| 35 | - RoleConfiguration $roleConfiguration |
|
| 36 | - ) { |
|
| 37 | - $this->identificationVerifier = $identificationVerifier; |
|
| 38 | - $this->roleConfiguration = $roleConfiguration; |
|
| 39 | - } |
|
| 40 | - |
|
| 41 | - /** |
|
| 42 | - * Tests if a user is allowed to perform an action. |
|
| 43 | - * |
|
| 44 | - * This method should form a hard, deterministic security barrier, and only return true if it is absolutely sure |
|
| 45 | - * that a user should have access to something. |
|
| 46 | - * |
|
| 47 | - * @param string $page |
|
| 48 | - * @param string $route |
|
| 49 | - * @param User $user |
|
| 50 | - * |
|
| 51 | - * @return int |
|
| 52 | - * |
|
| 53 | - * @category Security-Critical |
|
| 54 | - */ |
|
| 55 | - public function allows($page, $route, User $user) |
|
| 56 | - { |
|
| 57 | - $this->getActiveRoles($user, $activeRoles, $inactiveRoles); |
|
| 58 | - |
|
| 59 | - $availableRights = $this->flattenRoles($activeRoles); |
|
| 60 | - $testResult = $this->findResult($availableRights, $page, $route); |
|
| 61 | - |
|
| 62 | - if ($testResult !== null) { |
|
| 63 | - // We got a firm result here, so just return it. |
|
| 64 | - return $testResult; |
|
| 65 | - } |
|
| 66 | - |
|
| 67 | - // No firm result yet, so continue testing the inactive roles so we can give a better error. |
|
| 68 | - $inactiveRights = $this->flattenRoles($inactiveRoles); |
|
| 69 | - $testResult = $this->findResult($inactiveRights, $page, $route); |
|
| 70 | - |
|
| 71 | - if ($testResult === self::ALLOWED) { |
|
| 72 | - // The user is allowed to access this, but their role is inactive. |
|
| 73 | - return self::ERROR_NOT_IDENTIFIED; |
|
| 74 | - } |
|
| 75 | - |
|
| 76 | - // Other options from the secondary test are denied and inconclusive, which at this point defaults to denied. |
|
| 77 | - return self::ERROR_DENIED; |
|
| 78 | - } |
|
| 79 | - |
|
| 80 | - /** |
|
| 81 | - * @param array $pseudoRole The role (flattened) to check |
|
| 82 | - * @param string $page The page class to check |
|
| 83 | - * @param string $route The page route to check |
|
| 84 | - * |
|
| 85 | - * @return int|null |
|
| 86 | - */ |
|
| 87 | - private function findResult($pseudoRole, $page, $route) |
|
| 88 | - { |
|
| 89 | - if (isset($pseudoRole[$page])) { |
|
| 90 | - // check for deny on catch-all route |
|
| 91 | - if (isset($pseudoRole[$page][RoleConfiguration::ALL])) { |
|
| 92 | - if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_DENY) { |
|
| 93 | - return self::ERROR_DENIED; |
|
| 94 | - } |
|
| 95 | - } |
|
| 96 | - |
|
| 97 | - // check normal route |
|
| 98 | - if (isset($pseudoRole[$page][$route])) { |
|
| 99 | - if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_DENY) { |
|
| 100 | - return self::ERROR_DENIED; |
|
| 101 | - } |
|
| 102 | - |
|
| 103 | - if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_ALLOW) { |
|
| 104 | - return self::ALLOWED; |
|
| 105 | - } |
|
| 106 | - } |
|
| 107 | - |
|
| 108 | - // check for allowed on catch-all route |
|
| 109 | - if (isset($pseudoRole[$page][RoleConfiguration::ALL])) { |
|
| 110 | - if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_ALLOW) { |
|
| 111 | - return self::ALLOWED; |
|
| 112 | - } |
|
| 113 | - } |
|
| 114 | - } |
|
| 115 | - |
|
| 116 | - // return indeterminate result |
|
| 117 | - return null; |
|
| 118 | - } |
|
| 119 | - |
|
| 120 | - /** |
|
| 121 | - * Takes an array of roles and flattens the values to a single set. |
|
| 122 | - * |
|
| 123 | - * @param array $activeRoles |
|
| 124 | - * |
|
| 125 | - * @return array |
|
| 126 | - */ |
|
| 127 | - private function flattenRoles($activeRoles) |
|
| 128 | - { |
|
| 129 | - $result = array(); |
|
| 130 | - |
|
| 131 | - $roleConfig = $this->roleConfiguration->getApplicableRoles($activeRoles); |
|
| 132 | - |
|
| 133 | - // Iterate over every page in every role |
|
| 134 | - foreach ($roleConfig as $role) { |
|
| 135 | - foreach ($role as $page => $pageRights) { |
|
| 136 | - // Create holder in result for this page |
|
| 137 | - if (!isset($result[$page])) { |
|
| 138 | - $result[$page] = array(); |
|
| 139 | - } |
|
| 140 | - |
|
| 141 | - foreach ($pageRights as $action => $permission) { |
|
| 142 | - // Deny takes precedence, so if it's set, don't change it. |
|
| 143 | - if (isset($result[$page][$action])) { |
|
| 144 | - if ($result[$page][$action] === RoleConfiguration::ACCESS_DENY) { |
|
| 145 | - continue; |
|
| 146 | - } |
|
| 147 | - } |
|
| 148 | - |
|
| 149 | - if ($permission === RoleConfiguration::ACCESS_DEFAULT) { |
|
| 150 | - // Configured to do precisely nothing. |
|
| 151 | - continue; |
|
| 152 | - } |
|
| 153 | - |
|
| 154 | - $result[$page][$action] = $permission; |
|
| 155 | - } |
|
| 156 | - } |
|
| 157 | - } |
|
| 158 | - |
|
| 159 | - return $result; |
|
| 160 | - } |
|
| 161 | - |
|
| 162 | - /** |
|
| 163 | - * @param User $user |
|
| 164 | - * @param array $activeRoles |
|
| 165 | - * @param array $inactiveRoles |
|
| 166 | - */ |
|
| 167 | - public function getActiveRoles(User $user, &$activeRoles, &$inactiveRoles) |
|
| 168 | - { |
|
| 169 | - // Default to the community user here, because the main user is logged out |
|
| 170 | - $identified = false; |
|
| 171 | - $userRoles = array('public'); |
|
| 172 | - |
|
| 173 | - // if we're not the community user, get our real rights. |
|
| 174 | - if (!$user->isCommunityUser()) { |
|
| 175 | - // Check the user's status - only active users are allowed the effects of roles |
|
| 176 | - |
|
| 177 | - $userRoles[] = 'loggedIn'; |
|
| 178 | - |
|
| 179 | - if ($user->isActive()) { |
|
| 180 | - $ur = UserRole::getForUser($user->getId(), $user->getDatabase()); |
|
| 181 | - |
|
| 182 | - // NOTE: public is still in this array. |
|
| 183 | - foreach ($ur as $r) { |
|
| 184 | - $userRoles[] = $r->getRole(); |
|
| 185 | - } |
|
| 186 | - |
|
| 187 | - $identified = $user->isIdentified($this->identificationVerifier); |
|
| 188 | - } |
|
| 189 | - } |
|
| 190 | - |
|
| 191 | - $activeRoles = array(); |
|
| 192 | - $inactiveRoles = array(); |
|
| 193 | - |
|
| 194 | - foreach ($userRoles as $v) { |
|
| 195 | - if ($this->roleConfiguration->roleNeedsIdentification($v)) { |
|
| 196 | - if ($identified) { |
|
| 197 | - $activeRoles[] = $v; |
|
| 198 | - } |
|
| 199 | - else { |
|
| 200 | - $inactiveRoles[] = $v; |
|
| 201 | - } |
|
| 202 | - } |
|
| 203 | - else { |
|
| 204 | - $activeRoles[] = $v; |
|
| 205 | - } |
|
| 206 | - } |
|
| 207 | - } |
|
| 208 | - |
|
| 209 | - public function getRoleConfiguration(){ |
|
| 210 | - return $this->roleConfiguration; |
|
| 211 | - } |
|
| 17 | + const ALLOWED = 1; |
|
| 18 | + const ERROR_NOT_IDENTIFIED = 2; |
|
| 19 | + const ERROR_DENIED = 3; |
|
| 20 | + /** @var IdentificationVerifier */ |
|
| 21 | + private $identificationVerifier; |
|
| 22 | + /** |
|
| 23 | + * @var RoleConfiguration |
|
| 24 | + */ |
|
| 25 | + private $roleConfiguration; |
|
| 26 | + |
|
| 27 | + /** |
|
| 28 | + * SecurityManager constructor. |
|
| 29 | + * |
|
| 30 | + * @param IdentificationVerifier $identificationVerifier |
|
| 31 | + * @param RoleConfiguration $roleConfiguration |
|
| 32 | + */ |
|
| 33 | + public function __construct( |
|
| 34 | + IdentificationVerifier $identificationVerifier, |
|
| 35 | + RoleConfiguration $roleConfiguration |
|
| 36 | + ) { |
|
| 37 | + $this->identificationVerifier = $identificationVerifier; |
|
| 38 | + $this->roleConfiguration = $roleConfiguration; |
|
| 39 | + } |
|
| 40 | + |
|
| 41 | + /** |
|
| 42 | + * Tests if a user is allowed to perform an action. |
|
| 43 | + * |
|
| 44 | + * This method should form a hard, deterministic security barrier, and only return true if it is absolutely sure |
|
| 45 | + * that a user should have access to something. |
|
| 46 | + * |
|
| 47 | + * @param string $page |
|
| 48 | + * @param string $route |
|
| 49 | + * @param User $user |
|
| 50 | + * |
|
| 51 | + * @return int |
|
| 52 | + * |
|
| 53 | + * @category Security-Critical |
|
| 54 | + */ |
|
| 55 | + public function allows($page, $route, User $user) |
|
| 56 | + { |
|
| 57 | + $this->getActiveRoles($user, $activeRoles, $inactiveRoles); |
|
| 58 | + |
|
| 59 | + $availableRights = $this->flattenRoles($activeRoles); |
|
| 60 | + $testResult = $this->findResult($availableRights, $page, $route); |
|
| 61 | + |
|
| 62 | + if ($testResult !== null) { |
|
| 63 | + // We got a firm result here, so just return it. |
|
| 64 | + return $testResult; |
|
| 65 | + } |
|
| 66 | + |
|
| 67 | + // No firm result yet, so continue testing the inactive roles so we can give a better error. |
|
| 68 | + $inactiveRights = $this->flattenRoles($inactiveRoles); |
|
| 69 | + $testResult = $this->findResult($inactiveRights, $page, $route); |
|
| 70 | + |
|
| 71 | + if ($testResult === self::ALLOWED) { |
|
| 72 | + // The user is allowed to access this, but their role is inactive. |
|
| 73 | + return self::ERROR_NOT_IDENTIFIED; |
|
| 74 | + } |
|
| 75 | + |
|
| 76 | + // Other options from the secondary test are denied and inconclusive, which at this point defaults to denied. |
|
| 77 | + return self::ERROR_DENIED; |
|
| 78 | + } |
|
| 79 | + |
|
| 80 | + /** |
|
| 81 | + * @param array $pseudoRole The role (flattened) to check |
|
| 82 | + * @param string $page The page class to check |
|
| 83 | + * @param string $route The page route to check |
|
| 84 | + * |
|
| 85 | + * @return int|null |
|
| 86 | + */ |
|
| 87 | + private function findResult($pseudoRole, $page, $route) |
|
| 88 | + { |
|
| 89 | + if (isset($pseudoRole[$page])) { |
|
| 90 | + // check for deny on catch-all route |
|
| 91 | + if (isset($pseudoRole[$page][RoleConfiguration::ALL])) { |
|
| 92 | + if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_DENY) { |
|
| 93 | + return self::ERROR_DENIED; |
|
| 94 | + } |
|
| 95 | + } |
|
| 96 | + |
|
| 97 | + // check normal route |
|
| 98 | + if (isset($pseudoRole[$page][$route])) { |
|
| 99 | + if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_DENY) { |
|
| 100 | + return self::ERROR_DENIED; |
|
| 101 | + } |
|
| 102 | + |
|
| 103 | + if ($pseudoRole[$page][$route] === RoleConfiguration::ACCESS_ALLOW) { |
|
| 104 | + return self::ALLOWED; |
|
| 105 | + } |
|
| 106 | + } |
|
| 107 | + |
|
| 108 | + // check for allowed on catch-all route |
|
| 109 | + if (isset($pseudoRole[$page][RoleConfiguration::ALL])) { |
|
| 110 | + if ($pseudoRole[$page][RoleConfiguration::ALL] === RoleConfiguration::ACCESS_ALLOW) { |
|
| 111 | + return self::ALLOWED; |
|
| 112 | + } |
|
| 113 | + } |
|
| 114 | + } |
|
| 115 | + |
|
| 116 | + // return indeterminate result |
|
| 117 | + return null; |
|
| 118 | + } |
|
| 119 | + |
|
| 120 | + /** |
|
| 121 | + * Takes an array of roles and flattens the values to a single set. |
|
| 122 | + * |
|
| 123 | + * @param array $activeRoles |
|
| 124 | + * |
|
| 125 | + * @return array |
|
| 126 | + */ |
|
| 127 | + private function flattenRoles($activeRoles) |
|
| 128 | + { |
|
| 129 | + $result = array(); |
|
| 130 | + |
|
| 131 | + $roleConfig = $this->roleConfiguration->getApplicableRoles($activeRoles); |
|
| 132 | + |
|
| 133 | + // Iterate over every page in every role |
|
| 134 | + foreach ($roleConfig as $role) { |
|
| 135 | + foreach ($role as $page => $pageRights) { |
|
| 136 | + // Create holder in result for this page |
|
| 137 | + if (!isset($result[$page])) { |
|
| 138 | + $result[$page] = array(); |
|
| 139 | + } |
|
| 140 | + |
|
| 141 | + foreach ($pageRights as $action => $permission) { |
|
| 142 | + // Deny takes precedence, so if it's set, don't change it. |
|
| 143 | + if (isset($result[$page][$action])) { |
|
| 144 | + if ($result[$page][$action] === RoleConfiguration::ACCESS_DENY) { |
|
| 145 | + continue; |
|
| 146 | + } |
|
| 147 | + } |
|
| 148 | + |
|
| 149 | + if ($permission === RoleConfiguration::ACCESS_DEFAULT) { |
|
| 150 | + // Configured to do precisely nothing. |
|
| 151 | + continue; |
|
| 152 | + } |
|
| 153 | + |
|
| 154 | + $result[$page][$action] = $permission; |
|
| 155 | + } |
|
| 156 | + } |
|
| 157 | + } |
|
| 158 | + |
|
| 159 | + return $result; |
|
| 160 | + } |
|
| 161 | + |
|
| 162 | + /** |
|
| 163 | + * @param User $user |
|
| 164 | + * @param array $activeRoles |
|
| 165 | + * @param array $inactiveRoles |
|
| 166 | + */ |
|
| 167 | + public function getActiveRoles(User $user, &$activeRoles, &$inactiveRoles) |
|
| 168 | + { |
|
| 169 | + // Default to the community user here, because the main user is logged out |
|
| 170 | + $identified = false; |
|
| 171 | + $userRoles = array('public'); |
|
| 172 | + |
|
| 173 | + // if we're not the community user, get our real rights. |
|
| 174 | + if (!$user->isCommunityUser()) { |
|
| 175 | + // Check the user's status - only active users are allowed the effects of roles |
|
| 176 | + |
|
| 177 | + $userRoles[] = 'loggedIn'; |
|
| 178 | + |
|
| 179 | + if ($user->isActive()) { |
|
| 180 | + $ur = UserRole::getForUser($user->getId(), $user->getDatabase()); |
|
| 181 | + |
|
| 182 | + // NOTE: public is still in this array. |
|
| 183 | + foreach ($ur as $r) { |
|
| 184 | + $userRoles[] = $r->getRole(); |
|
| 185 | + } |
|
| 186 | + |
|
| 187 | + $identified = $user->isIdentified($this->identificationVerifier); |
|
| 188 | + } |
|
| 189 | + } |
|
| 190 | + |
|
| 191 | + $activeRoles = array(); |
|
| 192 | + $inactiveRoles = array(); |
|
| 193 | + |
|
| 194 | + foreach ($userRoles as $v) { |
|
| 195 | + if ($this->roleConfiguration->roleNeedsIdentification($v)) { |
|
| 196 | + if ($identified) { |
|
| 197 | + $activeRoles[] = $v; |
|
| 198 | + } |
|
| 199 | + else { |
|
| 200 | + $inactiveRoles[] = $v; |
|
| 201 | + } |
|
| 202 | + } |
|
| 203 | + else { |
|
| 204 | + $activeRoles[] = $v; |
|
| 205 | + } |
|
| 206 | + } |
|
| 207 | + } |
|
| 208 | + |
|
| 209 | + public function getRoleConfiguration(){ |
|
| 210 | + return $this->roleConfiguration; |
|
| 211 | + } |
|
| 212 | 212 | } |
