mdaniels5757 / waca

includes/Pages/PageUserManagement.php

Indentation +600 added lines, -600 removed lines

@@ -32,18 +32,18 @@ 
  */
 class PageUserManagement extends InternalPageBase
 {
-    const OAUTH_STATE_NONE = 'none';
-    const OAUTH_STATE_PARTIAL = 'partial';
-    const OAUTH_STATE_FULL = 'full';
-
-    // FIXME: domains
-    /** @var string */
-    private $adminMailingList = 'enwiki-acc-admins@googlegroups.com';
-
-    private function getOAuthStatusMap(PdoDatabase $database): array
-    {
-        $oauthStatusQuery = $database->prepare(
-            <<<SQL
+	const OAUTH_STATE_NONE = 'none';
+	const OAUTH_STATE_PARTIAL = 'partial';
+	const OAUTH_STATE_FULL = 'full';
+
+	// FIXME: domains
+	/** @var string */
+	private $adminMailingList = 'enwiki-acc-admins@googlegroups.com';
+
+	private function getOAuthStatusMap(PdoDatabase $database): array
+	{
+		$oauthStatusQuery = $database->prepare(
+			<<<SQL
     SELECT u.id,
            CASE
                WHEN SUM(IF(ot.type = :access, 1, 0)) OVER (PARTITION BY ot.user) > 0 THEN :full
@@ -53,592 +53,592 @@ 
     FROM user u 
     LEFT JOIN oauthtoken ot ON u.id = ot.user;
 SQL
-        );
-
-        $oauthStatusQuery->execute([
-            ':access' => OAuthUserHelper::TOKEN_ACCESS,
-            ':request' => OAuthUserHelper::TOKEN_REQUEST,
-            ':full' => self::OAUTH_STATE_FULL,
-            ':partial' => self::OAUTH_STATE_PARTIAL,
-            ':none' => self::OAUTH_STATE_NONE,
-        ]);
-        $oauthStatusRawData = $oauthStatusQuery->fetchAll(PDO::FETCH_ASSOC);
-        $oauthStatusQuery->closeCursor();
-        $oauthStatusMap = [];
-
-        foreach ($oauthStatusRawData as $row) {
-            $oauthStatusMap[(int)$row['id']] = $row['status'];
-        }
-
-        return $oauthStatusMap;
-    }
-
-    /**
-     * Main function for this page, when no specific actions are called.
-     */
-    protected function main()
-    {
-        $this->setHtmlTitle('User Management');
-
-        $database = $this->getDatabase();
-        $currentUser = User::getCurrent($database);
-
-        $userSearchRequest = WebRequest::getString('usersearch');
-        if ($userSearchRequest !== null) {
-            $searchedUser = User::getByUsername($userSearchRequest, $database);
-            if ($searchedUser !== false) {
-                $this->redirect('statistics/users', 'detail', ['user' => $searchedUser->getId()]);
-                return;
-            }
-        }
-
-        $this->assign('oauthStatusMap', $this->getOAuthStatusMap($database));
-
-        if (WebRequest::getBoolean("showAll")) {
-            $this->assign("showAll", true);
-
-            $deactivatedUsers = UserSearchHelper::get($database)->byStatus(User::STATUS_DEACTIVATED)->fetch();
-            $this->assign('deactivatedUsers', $deactivatedUsers);
-
-            UserSearchHelper::get($database)->getRoleMap($roleMap);
-        }
-        else {
-            $this->assign("showAll", false);
-            $this->assign('deactivatedUsers', array());
-
-            UserSearchHelper::get($database)->statusIn(array('New', 'Active'))->getRoleMap($roleMap);
-        }
-
-        $newUsers = UserSearchHelper::get($database)->byStatus(User::STATUS_NEW)->fetch();
-        $normalUsers = UserSearchHelper::get($database)->byStatus(User::STATUS_ACTIVE)->byRole('user')->fetch();
-        $adminUsers = UserSearchHelper::get($database)->byStatus(User::STATUS_ACTIVE)->byRole('admin')->fetch();
-        $checkUsers = UserSearchHelper::get($database)->byStatus(User::STATUS_ACTIVE)->byRole('checkuser')->fetch();
-        $stewards = UserSearchHelper::get($database)->byStatus(User::STATUS_ACTIVE)->byRole('steward')->fetch();
-        $toolRoots = UserSearchHelper::get($database)->byStatus(User::STATUS_ACTIVE)->byRole('toolRoot')->fetch();
-        $this->assign('newUsers', $newUsers);
-        $this->assign('normalUsers', $normalUsers);
-        $this->assign('adminUsers', $adminUsers);
-        $this->assign('checkUsers', $checkUsers);
-        $this->assign('stewards', $stewards);
-        $this->assign('toolRoots', $toolRoots);
-
-        $this->assign('roles', $roleMap);
-
-        $this->addJs("/api.php?action=users&all=true&targetVariable=typeaheaddata");
-
-        $this->assign('canApprove', $this->barrierTest('approve', $currentUser));
-        $this->assign('canDeactivate', $this->barrierTest('deactivate', $currentUser));
-        $this->assign('canRename', $this->barrierTest('rename', $currentUser));
-        $this->assign('canEditUser', $this->barrierTest('editUser', $currentUser));
-        $this->assign('canEditRoles', $this->barrierTest('editRoles', $currentUser));
-
-        // FIXME: domains!
-        /** @var Domain $domain */
-        $domain = Domain::getById(1, $this->getDatabase());
-        $this->assign('mediawikiScriptPath', $domain->getWikiArticlePath());
-
-        $this->setTemplate("usermanagement/main.tpl");
-    }
-
-    #region Access control
-
-    /**
-     * Action target for editing the roles assigned to a user
-     *
-     * @throws ApplicationLogicException
-     * @throws SmartyException
-     * @throws OptimisticLockFailedException
-     * @throws Exception
-     */
-    protected function editRoles(): void
-    {
-        $this->setHtmlTitle('User Management');
-        $database = $this->getDatabase();
-        $domain = Domain::getCurrent($database);
-        $userId = WebRequest::getInt('user');
-
-        /** @var User|false $user */
-        $user = User::getById($userId, $database);
-
-        if ($user === false || $user->isCommunityUser()) {
-            throw new ApplicationLogicException('Sorry, the user you are trying to edit could not be found.');
-        }
-
-        $roleData = $this->getRoleData(UserRole::getForUser($user->getId(), $database, $domain->getId()));
-
-        // Dual-mode action
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-
-            $reason = WebRequest::postString('reason');
-            if ($reason === false || trim($reason) === '') {
-                throw new ApplicationLogicException('No reason specified for roles change');
-            }
-
-            /** @var UserRole[] $delete */
-            $delete = array();
-            /** @var string[] $add */
-            $add = array();
-
-            /** @var UserRole[] $globalDelete */
-            $globalDelete = array();
-            /** @var string[] $globalAdd */
-            $globalAdd = array();
-
-            foreach ($roleData as $name => $r) {
-                if ($r['allowEdit'] !== 1) {
-                    // not allowed, to touch this, so ignore it
-                    continue;
-                }
-
-                $newValue = WebRequest::postBoolean('role-' . $name) ? 1 : 0;
-                if ($newValue !== $r['active']) {
-                    if ($newValue === 0) {
-                        if ($r['globalOnly']) {
-                            $globalDelete[] = $r['object'];
-                        }
-                        else {
-                            $delete[] = $r['object'];
-                        }
-                    }
-
-                    if ($newValue === 1) {
-                        if ($r['globalOnly']) {
-                            $globalAdd[] = $name;
-                        }
-                        else {
-                            $add[] = $name;
-                        }
-                    }
-                }
-            }
-
-            // Check there's something to do
-            if ((count($add) + count($delete) + count($globalAdd) + count($globalDelete)) === 0) {
-                $this->redirect('statistics/users', 'detail', array('user' => $user->getId()));
-                SessionAlert::warning('No changes made to roles.');
-
-                return;
-            }
-
-            $removed = array();
-            $globalRemoved = array();
-
-            foreach ($delete as $d) {
-                $removed[] = $d->getRole();
-                $d->delete();
-            }
-
-            foreach ($globalDelete as $d) {
-                $globalRemoved[] = $d->getRole();
-                $d->delete();
-            }
-
-            foreach ($add as $x) {
-                $a = new UserRole();
-                $a->setUser($user->getId());
-                $a->setRole($x);
-                $a->setDomain($domain->getId());
-                $a->setDatabase($database);
-                $a->save();
-            }
-
-            foreach ($globalAdd as $x) {
-                $a = new UserRole();
-                $a->setUser($user->getId());
-                $a->setRole($x);
-                $a->setDomain(null);
-                $a->setDatabase($database);
-                $a->save();
-            }
-
-            if ((count($add) + count($delete)) > 0) {
-                Logger::userRolesEdited($database, $user, $reason, $add, $removed, $domain->getId());
-            }
-
-            if ((count($globalAdd) + count($globalDelete)) > 0) {
-                Logger::userGlobalRolesEdited($database, $user, $reason, $globalAdd, $globalRemoved);
-            }
-
-            // dummy save for optimistic locking. If this fails, the entire txn will roll back.
-            $user->setUpdateVersion(WebRequest::postInt('updateversion'));
-            $user->save();
-
-            $this->getNotificationHelper()->userRolesEdited($user, $reason);
-            SessionAlert::quick('Roles changed for user ' . htmlentities($user->getUsername(), ENT_COMPAT, 'UTF-8'));
-
-            $this->redirect('statistics/users', 'detail', array('user' => $user->getId()));
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('usermanagement/roleedit.tpl');
-            $this->assign('user', $user);
-            $this->assign('roleData', $roleData);
-        }
-    }
-
-    /**
-     * Action target for deactivating users
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function deactivate()
-    {
-        $this->setHtmlTitle('User Management');
-
-        $database = $this->getDatabase();
-
-        $userId = WebRequest::getInt('user');
-
-        /** @var User $user */
-        $user = User::getById($userId, $database);
-
-        if ($user === false || $user->isCommunityUser()) {
-            throw new ApplicationLogicException('Sorry, the user you are trying to deactivate could not be found.');
-        }
-
-        if ($user->isDeactivated()) {
-            throw new ApplicationLogicException('Sorry, the user you are trying to deactivate is already deactivated.');
-        }
-
-        // Dual-mode action
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            $reason = WebRequest::postString('reason');
-
-            if ($reason === null || trim($reason) === '') {
-                throw new ApplicationLogicException('No reason provided');
-            }
-
-            $user->setStatus(User::STATUS_DEACTIVATED);
-            $user->setUpdateVersion(WebRequest::postInt('updateversion'));
-            $user->save();
-            Logger::deactivatedUser($database, $user, $reason);
-
-            $this->getNotificationHelper()->userDeactivated($user);
-            SessionAlert::quick('Deactivated user ' . htmlentities($user->getUsername(), ENT_COMPAT, 'UTF-8'));
-
-            // send email
-            $this->sendStatusChangeEmail(
-                'Your WP:ACC account has been deactivated',
-                'usermanagement/emails/deactivated.tpl',
-                $reason,
-                $user,
-                User::getCurrent($database)->getUsername()
-            );
-
-            $this->redirect('userManagement');
-
-            return;
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('usermanagement/changelevel-reason.tpl');
-            $this->assign('user', $user);
-            $this->assign('status', User::STATUS_DEACTIVATED);
-            $this->assign("showReason", true);
-
-            if (WebRequest::getString('preload')) {
-                $this->assign('preload', WebRequest::getString('preload'));
-            }
-        }
-    }
-
-    /**
-     * Entry point for the approve action
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function approve()
-    {
-        $this->setHtmlTitle('User Management');
-
-        $database = $this->getDatabase();
-
-        $userId = WebRequest::getInt('user');
-        $user = User::getById($userId, $database);
-
-        if ($user === false || $user->isCommunityUser()) {
-            throw new ApplicationLogicException('Sorry, the user you are trying to approve could not be found.');
-        }
-
-        if ($user->isActive()) {
-            throw new ApplicationLogicException('Sorry, the user you are trying to approve is already an active user.');
-        }
-
-        // Dual-mode action
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            $user->setStatus(User::STATUS_ACTIVE);
-            $user->setUpdateVersion(WebRequest::postInt('updateversion'));
-            $user->save();
-            Logger::approvedUser($database, $user);
-
-            $this->getNotificationHelper()->userApproved($user);
-            SessionAlert::quick('Approved user ' . htmlentities($user->getUsername(), ENT_COMPAT, 'UTF-8'));
-
-            // send email
-            $this->sendStatusChangeEmail(
-                'Your WP:ACC account has been approved',
-                'usermanagement/emails/approved.tpl',
-                null,
-                $user,
-                User::getCurrent($database)->getUsername()
-            );
-
-            $this->redirect("userManagement");
-
-            return;
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate("usermanagement/changelevel-reason.tpl");
-            $this->assign("user", $user);
-            $this->assign("status", "Active");
-            $this->assign("showReason", false);
-        }
-    }
-
-    #endregion
-
-    #region Renaming / Editing
-
-    /**
-     * Entry point for the rename action
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function rename()
-    {
-        $this->setHtmlTitle('User Management');
-
-        $database = $this->getDatabase();
-
-        $userId = WebRequest::getInt('user');
-        $user = User::getById($userId, $database);
-
-        if ($user === false || $user->isCommunityUser()) {
-            throw new ApplicationLogicException('Sorry, the user you are trying to rename could not be found.');
-        }
-
-        // Dual-mode action
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            $newUsername = WebRequest::postString('newname');
-
-            if ($newUsername === null || trim($newUsername) === "") {
-                throw new ApplicationLogicException('The new username cannot be empty');
-            }
-
-            if (User::getByUsername($newUsername, $database) != false) {
-                throw new ApplicationLogicException('The new username already exists');
-            }
-
-            $oldUsername = $user->getUsername();
-            $user->setUsername($newUsername);
-            $user->setUpdateVersion(WebRequest::postInt('updateversion'));
-
-            $user->save();
-
-            $logEntryData = serialize(array(
-                'old' => $oldUsername,
-                'new' => $newUsername,
-            ));
-
-            Logger::renamedUser($database, $user, $logEntryData);
-
-            SessionAlert::quick("Changed User "
-                . htmlentities($oldUsername, ENT_COMPAT, 'UTF-8')
-                . " name to "
-                . htmlentities($newUsername, ENT_COMPAT, 'UTF-8'));
-
-            $this->getNotificationHelper()->userRenamed($user, $oldUsername);
-
-            // send an email to the user.
-            $this->assign('targetUsername', $user->getUsername());
-            $this->assign('toolAdmin', User::getCurrent($database)->getUsername());
-            $this->assign('oldUsername', $oldUsername);
-            $this->assign('mailingList', $this->adminMailingList);
-
-            // FIXME: domains!
-            /** @var Domain $domain */
-            $domain = Domain::getById(1, $database);
-            $this->getEmailHelper()->sendMail(
-                $this->adminMailingList,
-                $user->getEmail(),
-                'Your username on WP:ACC has been changed',
-                $this->fetchTemplate('usermanagement/emails/renamed.tpl')
-            );
-
-            $this->redirect("userManagement");
-
-            return;
-        }
-        else {
-            $this->assignCSRFToken();
-            $this->setTemplate('usermanagement/renameuser.tpl');
-            $this->assign('user', $user);
-        }
-    }
-
-    /**
-     * Entry point for the edit action
-     *
-     * @throws ApplicationLogicException
-     */
-    protected function editUser()
-    {
-        $this->setHtmlTitle('User Management');
-
-        $database = $this->getDatabase();
-
-        $userId = WebRequest::getInt('user');
-        $user = User::getById($userId, $database);
-        $oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
-
-        if ($user === false || $user->isCommunityUser()) {
-            throw new ApplicationLogicException('Sorry, the user you are trying to edit could not be found.');
-        }
-
-        // FIXME: domains
-        $prefs = new PreferenceManager($database, $user->getId(), 1);
-
-        // Dual-mode action
-        if (WebRequest::wasPosted()) {
-            $this->validateCSRFToken();
-            $newEmail = WebRequest::postEmail('user_email');
-            $newOnWikiName = WebRequest::postString('user_onwikiname');
-
-            if ($newEmail === null) {
-                throw new ApplicationLogicException('Invalid email address');
-            }
-
-            if ($this->validateUnusedEmail($newEmail, $userId)) {
-                throw new ApplicationLogicException('The specified email address is already in use.');
-            }
-
-            if (!($oauth->isFullyLinked() || $oauth->isPartiallyLinked())) {
-                if (trim($newOnWikiName) == "") {
-                    throw new ApplicationLogicException('New on-wiki username cannot be blank');
-                }
-
-                $user->setOnWikiName($newOnWikiName);
-            }
-
-            $user->setEmail($newEmail);
-
-            $prefs->setLocalPreference(PreferenceManager::PREF_CREATION_MODE, WebRequest::postInt('creationmode'));
-
-            $prefs->setLocalPreference(PreferenceManager::ADMIN_PREF_PREVENT_REACTIVATION, WebRequest::postBoolean('preventReactivation'));
-
-            $user->setUpdateVersion(WebRequest::postInt('updateversion'));
-
-            $user->save();
-
-            Logger::userPreferencesChange($database, $user);
-            $this->getNotificationHelper()->userPrefChange($user);
-            SessionAlert::quick('Changes to user\'s preferences have been saved');
-
-            $this->redirect("userManagement");
-
-            return;
-        }
-        else {
-            $this->assignCSRFToken();
-            $oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(),
-                $this->getSiteConfiguration());
-            $this->setTemplate('usermanagement/edituser.tpl');
-            $this->assign('user', $user);
-            $this->assign('oauth', $oauth);
-
-            $this->assign('preferredCreationMode', (int)$prefs->getPreference(PreferenceManager::PREF_CREATION_MODE));
-            $this->assign('emailSignature', $prefs->getPreference(PreferenceManager::PREF_EMAIL_SIGNATURE));
-
-            $this->assign('preventReactivation', $prefs->getPreference(PreferenceManager::ADMIN_PREF_PREVENT_REACTIVATION) ?? false);
-
-            $this->assign('canManualCreate',
-                $this->barrierTest(PreferenceManager::CREATION_MANUAL, $user, 'RequestCreation'));
-            $this->assign('canOauthCreate',
-                $this->barrierTest(PreferenceManager::CREATION_OAUTH, $user, 'RequestCreation'));
-            $this->assign('canBotCreate',
-                $this->barrierTest(PreferenceManager::CREATION_BOT, $user, 'RequestCreation'));
-        }
-    }
-
-    #endregion
-
-    private function validateUnusedEmail(string $email, int $userId) : bool {
-        $query = 'SELECT COUNT(id) FROM user WHERE email = :email AND id <> :uid';
-        $statement = $this->getDatabase()->prepare($query);
-        $statement->execute(array(':email' => $email, ':uid' => $userId));
-        $inUse = $statement->fetchColumn() > 0;
-        $statement->closeCursor();
-
-        return $inUse;
-    }
-
-    /**
-     * Sends a status change email to the user.
-     *
-     * @param string      $subject           The subject of the email
-     * @param string      $template          The smarty template to use
-     * @param string|null $reason            The reason for performing the status change
-     * @param User        $user              The user affected
-     * @param string      $toolAdminUsername The tool admin's username who is making the edit
-     */
-    private function sendStatusChangeEmail($subject, $template, $reason, $user, $toolAdminUsername)
-    {
-        $this->assign('targetUsername', $user->getUsername());
-        $this->assign('toolAdmin', $toolAdminUsername);
-        $this->assign('actionReason', $reason);
-        $this->assign('mailingList', $this->adminMailingList);
-
-        // FIXME: domains!
-        /** @var Domain $domain */
-        $domain = Domain::getById(1, $this->getDatabase());
-        $this->getEmailHelper()->sendMail(
-            $this->adminMailingList,
-            $user->getEmail(),
-            $subject,
-            $this->fetchTemplate($template)
-        );
-    }
-
-    /**
-     * @param UserRole[] $activeRoles
-     *
-     * @return array
-     */
-    private function getRoleData($activeRoles)
-    {
-        $availableRoles = $this->getSecurityManager()->getAvailableRoles();
-
-        $currentUser = User::getCurrent($this->getDatabase());
-        $this->getSecurityManager()->getActiveRoles($currentUser, $userRoles, $inactiveRoles);
-
-        $initialValue = array('active' => 0, 'allowEdit' => 0, 'description' => '???', 'object' => null);
-
-        $roleData = array();
-        foreach ($availableRoles as $role => $data) {
-            $intersection = array_intersect($data['editableBy'], $userRoles);
-
-            $roleData[$role] = $initialValue;
-            $roleData[$role]['allowEdit'] = count($intersection) > 0 ? 1 : 0;
-            $roleData[$role]['description'] = $data['description'];
-            $roleData[$role]['globalOnly'] = $data['globalOnly'];
-        }
-
-        foreach ($activeRoles as $role) {
-            if (!isset($roleData[$role->getRole()])) {
-                // This value is no longer available in the configuration, allow changing (aka removing) it.
-                $roleData[$role->getRole()] = $initialValue;
-                $roleData[$role->getRole()]['allowEdit'] = 1;
-            }
-
-            $roleData[$role->getRole()]['object'] = $role;
-            $roleData[$role->getRole()]['active'] = 1;
-        }
-
-        return $roleData;
-    }
+		);
+
+		$oauthStatusQuery->execute([
+			':access' => OAuthUserHelper::TOKEN_ACCESS,
+			':request' => OAuthUserHelper::TOKEN_REQUEST,
+			':full' => self::OAUTH_STATE_FULL,
+			':partial' => self::OAUTH_STATE_PARTIAL,
+			':none' => self::OAUTH_STATE_NONE,
+		]);
+		$oauthStatusRawData = $oauthStatusQuery->fetchAll(PDO::FETCH_ASSOC);
+		$oauthStatusQuery->closeCursor();
+		$oauthStatusMap = [];
+
+		foreach ($oauthStatusRawData as $row) {
+			$oauthStatusMap[(int)$row['id']] = $row['status'];
+		}
+
+		return $oauthStatusMap;
+	}
+
+	/**
+	 * Main function for this page, when no specific actions are called.
+	 */
+	protected function main()
+	{
+		$this->setHtmlTitle('User Management');
+
+		$database = $this->getDatabase();
+		$currentUser = User::getCurrent($database);
+
+		$userSearchRequest = WebRequest::getString('usersearch');
+		if ($userSearchRequest !== null) {
+			$searchedUser = User::getByUsername($userSearchRequest, $database);
+			if ($searchedUser !== false) {
+				$this->redirect('statistics/users', 'detail', ['user' => $searchedUser->getId()]);
+				return;
+			}
+		}
+
+		$this->assign('oauthStatusMap', $this->getOAuthStatusMap($database));
+
+		if (WebRequest::getBoolean("showAll")) {
+			$this->assign("showAll", true);
+
+			$deactivatedUsers = UserSearchHelper::get($database)->byStatus(User::STATUS_DEACTIVATED)->fetch();
+			$this->assign('deactivatedUsers', $deactivatedUsers);
+
+			UserSearchHelper::get($database)->getRoleMap($roleMap);
+		}
+		else {
+			$this->assign("showAll", false);
+			$this->assign('deactivatedUsers', array());
+
+			UserSearchHelper::get($database)->statusIn(array('New', 'Active'))->getRoleMap($roleMap);
+		}
+
+		$newUsers = UserSearchHelper::get($database)->byStatus(User::STATUS_NEW)->fetch();
+		$normalUsers = UserSearchHelper::get($database)->byStatus(User::STATUS_ACTIVE)->byRole('user')->fetch();
+		$adminUsers = UserSearchHelper::get($database)->byStatus(User::STATUS_ACTIVE)->byRole('admin')->fetch();
+		$checkUsers = UserSearchHelper::get($database)->byStatus(User::STATUS_ACTIVE)->byRole('checkuser')->fetch();
+		$stewards = UserSearchHelper::get($database)->byStatus(User::STATUS_ACTIVE)->byRole('steward')->fetch();
+		$toolRoots = UserSearchHelper::get($database)->byStatus(User::STATUS_ACTIVE)->byRole('toolRoot')->fetch();
+		$this->assign('newUsers', $newUsers);
+		$this->assign('normalUsers', $normalUsers);
+		$this->assign('adminUsers', $adminUsers);
+		$this->assign('checkUsers', $checkUsers);
+		$this->assign('stewards', $stewards);
+		$this->assign('toolRoots', $toolRoots);
+
+		$this->assign('roles', $roleMap);
+
+		$this->addJs("/api.php?action=users&all=true&targetVariable=typeaheaddata");
+
+		$this->assign('canApprove', $this->barrierTest('approve', $currentUser));
+		$this->assign('canDeactivate', $this->barrierTest('deactivate', $currentUser));
+		$this->assign('canRename', $this->barrierTest('rename', $currentUser));
+		$this->assign('canEditUser', $this->barrierTest('editUser', $currentUser));
+		$this->assign('canEditRoles', $this->barrierTest('editRoles', $currentUser));
+
+		// FIXME: domains!
+		/** @var Domain $domain */
+		$domain = Domain::getById(1, $this->getDatabase());
+		$this->assign('mediawikiScriptPath', $domain->getWikiArticlePath());
+
+		$this->setTemplate("usermanagement/main.tpl");
+	}
+
+	#region Access control
+
+	/**
+	 * Action target for editing the roles assigned to a user
+	 *
+	 * @throws ApplicationLogicException
+	 * @throws SmartyException
+	 * @throws OptimisticLockFailedException
+	 * @throws Exception
+	 */
+	protected function editRoles(): void
+	{
+		$this->setHtmlTitle('User Management');
+		$database = $this->getDatabase();
+		$domain = Domain::getCurrent($database);
+		$userId = WebRequest::getInt('user');
+
+		/** @var User|false $user */
+		$user = User::getById($userId, $database);
+
+		if ($user === false || $user->isCommunityUser()) {
+			throw new ApplicationLogicException('Sorry, the user you are trying to edit could not be found.');
+		}
+
+		$roleData = $this->getRoleData(UserRole::getForUser($user->getId(), $database, $domain->getId()));
+
+		// Dual-mode action
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+
+			$reason = WebRequest::postString('reason');
+			if ($reason === false || trim($reason) === '') {
+				throw new ApplicationLogicException('No reason specified for roles change');
+			}
+
+			/** @var UserRole[] $delete */
+			$delete = array();
+			/** @var string[] $add */
+			$add = array();
+
+			/** @var UserRole[] $globalDelete */
+			$globalDelete = array();
+			/** @var string[] $globalAdd */
+			$globalAdd = array();
+
+			foreach ($roleData as $name => $r) {
+				if ($r['allowEdit'] !== 1) {
+					// not allowed, to touch this, so ignore it
+					continue;
+				}
+
+				$newValue = WebRequest::postBoolean('role-' . $name) ? 1 : 0;
+				if ($newValue !== $r['active']) {
+					if ($newValue === 0) {
+						if ($r['globalOnly']) {
+							$globalDelete[] = $r['object'];
+						}
+						else {
+							$delete[] = $r['object'];
+						}
+					}
+
+					if ($newValue === 1) {
+						if ($r['globalOnly']) {
+							$globalAdd[] = $name;
+						}
+						else {
+							$add[] = $name;
+						}
+					}
+				}
+			}
+
+			// Check there's something to do
+			if ((count($add) + count($delete) + count($globalAdd) + count($globalDelete)) === 0) {
+				$this->redirect('statistics/users', 'detail', array('user' => $user->getId()));
+				SessionAlert::warning('No changes made to roles.');
+
+				return;
+			}
+
+			$removed = array();
+			$globalRemoved = array();
+
+			foreach ($delete as $d) {
+				$removed[] = $d->getRole();
+				$d->delete();
+			}
+
+			foreach ($globalDelete as $d) {
+				$globalRemoved[] = $d->getRole();
+				$d->delete();
+			}
+
+			foreach ($add as $x) {
+				$a = new UserRole();
+				$a->setUser($user->getId());
+				$a->setRole($x);
+				$a->setDomain($domain->getId());
+				$a->setDatabase($database);
+				$a->save();
+			}
+
+			foreach ($globalAdd as $x) {
+				$a = new UserRole();
+				$a->setUser($user->getId());
+				$a->setRole($x);
+				$a->setDomain(null);
+				$a->setDatabase($database);
+				$a->save();
+			}
+
+			if ((count($add) + count($delete)) > 0) {
+				Logger::userRolesEdited($database, $user, $reason, $add, $removed, $domain->getId());
+			}
+
+			if ((count($globalAdd) + count($globalDelete)) > 0) {
+				Logger::userGlobalRolesEdited($database, $user, $reason, $globalAdd, $globalRemoved);
+			}
+
+			// dummy save for optimistic locking. If this fails, the entire txn will roll back.
+			$user->setUpdateVersion(WebRequest::postInt('updateversion'));
+			$user->save();
+
+			$this->getNotificationHelper()->userRolesEdited($user, $reason);
+			SessionAlert::quick('Roles changed for user ' . htmlentities($user->getUsername(), ENT_COMPAT, 'UTF-8'));
+
+			$this->redirect('statistics/users', 'detail', array('user' => $user->getId()));
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('usermanagement/roleedit.tpl');
+			$this->assign('user', $user);
+			$this->assign('roleData', $roleData);
+		}
+	}
+
+	/**
+	 * Action target for deactivating users
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function deactivate()
+	{
+		$this->setHtmlTitle('User Management');
+
+		$database = $this->getDatabase();
+
+		$userId = WebRequest::getInt('user');
+
+		/** @var User $user */
+		$user = User::getById($userId, $database);
+
+		if ($user === false || $user->isCommunityUser()) {
+			throw new ApplicationLogicException('Sorry, the user you are trying to deactivate could not be found.');
+		}
+
+		if ($user->isDeactivated()) {
+			throw new ApplicationLogicException('Sorry, the user you are trying to deactivate is already deactivated.');
+		}
+
+		// Dual-mode action
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			$reason = WebRequest::postString('reason');
+
+			if ($reason === null || trim($reason) === '') {
+				throw new ApplicationLogicException('No reason provided');
+			}
+
+			$user->setStatus(User::STATUS_DEACTIVATED);
+			$user->setUpdateVersion(WebRequest::postInt('updateversion'));
+			$user->save();
+			Logger::deactivatedUser($database, $user, $reason);
+
+			$this->getNotificationHelper()->userDeactivated($user);
+			SessionAlert::quick('Deactivated user ' . htmlentities($user->getUsername(), ENT_COMPAT, 'UTF-8'));
+
+			// send email
+			$this->sendStatusChangeEmail(
+				'Your WP:ACC account has been deactivated',
+				'usermanagement/emails/deactivated.tpl',
+				$reason,
+				$user,
+				User::getCurrent($database)->getUsername()
+			);
+
+			$this->redirect('userManagement');
+
+			return;
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('usermanagement/changelevel-reason.tpl');
+			$this->assign('user', $user);
+			$this->assign('status', User::STATUS_DEACTIVATED);
+			$this->assign("showReason", true);
+
+			if (WebRequest::getString('preload')) {
+				$this->assign('preload', WebRequest::getString('preload'));
+			}
+		}
+	}
+
+	/**
+	 * Entry point for the approve action
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function approve()
+	{
+		$this->setHtmlTitle('User Management');
+
+		$database = $this->getDatabase();
+
+		$userId = WebRequest::getInt('user');
+		$user = User::getById($userId, $database);
+
+		if ($user === false || $user->isCommunityUser()) {
+			throw new ApplicationLogicException('Sorry, the user you are trying to approve could not be found.');
+		}
+
+		if ($user->isActive()) {
+			throw new ApplicationLogicException('Sorry, the user you are trying to approve is already an active user.');
+		}
+
+		// Dual-mode action
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			$user->setStatus(User::STATUS_ACTIVE);
+			$user->setUpdateVersion(WebRequest::postInt('updateversion'));
+			$user->save();
+			Logger::approvedUser($database, $user);
+
+			$this->getNotificationHelper()->userApproved($user);
+			SessionAlert::quick('Approved user ' . htmlentities($user->getUsername(), ENT_COMPAT, 'UTF-8'));
+
+			// send email
+			$this->sendStatusChangeEmail(
+				'Your WP:ACC account has been approved',
+				'usermanagement/emails/approved.tpl',
+				null,
+				$user,
+				User::getCurrent($database)->getUsername()
+			);
+
+			$this->redirect("userManagement");
+
+			return;
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate("usermanagement/changelevel-reason.tpl");
+			$this->assign("user", $user);
+			$this->assign("status", "Active");
+			$this->assign("showReason", false);
+		}
+	}
+
+	#endregion
+
+	#region Renaming / Editing
+
+	/**
+	 * Entry point for the rename action
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function rename()
+	{
+		$this->setHtmlTitle('User Management');
+
+		$database = $this->getDatabase();
+
+		$userId = WebRequest::getInt('user');
+		$user = User::getById($userId, $database);
+
+		if ($user === false || $user->isCommunityUser()) {
+			throw new ApplicationLogicException('Sorry, the user you are trying to rename could not be found.');
+		}
+
+		// Dual-mode action
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			$newUsername = WebRequest::postString('newname');
+
+			if ($newUsername === null || trim($newUsername) === "") {
+				throw new ApplicationLogicException('The new username cannot be empty');
+			}
+
+			if (User::getByUsername($newUsername, $database) != false) {
+				throw new ApplicationLogicException('The new username already exists');
+			}
+
+			$oldUsername = $user->getUsername();
+			$user->setUsername($newUsername);
+			$user->setUpdateVersion(WebRequest::postInt('updateversion'));
+
+			$user->save();
+
+			$logEntryData = serialize(array(
+				'old' => $oldUsername,
+				'new' => $newUsername,
+			));
+
+			Logger::renamedUser($database, $user, $logEntryData);
+
+			SessionAlert::quick("Changed User "
+				. htmlentities($oldUsername, ENT_COMPAT, 'UTF-8')
+				. " name to "
+				. htmlentities($newUsername, ENT_COMPAT, 'UTF-8'));
+
+			$this->getNotificationHelper()->userRenamed($user, $oldUsername);
+
+			// send an email to the user.
+			$this->assign('targetUsername', $user->getUsername());
+			$this->assign('toolAdmin', User::getCurrent($database)->getUsername());
+			$this->assign('oldUsername', $oldUsername);
+			$this->assign('mailingList', $this->adminMailingList);
+
+			// FIXME: domains!
+			/** @var Domain $domain */
+			$domain = Domain::getById(1, $database);
+			$this->getEmailHelper()->sendMail(
+				$this->adminMailingList,
+				$user->getEmail(),
+				'Your username on WP:ACC has been changed',
+				$this->fetchTemplate('usermanagement/emails/renamed.tpl')
+			);
+
+			$this->redirect("userManagement");
+
+			return;
+		}
+		else {
+			$this->assignCSRFToken();
+			$this->setTemplate('usermanagement/renameuser.tpl');
+			$this->assign('user', $user);
+		}
+	}
+
+	/**
+	 * Entry point for the edit action
+	 *
+	 * @throws ApplicationLogicException
+	 */
+	protected function editUser()
+	{
+		$this->setHtmlTitle('User Management');
+
+		$database = $this->getDatabase();
+
+		$userId = WebRequest::getInt('user');
+		$user = User::getById($userId, $database);
+		$oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
+
+		if ($user === false || $user->isCommunityUser()) {
+			throw new ApplicationLogicException('Sorry, the user you are trying to edit could not be found.');
+		}
+
+		// FIXME: domains
+		$prefs = new PreferenceManager($database, $user->getId(), 1);
+
+		// Dual-mode action
+		if (WebRequest::wasPosted()) {
+			$this->validateCSRFToken();
+			$newEmail = WebRequest::postEmail('user_email');
+			$newOnWikiName = WebRequest::postString('user_onwikiname');
+
+			if ($newEmail === null) {
+				throw new ApplicationLogicException('Invalid email address');
+			}
+
+			if ($this->validateUnusedEmail($newEmail, $userId)) {
+				throw new ApplicationLogicException('The specified email address is already in use.');
+			}
+
+			if (!($oauth->isFullyLinked() || $oauth->isPartiallyLinked())) {
+				if (trim($newOnWikiName) == "") {
+					throw new ApplicationLogicException('New on-wiki username cannot be blank');
+				}
+
+				$user->setOnWikiName($newOnWikiName);
+			}
+
+			$user->setEmail($newEmail);
+
+			$prefs->setLocalPreference(PreferenceManager::PREF_CREATION_MODE, WebRequest::postInt('creationmode'));
+
+			$prefs->setLocalPreference(PreferenceManager::ADMIN_PREF_PREVENT_REACTIVATION, WebRequest::postBoolean('preventReactivation'));
+
+			$user->setUpdateVersion(WebRequest::postInt('updateversion'));
+
+			$user->save();
+
+			Logger::userPreferencesChange($database, $user);
+			$this->getNotificationHelper()->userPrefChange($user);
+			SessionAlert::quick('Changes to user\'s preferences have been saved');
+
+			$this->redirect("userManagement");
+
+			return;
+		}
+		else {
+			$this->assignCSRFToken();
+			$oauth = new OAuthUserHelper($user, $database, $this->getOAuthProtocolHelper(),
+				$this->getSiteConfiguration());
+			$this->setTemplate('usermanagement/edituser.tpl');
+			$this->assign('user', $user);
+			$this->assign('oauth', $oauth);
+
+			$this->assign('preferredCreationMode', (int)$prefs->getPreference(PreferenceManager::PREF_CREATION_MODE));
+			$this->assign('emailSignature', $prefs->getPreference(PreferenceManager::PREF_EMAIL_SIGNATURE));
+
+			$this->assign('preventReactivation', $prefs->getPreference(PreferenceManager::ADMIN_PREF_PREVENT_REACTIVATION) ?? false);
+
+			$this->assign('canManualCreate',
+				$this->barrierTest(PreferenceManager::CREATION_MANUAL, $user, 'RequestCreation'));
+			$this->assign('canOauthCreate',
+				$this->barrierTest(PreferenceManager::CREATION_OAUTH, $user, 'RequestCreation'));
+			$this->assign('canBotCreate',
+				$this->barrierTest(PreferenceManager::CREATION_BOT, $user, 'RequestCreation'));
+		}
+	}
+
+	#endregion
+
+	private function validateUnusedEmail(string $email, int $userId) : bool {
+		$query = 'SELECT COUNT(id) FROM user WHERE email = :email AND id <> :uid';
+		$statement = $this->getDatabase()->prepare($query);
+		$statement->execute(array(':email' => $email, ':uid' => $userId));
+		$inUse = $statement->fetchColumn() > 0;
+		$statement->closeCursor();
+
+		return $inUse;
+	}
+
+	/**
+	 * Sends a status change email to the user.
+	 *
+	 * @param string      $subject           The subject of the email
+	 * @param string      $template          The smarty template to use
+	 * @param string|null $reason            The reason for performing the status change
+	 * @param User        $user              The user affected
+	 * @param string      $toolAdminUsername The tool admin's username who is making the edit
+	 */
+	private function sendStatusChangeEmail($subject, $template, $reason, $user, $toolAdminUsername)
+	{
+		$this->assign('targetUsername', $user->getUsername());
+		$this->assign('toolAdmin', $toolAdminUsername);
+		$this->assign('actionReason', $reason);
+		$this->assign('mailingList', $this->adminMailingList);
+
+		// FIXME: domains!
+		/** @var Domain $domain */
+		$domain = Domain::getById(1, $this->getDatabase());
+		$this->getEmailHelper()->sendMail(
+			$this->adminMailingList,
+			$user->getEmail(),
+			$subject,
+			$this->fetchTemplate($template)
+		);
+	}
+
+	/**
+	 * @param UserRole[] $activeRoles
+	 *
+	 * @return array
+	 */
+	private function getRoleData($activeRoles)
+	{
+		$availableRoles = $this->getSecurityManager()->getAvailableRoles();
+
+		$currentUser = User::getCurrent($this->getDatabase());
+		$this->getSecurityManager()->getActiveRoles($currentUser, $userRoles, $inactiveRoles);
+
+		$initialValue = array('active' => 0, 'allowEdit' => 0, 'description' => '???', 'object' => null);
+
+		$roleData = array();
+		foreach ($availableRoles as $role => $data) {
+			$intersection = array_intersect($data['editableBy'], $userRoles);
+
+			$roleData[$role] = $initialValue;
+			$roleData[$role]['allowEdit'] = count($intersection) > 0 ? 1 : 0;
+			$roleData[$role]['description'] = $data['description'];
+			$roleData[$role]['globalOnly'] = $data['globalOnly'];
+		}
+
+		foreach ($activeRoles as $role) {
+			if (!isset($roleData[$role->getRole()])) {
+				// This value is no longer available in the configuration, allow changing (aka removing) it.
+				$roleData[$role->getRole()] = $initialValue;
+				$roleData[$role->getRole()]['allowEdit'] = 1;
+			}
+
+			$roleData[$role->getRole()]['object'] = $role;
+			$roleData[$role->getRole()]['active'] = 1;
+		}
+
+		return $roleData;
+	}
 }

includes/Helpers/OAuthUserHelper.php

Indentation +452 added lines, -452 removed lines

@@ -26,460 +26,460 @@
 
 class OAuthUserHelper implements IMediaWikiClient
 {
-    const TOKEN_REQUEST = 'request';
-    const TOKEN_ACCESS = 'access';
-    /** @var PDOStatement */
-    private static $tokenCountStatement = null;
-    /** @var PDOStatement */
-    private $getTokenStatement;
-    /**
-     * @var User
-     */
-    private $user;
-    /**
-     * @var PdoDatabase
-     */
-    private $database;
-    /**
-     * @var IOAuthProtocolHelper
-     */
-    private $oauthProtocolHelper;
-    /**
-     * @var bool|null Is the user linked to OAuth
-     */
-    private $linked;
-    private $partiallyLinked;
-    /** @var OAuthToken */
-    private $accessToken;
-    /** @var bool */
-    private $accessTokenLoaded = false;
-    /**
-     * @var OAuthIdentity
-     */
-    private $identity = null;
-    /**
-     * @var bool
-     */
-    private $identityLoaded = false;
-    /**
-     * @var SiteConfiguration
-     */
-    private $siteConfiguration;
-
-    private $legacyTokens;
-
-    #region Static methods
-
-    public static function findUserByRequestToken($requestToken, PdoDatabase $database)
-    {
-        $statement = $database->prepare(<<<'SQL'
+	const TOKEN_REQUEST = 'request';
+	const TOKEN_ACCESS = 'access';
+	/** @var PDOStatement */
+	private static $tokenCountStatement = null;
+	/** @var PDOStatement */
+	private $getTokenStatement;
+	/**
+	 * @var User
+	 */
+	private $user;
+	/**
+	 * @var PdoDatabase
+	 */
+	private $database;
+	/**
+	 * @var IOAuthProtocolHelper
+	 */
+	private $oauthProtocolHelper;
+	/**
+	 * @var bool|null Is the user linked to OAuth
+	 */
+	private $linked;
+	private $partiallyLinked;
+	/** @var OAuthToken */
+	private $accessToken;
+	/** @var bool */
+	private $accessTokenLoaded = false;
+	/**
+	 * @var OAuthIdentity
+	 */
+	private $identity = null;
+	/**
+	 * @var bool
+	 */
+	private $identityLoaded = false;
+	/**
+	 * @var SiteConfiguration
+	 */
+	private $siteConfiguration;
+
+	private $legacyTokens;
+
+	#region Static methods
+
+	public static function findUserByRequestToken($requestToken, PdoDatabase $database)
+	{
+		$statement = $database->prepare(<<<'SQL'
             SELECT u.* FROM user u 
             INNER JOIN oauthtoken t ON t.user = u.id 
             WHERE t.type = :type AND t.token = :token
 SQL
-        );
-        $statement->execute(array(':type' => self::TOKEN_REQUEST, ':token' => $requestToken));
-
-        /** @var User $user */
-        $user = $statement->fetchObject(User::class);
-        $statement->closeCursor();
-
-        if ($user === false) {
-            throw new ApplicationLogicException('Token not found in store, please try again');
-        }
-
-        $user->setDatabase($database);
-
-        return $user;
-    }
-
-    private static function userIsFullyLinked(User $user, PdoDatabase $database = null)
-    {
-        if (self::$tokenCountStatement === null && $database === null) {
-            throw new ApplicationLogicException('Static link request without initialised statement');
-        }
-
-        return self::runTokenCount($user->getId(), $database, self::TOKEN_ACCESS);
-    }
-
-    private static function userIsPartiallyLinked(User $user, PdoDatabase $database = null)
-    {
-        if (self::$tokenCountStatement === null && $database === null) {
-            throw new ApplicationLogicException('Static link request without initialised statement');
-        }
-
-        if (self::userIsFullyLinked($user, $database)) {
-            return false;
-        }
-
-        return self::runTokenCount($user->getId(), $database, self::TOKEN_REQUEST)
-            || $user->getOnWikiName() == null;
-    }
-
-    /**
-     * @param PdoDatabase $database
-     */
-    private static function prepareTokenCountStatement(PdoDatabase $database)
-    {
-        if (self::$tokenCountStatement === null) {
-            self::$tokenCountStatement = $database->prepare('SELECT COUNT(*) FROM oauthtoken WHERE user = :user AND type = :type');
-        }
-    }
-
-    private static function runTokenCount($userId, $database, $tokenType)
-    {
-        if (self::$tokenCountStatement === null) {
-            self::prepareTokenCountStatement($database);
-        }
-
-        self::$tokenCountStatement->execute(array(
-            ':user' => $userId,
-            ':type' => $tokenType,
-        ));
-
-        $tokenCount = self::$tokenCountStatement->fetchColumn();
-        $linked = $tokenCount > 0;
-        self::$tokenCountStatement->closeCursor();
-
-        return $linked;
-    }
-
-    #endregion Static methods
-
-    /**
-     * OAuthUserHelper constructor.
-     *
-     * @param User                 $user
-     * @param PdoDatabase          $database
-     * @param IOAuthProtocolHelper $oauthProtocolHelper
-     * @param SiteConfiguration    $siteConfiguration
-     */
-    public function __construct(
-        User $user,
-        PdoDatabase $database,
-        IOAuthProtocolHelper $oauthProtocolHelper,
-        SiteConfiguration $siteConfiguration
-    ) {
-        $this->user = $user;
-        $this->database = $database;
-        $this->oauthProtocolHelper = $oauthProtocolHelper;
-
-        $this->linked = null;
-        $this->partiallyLinked = null;
-        $this->siteConfiguration = $siteConfiguration;
-
-        self::prepareTokenCountStatement($database);
-        $this->getTokenStatement = $this->database->prepare('SELECT * FROM oauthtoken WHERE user = :user AND type = :type');
-
-        $this->legacyTokens = $this->siteConfiguration->getOauthLegacyConsumerTokens();
-    }
-
-    /**
-     * Determines if the user is fully connected to OAuth.
-     *
-     * @return bool
-     */
-    public function isFullyLinked()
-    {
-        if ($this->linked === null) {
-            $this->linked = self::userIsFullyLinked($this->user, $this->database);
-        }
-
-        return $this->linked;
-    }
-
-    /**
-     * Attempts to figure out if a user is partially linked to OAuth, and therefore needs to complete the OAuth
-     * procedure before configuring.
-     * @return bool
-     */
-    public function isPartiallyLinked()
-    {
-        if ($this->partiallyLinked === null) {
-            $this->partiallyLinked = self::userIsPartiallyLinked($this->user, $this->database);
-        }
-
-        return $this->partiallyLinked;
-    }
-
-    public function canCreateAccount()
-    {
-        return $this->isFullyLinked()
-            && $this->getIdentity(true)->getGrantBasic()
-            && $this->getIdentity(true)->getGrantHighVolume()
-            && $this->getIdentity(true)->getGrantCreateAccount();
-    }
-
-    public function canWelcome()
-    {
-        return $this->isFullyLinked()
-            && $this->getIdentity(true)->getGrantBasic()
-            && $this->getIdentity(true)->getGrantHighVolume()
-            && $this->getIdentity(true)->getGrantCreateEditMovePage();
-    }
-
-    /**
-     * @throws OAuthException
-     * @throws CurlException
-     * @throws OptimisticLockFailedException
-     * @throws Exception
-     */
-    public function refreshIdentity()
-    {
-        $this->loadIdentity();
-
-        if ($this->identity === null) {
-            $this->identity = new OAuthIdentity();
-            $this->identity->setUserId($this->user->getId());
-            $this->identity->setDatabase($this->database);
-        }
-
-        $token = $this->loadAccessToken();
-
-        try {
-            $rawTicket = $this->oauthProtocolHelper->getIdentityTicket($token->getToken(), $token->getSecret());
-        }
-        catch (Exception $ex) {
-            if (strpos($ex->getMessage(), "mwoauthdatastore-access-token-not-found") !== false) {
-                throw new OAuthException('No approved grants for this access token.', -1, $ex);
-            }
-
-            throw $ex;
-        }
-
-        $this->identity->populate($rawTicket);
-
-        if (!$this->identityIsValid()) {
-            throw new OAuthException('Identity ticket is not valid!');
-        }
-
-        $this->identity->save();
-
-        $this->user->setOnWikiName($this->identity->getUsername());
-        $this->user->save();
-    }
-
-    /**
-     * @return string
-     * @throws CurlException
-     */
-    public function getRequestToken()
-    {
-        $token = $this->oauthProtocolHelper->getRequestToken();
-
-        $this->partiallyLinked = true;
-        $this->linked = false;
-
-        $this->database
-            ->prepare('DELETE FROM oauthtoken WHERE user = :user AND type = :type')
-            ->execute(array(':user' => $this->user->getId(), ':type' => self::TOKEN_REQUEST));
-
-        $this->database
-            ->prepare('INSERT INTO oauthtoken (user, type, token, secret, expiry) VALUES (:user, :type, :token, :secret, DATE_ADD(NOW(), INTERVAL 1 DAY))')
-            ->execute(array(
-                ':user'   => $this->user->getId(),
-                ':type'   => self::TOKEN_REQUEST,
-                ':token'  => $token->key,
-                ':secret' => $token->secret,
-            ));
-
-        return $this->oauthProtocolHelper->getAuthoriseUrl($token->key);
-    }
-
-    /**
-     * @param $verificationToken
-     *
-     * @throws ApplicationLogicException
-     * @throws CurlException
-     * @throws OAuthException
-     * @throws OptimisticLockFailedException
-     */
-    public function completeHandshake($verificationToken)
-    {
-        $this->getTokenStatement->execute(array(':user' => $this->user->getId(), ':type' => self::TOKEN_REQUEST));
-
-        /** @var OAuthToken $token */
-        $token = $this->getTokenStatement->fetchObject(OAuthToken::class);
-        $this->getTokenStatement->closeCursor();
-
-        if ($token === false) {
-            throw new ApplicationLogicException('Cannot find request token');
-        }
-
-        $token->setDatabase($this->database);
-
-        $accessToken = $this->oauthProtocolHelper->callbackCompleted($token->getToken(), $token->getSecret(),
-            $verificationToken);
-
-        $clearStatement = $this->database->prepare('DELETE FROM oauthtoken WHERE user = :u AND type = :t');
-        $clearStatement->execute(array(':u' => $this->user->getId(), ':t' => self::TOKEN_ACCESS));
-
-        $token->setToken($accessToken->key);
-        $token->setSecret($accessToken->secret);
-        $token->setType(self::TOKEN_ACCESS);
-        $token->setExpiry(null);
-        $token->save();
-
-        $this->partiallyLinked = false;
-        $this->linked = true;
-
-        $this->refreshIdentity();
-    }
-
-    public function detach()
-    {
-        $this->loadIdentity();
-
-        $this->identity->delete();
-        $statement = $this->database->prepare('DELETE FROM oauthtoken WHERE user = :user');
-        $statement->execute(array(':user' => $this->user->getId()));
-
-        $this->identity = null;
-        $this->linked = false;
-        $this->partiallyLinked = false;
-    }
-
-    /**
-     * @param bool $expiredOk
-     *
-     * @return OAuthIdentity
-     * @throws OAuthException
-     */
-    public function getIdentity($expiredOk = false)
-    {
-        $this->loadIdentity();
-
-        if (!$this->identityIsValid($expiredOk)) {
-            throw new OAuthException('Stored identity is not valid.');
-        }
-
-        return $this->identity;
-    }
-
-    public function doApiCall($params, $method)
-    {
-        // Ensure we're logged in
-        $params['assert'] = 'user';
-
-        $token = $this->loadAccessToken();
-        return $this->oauthProtocolHelper->apiCall($params, $token->getToken(), $token->getSecret(), $method);
-    }
-
-    /**
-     * @param bool $expiredOk
-     *
-     * @return bool
-     */
-    private function identityIsValid($expiredOk = false)
-    {
-        $this->loadIdentity();
-
-        if ($this->identity === null) {
-            return false;
-        }
-
-        if ($this->identity->getIssuedAtTime() === false
-            || $this->identity->getExpirationTime() === false
-            || $this->identity->getAudience() === false
-            || $this->identity->getIssuer() === false
-        ) {
-            // this isn't populated properly.
-            return false;
-        }
-
-        $issue = DateTimeImmutable::createFromFormat("U", $this->identity->getIssuedAtTime());
-        $now = new DateTimeImmutable();
-
-        if ($issue > $now) {
-            // wat.
-            return false;
-        }
-
-        if ($this->identityExpired() && !$expiredOk) {
-            // soz.
-            return false;
-        }
-
-        if ($this->identity->getAudience() !== $this->siteConfiguration->getOAuthConsumerToken()) {
-            // token not issued for us
-
-            // we allow cases where the cache is expired and the cache is for a legacy token
-            if (!($expiredOk && in_array($this->identity->getAudience(), $this->legacyTokens))) {
-                return false;
-            }
-        }
-
-        if ($this->identity->getIssuer() !== $this->siteConfiguration->getOauthMediaWikiCanonicalServer()) {
-            // token not issued by the right person
-            return false;
-        }
-
-        // can't find a reason to not trust it
-        return true;
-    }
-
-    /**
-     * @return bool
-     */
-    public function identityExpired()
-    {
-        // allowed max age
-        $gracePeriod = $this->siteConfiguration->getOauthIdentityGraceTime();
-
-        $expiry = DateTimeImmutable::createFromFormat("U", $this->identity->getExpirationTime());
-        $graceExpiry = $expiry->modify($gracePeriod);
-        $now = new DateTimeImmutable();
-
-        return $graceExpiry < $now;
-    }
-
-    /**
-     * Loads the OAuth identity from the database for the current user.
-     */
-    private function loadIdentity()
-    {
-        if ($this->identityLoaded) {
-            return;
-        }
-
-        $statement = $this->database->prepare('SELECT * FROM oauthidentity WHERE user = :user');
-        $statement->execute(array(':user' => $this->user->getId()));
-        /** @var OAuthIdentity $obj */
-        $obj = $statement->fetchObject(OAuthIdentity::class);
-
-        if ($obj === false) {
-            // failed to load identity.
-            $this->identityLoaded = true;
-            $this->identity = null;
-
-            return;
-        }
-
-        $obj->setDatabase($this->database);
-        $this->identityLoaded = true;
-        $this->identity = $obj;
-    }
-
-    /**
-     * @return OAuthToken
-     * @throws OAuthException
-     */
-    private function loadAccessToken()
-    {
-        if (!$this->accessTokenLoaded) {
-            $this->getTokenStatement->execute(array(':user' => $this->user->getId(), ':type' => self::TOKEN_ACCESS));
-            /** @var OAuthToken $token */
-            $token = $this->getTokenStatement->fetchObject(OAuthToken::class);
-            $this->getTokenStatement->closeCursor();
-
-            if ($token === false) {
-                throw new OAuthException('Access token not found!');
-            }
-
-            $this->accessToken = $token;
-            $this->accessTokenLoaded = true;
-        }
-
-        return $this->accessToken;
-    }
+		);
+		$statement->execute(array(':type' => self::TOKEN_REQUEST, ':token' => $requestToken));
+
+		/** @var User $user */
+		$user = $statement->fetchObject(User::class);
+		$statement->closeCursor();
+
+		if ($user === false) {
+			throw new ApplicationLogicException('Token not found in store, please try again');
+		}
+
+		$user->setDatabase($database);
+
+		return $user;
+	}
+
+	private static function userIsFullyLinked(User $user, PdoDatabase $database = null)
+	{
+		if (self::$tokenCountStatement === null && $database === null) {
+			throw new ApplicationLogicException('Static link request without initialised statement');
+		}
+
+		return self::runTokenCount($user->getId(), $database, self::TOKEN_ACCESS);
+	}
+
+	private static function userIsPartiallyLinked(User $user, PdoDatabase $database = null)
+	{
+		if (self::$tokenCountStatement === null && $database === null) {
+			throw new ApplicationLogicException('Static link request without initialised statement');
+		}
+
+		if (self::userIsFullyLinked($user, $database)) {
+			return false;
+		}
+
+		return self::runTokenCount($user->getId(), $database, self::TOKEN_REQUEST)
+			|| $user->getOnWikiName() == null;
+	}
+
+	/**
+	 * @param PdoDatabase $database
+	 */
+	private static function prepareTokenCountStatement(PdoDatabase $database)
+	{
+		if (self::$tokenCountStatement === null) {
+			self::$tokenCountStatement = $database->prepare('SELECT COUNT(*) FROM oauthtoken WHERE user = :user AND type = :type');
+		}
+	}
+
+	private static function runTokenCount($userId, $database, $tokenType)
+	{
+		if (self::$tokenCountStatement === null) {
+			self::prepareTokenCountStatement($database);
+		}
+
+		self::$tokenCountStatement->execute(array(
+			':user' => $userId,
+			':type' => $tokenType,
+		));
+
+		$tokenCount = self::$tokenCountStatement->fetchColumn();
+		$linked = $tokenCount > 0;
+		self::$tokenCountStatement->closeCursor();
+
+		return $linked;
+	}
+
+	#endregion Static methods
+
+	/**
+	 * OAuthUserHelper constructor.
+	 *
+	 * @param User                 $user
+	 * @param PdoDatabase          $database
+	 * @param IOAuthProtocolHelper $oauthProtocolHelper
+	 * @param SiteConfiguration    $siteConfiguration
+	 */
+	public function __construct(
+		User $user,
+		PdoDatabase $database,
+		IOAuthProtocolHelper $oauthProtocolHelper,
+		SiteConfiguration $siteConfiguration
+	) {
+		$this->user = $user;
+		$this->database = $database;
+		$this->oauthProtocolHelper = $oauthProtocolHelper;
+
+		$this->linked = null;
+		$this->partiallyLinked = null;
+		$this->siteConfiguration = $siteConfiguration;
+
+		self::prepareTokenCountStatement($database);
+		$this->getTokenStatement = $this->database->prepare('SELECT * FROM oauthtoken WHERE user = :user AND type = :type');
+
+		$this->legacyTokens = $this->siteConfiguration->getOauthLegacyConsumerTokens();
+	}
+
+	/**
+	 * Determines if the user is fully connected to OAuth.
+	 *
+	 * @return bool
+	 */
+	public function isFullyLinked()
+	{
+		if ($this->linked === null) {
+			$this->linked = self::userIsFullyLinked($this->user, $this->database);
+		}
+
+		return $this->linked;
+	}
+
+	/**
+	 * Attempts to figure out if a user is partially linked to OAuth, and therefore needs to complete the OAuth
+	 * procedure before configuring.
+	 * @return bool
+	 */
+	public function isPartiallyLinked()
+	{
+		if ($this->partiallyLinked === null) {
+			$this->partiallyLinked = self::userIsPartiallyLinked($this->user, $this->database);
+		}
+
+		return $this->partiallyLinked;
+	}
+
+	public function canCreateAccount()
+	{
+		return $this->isFullyLinked()
+			&& $this->getIdentity(true)->getGrantBasic()
+			&& $this->getIdentity(true)->getGrantHighVolume()
+			&& $this->getIdentity(true)->getGrantCreateAccount();
+	}
+
+	public function canWelcome()
+	{
+		return $this->isFullyLinked()
+			&& $this->getIdentity(true)->getGrantBasic()
+			&& $this->getIdentity(true)->getGrantHighVolume()
+			&& $this->getIdentity(true)->getGrantCreateEditMovePage();
+	}
+
+	/**
+	 * @throws OAuthException
+	 * @throws CurlException
+	 * @throws OptimisticLockFailedException
+	 * @throws Exception
+	 */
+	public function refreshIdentity()
+	{
+		$this->loadIdentity();
+
+		if ($this->identity === null) {
+			$this->identity = new OAuthIdentity();
+			$this->identity->setUserId($this->user->getId());
+			$this->identity->setDatabase($this->database);
+		}
+
+		$token = $this->loadAccessToken();
+
+		try {
+			$rawTicket = $this->oauthProtocolHelper->getIdentityTicket($token->getToken(), $token->getSecret());
+		}
+		catch (Exception $ex) {
+			if (strpos($ex->getMessage(), "mwoauthdatastore-access-token-not-found") !== false) {
+				throw new OAuthException('No approved grants for this access token.', -1, $ex);
+			}
+
+			throw $ex;
+		}
+
+		$this->identity->populate($rawTicket);
+
+		if (!$this->identityIsValid()) {
+			throw new OAuthException('Identity ticket is not valid!');
+		}
+
+		$this->identity->save();
+
+		$this->user->setOnWikiName($this->identity->getUsername());
+		$this->user->save();
+	}
+
+	/**
+	 * @return string
+	 * @throws CurlException
+	 */
+	public function getRequestToken()
+	{
+		$token = $this->oauthProtocolHelper->getRequestToken();
+
+		$this->partiallyLinked = true;
+		$this->linked = false;
+
+		$this->database
+			->prepare('DELETE FROM oauthtoken WHERE user = :user AND type = :type')
+			->execute(array(':user' => $this->user->getId(), ':type' => self::TOKEN_REQUEST));
+
+		$this->database
+			->prepare('INSERT INTO oauthtoken (user, type, token, secret, expiry) VALUES (:user, :type, :token, :secret, DATE_ADD(NOW(), INTERVAL 1 DAY))')
+			->execute(array(
+				':user'   => $this->user->getId(),
+				':type'   => self::TOKEN_REQUEST,
+				':token'  => $token->key,
+				':secret' => $token->secret,
+			));
+
+		return $this->oauthProtocolHelper->getAuthoriseUrl($token->key);
+	}
+
+	/**
+	 * @param $verificationToken
+	 *
+	 * @throws ApplicationLogicException
+	 * @throws CurlException
+	 * @throws OAuthException
+	 * @throws OptimisticLockFailedException
+	 */
+	public function completeHandshake($verificationToken)
+	{
+		$this->getTokenStatement->execute(array(':user' => $this->user->getId(), ':type' => self::TOKEN_REQUEST));
+
+		/** @var OAuthToken $token */
+		$token = $this->getTokenStatement->fetchObject(OAuthToken::class);
+		$this->getTokenStatement->closeCursor();
+
+		if ($token === false) {
+			throw new ApplicationLogicException('Cannot find request token');
+		}
+
+		$token->setDatabase($this->database);
+
+		$accessToken = $this->oauthProtocolHelper->callbackCompleted($token->getToken(), $token->getSecret(),
+			$verificationToken);
+
+		$clearStatement = $this->database->prepare('DELETE FROM oauthtoken WHERE user = :u AND type = :t');
+		$clearStatement->execute(array(':u' => $this->user->getId(), ':t' => self::TOKEN_ACCESS));
+
+		$token->setToken($accessToken->key);
+		$token->setSecret($accessToken->secret);
+		$token->setType(self::TOKEN_ACCESS);
+		$token->setExpiry(null);
+		$token->save();
+
+		$this->partiallyLinked = false;
+		$this->linked = true;
+
+		$this->refreshIdentity();
+	}
+
+	public function detach()
+	{
+		$this->loadIdentity();
+
+		$this->identity->delete();
+		$statement = $this->database->prepare('DELETE FROM oauthtoken WHERE user = :user');
+		$statement->execute(array(':user' => $this->user->getId()));
+
+		$this->identity = null;
+		$this->linked = false;
+		$this->partiallyLinked = false;
+	}
+
+	/**
+	 * @param bool $expiredOk
+	 *
+	 * @return OAuthIdentity
+	 * @throws OAuthException
+	 */
+	public function getIdentity($expiredOk = false)
+	{
+		$this->loadIdentity();
+
+		if (!$this->identityIsValid($expiredOk)) {
+			throw new OAuthException('Stored identity is not valid.');
+		}
+
+		return $this->identity;
+	}
+
+	public function doApiCall($params, $method)
+	{
+		// Ensure we're logged in
+		$params['assert'] = 'user';
+
+		$token = $this->loadAccessToken();
+		return $this->oauthProtocolHelper->apiCall($params, $token->getToken(), $token->getSecret(), $method);
+	}
+
+	/**
+	 * @param bool $expiredOk
+	 *
+	 * @return bool
+	 */
+	private function identityIsValid($expiredOk = false)
+	{
+		$this->loadIdentity();
+
+		if ($this->identity === null) {
+			return false;
+		}
+
+		if ($this->identity->getIssuedAtTime() === false
+			|| $this->identity->getExpirationTime() === false
+			|| $this->identity->getAudience() === false
+			|| $this->identity->getIssuer() === false
+		) {
+			// this isn't populated properly.
+			return false;
+		}
+
+		$issue = DateTimeImmutable::createFromFormat("U", $this->identity->getIssuedAtTime());
+		$now = new DateTimeImmutable();
+
+		if ($issue > $now) {
+			// wat.
+			return false;
+		}
+
+		if ($this->identityExpired() && !$expiredOk) {
+			// soz.
+			return false;
+		}
+
+		if ($this->identity->getAudience() !== $this->siteConfiguration->getOAuthConsumerToken()) {
+			// token not issued for us
+
+			// we allow cases where the cache is expired and the cache is for a legacy token
+			if (!($expiredOk && in_array($this->identity->getAudience(), $this->legacyTokens))) {
+				return false;
+			}
+		}
+
+		if ($this->identity->getIssuer() !== $this->siteConfiguration->getOauthMediaWikiCanonicalServer()) {
+			// token not issued by the right person
+			return false;
+		}
+
+		// can't find a reason to not trust it
+		return true;
+	}
+
+	/**
+	 * @return bool
+	 */
+	public function identityExpired()
+	{
+		// allowed max age
+		$gracePeriod = $this->siteConfiguration->getOauthIdentityGraceTime();
+
+		$expiry = DateTimeImmutable::createFromFormat("U", $this->identity->getExpirationTime());
+		$graceExpiry = $expiry->modify($gracePeriod);
+		$now = new DateTimeImmutable();
+
+		return $graceExpiry < $now;
+	}
+
+	/**
+	 * Loads the OAuth identity from the database for the current user.
+	 */
+	private function loadIdentity()
+	{
+		if ($this->identityLoaded) {
+			return;
+		}
+
+		$statement = $this->database->prepare('SELECT * FROM oauthidentity WHERE user = :user');
+		$statement->execute(array(':user' => $this->user->getId()));
+		/** @var OAuthIdentity $obj */
+		$obj = $statement->fetchObject(OAuthIdentity::class);
+
+		if ($obj === false) {
+			// failed to load identity.
+			$this->identityLoaded = true;
+			$this->identity = null;
+
+			return;
+		}
+
+		$obj->setDatabase($this->database);
+		$this->identityLoaded = true;
+		$this->identity = $obj;
+	}
+
+	/**
+	 * @return OAuthToken
+	 * @throws OAuthException
+	 */
+	private function loadAccessToken()
+	{
+		if (!$this->accessTokenLoaded) {
+			$this->getTokenStatement->execute(array(':user' => $this->user->getId(), ':type' => self::TOKEN_ACCESS));
+			/** @var OAuthToken $token */
+			$token = $this->getTokenStatement->fetchObject(OAuthToken::class);
+			$this->getTokenStatement->closeCursor();
+
+			if ($token === false) {
+				throw new OAuthException('Access token not found!');
+			}
+
+			$this->accessToken = $token;
+			$this->accessTokenLoaded = true;
+		}
+
+		return $this->accessToken;
+	}
 }

includes/Fragments/TemplateOutput.php

Indentation +126 added lines, -126 removed lines

@@ -19,130 +19,130 @@
 
 trait TemplateOutput
 {
-    /** @var Smarty */
-    private $smarty;
-
-    /**
-     * @param string $pluginsDir
-     *
-     * @return void
-     * @throws Exception
-     */
-    private function loadPlugins(string $pluginsDir): void
-    {
-        /** @var DirectoryIterator $file */
-        foreach (new DirectoryIterator($pluginsDir) as $file) {
-            if ($file->isDot()) {
-                continue;
-            }
-
-            if ($file->getExtension() != 'php') {
-                continue;
-            }
-
-            require_once $file->getPathname();
-
-            list($type, $name) = explode('.', $file->getBasename('.php'), 2);
-
-            switch ($type) {
-                case 'modifier':
-                    $this->smarty->registerPlugin(Smarty::PLUGIN_MODIFIER, $name, 'smarty_modifier_' . $name);
-                    break;
-                case 'function':
-                    $this->smarty->registerPlugin(Smarty::PLUGIN_FUNCTION, $name, 'smarty_function_' . $name);
-                    break;
-            }
-        }
-    }
-
-    /**
-     * @return SiteConfiguration
-     */
-    protected abstract function getSiteConfiguration();
-
-    /**
-     * Assigns a Smarty variable
-     *
-     * @param  array|string $name  the template variable name(s)
-     * @param  mixed        $value the value to assign
-     */
-    final protected function assign($name, $value)
-    {
-        $this->smarty->assign($name, $value);
-    }
-
-    /**
-     * Sets up the variables used by the main Smarty base template.
-     *
-     * This list is getting kinda long.
-     * @throws Exception
-     */
-    final protected function setUpSmarty()
-    {
-        $this->smarty = new Smarty();
-        $pluginsDir = $this->getSiteConfiguration()->getFilePath() . '/smarty-plugins';
-
-        // Dynamically load all plugins in the plugins directory
-        $this->loadPlugins($pluginsDir);
-
-        $this->assign('currentUser', User::getCommunity());
-        $this->assign('skin', 'auto');
-        $this->assign('currentDomain', null);
-        $this->assign('loggedIn', false);
-        $this->assign('baseurl', $this->getSiteConfiguration()->getBaseUrl());
-        $this->assign('resourceCacheEpoch', $this->getSiteConfiguration()->getResourceCacheEpoch());
-        $this->assign('serverPathInfo', WebRequest::pathInfo());
-
-        $this->assign('siteNoticeText', '');
-        $this->assign('siteNoticeVersion', 0);
-        $this->assign('siteNoticeState', 'd-none');
-        $this->assign('toolversion', Environment::getToolVersion());
-
-        // default these
-        $this->assign('onlineusers', array());
-        $this->assign('typeAheadBlock', '');
-        $this->assign('extraJs', array());
-
-        // nav menu access control
-        $this->assign('nav__canRequests', false);
-        $this->assign('nav__canLogs', false);
-        $this->assign('nav__canUsers', false);
-        $this->assign('nav__canSearch', false);
-        $this->assign('nav__canStats', false);
-        $this->assign('nav__canBan', false);
-        $this->assign('nav__canEmailMgmt', false);
-        $this->assign('nav__canWelcomeMgmt', false);
-        $this->assign('nav__canSiteNoticeMgmt', false);
-        $this->assign('nav__canUserMgmt', false);
-        $this->assign('nav__canViewRequest', false);
-        $this->assign('nav__canJobQueue', false);
-        $this->assign('nav__canFlaggedComments', false);
-        $this->assign('nav__canDomainMgmt', false);
-        $this->assign('nav__canQueueMgmt', false);
-        $this->assign('nav__canFormMgmt', false);
-        $this->assign('nav__canErrorLog', false);
-
-        // Navigation badges for concern areas.
-        $this->assign("nav__numAdmin", 0);
-        $this->assign("nav__numFlaggedComments", 0);
-        $this->assign("nav__numJobQueueFailed", 0);
-
-        // debug helpers
-        $this->assign('showDebugCssBreakpoints', $this->getSiteConfiguration()->getDebuggingCssBreakpointsEnabled());
-
-        $this->assign('page', $this);
-    }
-
-    /**
-     * Fetches a rendered Smarty template
-     *
-     * @param $template string Template file path, relative to /templates/
-     *
-     * @return string Templated HTML
-     * @throws Exception
-     */
-    final protected function fetchTemplate($template)
-    {
-        return $this->smarty->fetch($template);
-    }
+	/** @var Smarty */
+	private $smarty;
+
+	/**
+	 * @param string $pluginsDir
+	 *
+	 * @return void
+	 * @throws Exception
+	 */
+	private function loadPlugins(string $pluginsDir): void
+	{
+		/** @var DirectoryIterator $file */
+		foreach (new DirectoryIterator($pluginsDir) as $file) {
+			if ($file->isDot()) {
+				continue;
+			}
+
+			if ($file->getExtension() != 'php') {
+				continue;
+			}
+
+			require_once $file->getPathname();
+
+			list($type, $name) = explode('.', $file->getBasename('.php'), 2);
+
+			switch ($type) {
+				case 'modifier':
+					$this->smarty->registerPlugin(Smarty::PLUGIN_MODIFIER, $name, 'smarty_modifier_' . $name);
+					break;
+				case 'function':
+					$this->smarty->registerPlugin(Smarty::PLUGIN_FUNCTION, $name, 'smarty_function_' . $name);
+					break;
+			}
+		}
+	}
+
+	/**
+	 * @return SiteConfiguration
+	 */
+	protected abstract function getSiteConfiguration();
+
+	/**
+	 * Assigns a Smarty variable
+	 *
+	 * @param  array|string $name  the template variable name(s)
+	 * @param  mixed        $value the value to assign
+	 */
+	final protected function assign($name, $value)
+	{
+		$this->smarty->assign($name, $value);
+	}
+
+	/**
+	 * Sets up the variables used by the main Smarty base template.
+	 *
+	 * This list is getting kinda long.
+	 * @throws Exception
+	 */
+	final protected function setUpSmarty()
+	{
+		$this->smarty = new Smarty();
+		$pluginsDir = $this->getSiteConfiguration()->getFilePath() . '/smarty-plugins';
+
+		// Dynamically load all plugins in the plugins directory
+		$this->loadPlugins($pluginsDir);
+
+		$this->assign('currentUser', User::getCommunity());
+		$this->assign('skin', 'auto');
+		$this->assign('currentDomain', null);
+		$this->assign('loggedIn', false);
+		$this->assign('baseurl', $this->getSiteConfiguration()->getBaseUrl());
+		$this->assign('resourceCacheEpoch', $this->getSiteConfiguration()->getResourceCacheEpoch());
+		$this->assign('serverPathInfo', WebRequest::pathInfo());
+
+		$this->assign('siteNoticeText', '');
+		$this->assign('siteNoticeVersion', 0);
+		$this->assign('siteNoticeState', 'd-none');
+		$this->assign('toolversion', Environment::getToolVersion());
+
+		// default these
+		$this->assign('onlineusers', array());
+		$this->assign('typeAheadBlock', '');
+		$this->assign('extraJs', array());
+
+		// nav menu access control
+		$this->assign('nav__canRequests', false);
+		$this->assign('nav__canLogs', false);
+		$this->assign('nav__canUsers', false);
+		$this->assign('nav__canSearch', false);
+		$this->assign('nav__canStats', false);
+		$this->assign('nav__canBan', false);
+		$this->assign('nav__canEmailMgmt', false);
+		$this->assign('nav__canWelcomeMgmt', false);
+		$this->assign('nav__canSiteNoticeMgmt', false);
+		$this->assign('nav__canUserMgmt', false);
+		$this->assign('nav__canViewRequest', false);
+		$this->assign('nav__canJobQueue', false);
+		$this->assign('nav__canFlaggedComments', false);
+		$this->assign('nav__canDomainMgmt', false);
+		$this->assign('nav__canQueueMgmt', false);
+		$this->assign('nav__canFormMgmt', false);
+		$this->assign('nav__canErrorLog', false);
+
+		// Navigation badges for concern areas.
+		$this->assign("nav__numAdmin", 0);
+		$this->assign("nav__numFlaggedComments", 0);
+		$this->assign("nav__numJobQueueFailed", 0);
+
+		// debug helpers
+		$this->assign('showDebugCssBreakpoints', $this->getSiteConfiguration()->getDebuggingCssBreakpointsEnabled());
+
+		$this->assign('page', $this);
+	}
+
+	/**
+	 * Fetches a rendered Smarty template
+	 *
+	 * @param $template string Template file path, relative to /templates/
+	 *
+	 * @return string Templated HTML
+	 * @throws Exception
+	 */
+	final protected function fetchTemplate($template)
+	{
+		return $this->smarty->fetch($template);
+	}
 }