Test Setup Failed
Push — dependabot/composer/php8/spomk... ( 914eba )
by
unknown
15:03 queued 10:19
created
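--- a/includes/ConsoleTasks/OldRequestCleanupTask.php
+++ b/includes/ConsoleTasks/OldRequestCleanupTask.php
@@ -14,20 +14,20 @@
 
 class OldRequestCleanupTask extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        $database = $this->getDatabase();
-        $expiryTime = [':expiry' => $this->getSiteConfiguration()->getEmailConfirmationExpiryDays()];
+	public function execute()
+	{
+		$database = $this->getDatabase();
+		$expiryTime = [':expiry' => $this->getSiteConfiguration()->getEmailConfirmationExpiryDays()];
 
-        // start by fetching the number of unconfirmed requests which have expired
-        $eligibleRecords = $this->getExpiredCount($database, $expiryTime);
+		// start by fetching the number of unconfirmed requests which have expired
+		$eligibleRecords = $this->getExpiredCount($database, $expiryTime);
 
-        // fetch the number of unconfirmed requests which have expired and which have no FK constraints which would
-        // otherwise prevent their deletion
-        $eligibleUnconstrainedRecords = $this->getExpiredUnconstrainedCount($database, $expiryTime);
+		// fetch the number of unconfirmed requests which have expired and which have no FK constraints which would
+		// otherwise prevent their deletion
+		$eligibleUnconstrainedRecords = $this->getExpiredUnconstrainedCount($database, $expiryTime);
 
-        // Delete any requester comments for expired requests
-        $requesterCommentDelete = <<<SQL
+		// Delete any requester comments for expired requests
+		$requesterCommentDelete = <<<SQL
             DELETE FROM comment
             WHERE 1 = 1 
                 -- only requester comments
@@ -54,12 +54,12 @@
                         AND NOT exists (SELECT 1 FROM log l WHERE l.objectid = r.id and l.objecttype = 'Request')
                 );
 SQL;
-        $statement = $database->prepare($requesterCommentDelete);
-        $statement->execute($expiryTime);
-        $deletedComments = $statement->rowCount();
+		$statement = $database->prepare($requesterCommentDelete);
+		$statement->execute($expiryTime);
+		$deletedComments = $statement->rowCount();
 
-        // Delete any expired requests with no remaining FK constraints
-        $requestDelete = <<<SQL
+		// Delete any expired requests with no remaining FK constraints
+		$requestDelete = <<<SQL
             DELETE FROM request
             WHERE 1 = 1
               -- request date older than X days ago
@@ -77,16 +77,16 @@
               -- no log entries for this request exist
               AND NOT exists(SELECT 1 FROM log l WHERE l.objectid = request.id and l.objecttype = 'Request');
 SQL;
-        $statement = $database->prepare($requestDelete);
-        $statement->execute($expiryTime);
-        $deletedRequests = $statement->rowCount();
+		$statement = $database->prepare($requestDelete);
+		$statement->execute($expiryTime);
+		$deletedRequests = $statement->rowCount();
 
-        // We've deleted all we can sensibly get away with. Disable the ability to email-confirm requests, and close
-        // them as stale. The purge job will pick up the clearing of any private data.
-        // Note - *very* few requests should get this far; it normally means a tool admin has overridden the
-        // email-confirmation lockout and done something to the non-confirmed request.
+		// We've deleted all we can sensibly get away with. Disable the ability to email-confirm requests, and close
+		// them as stale. The purge job will pick up the clearing of any private data.
+		// Note - *very* few requests should get this far; it normally means a tool admin has overridden the
+		// email-confirmation lockout and done something to the non-confirmed request.
 
-        $splatExpired = <<<SQL
+		$splatExpired = <<<SQL
             UPDATE request 
                 SET emailconfirm = 'Stale', status = 'Closed', updateversion = updateversion + 1
             WHERE 1 = 1
@@ -97,20 +97,20 @@
             ;
 SQL;
 
-        $statement = $database->prepare($splatExpired);
-        $statement->execute($expiryTime);
-        $requestsMarkedStale = $statement->rowCount();
+		$statement = $database->prepare($splatExpired);
+		$statement->execute($expiryTime);
+		$requestsMarkedStale = $statement->rowCount();
 
-        // All done.
-        $database->commit();
+		// All done.
+		$database->commit();
 
-        printf('Cleanup: %d expired; %d unconstrained, %d comments deleted, %d requests deleted, %d marked stale',
-            $eligibleRecords, $eligibleUnconstrainedRecords, $deletedComments, $deletedRequests, $requestsMarkedStale);
-    }
+		printf('Cleanup: %d expired; %d unconstrained, %d comments deleted, %d requests deleted, %d marked stale',
+			$eligibleRecords, $eligibleUnconstrainedRecords, $deletedComments, $deletedRequests, $requestsMarkedStale);
+	}
 
-    private function getExpiredCount(PdoDatabase $database, array $expiryTime)
-    {
-        $statement = $database->prepare(<<<SQL
+	private function getExpiredCount(PdoDatabase $database, array $expiryTime)
+	{
+		$statement = $database->prepare(<<<SQL
             SELECT COUNT(*) FROM request r
             WHERE 1 = 1 
               -- request date older than X days ago
@@ -122,18 +122,18 @@
               -- email confirmation was requested
               AND r.emailconfirm <> '';
 SQL
-        );
+		);
 
-        $statement->execute($expiryTime);
-        $eligibleRecords = $statement->fetchColumn();
-        $statement->closeCursor();
+		$statement->execute($expiryTime);
+		$eligibleRecords = $statement->fetchColumn();
+		$statement->closeCursor();
 
-        return $eligibleRecords;
-    }
+		return $eligibleRecords;
+	}
 
-    private function getExpiredUnconstrainedCount(PdoDatabase $database, array $expiryTime)
-    {
-        $statement = $database->prepare(<<<SQL
+	private function getExpiredUnconstrainedCount(PdoDatabase $database, array $expiryTime)
+	{
+		$statement = $database->prepare(<<<SQL
             SELECT COUNT(*) FROM request r
             WHERE 1 = 1 
                 -- request date older than X days ago
@@ -151,12 +151,12 @@
                 -- no log entries for this request exist
                 AND NOT exists(SELECT 1 FROM log l WHERE l.objectid = r.id AND l.objecttype = 'Request');
 SQL
-        );
+		);
 
-        $statement->execute($expiryTime);
-        $eligibleRecords = $statement->fetchColumn();
-        $statement->closeCursor();
+		$statement->execute($expiryTime);
+		$eligibleRecords = $statement->fetchColumn();
+		$statement->closeCursor();
 
-        return $eligibleRecords;
-    }
+		return $eligibleRecords;
+	}
 }
\ No newline at end of file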
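--- a/includes/ConsoleTasks/RefreshOAuthDataTask.php
+++ b/includes/ConsoleTasks/RefreshOAuthDataTask.php
@@ -18,60 +18,60 @@
 
 class RefreshOAuthDataTask extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        $database = $this->getDatabase();
+	public function execute()
+	{
+		$database = $this->getDatabase();
 
-        $idList = $database
-            ->query('SELECT user FROM oauthtoken WHERE type = \'access\' AND expiry IS NULL')
-            ->fetchAll(PDO::FETCH_COLUMN);
+		$idList = $database
+			->query('SELECT user FROM oauthtoken WHERE type = \'access\' AND expiry IS NULL')
+			->fetchAll(PDO::FETCH_COLUMN);
 
-        if (count($idList) > 0) {
-            /** @var User[] $users */
-            $users = UserSearchHelper::get($database)->inIds($idList)->fetch();
+		if (count($idList) > 0) {
+			/** @var User[] $users */
+			$users = UserSearchHelper::get($database)->inIds($idList)->fetch();
 
-            $expiredStatement = $database
-                ->prepare('UPDATE oauthtoken SET expiry = CURRENT_TIMESTAMP() WHERE user = :u AND type = \'access\'');
+			$expiredStatement = $database
+				->prepare('UPDATE oauthtoken SET expiry = CURRENT_TIMESTAMP() WHERE user = :u AND type = \'access\'');
 
-            foreach ($users as $u) {
-                try {
-                    $database->beginTransaction();
+			foreach ($users as $u) {
+				try {
+					$database->beginTransaction();
 
-                    $oauth = new OAuthUserHelper($u, $database, $this->getOAuthProtocolHelper(),
-                        $this->getSiteConfiguration());
+					$oauth = new OAuthUserHelper($u, $database, $this->getOAuthProtocolHelper(),
+						$this->getSiteConfiguration());
 
-                    if ($oauth->getIdentity(true)->getAudience() !== $this->getSiteConfiguration()
-                            ->getOAuthConsumerToken()) {
-                        // not the current consumer token. Approval from the user is *required* for this.
-                        printf("\n\nBoldly refusing to update OAuth data for user with legacy consumer: %s\n", $u->getUsername());
-                        continue;
-                    }
+					if ($oauth->getIdentity(true)->getAudience() !== $this->getSiteConfiguration()
+							->getOAuthConsumerToken()) {
+						// not the current consumer token. Approval from the user is *required* for this.
+						printf("\n\nBoldly refusing to update OAuth data for user with legacy consumer: %s\n", $u->getUsername());
+						continue;
+					}
 
-                    try {
-                        $oauth->refreshIdentity();
-                    }
-                    catch (OAuthException $ex) {
-                        $expiredStatement->execute(array(':u' => $u->getId()));
-                    }
+					try {
+						$oauth->refreshIdentity();
+					}
+					catch (OAuthException $ex) {
+						$expiredStatement->execute(array(':u' => $u->getId()));
+					}
 
-                    $database->commit();
-                }
-                catch (Exception $ex) {
-                    $database->rollBack();
+					$database->commit();
+				}
+				catch (Exception $ex) {
+					$database->rollBack();
 
-                    printf("\n\nFailed updating OAuth data for %s\n", $u->getUsername());
-                    printf($ex->getMessage());
-                }
-                finally {
-                    if ($database->hasActiveTransaction()) {
-                        $database->rollBack();
-                    }
-                }
-            }
-        }
+					printf("\n\nFailed updating OAuth data for %s\n", $u->getUsername());
+					printf($ex->getMessage());
+				}
+				finally {
+					if ($database->hasActiveTransaction()) {
+						$database->rollBack();
+					}
+				}
+			}
+		}
 
-        $database->beginTransaction();
-        $database->exec('DELETE FROM oauthtoken WHERE expiry IS NOT NULL AND expiry < NOW() AND type = \'request\'');
-        $database->commit();
-    }
+		$database->beginTransaction();
+		$database->exec('DELETE FROM oauthtoken WHERE expiry IS NOT NULL AND expiry < NOW() AND type = \'request\'');
+		$database->commit();
+	}
 }
\ No newline at end of file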
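Review bot: `printf($ex->getMessage());` in the outer `catch (Exception $ex)` passes the exception text as the format string, so any `%` in the message is parsed as a conversion specifier. On PHP 8 that can raise an ArgumentCountError or ValueError from inside the catch block, which would end the refresh loop for the remaining users. Print the message as data instead: `printf("%s\n", $ex->getMessage());`. This patch only re-indents the line, so the issue predates it. It is also worth checking whether exception text raised while talking to the OAuth provider should go to the task's console output unfiltered.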
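--- a/includes/ConsoleTasks/ClearOldDataTask.php
+++ b/includes/ConsoleTasks/ClearOldDataTask.php
@@ -13,50 +13,50 @@
 
 class ClearOldDataTask extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        $dataClearInterval = $this->getSiteConfiguration()->getDataClearInterval();
-        $database = $this->getDatabase();
+	public function execute()
+	{
+		$dataClearInterval = $this->getSiteConfiguration()->getDataClearInterval();
+		$database = $this->getDatabase();
 
-        $query = $database->prepare(<<<SQL
+		$query = $database->prepare(<<<SQL
 UPDATE request
 SET ip = :ip, forwardedip = null, email = :mail, useragent = ''
 WHERE date < DATE_SUB(curdate(), INTERVAL {$dataClearInterval})
 AND status = 'Closed';
 SQL
-        );
+		);
 
-        $success = $query->execute(array(
-            ":ip"   => $this->getSiteConfiguration()->getDataClearIp(),
-            ":mail" => $this->getSiteConfiguration()->getDataClearEmail(),
-        ));
+		$success = $query->execute(array(
+			":ip"   => $this->getSiteConfiguration()->getDataClearIp(),
+			":mail" => $this->getSiteConfiguration()->getDataClearEmail(),
+		));
 
-        if (!$success) {
-            throw new Exception("Error in transaction 1: Could not clear data.");
-        }
+		if (!$success) {
+			throw new Exception("Error in transaction 1: Could not clear data.");
+		}
 
-        $dataQuery = $database->prepare(<<<SQL
+		$dataQuery = $database->prepare(<<<SQL
 DELETE rd
 FROM requestdata rd
 INNER JOIN request r ON r.id = rd.request
 WHERE r.date < DATE_SUB(curdate(), INTERVAL {$dataClearInterval})
   AND r.status = 'Closed';
 SQL
-        );
+		);
 
-        $success = $dataQuery->execute();
+		$success = $dataQuery->execute();
 
-        if (!$success) {
-            throw new Exception("Error in transaction 2: Could not clear data.");
-        }
+		if (!$success) {
+			throw new Exception("Error in transaction 2: Could not clear data.");
+		}
 
-        // FIXME: domains!
-        $flaggedCommentsQuery = $database->query(<<<SQL
+		// FIXME: domains!
+		$flaggedCommentsQuery = $database->query(<<<SQL
 SELECT COUNT(1) FROM comment c INNER JOIN request r ON c.request = r.id WHERE c.flagged = 1 AND r.status = 'Closed'
 SQL
-        );
+		);
 
-        $flaggedCommentsCount = $flaggedCommentsQuery->fetchColumn();
-        $this->getNotificationHelper()->alertFlaggedComments($flaggedCommentsCount);
-    }
+		$flaggedCommentsCount = $flaggedCommentsQuery->fetchColumn();
+		$this->getNotificationHelper()->alertFlaggedComments($flaggedCommentsCount);
+	}
 }
\ No newline at end of file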
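Review bot: Both the UPDATE and the DELETE splice `{$dataClearInterval}` straight into the SQL text (`INTERVAL {$dataClearInterval}`), while the other values in the first statement are bound as `:ip` and `:mail`. The value comes from `getSiteConfiguration()->getDataClearInterval()`, so it is operator-controlled rather than request-controlled, but nothing visible here checks its shape before it decides which rows get wiped. Validating it against the expected number-and-unit form before the first `prepare()`, or binding the number and keeping the unit a literal (for example `INTERVAL :days DAY`), would stop a malformed configuration value from widening the purge or breaking the statement. The format the configuration actually returns is not shown, so confirm it before choosing between the two; the patch itself only re-indents the surrounding lines.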
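--- a/includes/ConsoleTasks/ClearOAuthDataTask.php
+++ b/includes/ConsoleTasks/ClearOAuthDataTask.php
@@ -15,20 +15,20 @@
 
 class ClearOAuthDataTask extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        $database = $this->getDatabase();
+	public function execute()
+	{
+		$database = $this->getDatabase();
 
-        $users = UserSearchHelper::get($database)->inIds(
-            $database->query('SELECT user FROM oauthtoken WHERE type = \'access\'')->fetchAll(PDO::FETCH_COLUMN)
-        );
+		$users = UserSearchHelper::get($database)->inIds(
+			$database->query('SELECT user FROM oauthtoken WHERE type = \'access\'')->fetchAll(PDO::FETCH_COLUMN)
+		);
 
-        foreach ($users as $u) {
-            $oauth = new OAuthUserHelper($u, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
-            $oauth->detach();
-        }
+		foreach ($users as $u) {
+			$oauth = new OAuthUserHelper($u, $database, $this->getOAuthProtocolHelper(), $this->getSiteConfiguration());
+			$oauth->detach();
+		}
 
-        $database->exec('DELETE FROM oauthtoken');
-        $database->exec('DELETE FROM oauthidentity');
-    }
+		$database->exec('DELETE FROM oauthtoken');
+		$database->exec('DELETE FROM oauthidentity');
+	}
 }
\ No newline at end of file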
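--- a/includes/ConsoleTasks/MigrateToDomains.php
+++ b/includes/ConsoleTasks/MigrateToDomains.php
@@ -14,8 +14,8 @@
 
 class MigrateToDomains extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        echo "This migration script must be run with the entire application at an earlier version.";
-    }
+	public function execute()
+	{
+		echo "This migration script must be run with the entire application at an earlier version.";
+	}
 }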
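--- a/includes/ConsoleTasks/MigrateToRoles.php
+++ b/includes/ConsoleTasks/MigrateToRoles.php
@@ -16,55 +16,55 @@
 
 class MigrateToRoles extends ConsoleTaskBase
 {
-    public function execute()
-    {
-        $communityUser = User::getCommunity();
+	public function execute()
+	{
+		$communityUser = User::getCommunity();
 
-        $database = $this->getDatabase();
-        $statement = $database->query('SELECT id, status, checkuser FROM user;');
-        $update = $database->prepare("UPDATE user SET status = 'Active' WHERE id = :id;");
+		$database = $this->getDatabase();
+		$statement = $database->query('SELECT id, status, checkuser FROM user;');
+		$update = $database->prepare("UPDATE user SET status = 'Active' WHERE id = :id;");
 
-        $users = $statement->fetchAll(PDO::FETCH_ASSOC);
+		$users = $statement->fetchAll(PDO::FETCH_ASSOC);
 
-        foreach ($users as $user) {
-            $toAdd = array('user');
+		foreach ($users as $user) {
+			$toAdd = array('user');
 
-            if ($user['status'] === 'Admin') {
-                $toAdd[] = 'admin';
-            }
+			if ($user['status'] === 'Admin') {
+				$toAdd[] = 'admin';
+			}
 
-            if ($user['checkuser'] == 1) {
-                $toAdd[] = 'checkuser';
-            }
+			if ($user['checkuser'] == 1) {
+				$toAdd[] = 'checkuser';
+			}
 
-            foreach ($toAdd as $x) {
-                $a = new UserRole();
-                $a->setUser($user['id']);
-                $a->setRole($x);
-                $a->setDatabase($database);
-                $a->save();
-            }
+			foreach ($toAdd as $x) {
+				$a = new UserRole();
+				$a->setUser($user['id']);
+				$a->setRole($x);
+				$a->setDatabase($database);
+				$a->save();
+			}
 
-            $logData = serialize(array(
-                'added' => $toAdd,
-                'removed' => array(),
-                'reason' => 'Initial migration'
-            ));
+			$logData = serialize(array(
+				'added' => $toAdd,
+				'removed' => array(),
+				'reason' => 'Initial migration'
+			));
 
-            $log = new Log();
-            $log->setDatabase($database);
-            $log->setAction('RoleChange');
-            $log->setObjectId($user['id']);
-            $log->setObjectType('User');
-            $log->setUser($communityUser);
-            $log->setComment($logData);
-            $log->save();
+			$log = new Log();
+			$log->setDatabase($database);
+			$log->setAction('RoleChange');
+			$log->setObjectId($user['id']);
+			$log->setObjectType('User');
+			$log->setUser($communityUser);
+			$log->setComment($logData);
+			$log->save();
 
-            if ($user['status'] === 'Admin' || $user['status'] === 'User') {
-                $update->execute(array('id' => $user['id']));
-            }
-        }
+			if ($user['status'] === 'Admin' || $user['status'] === 'User') {
+				$update->execute(array('id' => $user['id']));
+			}
+		}
 
-        $database->exec("UPDATE schemaversion SET version = 25;");
-    }
+		$database->exec("UPDATE schemaversion SET version = 25;");
+	}
 }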
includes/Security/DomainAccessManager.php 2 patches
Indentation   +53 added lines, -53 removed lines patch added patch discarded remove patch
@@ -17,67 +17,67 @@
17 17
 
18 18
 class DomainAccessManager
19 19
 {
20
-    /**
21
-     * @var SecurityManager
22
-     */
23
-    private $securityManager;
20
+	/**
21
+	 * @var SecurityManager
22
+	 */
23
+	private $securityManager;
24 24
 
25
-    public function __construct(SecurityManager $securityManager)
26
-    {
27
-        $this->securityManager = $securityManager;
28
-    }
25
+	public function __construct(SecurityManager $securityManager)
26
+	{
27
+		$this->securityManager = $securityManager;
28
+	}
29 29
 
30
-    /**
31
-     * @param User $user
32
-     *
33
-     * @return Domain[]
34
-     */
35
-    public function getAllowedDomains(User $user): array
36
-    {
37
-        if ($user->isCommunityUser()) {
38
-            return [];
39
-        }
30
+	/**
31
+	 * @param User $user
32
+	 *
33
+	 * @return Domain[]
34
+	 */
35
+	public function getAllowedDomains(User $user): array
36
+	{
37
+		if ($user->isCommunityUser()) {
38
+			return [];
39
+		}
40 40
 
41
-        return Domain::getDomainByUser($user->getDatabase(), $user, true);
42
-    }
41
+		return Domain::getDomainByUser($user->getDatabase(), $user, true);
42
+	}
43 43
 
44
-    public function switchDomain(User $user, Domain $newDomain): void
45
-    {
46
-        $mapToId = function(DataObject $object) {
47
-            return $object->getId();
48
-        };
44
+	public function switchDomain(User $user, Domain $newDomain): void
45
+	{
46
+		$mapToId = function(DataObject $object) {
47
+			return $object->getId();
48
+		};
49 49
 
50
-        $allowed = in_array($newDomain->getId(), array_map($mapToId, self::getAllowedDomains($user)));
50
+		$allowed = in_array($newDomain->getId(), array_map($mapToId, self::getAllowedDomains($user)));
51 51
 
52
-        if ($allowed) {
53
-            WebRequest::setActiveDomain($newDomain);
54
-        }
55
-        else {
56
-            throw new AccessDeniedException($this->securityManager, $this);
57
-        }
58
-    }
52
+		if ($allowed) {
53
+			WebRequest::setActiveDomain($newDomain);
54
+		}
55
+		else {
56
+			throw new AccessDeniedException($this->securityManager, $this);
57
+		}
58
+	}
59 59
 
60
-    public function switchToDefaultDomain(User $user): void
61
-    {
62
-        $domains = $this->getAllowedDomains($user);
63
-        $preferenceManager = new PreferenceManager($user->getDatabase(), $user->getId(), null);
64
-        $defaultDomainPreference = $preferenceManager->getPreference(PreferenceManager::PREF_DEFAULT_DOMAIN);
60
+	public function switchToDefaultDomain(User $user): void
61
+	{
62
+		$domains = $this->getAllowedDomains($user);
63
+		$preferenceManager = new PreferenceManager($user->getDatabase(), $user->getId(), null);
64
+		$defaultDomainPreference = $preferenceManager->getPreference(PreferenceManager::PREF_DEFAULT_DOMAIN);
65 65
 
66
-        $chosenDomain = null;
67
-        foreach ($domains as $d) {
68
-            if ($d->getId() == $defaultDomainPreference) {
69
-                $chosenDomain = $d;
70
-                break;
71
-            }
72
-        }
66
+		$chosenDomain = null;
67
+		foreach ($domains as $d) {
68
+			if ($d->getId() == $defaultDomainPreference) {
69
+				$chosenDomain = $d;
70
+				break;
71
+			}
72
+		}
73 73
 
74
-        if ($chosenDomain !== null) {
75
-            WebRequest::setActiveDomain($chosenDomain);
76
-            return;
77
-        }
74
+		if ($chosenDomain !== null) {
75
+			WebRequest::setActiveDomain($chosenDomain);
76
+			return;
77
+		}
78 78
 
79
-        if (count($domains) > 0) {
80
-            WebRequest::setActiveDomain($domains[0]);
81
-        }
82
-    }
79
+		if (count($domains) > 0) {
80
+			WebRequest::setActiveDomain($domains[0]);
81
+		}
82
+	}
83 83
 }
84 84
\ No newline at end of file
Braces   +3 added lines, -3 removed lines patch added patch discarded remove patch
@@ -43,7 +43,8 @@  discard block
43 43
 
44 44
     public function switchDomain(User $user, Domain $newDomain): void
45 45
     {
46
-        $mapToId = function(DataObject $object) {
46
+        $mapToId = function(DataObject $object)
47
+        {
47 48
             return $object->getId();
48 49
         };
49 50
 
@@ -51,8 +52,7 @@  discard block
51 52
 
52 53
         if ($allowed) {
53 54
             WebRequest::setActiveDomain($newDomain);
54
-        }
55
-        else {
55
+        } else {
56 56
             throw new AccessDeniedException($this->securityManager, $this);
57 57
         }
58 58
     }
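Review bot: The authorization check in `switchDomain()` uses a loose `in_array()` — `in_array($newDomain->getId(), array_map($mapToId, self::getAllowedDomains($user)))` — so type juggling takes part in an access-control decision. Passing the strict flag, `in_array($newDomain->getId(), array_map($mapToId, self::getAllowedDomains($user)), true)`, removes that, provided `getId()` returns the same type for every `DataObject` (not visible here; confirm before switching). `switchToDefaultDomain()` has the same pattern in `$d->getId() == $defaultDomainPreference`, where the stored preference may well be a string, so an explicit cast is probably needed there rather than a bare `===`. Neither patch in this section changes these lines beyond whitespace and brace placement.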
includes/Security/CredentialProviders/PasswordCredentialProvider.php 1 patch
Indentation   +122 added lines, -122 removed lines patch added patch discarded remove patch
@@ -20,136 +20,136 @@
20 20
 
21 21
 class PasswordCredentialProvider extends CredentialProviderBase
22 22
 {
23
-    const PASSWORD_COST = 10;
24
-    const PASSWORD_ALGO = PASSWORD_BCRYPT;
25
-
26
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
27
-    {
28
-        parent::__construct($database, $configuration, 'password');
29
-    }
30
-
31
-    public function authenticate(User $user, $data)
32
-    {
33
-        $storedData = $this->getCredentialData($user->getId());
34
-        if ($storedData === null) {
35
-            // No available credential matching these parameters
36
-            return false;
37
-        }
38
-
39
-        if ($storedData->getVersion() !== 2) {
40
-            // Non-2 versions are not supported.
41
-            return false;
42
-        }
43
-
44
-        if (!password_verify($data, $storedData->getData())) {
45
-            return false;
46
-        }
47
-
48
-        if (password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO,
49
-            array('cost' => self::PASSWORD_COST))) {
50
-            try {
51
-                $this->reallySetCredential($user, $storedData->getFactor(), $data);
52
-            }
53
-            catch (OptimisticLockFailedException $e) {
54
-                // optimistic lock failed, but no biggie. We'll catch it on the next login.
55
-            }
56
-        }
57
-
58
-        $strengthTester = new Zxcvbn();
59
-        $strength = $strengthTester->passwordStrength($data, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
60
-
61
-        /*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
23
+	const PASSWORD_COST = 10;
24
+	const PASSWORD_ALGO = PASSWORD_BCRYPT;
25
+
26
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration)
27
+	{
28
+		parent::__construct($database, $configuration, 'password');
29
+	}
30
+
31
+	public function authenticate(User $user, $data)
32
+	{
33
+		$storedData = $this->getCredentialData($user->getId());
34
+		if ($storedData === null) {
35
+			// No available credential matching these parameters
36
+			return false;
37
+		}
38
+
39
+		if ($storedData->getVersion() !== 2) {
40
+			// Non-2 versions are not supported.
41
+			return false;
42
+		}
43
+
44
+		if (!password_verify($data, $storedData->getData())) {
45
+			return false;
46
+		}
47
+
48
+		if (password_needs_rehash($storedData->getData(), self::PASSWORD_ALGO,
49
+			array('cost' => self::PASSWORD_COST))) {
50
+			try {
51
+				$this->reallySetCredential($user, $storedData->getFactor(), $data);
52
+			}
53
+			catch (OptimisticLockFailedException $e) {
54
+				// optimistic lock failed, but no biggie. We'll catch it on the next login.
55
+			}
56
+		}
57
+
58
+		$strengthTester = new Zxcvbn();
59
+		$strength = $strengthTester->passwordStrength($data, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
60
+
61
+		/*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
62 62
             1 is still very guessable (guesses < 10^6), an extra character on a dictionary word can score a 1
63 63
             2 is somewhat guessable (guesses < 10^8), provides some protection from unthrottled online attacks
64 64
             3 is safely unguessable (guesses < 10^10), offers moderate protection from offline slow-hash scenario
65 65
             4 is very unguessable (guesses >= 10^10) and provides strong protection from offline slow-hash scenario         */
66 66
 
67
-        if ($strength['score'] <= 1 || CommonPasswords::isCommon($data) || mb_strlen($data) < 8) {
68
-            // prevent login for extremely weak passwords
69
-            // at this point the user has authenticated via password, so they *know* it's weak.
70
-            SessionAlert::error('Your password is too weak to permit login. Please choose the "forgotten your password" option below and set a new one.', null);
71
-            return false;
72
-        }
73
-
74
-        $this->revokePasswordResetTokens($user->getId());
75
-
76
-        return true;
77
-    }
78
-
79
-    /**
80
-     * @param User   $user
81
-     * @param int    $factor
82
-     * @param string $password
83
-     *
84
-     * @throws OptimisticLockFailedException
85
-     */
86
-    private function reallySetCredential(User $user, int $factor, string $password) : void {
87
-        $storedData = $this->getCredentialData($user->getId());
88
-
89
-        if ($storedData === null) {
90
-            $storedData = $this->createNewCredential($user);
91
-        }
92
-
93
-        $storedData->setData(password_hash($password, self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST)));
94
-        $storedData->setFactor($factor);
95
-        $storedData->setVersion(2);
96
-
97
-        $storedData->save();
98
-    }
99
-
100
-    /**
101
-     * @param User   $user
102
-     * @param int    $factor
103
-     * @param string $password
104
-     *
105
-     * @throws ApplicationLogicException
106
-     * @throws OptimisticLockFailedException
107
-     */
108
-    public function setCredential(User $user, $factor, $password)
109
-    {
110
-        if (CommonPasswords::isCommon($password)) {
111
-            throw new ApplicationLogicException("Your new password is listed in the top 100,000 passwords. Please choose a stronger one.", null);
112
-        }
113
-
114
-        $strengthTester = new Zxcvbn();
115
-        $strength = $strengthTester->passwordStrength($password, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
116
-
117
-        /*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
67
+		if ($strength['score'] <= 1 || CommonPasswords::isCommon($data) || mb_strlen($data) < 8) {
68
+			// prevent login for extremely weak passwords
69
+			// at this point the user has authenticated via password, so they *know* it's weak.
70
+			SessionAlert::error('Your password is too weak to permit login. Please choose the "forgotten your password" option below and set a new one.', null);
71
+			return false;
72
+		}
73
+
74
+		$this->revokePasswordResetTokens($user->getId());
75
+
76
+		return true;
77
+	}
78
+
79
+	/**
80
+	 * @param User   $user
81
+	 * @param int    $factor
82
+	 * @param string $password
83
+	 *
84
+	 * @throws OptimisticLockFailedException
85
+	 */
86
+	private function reallySetCredential(User $user, int $factor, string $password) : void {
87
+		$storedData = $this->getCredentialData($user->getId());
88
+
89
+		if ($storedData === null) {
90
+			$storedData = $this->createNewCredential($user);
91
+		}
92
+
93
+		$storedData->setData(password_hash($password, self::PASSWORD_ALGO, array('cost' => self::PASSWORD_COST)));
94
+		$storedData->setFactor($factor);
95
+		$storedData->setVersion(2);
96
+
97
+		$storedData->save();
98
+	}
99
+
100
+	/**
101
+	 * @param User   $user
102
+	 * @param int    $factor
103
+	 * @param string $password
104
+	 *
105
+	 * @throws ApplicationLogicException
106
+	 * @throws OptimisticLockFailedException
107
+	 */
108
+	public function setCredential(User $user, $factor, $password)
109
+	{
110
+		if (CommonPasswords::isCommon($password)) {
111
+			throw new ApplicationLogicException("Your new password is listed in the top 100,000 passwords. Please choose a stronger one.", null);
112
+		}
113
+
114
+		$strengthTester = new Zxcvbn();
115
+		$strength = $strengthTester->passwordStrength($password, [$user->getUsername(), $user->getOnWikiName(), $user->getEmail()]);
116
+
117
+		/*  0 means the password is extremely guessable (within 10^3 guesses), dictionary words like 'password' or 'mother' score a 0
118 118
             1 is still very guessable (guesses < 10^6), an extra character on a dictionary word can score a 1
119 119
             2 is somewhat guessable (guesses < 10^8), provides some protection from unthrottled online attacks
120 120
             3 is safely unguessable (guesses < 10^10), offers moderate protection from offline slow-hash scenario
121 121
             4 is very unguessable (guesses >= 10^10) and provides strong protection from offline slow-hash scenario         */
122 122
 
123
-        if ($strength['score'] <= 2 || mb_strlen($password) < 8) {
124
-            throw new ApplicationLogicException("Your new password is too weak. Please choose a stronger one.", null);
125
-        }
126
-
127
-        if ($strength['score'] <= 3) {
128
-            SessionAlert::warning("Your new password is not as strong as it could be. Consider replacing it with a stronger password.", null);
129
-        }
130
-
131
-        $this->reallySetCredential($user, $factor, $password);
132
-    }
133
-
134
-    /**
135
-     * @param User $user
136
-     *
137
-     * @throws ApplicationLogicException
138
-     */
139
-    public function deleteCredential(User $user)
140
-    {
141
-        throw new ApplicationLogicException('Deletion of password credential is not allowed.');
142
-    }
143
-
144
-    private function revokePasswordResetTokens(int $userId)
145
-    {
146
-        $statement = $this->getDatabase()->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
147
-        $statement->execute([':user' => $userId]);
148
-        $existing = $statement->fetchAll(PdoDatabase::FETCH_CLASS, Credential::class);
149
-
150
-        foreach ($existing as $c) {
151
-            $c->setDatabase($this->getDatabase());
152
-            $c->delete();
153
-        }
154
-    }
123
+		if ($strength['score'] <= 2 || mb_strlen($password) < 8) {
124
+			throw new ApplicationLogicException("Your new password is too weak. Please choose a stronger one.", null);
125
+		}
126
+
127
+		if ($strength['score'] <= 3) {
128
+			SessionAlert::warning("Your new password is not as strong as it could be. Consider replacing it with a stronger password.", null);
129
+		}
130
+
131
+		$this->reallySetCredential($user, $factor, $password);
132
+	}
133
+
134
+	/**
135
+	 * @param User $user
136
+	 *
137
+	 * @throws ApplicationLogicException
138
+	 */
139
+	public function deleteCredential(User $user)
140
+	{
141
+		throw new ApplicationLogicException('Deletion of password credential is not allowed.');
142
+	}
143
+
144
+	private function revokePasswordResetTokens(int $userId)
145
+	{
146
+		$statement = $this->getDatabase()->prepare("SELECT * FROM credential WHERE type = 'reset' AND user = :user;");
147
+		$statement->execute([':user' => $userId]);
148
+		$existing = $statement->fetchAll(PdoDatabase::FETCH_CLASS, Credential::class);
149
+
150
+		foreach ($existing as $c) {
151
+			$c->setDatabase($this->getDatabase());
152
+			$c->delete();
153
+		}
154
+	}
155 155
 }
includes/Security/CredentialProviders/CredentialProviderBase.php 2 patches
Indentation   +135 added lines, -135 removed lines
@@ -15,139 +15,139 @@
15 15
 
16 16
 abstract class CredentialProviderBase implements ICredentialProvider
17 17
 {
18
-    /**
19
-     * @var PdoDatabase
20
-     */
21
-    private $database;
22
-    /**
23
-     * @var SiteConfiguration
24
-     */
25
-    private $configuration;
26
-    /** @var string */
27
-    private $type;
28
-
29
-    /**
30
-     * CredentialProviderBase constructor.
31
-     *
32
-     * @param PdoDatabase       $database
33
-     * @param SiteConfiguration $configuration
34
-     * @param string            $type
35
-     */
36
-    public function __construct(PdoDatabase $database, SiteConfiguration $configuration, $type)
37
-    {
38
-        $this->database = $database;
39
-        $this->configuration = $configuration;
40
-        $this->type = $type;
41
-    }
42
-
43
-    /**
44
-     * @param int  $userId
45
-     *
46
-     * @param bool $disabled
47
-     *
48
-     * @return Credential
49
-     */
50
-    protected function getCredentialData($userId, $disabled = false)
51
-    {
52
-        $sql = 'SELECT * FROM credential WHERE type = :t AND user = :u';
53
-        $parameters = array(
54
-            ':u' => $userId,
55
-            ':t' => $this->type
56
-        );
57
-
58
-        if ($disabled !== null) {
59
-            $sql .= ' AND disabled = :d';
60
-            $parameters[':d'] = $disabled ? 1 : 0;
61
-        }
62
-
63
-        $statement = $this->database->prepare($sql);
64
-        $statement->execute($parameters);
65
-
66
-        /** @var Credential $obj */
67
-        $obj = $statement->fetchObject(Credential::class);
68
-
69
-        if ($obj === false) {
70
-            return null;
71
-        }
72
-
73
-        $obj->setDatabase($this->database);
74
-
75
-        $statement->closeCursor();
76
-
77
-        return $obj;
78
-    }
79
-
80
-    /**
81
-     * @return PdoDatabase
82
-     */
83
-    public function getDatabase()
84
-    {
85
-        return $this->database;
86
-    }
87
-
88
-    /**
89
-     * @return SiteConfiguration
90
-     */
91
-    public function getConfiguration()
92
-    {
93
-        return $this->configuration;
94
-    }
95
-
96
-    public function deleteCredential(User $user)
97
-    {
98
-        // get this factor
99
-        $statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type');
100
-        $statement->execute(array(':user' => $user->getId(), ':type' => $this->type));
101
-        /** @var Credential $credential */
102
-        $credential = $statement->fetchObject(Credential::class);
103
-        $credential->setDatabase($this->database);
104
-        $statement->closeCursor();
105
-
106
-        $stage = $credential->getFactor();
107
-
108
-        $statement = $this->database->prepare('SELECT COUNT(*) FROM credential WHERE user = :user AND factor = :factor');
109
-        $statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
110
-        $alternates = $statement->fetchColumn();
111
-        $statement->closeCursor();
112
-
113
-        if ($alternates <= 1) {
114
-            // decrement the factor for every stage above this
115
-            $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
116
-            $statement = $this->database->prepare($sql);
117
-            $statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
118
-        }
119
-        else {
120
-            // There are other auth factors at this point. Don't renumber the factors just yet.
121
-        }
122
-
123
-        // delete this credential.
124
-        $credential->delete();
125
-    }
126
-
127
-    /**
128
-     * @param User $user
129
-     *
130
-     * @return Credential
131
-     */
132
-    protected function createNewCredential(User $user)
133
-    {
134
-        $credential = new Credential();
135
-        $credential->setDatabase($this->getDatabase());
136
-        $credential->setUserId($user->getId());
137
-        $credential->setType($this->type);
138
-
139
-        return $credential;
140
-    }
141
-
142
-    /**
143
-     * @param int $userId
144
-     *
145
-     * @return bool
146
-     */
147
-    public function userIsEnrolled($userId)
148
-    {
149
-        $cred = $this->getCredentialData($userId);
150
-
151
-        return $cred !== null;
152
-    }
18
+	/**
19
+	 * @var PdoDatabase
20
+	 */
21
+	private $database;
22
+	/**
23
+	 * @var SiteConfiguration
24
+	 */
25
+	private $configuration;
26
+	/** @var string */
27
+	private $type;
28
+
29
+	/**
30
+	 * CredentialProviderBase constructor.
31
+	 *
32
+	 * @param PdoDatabase       $database
33
+	 * @param SiteConfiguration $configuration
34
+	 * @param string            $type
35
+	 */
36
+	public function __construct(PdoDatabase $database, SiteConfiguration $configuration, $type)
37
+	{
38
+		$this->database = $database;
39
+		$this->configuration = $configuration;
40
+		$this->type = $type;
41
+	}
42
+
43
+	/**
44
+	 * @param int  $userId
45
+	 *
46
+	 * @param bool $disabled
47
+	 *
48
+	 * @return Credential
49
+	 */
50
+	protected function getCredentialData($userId, $disabled = false)
51
+	{
52
+		$sql = 'SELECT * FROM credential WHERE type = :t AND user = :u';
53
+		$parameters = array(
54
+			':u' => $userId,
55
+			':t' => $this->type
56
+		);
57
+
58
+		if ($disabled !== null) {
59
+			$sql .= ' AND disabled = :d';
60
+			$parameters[':d'] = $disabled ? 1 : 0;
61
+		}
62
+
63
+		$statement = $this->database->prepare($sql);
64
+		$statement->execute($parameters);
65
+
66
+		/** @var Credential $obj */
67
+		$obj = $statement->fetchObject(Credential::class);
68
+
69
+		if ($obj === false) {
70
+			return null;
71
+		}
72
+
73
+		$obj->setDatabase($this->database);
74
+
75
+		$statement->closeCursor();
76
+
77
+		return $obj;
78
+	}
79
+
80
+	/**
81
+	 * @return PdoDatabase
82
+	 */
83
+	public function getDatabase()
84
+	{
85
+		return $this->database;
86
+	}
87
+
88
+	/**
89
+	 * @return SiteConfiguration
90
+	 */
91
+	public function getConfiguration()
92
+	{
93
+		return $this->configuration;
94
+	}
95
+
96
+	public function deleteCredential(User $user)
97
+	{
98
+		// get this factor
99
+		$statement = $this->database->prepare('SELECT * FROM credential WHERE user = :user AND type = :type');
100
+		$statement->execute(array(':user' => $user->getId(), ':type' => $this->type));
101
+		/** @var Credential $credential */
102
+		$credential = $statement->fetchObject(Credential::class);
103
+		$credential->setDatabase($this->database);
104
+		$statement->closeCursor();
105
+
106
+		$stage = $credential->getFactor();
107
+
108
+		$statement = $this->database->prepare('SELECT COUNT(*) FROM credential WHERE user = :user AND factor = :factor');
109
+		$statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
110
+		$alternates = $statement->fetchColumn();
111
+		$statement->closeCursor();
112
+
113
+		if ($alternates <= 1) {
114
+			// decrement the factor for every stage above this
115
+			$sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
116
+			$statement = $this->database->prepare($sql);
117
+			$statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
118
+		}
119
+		else {
120
+			// There are other auth factors at this point. Don't renumber the factors just yet.
121
+		}
122
+
123
+		// delete this credential.
124
+		$credential->delete();
125
+	}
126
+
127
+	/**
128
+	 * @param User $user
129
+	 *
130
+	 * @return Credential
131
+	 */
132
+	protected function createNewCredential(User $user)
133
+	{
134
+		$credential = new Credential();
135
+		$credential->setDatabase($this->getDatabase());
136
+		$credential->setUserId($user->getId());
137
+		$credential->setType($this->type);
138
+
139
+		return $credential;
140
+	}
141
+
142
+	/**
143
+	 * @param int $userId
144
+	 *
145
+	 * @return bool
146
+	 */
147
+	public function userIsEnrolled($userId)
148
+	{
149
+		$cred = $this->getCredentialData($userId);
150
+
151
+		return $cred !== null;
152
+	}
153 153
 }
154 154
\ No newline at end of file
Braces   +1 added lines, -2 removed lines
@@ -115,8 +115,7 @@
115 115
             $sql = 'UPDATE credential SET factor = factor - 1 WHERE user = :user AND factor > :factor';
116 116
             $statement = $this->database->prepare($sql);
117 117
             $statement->execute(array(':user' => $user->getId(), ':factor' => $stage));
118
-        }
119
-        else {
118
+        } else {
120 119
             // There are other auth factors at this point. Don't renumber the factors just yet.
121 120
         }
122 121
 
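Review bot: In `deleteCredential()` of `CredentialProviderBase` the result of `fetchObject(Credential::class)` is used without a check, so when the user has no credential of this type `$credential->setDatabase(...)` is called on `false` and the request ends in a fatal error rather than a handled failure. `getCredentialData()` in the same class already guards this case with `if ($obj === false)`, and neither the Indentation nor the Braces patch touches it. I would add `if ($credential === false) { $statement->closeCursor(); return; }` directly after the fetch, or raise the project's own exception there if a missing credential should be reported to the caller. The factor renumbering `UPDATE` and the later `$credential->delete()` are separate statements; presumably the caller runs them inside one transaction, but that is not visible on this page and is worth confirming so a failure between them cannot leave a user's factors partly renumbered.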