for testing and deploying your application
for finding and fixing issues
for empowering human code reviews
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
<?php
namespace Waca\Router;
use Exception;
use Waca\Pages\Page404;
use Waca\Pages\PageBan;
use Waca\Pages\PageEditComment;
use Waca\Pages\PageEmailManagement;
use Waca\Pages\PageForgotPassword;
use Waca\Pages\PageLog;
use Waca\Pages\PageLogin;
use Waca\Pages\PageLogout;
use Waca\Pages\PageMain;
use Waca\Pages\PageOAuth;
use Waca\Pages\PagePreferences;
use Waca\Pages\PageRegister;
use Waca\Pages\PageSearch;
use Waca\Pages\PageSiteNotice;
use Waca\Pages\PageTeam;
use Waca\Pages\PageUserManagement;
use Waca\Pages\PageViewRequest;
use Waca\Pages\PageWelcomeTemplateManagement;
use Waca\Pages\RequestAction\PageBreakReservation;
use Waca\Pages\RequestAction\PageCloseRequest;
use Waca\Pages\RequestAction\PageComment;
use Waca\Pages\RequestAction\PageCustomClose;
use Waca\Pages\RequestAction\PageDeferRequest;
use Waca\Pages\RequestAction\PageDropRequest;
use Waca\Pages\RequestAction\PageReservation;
use Waca\Pages\RequestAction\PageSendToUser;
use Waca\Pages\Statistics\StatsFastCloses;
use Waca\Pages\Statistics\StatsInactiveUsers;
use Waca\Pages\Statistics\StatsMain;
use Waca\Pages\Statistics\StatsMonthlyStats;
use Waca\Pages\Statistics\StatsReservedRequests;
use Waca\Pages\Statistics\StatsTemplateStats;
use Waca\Pages\Statistics\StatsTopCreators;
use Waca\Pages\Statistics\StatsUsers;
use Waca\Tasks\IRoutedTask;
use Waca\WebRequest;
/**
* Request router
* @package Waca\Router
* @category Security-Critical
*/
class RequestRouter implements IRequestRouter
{
* This is the core routing table for the application. The basic idea is:
*
* array(
* "foo" =>
* "class" => PageFoo::class,
* "actions" => array("bar", "other")
* ),
* );
* Things to note:
* - If no page is requested, we go to PageMain. PageMain can't have actions defined.
* - If a page is defined and requested, but no action is requested, go to that page's main() method
* - If a page is defined and requested, and an action is defined and requested, go to that action's method.
* - If a page is defined and requested, and an action NOT defined and requested, go to Page404 and it's main()
* method.
* - If a page is NOT defined and requested, go to Page404 and it's main() method.
* - Query parameters are ignored.
* The key point here is request routing with validation that this is allowed, before we start hitting the
* filesystem through the AutoLoader, and opening random files. Also, so that we validate the action requested
* before we start calling random methods through the web UI.
* Examples:
* /internal.php => returns instance of PageMain, routed to main()
* /internal.php?query => returns instance of PageMain, routed to main()
* /internal.php/foo => returns instance of PageFoo, routed to main()
* /internal.php/foo?query => returns instance of PageFoo, routed to main()
* /internal.php/foo/bar => returns instance of PageFoo, routed to bar()
* /internal.php/foo/bar?query => returns instance of PageFoo, routed to bar()
* /internal.php/foo/baz => returns instance of Page404, routed to main()
* /internal.php/foo/baz?query => returns instance of Page404, routed to main()
* /internal.php/bar => returns instance of Page404, routed to main()
* /internal.php/bar?query => returns instance of Page404, routed to main()
* /internal.php/bar/baz => returns instance of Page404, routed to main()
* /internal.php/bar/baz?query => returns instance of Page404, routed to main()
* Take care when changing this - a lot of places rely on the array key for redirects and other links. If you need
* to change the key, then you'll likely have to update a lot of files.
* @var array
private $routeMap = array(
//////////////////////////////////////////////////////////////////////////////////////////////////
// Login and registration
'logout' =>
array(
'class' => PageLogout::class,
'actions' => array(),
),
'login' =>
'class' => PageLogin::class,
'forgotPassword' =>
'class' => PageForgotPassword::class,
'actions' => array('reset'),
'register' =>
'class' => PageRegister::class,
'actions' => array('done'),
// Discovery
'search' =>
'class' => PageSearch::class,
'logs' =>
'class' => PageLog::class,
// Administration
'bans' =>
'class' => PageBan::class,
'actions' => array('set', 'remove'),
'userManagement' =>
'class' => PageUserManagement::class,
'actions' => array(
'approve',
'decline',
'rename',
'editUser',
'suspend',
'promote',
'demote',
'siteNotice' =>
'class' => PageSiteNotice::class,
'emailManagement' =>
'class' => PageEmailManagement::class,
'actions' => array('create', 'edit', 'view'),
// Personal preferences
'preferences' =>
'class' => PagePreferences::class,
'actions' => array('changePassword'),
'oauth' =>
'class' => PageOAuth::class,
'actions' => array('detach', 'attach'),
// Welcomer configuration
'welcomeTemplates' =>
'class' => PageWelcomeTemplateManagement::class,
'actions' => array('select', 'edit', 'delete', 'add', 'view'),
// Statistics
'statistics' =>
'class' => StatsMain::class,
'statistics/fastCloses' =>
'class' => StatsFastCloses::class,
'statistics/inactiveUsers' =>
'class' => StatsInactiveUsers::class,
'statistics/monthlyStats' =>
'class' => StatsMonthlyStats::class,
'statistics/reservedRequests' =>
'class' => StatsReservedRequests::class,
'statistics/templateStats' =>
'class' => StatsTemplateStats::class,
'statistics/topCreators' =>
'class' => StatsTopCreators::class,
'statistics/users' =>
'class' => StatsUsers::class,
'actions' => array('detail'),
// Zoom page
'viewRequest' =>
'class' => PageViewRequest::class,
'viewRequest/reserve' =>
'class' => PageReservation::class,
'viewRequest/breakReserve' =>
'class' => PageBreakReservation::class,
'viewRequest/defer' =>
'class' => PageDeferRequest::class,
'viewRequest/comment' =>
'class' => PageComment::class,
'viewRequest/sendToUser' =>
'class' => PageSendToUser::class,
'viewRequest/close' =>
'class' => PageCloseRequest::class,
'viewRequest/drop' =>
'class' => PageDropRequest::class,
'viewRequest/custom' =>
'class' => PageCustomClose::class,
'editComment' =>
'class' => PageEditComment::class,
// Misc stuff
'team' =>
'class' => PageTeam::class,
);
* @return IRoutedTask
* @throws Exception
final public function route()
$pathInfo = WebRequest::pathInfo();
list($pageClass, $action) = $this->getRouteFromPath($pathInfo);
/** @var IRoutedTask $page */
$page = new $pageClass();
// Dynamic creation, so we've got to be careful here. We can't use built-in language type protection, so
// let's use our own.
if (!($page instanceof IRoutedTask)) {
throw new Exception('Expected a page, but this is not a page.');
}
// OK, I'm happy at this point that we know we're running a page, and we know it's probably what we want if it
// inherits PageBase and has been created from the routing map.
$page->setRoute($action);
return $page;
* @param $pathInfo
* @return array
protected function getRouteFromPath($pathInfo)
if (count($pathInfo) === 0) {
// No pathInfo, so no page to load. Load the main page.
return $this->getDefaultRoute();
elseif (count($pathInfo) === 1) {
// Exactly one path info segment, it's got to be a page.
$classSegment = $pathInfo[0];
return $this->routeSinglePathSegment($classSegment);
// OK, we have two or more segments now.
if (count($pathInfo) > 2) {
// Let's handle more than two, and collapse it down into two.
$requestedAction = array_pop($pathInfo);
$classSegment = implode('/', $pathInfo);
else {
// Two path info segments.
$requestedAction = $pathInfo[1];
$routeMap = $this->routePathSegments($classSegment, $requestedAction);
if ($routeMap[0] === Page404::class) {
$routeMap = $this->routeSinglePathSegment($classSegment . '/' . $requestedAction);
return $routeMap;
* @param $classSegment
final protected function routeSinglePathSegment($classSegment)
$routeMap = $this->getRouteMap();
if (array_key_exists($classSegment, $routeMap)) {
// Route exists, but we don't have an action in path info, so default to main.
$pageClass = $routeMap[$classSegment]['class'];
$action = 'main';
return array($pageClass, $action);
// Doesn't exist in map. Fall back to 404
$pageClass = Page404::class;
$action = "main";
* @param $requestedAction
final protected function routePathSegments($classSegment, $requestedAction)
if (isset($routeMap[$classSegment]['actions'])
&& array_search($requestedAction, $routeMap[$classSegment]['actions']) !== false
) {
// Action exists in allowed action list. Allow both the page and the action
$action = $requestedAction;
// Valid page, invalid action. 404 our way out.
// Class doesn't exist in map. Fall back to 404
protected function getRouteMap()
return $this->routeMap;
* @return callable
string[]
This check looks for the generic type array as a return type and suggests a more specific type. This type is inferred from the actual code.
array
protected function getDefaultRoute()
return array(PageMain::class, "main");
stwalkerster /
waca
Simon Walker
This check looks for the generic type
arrayas a return type and suggests a more specific type. This type is inferred from the actual code.