Issues in InternalPageBase.php (master) - Issues in master - stwalkerster/waca - Measure and Improve Code Quality continuously with Scrutinizer

Issues (195)

includes/Tasks/InternalPageBase.php (1 issue)

Severity

Unknown 1

<?php
/******************************************************************************
 * Wikipedia Account Creation Assistance tool                                 *
 *                                                                            *
 * All code in this file is released into the public domain by the ACC        *
 * Development Team. Please see team.json for a list of contributors.         *
 ******************************************************************************/

namespace Waca\Tasks;

use Exception;
use PDO;
use Waca\DataObjects\SiteNotice;
use Waca\DataObjects\User;
use Waca\Exceptions\AccessDeniedException;
use Waca\Exceptions\NotIdentifiedException;
use Waca\Fragments\NavigationMenuAccessControl;
use Waca\Helpers\Interfaces\IBlacklistHelper;
use Waca\Helpers\Interfaces\ITypeAheadHelper;
use Waca\Security\DomainAccessManager;
use Waca\Security\SecurityManager;
use Waca\WebRequest;

abstract class InternalPageBase extends PageBase
{
    use NavigationMenuAccessControl;

    /** @var ITypeAheadHelper */
    private $typeAheadHelper;
    /** @var SecurityManager */
    private $securityManager;
    /** @var IBlacklistHelper */
    private $blacklistHelper;
    /** @var DomainAccessManager */
    private $domainAccessManager;

    /**
     * @return ITypeAheadHelper
     */
    public function getTypeAheadHelper()
    {
        return $this->typeAheadHelper;
    }

    /**
     * @param ITypeAheadHelper $typeAheadHelper
     */
    public function setTypeAheadHelper(ITypeAheadHelper $typeAheadHelper)
    {
        $this->typeAheadHelper = $typeAheadHelper;
    }

    /**
     * Runs the page code
     *
     * @throws Exception
     * @category Security-Critical
     */
    final public function execute()
    {
        if ($this->getRouteName() === null) {

            throw new Exception("Request is unrouted.");
        }

        if ($this->getSiteConfiguration() === null) {
            throw new Exception("Page has no configuration!");
        }

        $this->setupPage();

        $this->touchUserLastActive();

        $currentUser = User::getCurrent($this->getDatabase());

        // Hey, this is also a security barrier, in addition to the below. Separated out for readability.
        if (!$this->isProtectedPage()) {
            // This page is /not/ a protected page, as such we can just run it.
            $this->runPage();

            return;
        }

        // Security barrier.
        //
        // This code essentially doesn't care if the user is logged in or not, as the security manager hides all that
        // away for us
        $securityResult = $this->getSecurityManager()->allows(get_called_class(), $this->getRouteName(), $currentUser);
        if ($securityResult === SecurityManager::ALLOWED) {
            // We're allowed to run the page, so let's run it.
            $this->runPage();
        }
        else {
            $this->handleAccessDenied($securityResult);

            // Send the headers
            $this->sendResponseHeaders();
        }
    }

    /**
     * Performs final tasks needed before rendering the page.
     */
    final public function finalisePage()
    {
        parent::finalisePage();

        $database = $this->getDatabase();
        $currentUser = User::getCurrent($database);

        // Load in the badges for the navbar
        $this->setUpNavBarBadges($currentUser, $database);

        if ($this->barrierTest('viewSiteNotice', User::getCurrent($database), 'GlobalInfo')) {
            $siteNotice = SiteNotice::get($this->getDatabase());
            $siteNoticeHash = sha1($siteNotice);

            if (WebRequest::testSiteNoticeCookieValue($siteNoticeHash)) {
                $this->assign('siteNoticeState', 'd-none');
            }
            else {
                $this->assign('siteNoticeState', 'd-block');
            }

            $this->assign('siteNoticeText', $siteNotice);
            $this->assign('siteNoticeVersion', $siteNoticeHash);
        }

        if ($this->barrierTest('viewOnlineUsers', User::getCurrent($database), 'GlobalInfo')) {
            $sql = 'SELECT * FROM user WHERE lastactive > DATE_SUB(CURRENT_TIMESTAMP(), INTERVAL 5 MINUTE);';
            $statement = $database->query($sql);
            $activeUsers = $statement->fetchAll(PDO::FETCH_CLASS, User::class);
            $this->assign('onlineusers', $activeUsers);
        }

        $this->setupNavMenuAccess($currentUser);
    }

    /**
     * Configures whether the page respects roles or not. You probably want this to return true.
     *
     * Set to false for public pages. You probably want this to return true.
     *
     * This defaults to true unless you explicitly set it to false. Setting it to false means anybody can do anything
     * on this page, so you probably want this to return true.
     *
     * @return bool
     * @category Security-Critical
     */
    protected function isProtectedPage()
    {
        return true;
    }

    protected function handleAccessDenied($denyReason)
    {
        $currentUser = User::getCurrent($this->getDatabase());

        // Not allowed to access this resource.
        // Firstly, let's check if we're even logged in.
        if ($currentUser->isCommunityUser()) {
            // Not logged in, redirect to login page
            WebRequest::setPostLoginRedirect();
            $this->redirect("login");

            return;
        }
        else {
            // Decide whether this was a rights failure, or an identification failure.

            if ($denyReason === SecurityManager::ERROR_NOT_IDENTIFIED) {
                // Not identified
                throw new NotIdentifiedException($this->getSecurityManager(), $this->getDomainAccessManager());
            }
            elseif ($denyReason === SecurityManager::ERROR_DENIED) {
                // Nope, plain old access denied
                throw new AccessDeniedException($this->getSecurityManager(), $this->getDomainAccessManager());
            }
            else {
                throw new Exception('Unknown response from security manager.');
            }
        }
    }

    /**
     * Tests the security barrier for a specified action.
     *
     * Don't use within templates
     *
     * @param string      $action
     *
     * @param User        $user
     * @param null|string $pageName
     *
     * @return bool
     * @category Security-Critical
     */
    final public function barrierTest($action, User $user, $pageName = null)
    {
        $page = get_called_class();
        if ($pageName !== null) {
            $page = $pageName;
        }

        $securityResult = $this->getSecurityManager()->allows($page, $action, $user);

        return $securityResult === SecurityManager::ALLOWED;
    }

    /**
     * Updates the lastactive timestamp
     */
    private function touchUserLastActive()
    {
        if (WebRequest::getSessionUserId() !== null) {
            $query = 'UPDATE user SET lastactive = CURRENT_TIMESTAMP() WHERE id = :id;';
            $this->getDatabase()->prepare($query)->execute(array(":id" => WebRequest::getSessionUserId()));
        }
    }

    /**
     * @return SecurityManager
     */
    public function getSecurityManager()
    {
        return $this->securityManager;
    }

    /**
     * @param SecurityManager $securityManager
     */
    public function setSecurityManager(SecurityManager $securityManager)
    {
        $this->securityManager = $securityManager;
    }

    /**
     * @return IBlacklistHelper
     */
    public function getBlacklistHelper()
    {
        return $this->blacklistHelper;
    }

    /**
     * @param IBlacklistHelper $blacklistHelper
     */
    public function setBlacklistHelper(IBlacklistHelper $blacklistHelper)
    {
        $this->blacklistHelper = $blacklistHelper;
    }

    /**
     * @return DomainAccessManager
     */
    public function getDomainAccessManager(): DomainAccessManager
    {
        return $this->domainAccessManager;
    }

    /**
     * @param DomainAccessManager $domainAccessManager
     */
    public function setDomainAccessManager(DomainAccessManager $domainAccessManager): void
    {
        $this->domainAccessManager = $domainAccessManager;
    }
}


1			<?php
2			/******************************************************************************
3			* Wikipedia Account Creation Assistance tool *
4			* *
5			* All code in this file is released into the public domain by the ACC *
6			* Development Team. Please see team.json for a list of contributors. *
7			******************************************************************************/
8
9			namespace Waca\Tasks;
10
11			use Exception;
12			use PDO;
13			use Waca\DataObjects\SiteNotice;
14			use Waca\DataObjects\User;
15			use Waca\Exceptions\AccessDeniedException;
16			use Waca\Exceptions\NotIdentifiedException;
17			use Waca\Fragments\NavigationMenuAccessControl;
18			use Waca\Helpers\Interfaces\IBlacklistHelper;
19			use Waca\Helpers\Interfaces\ITypeAheadHelper;
20			use Waca\Security\DomainAccessManager;
21			use Waca\Security\SecurityManager;
22			use Waca\WebRequest;
23
24			abstract class InternalPageBase extends PageBase
25			{
26			use NavigationMenuAccessControl;
27
28			/** @var ITypeAheadHelper */
29			private $typeAheadHelper;
30			/** @var SecurityManager */
31			private $securityManager;
32			/** @var IBlacklistHelper */
33			private $blacklistHelper;
34			/** @var DomainAccessManager */
35			private $domainAccessManager;
36
37			/**
38			* @return ITypeAheadHelper
39			*/
40			public function getTypeAheadHelper()
41			{
42			return $this->typeAheadHelper;
43			}
44
45			/**
46			* @param ITypeAheadHelper $typeAheadHelper
47			*/
48			public function setTypeAheadHelper(ITypeAheadHelper $typeAheadHelper)
49			{
50			$this->typeAheadHelper = $typeAheadHelper;
51			}
52
53			/**
54			* Runs the page code
55			*
56			* @throws Exception
57			* @category Security-Critical
58			*/
59			final public function execute()
60			{
61			if ($this->getRouteName() === null) {
			0 ignored issues – show introduced 2020-05-09 22:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `$this->getRouteName() === null` is always `false`. Loading history...
62			throw new Exception("Request is unrouted.");
63			}
64
65			if ($this->getSiteConfiguration() === null) {
66			throw new Exception("Page has no configuration!");
67			}
68
69			$this->setupPage();
70
71			$this->touchUserLastActive();
72
73			$currentUser = User::getCurrent($this->getDatabase());
74
75			// Hey, this is also a security barrier, in addition to the below. Separated out for readability.
76			if (!$this->isProtectedPage()) {
77			// This page is /not/ a protected page, as such we can just run it.
78			$this->runPage();
79
80			return;
81			}
82
83			// Security barrier.
84			//
85			// This code essentially doesn't care if the user is logged in or not, as the security manager hides all that
86			// away for us
87			$securityResult = $this->getSecurityManager()->allows(get_called_class(), $this->getRouteName(), $currentUser);
88			if ($securityResult === SecurityManager::ALLOWED) {
89			// We're allowed to run the page, so let's run it.
90			$this->runPage();
91			}
92			else {
93			$this->handleAccessDenied($securityResult);
94
95			// Send the headers
96			$this->sendResponseHeaders();
97			}
98			}
99
100			/**
101			* Performs final tasks needed before rendering the page.
102			*/
103			final public function finalisePage()
104			{
105			parent::finalisePage();
106
107			$database = $this->getDatabase();
108			$currentUser = User::getCurrent($database);
109
110			// Load in the badges for the navbar
111			$this->setUpNavBarBadges($currentUser, $database);
112
113			if ($this->barrierTest('viewSiteNotice', User::getCurrent($database), 'GlobalInfo')) {
114			$siteNotice = SiteNotice::get($this->getDatabase());
115			$siteNoticeHash = sha1($siteNotice);
116
117			if (WebRequest::testSiteNoticeCookieValue($siteNoticeHash)) {
118			$this->assign('siteNoticeState', 'd-none');
119			}
120			else {
121			$this->assign('siteNoticeState', 'd-block');
122			}
123
124			$this->assign('siteNoticeText', $siteNotice);
125			$this->assign('siteNoticeVersion', $siteNoticeHash);
126			}
127
128			if ($this->barrierTest('viewOnlineUsers', User::getCurrent($database), 'GlobalInfo')) {
129			$sql = 'SELECT * FROM user WHERE lastactive > DATE_SUB(CURRENT_TIMESTAMP(), INTERVAL 5 MINUTE);';
130			$statement = $database->query($sql);
131			$activeUsers = $statement->fetchAll(PDO::FETCH_CLASS, User::class);
132			$this->assign('onlineusers', $activeUsers);
133			}
134
135			$this->setupNavMenuAccess($currentUser);
136			}
137
138			/**
139			* Configures whether the page respects roles or not. You probably want this to return true.
140			*
141			* Set to false for public pages. You probably want this to return true.
142			*
143			* This defaults to true unless you explicitly set it to false. Setting it to false means anybody can do anything
144			* on this page, so you probably want this to return true.
145			*
146			* @return bool
147			* @category Security-Critical
148			*/
149			protected function isProtectedPage()
150			{
151			return true;
152			}
153
154			protected function handleAccessDenied($denyReason)
155			{
156			$currentUser = User::getCurrent($this->getDatabase());
157
158			// Not allowed to access this resource.
159			// Firstly, let's check if we're even logged in.
160			if ($currentUser->isCommunityUser()) {
161			// Not logged in, redirect to login page
162			WebRequest::setPostLoginRedirect();
163			$this->redirect("login");
164
165			return;
166			}
167			else {
168			// Decide whether this was a rights failure, or an identification failure.
169
170			if ($denyReason === SecurityManager::ERROR_NOT_IDENTIFIED) {
171			// Not identified
172			throw new NotIdentifiedException($this->getSecurityManager(), $this->getDomainAccessManager());
173			}
174			elseif ($denyReason === SecurityManager::ERROR_DENIED) {
175			// Nope, plain old access denied
176			throw new AccessDeniedException($this->getSecurityManager(), $this->getDomainAccessManager());
177			}
178			else {
179			throw new Exception('Unknown response from security manager.');
180			}
181			}
182			}
183
184			/**
185			* Tests the security barrier for a specified action.
186			*
187			* Don't use within templates
188			*
189			* @param string $action
190			*
191			* @param User $user
192			* @param null\|string $pageName
193			*
194			* @return bool
195			* @category Security-Critical
196			*/
197			final public function barrierTest($action, User $user, $pageName = null)
198			{
199			$page = get_called_class();
200			if ($pageName !== null) {
201			$page = $pageName;
202			}
203
204			$securityResult = $this->getSecurityManager()->allows($page, $action, $user);
205
206			return $securityResult === SecurityManager::ALLOWED;
207			}
208
209			/**
210			* Updates the lastactive timestamp
211			*/
212			private function touchUserLastActive()
213			{
214			if (WebRequest::getSessionUserId() !== null) {
215			$query = 'UPDATE user SET lastactive = CURRENT_TIMESTAMP() WHERE id = :id;';
216			$this->getDatabase()->prepare($query)->execute(array(":id" => WebRequest::getSessionUserId()));
217			}
218			}
219
220			/**
221			* @return SecurityManager
222			*/
223			public function getSecurityManager()
224			{
225			return $this->securityManager;
226			}
227
228			/**
229			* @param SecurityManager $securityManager
230			*/
231			public function setSecurityManager(SecurityManager $securityManager)
232			{
233			$this->securityManager = $securityManager;
234			}
235
236			/**
237			* @return IBlacklistHelper
238			*/
239			public function getBlacklistHelper()
240			{
241			return $this->blacklistHelper;
242			}
243
244			/**
245			* @param IBlacklistHelper $blacklistHelper
246			*/
247			public function setBlacklistHelper(IBlacklistHelper $blacklistHelper)
248			{
249			$this->blacklistHelper = $blacklistHelper;
250			}
251
252			/**
253			* @return DomainAccessManager
254			*/
255			public function getDomainAccessManager(): DomainAccessManager
256			{
257			return $this->domainAccessManager;
258			}
259
260			/**
261			* @param DomainAccessManager $domainAccessManager
262			*/
263			public function setDomainAccessManager(DomainAccessManager $domainAccessManager): void
264			{
265			$this->domainAccessManager = $domainAccessManager;
266			}
267			}
268

stwalkerster / waca

Issues (195)

includes/Tasks/InternalPageBase.php (1 issue)

Severity

Introduced By

Duplication Side-by-Side

Filter issues like