diff --git a/phpstan.neon b/phpstan.neon
index 74333f8c..58f16ccc 100644
--- a/phpstan.neon
+++ b/phpstan.neon
@@ -2,6 +2,7 @@ parameters:
 level: 4
 paths:
 - resources
+ - webroot
 - test
 ignoreErrors:
 # $this, $data comes from UnityMailer
@@ -35,3 +36,8 @@ parameters:
 - '#Property UnityWebPortal\\lib\\UnityWebhook::\$Subject is never written, only read\.#'
 paths:
 - resources/lib/UnityWebhook.php
+ # init.php sets these when the user is logged in
+ - messages:
+ - '#Variable \$(LDAP|SQL|MAILER|WEBHOOK|GITHUB|SSO|OPERATOR|USER|SEND_PIMESG_TO_ADMINS|LOC_HEADER|LOC_FOOTER) might not be defined.#'
+ paths:
+ - webroot/*
diff --git a/resources/lib/UnityHTTPD.php b/resources/lib/UnityHTTPD.php
index 5db5fd5a..cb3ae64d 100644
--- a/resources/lib/UnityHTTPD.php
+++ b/resources/lib/UnityHTTPD.php
@@ -228,7 +228,7 @@ public static function errorHandler(int $severity, string $message, string $file
 return false;
 }
- public static function getPostData(string $key): mixed
+ public static function getPostData(string $key): string
 {
 if (!array_key_exists("REQUEST_METHOD", $_SERVER)) {
 throw new RuntimeException('$_SERVER has no array key "REQUEST_METHOD"');
@@ -243,7 +243,7 @@ public static function getPostData(string $key): mixed
 }
 /* returns null if not found and not $throw_if_not_found */
- public static function getQueryParameter(string $key, bool $throw_if_not_found = true): mixed
+ public static function getQueryParameter(string $key, bool $throw_if_not_found = true): ?string
 {
 if (!array_key_exists($key, $_GET)) {
 if ($throw_if_not_found) {
diff --git a/test/functional/PIMemberRequestTest.php b/test/functional/PIMemberRequestTest.php
index 5d3975f1..1686bf21 100644
--- a/test/functional/PIMemberRequestTest.php
+++ b/test/functional/PIMemberRequestTest.php
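Review bot: The new ignoreErrors entry silences "might not be defined" for `$USER`, `$OPERATOR`, `$LDAP` and the rest across every file under `webroot/*`, so a page that can be reached without the init.php login path, or a misspelled global, will no longer be reported, and the comment itself says these are only set when the user is logged in, which is exactly the situation the check was catching. If the globals really are guaranteed on every webroot page, a PHPStan bootstrap or stub file that declares them with `@var` docblocks keeps the analysis honest without a blanket ignore; otherwise narrow `paths` to the directories that sit behind the login check. Minor: the `.` before the closing `#` in `might not be defined.#` is an unescaped regex metacharacter and should be `\.`.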
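Review bot: Narrowing getPostData's return type to `string` means a request that sends the key as an array (PHP parses `uid[]=x` into an array in `$_POST`) now ends in an uncaught TypeError at the return rather than a 400, assuming the body, which continues outside the hunk, hands back `$_POST[$key]` directly; getQueryParameter's new `?string` in the next hunk has the same exposure through `$_GET`. Reject the wrong shape explicitly before returning, e.g. `if (!is_string($_POST[$key])) { self::badRequest("POST parameter \"$key\" must be a string"); }` (badRequest is called as a static elsewhere in this diff; confirm it does not return), and the equivalent `is_string` check in getQueryParameter. Both method bodies start in the hunk but end outside it.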
@@ -48,8 +48,8 @@ public function testRequestMembership()
 $this->requestMembership("asdlkjasldkj");
 $this->assertMessageExists(
 UnityHTTPDMessageLevel::ERROR,
+ "/^This PI Doesn't Exist$/",
 "/.*/",
- "/^This PI doesn't exist$/",
 );
 $this->requestMembership($pi_group->getOwner()->getMail());
 $this->assertTrue($SQL->requestExists($uid, $gid));
diff --git a/webroot/admin/ajax/get_group_members.php b/webroot/admin/ajax/get_group_members.php
index 02dc3233..7d0dbde8 100644
--- a/webroot/admin/ajax/get_group_members.php
+++ b/webroot/admin/ajax/get_group_members.php
@@ -4,6 +4,7 @@
 use UnityWebPortal\lib\UnityGroup;
 use UnityWebPortal\lib\UnityHTTPD;
+use UnityWebPortal\lib\UserFlag;
 if (!$USER->getFlag(UserFlag::ADMIN)) {
 UnityHTTPD::forbidden("not an admin");
diff --git a/webroot/admin/ajax/get_page_contents.php b/webroot/admin/ajax/get_page_contents.php
index f384c1de..9852d7aa 100644
--- a/webroot/admin/ajax/get_page_contents.php
+++ b/webroot/admin/ajax/get_page_contents.php
@@ -3,6 +3,7 @@
 require_once __DIR__ . "/../../../resources/autoload.php";
 use UnityWebPortal\lib\UnityHTTPD;
+use UnityWebPortal\lib\UserFlag;
 if (!$USER->getFlag(UserFlag::ADMIN)) {
 UnityHTTPD::forbidden("not an admin");
diff --git a/webroot/admin/pi-mgmt.php b/webroot/admin/pi-mgmt.php
index 75b128b2..a494d67e 100644
--- a/webroot/admin/pi-mgmt.php
+++ b/webroot/admin/pi-mgmt.php
@@ -12,14 +12,16 @@
 UnityHTTPD::forbidden("not an admin");
 }
+$getUserFromPost = function () {
+ global $LDAP, $SQL, $MAILER, $WEBHOOK;
+ return new UnityUser(UnityHTTPD::getPostData("uid"), $LDAP, $SQL, $MAILER, $WEBHOOK);
+};
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
 UnityHTTPD::validatePostCSRFToken();
- if (isset($_POST["uid"])) {
- $form_user = new UnityUser($_POST["uid"], $LDAP, $SQL, $MAILER, $WEBHOOK);
- }
 switch ($_POST["form_type"]) {
 case "req":
+ $form_user = $getUserFromPost();
 if ($_POST["action"] == "Approve") {
 $group = $form_user->getPIGroup();
 $group->approveGroup($OPERATOR);
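Review bot: The pattern that presumably matches the message body is now the catch-all `"/.*/"`, while the page this commit changes (groups.php) now puts the submitted identifier into that body, so the test no longer checks what the user is actually shown; pinning it with `"/^asdlkjasldkj$/"` would also catch any later change to what gets reflected. Minor: PCRE `$` also matches before a trailing newline, so `\z` is the strict end anchor if an exact match is intended.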
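Review bot: `$getUserFromPost` reaches for `global $LDAP, $SQL, $MAILER, $WEBHOOK` inside the closure even though it is declared in the page scope that already holds those variables (it sits after the `$USER` admin check, so init.php has run); capturing them, `$getUserFromPost = function () use ($LDAP, $SQL, $MAILER, $WEBHOOK): UnityUser {`, keeps the dependency explicit and gives PHPStan a type for `$form_user` below. The identical closure is copy-pasted into webroot/panel/pi.php in this same commit, so a shared helper in resources/lib would keep the two in step. Note also that `$_POST["form_type"]`, `$_POST["action"]` and `$_POST["pi"]` are still read directly while only `uid` goes through getPostData, which leaves the undefined-index case inconsistent between them.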
@@ -27,21 +29,20 @@
 $group = $form_user->getPIGroup();
 $group->denyGroup($OPERATOR);
 }
- break;
 case "reqChild":
+ $form_user = $getUserFromPost();
 $parent_group = new UnityGroup($_POST["pi"], $LDAP, $SQL, $MAILER, $WEBHOOK);
 if ($_POST["action"] == "Approve") {
 $parent_group->approveUser($form_user);
 } elseif ($_POST["action"] == "Deny") {
 $parent_group->denyUser($form_user);
 }
- break;
 case "remUserChild":
+ $form_user = $getUserFromPost();
 $parent = new UnityGroup($_POST["pi"], $LDAP, $SQL, $MAILER, $WEBHOOK);
 $parent->removeUser($form_user);
- break;
 }
 }
diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php
index 9032a4b9..f005f50d 100644
--- a/webroot/admin/user-mgmt.php
+++ b/webroot/admin/user-mgmt.php
@@ -15,7 +15,7 @@
 case "viewAsUser":
 $_SESSION["viewUser"] = $_POST["uid"];
 UnityHTTPD::redirect(getURL("panel/account.php"));
- break;
+ break; /** @phpstan-ignore deadCode.unreachable */
 }
 }
diff --git a/webroot/panel/groups.php b/webroot/panel/groups.php
index 562c6d0f..7fcceb16 100644
--- a/webroot/panel/groups.php
+++ b/webroot/panel/groups.php
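Review bot: Removing the three `break;` lines makes this `switch` fall through: a `form_type=req` request, after approving or denying the PI group, continues into `case "reqChild"` and then `case "remUserChild"`, each of which builds a UnityGroup from `$_POST["pi"]` and ends by calling `removeUser` on it, so a group approval can end with a membership removal (or a fault on the missing `pi` key). Nothing in the hunk ends these cases with a never-returning call, unlike the `redirect()` branches in groups.php and user-mgmt.php where this commit keeps the `break` with a phpstan-ignore, and the closing braces of both the switch and the enclosing `if` are visible here, so the `break;` statements should be restored; if PHPStan's deadCode.unreachable was the motivation, `break; /** @phpstan-ignore deadCode.unreachable */` is the form used elsewhere in this commit. The same removal appears in webroot/panel/pi.php's `case "userReq"`, where an approval would fall into `case "remUser"` and immediately remove the user it just approved.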
@@ -6,29 +6,30 @@
 use UnityWebPortal\lib\UnityGroup;
 use UnityWebPortal\lib\UnityHTTPD;
+$getPIGroupFromPost = function () {
+ global $LDAP, $SQL, $MAILER, $WEBHOOK;
+ $gid_or_mail = UnityHTTPD::getPostData("pi");
+ if (substr($gid_or_mail, 0, 3) !== "pi_" && str_contains($gid_or_mail, "@")) {
+ try {
+ $gid_or_mail = UnityGroup::ownerMail2GID($gid_or_mail);
+ } catch (EntryNotFoundException) {
+ // oh well, we tried
+ }
+ }
+ $pi_group = new UnityGroup($gid_or_mail, $LDAP, $SQL, $MAILER, $WEBHOOK);
+ if (!$pi_group->exists()) {
+ UnityHTTPD::messageError("This PI Doesn't Exist", $gid_or_mail);
+ UnityHTTPD::redirect();
+ }
+ return $pi_group;
+};
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
 UnityHTTPD::validatePostCSRFToken();
 if (isset($_POST["form_type"])) {
- if (isset($_POST["pi"])) {
- $pi_groupname = $_POST["pi"];
- if (substr($pi_groupname, 0, 3) !== "pi_" && str_contains($pi_groupname, "@")) {
- try {
- $pi_groupname = UnityGroup::ownerMail2GID($pi_groupname);
- } catch (EntryNotFoundException) {
- }
- }
- $pi_account = new UnityGroup($pi_groupname, $LDAP, $SQL, $MAILER, $WEBHOOK);
- if (!$pi_account->exists()) {
- UnityHTTPD::messageError(
- "Invalid Group Membership Request",
- "This PI doesn't exist"
- );
- UnityHTTPD::redirect();
- }
- }
-
 switch ($_POST["form_type"]) {
 case "addPIform":
+ $pi_account = $getPIGroupFromPost();
 if (!isset($_POST["tos"]) || $_POST["tos"] != "agree") {
 UnityHTTPD::badRequest("user did not agree to terms of service");
 }
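Review bot: `UnityHTTPD::messageError("This PI Doesn't Exist", $gid_or_mail)` now places the raw POST value in the message body, which the removed code did not do, and it does so precisely on the path where the value failed validation; whether that is safe depends on messageError's renderer (outside this diff) HTML-escaping the body, so confirm that, or escape here with `htmlspecialchars($gid_or_mail, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` if the message is emitted as markup. Style: `substr($gid_or_mail, 0, 3) !== "pi_"` reads better as `!str_starts_with($gid_or_mail, "pi_")`, matching the `str_contains` beside it, and `global` could be `use ($LDAP, $SQL, $MAILER, $WEBHOOK)` with a `: UnityGroup` return type so PHPStan can type `$pi_account` in the cases below. Swallowing `EntryNotFoundException` is acceptable only because the `exists()` check follows; the comment could say so, e.g. `// not a PI owner's mail; fall through to the exists() check below`.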
@@ -50,15 +51,17 @@
 }
 $pi_account->newUserRequest($USER);
 UnityHTTPD::redirect();
- break;
+ break; /** @phpstan-ignore deadCode.unreachable */
 case "removePIForm":
+ $pi_account = $getPIGroupFromPost();
 $pi_account->removeUser($USER);
 UnityHTTPD::redirect();
- break;
+ break; /** @phpstan-ignore deadCode.unreachable */
 case "cancelPIForm":
+ $pi_account = $getPIGroupFromPost();
 $pi_account->cancelGroupJoinRequest($USER);
 UnityHTTPD::redirect();
- break;
+ break; /** @phpstan-ignore deadCode.unreachable */
 }
 }
 }
diff --git a/webroot/panel/pi.php b/webroot/panel/pi.php
index 7cdd3f58..fc031d64 100644
--- a/webroot/panel/pi.php
+++ b/webroot/panel/pi.php
@@ -11,22 +11,24 @@
 UnityHTTPD::forbidden("not a PI");
 }
+$getUserFromPost = function () {
+ global $LDAP, $SQL, $MAILER, $WEBHOOK;
+ return new UnityUser(UnityHTTPD::getPostData("uid"), $LDAP, $SQL, $MAILER, $WEBHOOK);
+};
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
 UnityHTTPD::validatePostCSRFToken();
- if (isset($_POST["uid"])) {
- $form_user = new UnityUser($_POST["uid"], $LDAP, $SQL, $MAILER, $WEBHOOK);
- }
 switch ($_POST["form_type"]) {
 case "userReq":
+ $form_user = $getUserFromPost();
 if ($_POST["action"] == "Approve") {
 $group->approveUser($form_user);
 } elseif ($_POST["action"] == "Deny") {
 $group->denyUser($form_user);
 }
- break;
 case "remUser":
+ $form_user = $getUserFromPost();
 // remove user button clicked
 $group->removeUser($form_user);