From 76e804fe4377f3df43d4658cb5bc465f075ac66a Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Fri, 19 Dec 2025 14:44:49 -0500 Subject: [PATCH 1/9] phpstan for webroot --- phpstan.neon | 6 ++++++ webroot/admin/ajax/get_group_members.php | 1 + webroot/admin/ajax/get_page_contents.php | 1 + webroot/admin/user-mgmt.php | 1 - 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/phpstan.neon b/phpstan.neon index 74333f8c..58f16ccc 100644 --- a/phpstan.neon +++ b/phpstan.neon @@ -2,6 +2,7 @@ parameters: level: 4 paths: - resources + - webroot - test ignoreErrors: # $this, $data comes from UnityMailer @@ -35,3 +36,8 @@ parameters: - '#Property UnityWebPortal\\lib\\UnityWebhook::\$Subject is never written, only read\.#' paths: - resources/lib/UnityWebhook.php + # init.php sets these when the user is logged in + - messages: + - '#Variable \$(LDAP|SQL|MAILER|WEBHOOK|GITHUB|SSO|OPERATOR|USER|SEND_PIMESG_TO_ADMINS|LOC_HEADER|LOC_FOOTER) might not be defined.#' + paths: + - webroot/* diff --git a/webroot/admin/ajax/get_group_members.php b/webroot/admin/ajax/get_group_members.php index 02dc3233..7d0dbde8 100644 --- a/webroot/admin/ajax/get_group_members.php +++ b/webroot/admin/ajax/get_group_members.php @@ -4,6 +4,7 @@ use UnityWebPortal\lib\UnityGroup; use UnityWebPortal\lib\UnityHTTPD; +use UnityWebPortal\lib\UserFlag; if (!$USER->getFlag(UserFlag::ADMIN)) { UnityHTTPD::forbidden("not an admin"); diff --git a/webroot/admin/ajax/get_page_contents.php b/webroot/admin/ajax/get_page_contents.php index f384c1de..9852d7aa 100644 --- a/webroot/admin/ajax/get_page_contents.php +++ b/webroot/admin/ajax/get_page_contents.php @@ -3,6 +3,7 @@ require_once __DIR__ . "/../../../resources/autoload.php"; use UnityWebPortal\lib\UnityHTTPD; +use UnityWebPortal\lib\UserFlag; if (!$USER->getFlag(UserFlag::ADMIN)) { UnityHTTPD::forbidden("not an admin"); diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php index 9032a4b9..6b9b2773 100644 --- a/webroot/admin/user-mgmt.php 
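Review bot: The new ignore for `webroot/*` silences exactly the bug class it describes: the comment says these globals are only set when the user is logged in, so a page under webroot that reaches `$USER->getFlag(...)` or `$OPERATOR` without going through that path will no longer be reported, and the admin gates in webroot/admin are the lines most worth keeping under analysis. The `.` before the closing delimiter is also unescaped and matches any character; the literal form is `'#Variable \$(LDAP|SQL|MAILER|WEBHOOK|GITHUB|SSO|OPERATOR|USER|SEND_PIMESG_TO_ADMINS|LOC_HEADER|LOC_FOOTER) might not be defined\.#'`. If init.php (not visible here) can be registered with PHPStan as a bootstrap/scan file, or a small stub declares `/** @var UnityUser $USER */` and friends, the blanket ignore could be dropped instead of widened.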
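Review bot: The added `use UnityWebPortal\lib\UserFlag;` is what makes `UserFlag::ADMIN` in the admin gate resolve; this file has no namespace, so before the commit the constant referred to global `\UserFlag`, which — unless something defines a class of that name — would have raised `Error: Class "UserFlag" not found` on every request, i.e. the gate failed closed with a 500 rather than open. The same holds for the get_page_contents.php hunk. Because this one line is all that stands between a non-admin session and these ajax endpoints, each deserves a functional test asserting that a non-admin receives the 403 from `UnityHTTPD::forbidden("not an admin")`, so a future typo in the flag name cannot regress into a 200.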
+++ b/webroot/admin/user-mgmt.php @@ -15,7 +15,6 @@ case "viewAsUser": $_SESSION["viewUser"] = $_POST["uid"]; UnityHTTPD::redirect(getURL("panel/account.php")); - break; } } From d85050bfb368583960565ea5058a31ca83c50cd6 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Fri, 19 Dec 2025 14:57:21 -0500 Subject: [PATCH 2/9] fix complaints --- webroot/admin/pi-mgmt.php | 15 ++++++++------- webroot/panel/groups.php | 39 +++++++++++++++++++++------------------ webroot/panel/pi.php | 9 ++++----- 3 files changed, 33 insertions(+), 30 deletions(-) diff --git a/webroot/admin/pi-mgmt.php b/webroot/admin/pi-mgmt.php index 75b128b2..a494d67e 100644 --- a/webroot/admin/pi-mgmt.php +++ b/webroot/admin/pi-mgmt.php @@ -12,14 +12,16 @@ UnityHTTPD::forbidden("not an admin"); } +$getUserFromPost = function () { + global $LDAP, $SQL, $MAILER, $WEBHOOK; + return new UnityUser(UnityHTTPD::getPostData("uid"), $LDAP, $SQL, $MAILER, $WEBHOOK); +}; + if ($_SERVER["REQUEST_METHOD"] == "POST") { UnityHTTPD::validatePostCSRFToken(); - if (isset($_POST["uid"])) { - $form_user = new UnityUser($_POST["uid"], $LDAP, $SQL, $MAILER, $WEBHOOK); - } - switch ($_POST["form_type"]) { case "req": + $form_user = $getUserFromPost(); if ($_POST["action"] == "Approve") { $group = $form_user->getPIGroup(); $group->approveGroup($OPERATOR); @@ -27,21 +29,20 @@ $group = $form_user->getPIGroup(); $group->denyGroup($OPERATOR); } - break; case "reqChild": + $form_user = $getUserFromPost(); $parent_group = new UnityGroup($_POST["pi"], $LDAP, $SQL, $MAILER, $WEBHOOK); if ($_POST["action"] == "Approve") { $parent_group->approveUser($form_user); } elseif ($_POST["action"] == "Deny") { $parent_group->denyUser($form_user); } - break; case "remUserChild": + $form_user = $getUserFromPost(); $parent = new UnityGroup($_POST["pi"], $LDAP, $SQL, $MAILER, $WEBHOOK); $parent->removeUser($form_user); - break; } } diff --git a/webroot/panel/groups.php b/webroot/panel/groups.php index 562c6d0f..f9067450 100644 
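Review bot: `$getUserFromPost` builds a `UnityUser` from whatever `uid` the admin posts and the `req` case immediately calls `getPIGroup()` on it with no check that such a user exists; the groups.php hunk in the same series adds an `exists()` guard for groups, and the same guard belongs here if `UnityUser` offers one (not visible in this diff). Style: the closure declares `global $LDAP, $SQL, $MAILER, $WEBHOOK;` although those are in scope where it is defined — `$getUserFromPost = static function () use ($LDAP, $SQL, $MAILER, $WEBHOOK) {` captures them explicitly and keeps their types visible to PHPStan. `$_POST["form_type"]` and `$_POST["action"]` are still read directly in the same switch while `uid` now goes through `getPostData`; the switch continues outside this hunk.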
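Review bot: In the `reqChild` and `remUserChild` cases the user now comes from `UnityHTTPD::getPostData("uid")`, but the group is still `new UnityGroup($_POST["pi"], ...)` with neither a presence check nor an `exists()` check, so a missing or mistyped `pi` yields an undefined-index warning and then an `approveUser`/`removeUser` call on a group object for a gid that may not exist. `$parent_group = new UnityGroup(UnityHTTPD::getPostData("pi"), $LDAP, $SQL, $MAILER, $WEBHOOK);` followed by `if (!$parent_group->exists()) { UnityHTTPD::badRequest("no such group"); }` mirrors what groups.php does in this series; how those group methods behave for a nonexistent gid is not visible here. The enclosing `if ($_SERVER["REQUEST_METHOD"] == "POST")` block starts before this hunk.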
--- a/webroot/panel/groups.php +++ b/webroot/panel/groups.php @@ -6,29 +6,30 @@ use UnityWebPortal\lib\UnityGroup; use UnityWebPortal\lib\UnityHTTPD; +$getPIGroupFromPost = function () { + global $LDAP, $SQL, $MAILER, $WEBHOOK; + $gid = UnityHTTPD::getPostData("pi"); + if (substr($gid, 0, 3) !== "pi_" && str_contains($gid, "@")) { + try { + $gid = UnityGroup::ownerMail2GID($gid); + } catch (EntryNotFoundException) { + // oh well, we tried + } + } + $pi_group = new UnityGroup($gid, $LDAP, $SQL, $MAILER, $WEBHOOK); + if (!$pi_group->exists()) { + UnityHTTPD::messageError("This PI Doesn't Exist", $gid); + UnityHTTPD::redirect(); + } + return $pi_group; +}; + if ($_SERVER["REQUEST_METHOD"] == "POST") { UnityHTTPD::validatePostCSRFToken(); if (isset($_POST["form_type"])) { - if (isset($_POST["pi"])) { - $pi_groupname = $_POST["pi"]; - if (substr($pi_groupname, 0, 3) !== "pi_" && str_contains($pi_groupname, "@")) { - try { - $pi_groupname = UnityGroup::ownerMail2GID($pi_groupname); - } catch (EntryNotFoundException) { - } - } - $pi_account = new UnityGroup($pi_groupname, $LDAP, $SQL, $MAILER, $WEBHOOK); - if (!$pi_account->exists()) { - UnityHTTPD::messageError( - "Invalid Group Membership Request", - "This PI doesn't exist" - ); - UnityHTTPD::redirect(); - } - } - switch ($_POST["form_type"]) { case "addPIform": + $pi_account = $getPIGroupFromPost(); if (!isset($_POST["tos"]) || $_POST["tos"] != "agree") { UnityHTTPD::badRequest("user did not agree to terms of service"); } @@ -52,10 +53,12 @@ UnityHTTPD::redirect(); break; case "removePIForm": + $pi_account = $getPIGroupFromPost(); $pi_account->removeUser($USER); UnityHTTPD::redirect(); break; case "cancelPIForm": + $pi_account = $getPIGroupFromPost(); $pi_account->cancelGroupJoinRequest($USER); UnityHTTPD::redirect(); break; diff --git a/webroot/panel/pi.php b/webroot/panel/pi.php index 7cdd3f58..dc8bfd74 100644 --- a/webroot/panel/pi.php +++ b/webroot/panel/pi.php 
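Review bot: `UnityHTTPD::messageError("This PI Doesn't Exist", $gid)` now puts the raw POSTed `pi` value into the message body where the old code used a fixed string, so whether this is a reflected-XSS sink depends entirely on `messageError` HTML-escaping its arguments before rendering — that is not visible in this diff and should be confirmed, or the value escaped here with `htmlspecialchars($gid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` if messages are emitted raw. Separately, when `ownerMail2GID` throws `EntryNotFoundException` the e-mail address itself is carried on as the gid; the `exists()` check catches it, but the user is then told that an e-mail address "doesn't exist" as a PI, and a distinct message in the catch path would read better than echoing the input verbatim. The closure body is complete within the hunk.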
@@ -13,20 +13,19 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") { UnityHTTPD::validatePostCSRFToken(); - if (isset($_POST["uid"])) { - $form_user = new UnityUser($_POST["uid"], $LDAP, $SQL, $MAILER, $WEBHOOK); - } - switch ($_POST["form_type"]) { case "userReq": + $uid = UnityHTTPD::getPostData("uid"); + $form_user = new UnityUser($uid, $LDAP, $SQL, $MAILER, $WEBHOOK); if ($_POST["action"] == "Approve") { $group->approveUser($form_user); } elseif ($_POST["action"] == "Deny") { $group->denyUser($form_user); } - break; case "remUser": + $uid = UnityHTTPD::getPostData("uid"); + $form_user = new UnityUser($uid, $LDAP, $SQL, $MAILER, $WEBHOOK); // remove user button clicked $group->removeUser($form_user); From 002605fc3bcc1386253e8684c76753db93a40ab8 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Fri, 19 Dec 2025 14:59:08 -0500 Subject: [PATCH 3/9] ignore dead code --- webroot/panel/groups.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/webroot/panel/groups.php b/webroot/panel/groups.php index f9067450..e7b01508 100644 --- a/webroot/panel/groups.php +++ b/webroot/panel/groups.php @@ -51,17 +51,17 @@ } $pi_account->newUserRequest($USER); UnityHTTPD::redirect(); - break; + break; /** @phpstan-ignore deadCode.unreachable */ case "removePIForm": $pi_account = $getPIGroupFromPost(); $pi_account->removeUser($USER); UnityHTTPD::redirect(); - break; + break; /** @phpstan-ignore deadCode.unreachable */ case "cancelPIForm": $pi_account = $getPIGroupFromPost(); $pi_account->cancelGroupJoinRequest($USER); UnityHTTPD::redirect(); - break; + break; /** @phpstan-ignore deadCode.unreachable */ } } } From e9238b5a527b2f1bccf7ccf1345cc65650b541a3 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Fri, 19 Dec 2025 15:01:12 -0500 Subject: [PATCH 4/9] getUserFromPost --- webroot/panel/pi.php | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/webroot/panel/pi.php b/webroot/panel/pi.php index dc8bfd74..fc031d64 100644 
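Review bot: The `break` kept after each `UnityHTTPD::redirect()` deserves a stated reason rather than a bare suppression: PHPStan reports it as unreachable because `redirect()` never returns, yet that break is what stops `addPIform` from falling through into `removePIForm` (`removeUser($USER)`) and on into `cancelPIForm` should `redirect()` ever stop terminating the request. PHPStan's ignore syntax accepts a parenthesised explanation (1.11+, I believe), e.g. `break; /** @phpstan-ignore deadCode.unreachable (defensive: prevents fall-through into removeUser if redirect() stops exiting) */`, so the next reader does not delete it as dead code — as the first commit in this series did in user-mgmt.php before restoring it. The switch starts before this hunk.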
--- a/webroot/panel/pi.php +++ b/webroot/panel/pi.php @@ -11,12 +11,16 @@ UnityHTTPD::forbidden("not a PI"); } +$getUserFromPost = function () { + global $LDAP, $SQL, $MAILER, $WEBHOOK; + return new UnityUser(UnityHTTPD::getPostData("uid"), $LDAP, $SQL, $MAILER, $WEBHOOK); +}; + if ($_SERVER["REQUEST_METHOD"] == "POST") { UnityHTTPD::validatePostCSRFToken(); switch ($_POST["form_type"]) { case "userReq": - $uid = UnityHTTPD::getPostData("uid"); - $form_user = new UnityUser($uid, $LDAP, $SQL, $MAILER, $WEBHOOK); + $form_user = $getUserFromPost(); if ($_POST["action"] == "Approve") { $group->approveUser($form_user); } elseif ($_POST["action"] == "Deny") { @@ -24,8 +28,7 @@ } break; case "remUser": - $uid = UnityHTTPD::getPostData("uid"); - $form_user = new UnityUser($uid, $LDAP, $SQL, $MAILER, $WEBHOOK); + $form_user = $getUserFromPost(); // remove user button clicked $group->removeUser($form_user); From 7157cb2a44701eb40c021cd7298036c9d33ab0f7 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Fri, 19 Dec 2025 15:07:49 -0500 Subject: [PATCH 5/9] swap title and message --- test/functional/PIMemberRequestTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/functional/PIMemberRequestTest.php b/test/functional/PIMemberRequestTest.php index 5d3975f1..43c581be 100644 --- a/test/functional/PIMemberRequestTest.php +++ b/test/functional/PIMemberRequestTest.php @@ -48,8 +48,8 @@ public function testRequestMembership() $this->requestMembership("asdlkjasldkj"); $this->assertMessageExists( UnityHTTPDMessageLevel::ERROR, - "/.*/", "/^This PI doesn't exist$/", + "/.*/", ); $this->requestMembership($pi_group->getOwner()->getMail()); $this->assertTrue($SQL->requestExists($uid, $gid)); From 1e69c6dfef5d8e7c966b8c3100098feee15df7c9 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Fri, 19 Dec 2025 15:08:57 -0500 Subject: [PATCH 6/9] caps --- test/functional/PIMemberRequestTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
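Review bot: `$getUserFromPost` here is a verbatim copy of the closure added to webroot/admin/pi-mgmt.php in the second commit of this series, and both rely on `global $LDAP, $SQL, $MAILER, $WEBHOOK;` rather than capturing. Two identical copies of a helper that turns request input into a privileged domain object is how an input-validation fix (say, an existence check on the uid) lands on one page and not the other; a single shared helper next to `getPostData` in UnityHTTPD, or in whatever bootstrap defines these globals, keeps them in lockstep. If the closure stays local, `static function () use ($LDAP, $SQL, $MAILER, $WEBHOOK)` is the idiomatic form.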
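Review bot: After the swap the message-body pattern is `"/.*/"`, which asserts nothing about the body that groups.php now fills with the submitted `pi` value. Pinning it — `"/^asdlkjasldkj$/"` for this call — documents that the input is echoed back, and a second call such as `$this->requestMembership("<b>x</b>@example.com")` asserting the rendered message contains `&lt;b&gt;` rather than `<b>` would be the cheapest guard against that echo becoming a reflected-XSS sink. Whether `assertMessageExists` matches the raw or the rendered message is not visible here.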
diff --git a/test/functional/PIMemberRequestTest.php b/test/functional/PIMemberRequestTest.php index 43c581be..1686bf21 100644 --- a/test/functional/PIMemberRequestTest.php +++ b/test/functional/PIMemberRequestTest.php @@ -48,7 +48,7 @@ public function testRequestMembership() $this->requestMembership("asdlkjasldkj"); $this->assertMessageExists( UnityHTTPDMessageLevel::ERROR, - "/^This PI doesn't exist$/", + "/^This PI Doesn't Exist$/", "/.*/", ); $this->requestMembership($pi_group->getOwner()->getMail()); From 518d978170cfe9026652e66a72d74d54f71ce231 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Fri, 19 Dec 2025 15:17:42 -0500 Subject: [PATCH 7/9] getPostData getQueryParameter return string --- resources/lib/UnityHTTPD.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/lib/UnityHTTPD.php b/resources/lib/UnityHTTPD.php index 5db5fd5a..cb3ae64d 100644 --- a/resources/lib/UnityHTTPD.php +++ b/resources/lib/UnityHTTPD.php @@ -228,7 +228,7 @@ public static function errorHandler(int $severity, string $message, string $file return false; } - public static function getPostData(string $key): mixed + public static function getPostData(string $key): string { if (!array_key_exists("REQUEST_METHOD", $_SERVER)) { throw new RuntimeException('$_SERVER has no array key "REQUEST_METHOD"'); @@ -243,7 +243,7 @@ public static function getPostData(string $key): mixed } /* returns null if not found and not $throw_if_not_found */ - public static function getQueryParameter(string $key, bool $throw_if_not_found = true): mixed + public static function getQueryParameter(string $key, bool $throw_if_not_found = true): ?string { if (!array_key_exists($key, $_GET)) { if ($throw_if_not_found) { From 790fb00dffa24b8e3d20eb6dc8b231a77d2f8bab Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Fri, 19 Dec 2025 15:20:46 -0500 Subject: [PATCH 8/9] put back break --- webroot/admin/user-mgmt.php | 1 + 1 file changed, 1 insertion(+) 
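Review bot: Declaring `getPostData(): string` turns an array-valued field (`uid[]=x`, which PHP parses into an array for `$_POST["uid"]`) into a `TypeError` at the return statement, since arrays never coerce to string even without strict_types; that fails closed, but as an uncaught exception rather than the 400 a malformed request deserves, unless `errorHandler` or an exception handler outside this hunk maps it. An explicit check in the body — `if (!is_string($_POST[$key])) { self::badRequest("{$key} must be a string"); }` ahead of the return — makes the contract deliberate, and the same applies to `getQueryParameter(): ?string` in the next hunk. The body of `getPostData` continues outside the hunk, so where the return sits is not visible.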
diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php index 6b9b2773..f005f50d 100644 --- a/webroot/admin/user-mgmt.php +++ b/webroot/admin/user-mgmt.php @@ -15,6 +15,7 @@ case "viewAsUser": $_SESSION["viewUser"] = $_POST["uid"]; UnityHTTPD::redirect(getURL("panel/account.php")); + break; /** @phpstan-ignore deadCode.unreachable */ } } From 414372f20db5b14105892232e0c4c49457701bad Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Fri, 19 Dec 2025 15:21:31 -0500 Subject: [PATCH 9/9] rename var --- webroot/panel/groups.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/webroot/panel/groups.php b/webroot/panel/groups.php index e7b01508..7fcceb16 100644 --- a/webroot/panel/groups.php +++ b/webroot/panel/groups.php @@ -8,17 +8,17 @@ $getPIGroupFromPost = function () { global $LDAP, $SQL, $MAILER, $WEBHOOK; - $gid = UnityHTTPD::getPostData("pi"); - if (substr($gid, 0, 3) !== "pi_" && str_contains($gid, "@")) { + $gid_or_mail = UnityHTTPD::getPostData("pi"); + if (substr($gid_or_mail, 0, 3) !== "pi_" && str_contains($gid_or_mail, "@")) { try { - $gid = UnityGroup::ownerMail2GID($gid); + $gid_or_mail = UnityGroup::ownerMail2GID($gid_or_mail); } catch (EntryNotFoundException) { // oh well, we tried } } - $pi_group = new UnityGroup($gid, $LDAP, $SQL, $MAILER, $WEBHOOK); + $pi_group = new UnityGroup($gid_or_mail, $LDAP, $SQL, $MAILER, $WEBHOOK); if (!$pi_group->exists()) { - UnityHTTPD::messageError("This PI Doesn't Exist", $gid); + UnityHTTPD::messageError("This PI Doesn't Exist", $gid_or_mail); UnityHTTPD::redirect(); } return $pi_group;