Authn/z rework.

This commit is contained in:
flash 2025-03-31 15:34:20 +00:00
parent 28be4f16c2
commit e4c3e4c052
Signed by: flash
GPG key ID: 2C9C2C574D47FE3E
49 changed files with 833 additions and 664 deletions


@ -68,7 +68,7 @@ if($siteIsPrivate) {
}
while($_SERVER['REQUEST_METHOD'] === 'POST') {
if(!CSRF::validateRequest()) {
if(!$msz->csrfCtx->verifyLegacy()) {
$notices[] = 'Was unable to verify the request, please try again!';
break;
}
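Review bot: Every request-verification call this commit migrates, starting with `if(!$msz->csrfCtx->verifyLegacy()) {` in this hunk, is wired to a method whose name marks it as the legacy verification path, and nothing in the change records whether that is the intended end state or a transitional step. If the reworked csrfCtx also offers a non-legacy verifier, a comment at this first migrated site such as `// legacy token verification kept so existing forms keep working; migrate together with the templates` (or a line in the commit message) would keep the remaining migration visible rather than leaving it to be rediscovered from the method name. The identical replacement appears in every other file section of this commit, so the same remark applies to all of them. The enclosing while loop starts and ends outside the hunk.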


@ -7,7 +7,7 @@ if(!isset($msz) || !($msz instanceof \Misuzu\MisuzuContext))
die('Script must be called through the Misuzu route dispatcher.');
if($msz->authInfo->loggedIn) {
if(!CSRF::validateRequest()) {
if(!$msz->csrfCtx->verifyLegacy()) {
Template::render('auth.logout');
return;
}


@ -33,7 +33,7 @@ $remainingAttempts = $msz->authCtx->loginAttempts->countRemainingAttempts($ipAdd
while($canResetPassword) {
if(!empty($_POST['verification']) && is_scalar($_POST['verification']) && !empty($userInfo)) {
if(!CSRF::validateRequest()) {
if(!$msz->csrfCtx->verifyLegacy()) {
$notices[] = 'Was unable to verify the request, please try again!';
break;
}
@ -80,7 +80,7 @@ while($canResetPassword) {
}
if(!empty($_POST['email']) && is_scalar($_POST['email'])) {
if(!CSRF::validateRequest()) {
if(!$msz->csrfCtx->verifyLegacy()) {
$notices[] = 'Was unable to verify the request, please try again!';
break;
}


@ -19,7 +19,7 @@ $countryCode = $_SERVER['COUNTRY_CODE'] ?? 'XX';
$remainingAttempts = $msz->authCtx->loginAttempts->countRemainingAttempts($ipAddress);
while($_SERVER['REQUEST_METHOD'] === 'POST') {
if(!CSRF::validateRequest()) {
if(!$msz->csrfCtx->verifyLegacy()) {
$notices[] = 'Was unable to verify the request, please try again!';
break;
}


@ -6,7 +6,7 @@ use Misuzu\Auth\AuthTokenCookie;
if(!isset($msz) || !($msz instanceof \Misuzu\MisuzuContext))
die('Script must be called through the Misuzu route dispatcher.');
if(CSRF::validateRequest()) {
if($msz->csrfCtx->verifyLegacy()) {
$tokenInfo = $msz->authInfo->tokenInfo;
if($tokenInfo->hasImpersonatedUserId) {


@ -37,7 +37,7 @@ if($totpInfo === null) {
}
while($_SERVER['REQUEST_METHOD'] === 'POST') {
if(!CSRF::validateRequest()) {
if(!$msz->csrfCtx->verifyLegacy()) {
$notices[] = 'Was unable to verify the request, please try again!';
break;
}


@ -147,7 +147,7 @@ if(!empty($_POST)) {
$topicType = isset($_POST['type']) ? $_POST['type'] : null;
$postSignature = isset($_POST['signature']);
if(!CSRF::validateRequest()) {
if(!$msz->csrfCtx->verifyLegacy()) {
$notices[] = 'Could not verify request.';
} else {
$isEditingTopic = empty($topicInfo) || ($mode === 'edit' && $originalPostInfo->id == $postInfo->id);


@ -34,7 +34,7 @@ else
}
if($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_GET['delete'])) {
if(!CSRF::validateRequest())
if(!$msz->csrfCtx->verifyLegacy())
Template::throwError(403);
$msz->changelog->deleteChange($changeInfo);
@ -44,7 +44,7 @@ if($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_GET['delete'])) {
}
// make errors not echos lol
while($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
while($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
$action = !empty($_POST['cl_action']) && is_scalar($_POST['cl_action']) ? trim((string)$_POST['cl_action']) : '';
$summary = !empty($_POST['cl_summary']) && is_scalar($_POST['cl_summary']) ? trim((string)$_POST['cl_summary']) : '';
$body = !empty($_POST['cl_body']) && is_scalar($_POST['cl_body']) ? trim((string)$_POST['cl_body']) : '';
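Review bot: In the first hunk the deletion on `$msz->changelog->deleteChange($changeInfo);` is still performed on a GET request, guarded only by `if(!$msz->csrfCtx->verifyLegacy())`, so the verification token has to travel in the query string, where it is recorded in browser history, Referer headers and access logs; the commit keeps the check but does not change the request method. Unless the templates already submit the delete as a form, routing it through POST, e.g. `if($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['delete'])) {`, would keep the token out of URLs and let the `while(... === 'POST' && ...)` branch below handle it consistently. The same GET-with-token pattern is present in the sections at L115-L129, L161-L167, L193-L207, L211-L225, L229-L242, L246-L259 and L284-L296, and the second hunk of the section at L140-L146. Both if blocks here start or end outside their hunks.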


@ -23,7 +23,7 @@ else
}
if($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_GET['delete'])) {
if(!CSRF::validateRequest())
if(!$msz->csrfCtx->verifyLegacy())
Template::throwError(403);
$msz->changelog->deleteTag($tagInfo);
@ -32,7 +32,7 @@ if($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_GET['delete'])) {
return;
}
while($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
while($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
$name = !empty($_POST['ct_name']) && is_scalar($_POST['ct_name']) ? trim((string)$_POST['ct_name']) : '';
$description = !empty($_POST['ct_desc']) && is_scalar($_POST['ct_desc']) ? trim((string)$_POST['ct_desc']) : '';
$archive = !empty($_POST['ct_archive']);


@ -8,7 +8,7 @@ if(!$msz->authInfo->getPerms('global')->check(Perm::G_FORUM_TOPIC_REDIRS_MANAGE)
Template::throwError(403);
if($_SERVER['REQUEST_METHOD'] === 'POST') {
if(!CSRF::validateRequest())
if(!$msz->csrfCtx->verifyLegacy())
throw new \Exception("Request verification failed.");
$rTopicId = !empty($_POST['topic_redir_id']) && is_scalar($_POST['topic_redir_id']) ? trim((string)$_POST['topic_redir_id']) : '';
@ -21,7 +21,7 @@ if($_SERVER['REQUEST_METHOD'] === 'POST') {
}
if(!empty($_GET['m']) && $_GET['m'] === 'explode') {
if(!CSRF::validateRequest())
if(!$msz->csrfCtx->verifyLegacy())
throw new \Exception("Request verification failed.");
$rTopicId = !empty($_GET['t']) && is_scalar($_GET['t']) ? (string)$_GET['t'] : '';
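Review bot: On failed verification both hunks in this section throw a bare `throw new \Exception("Request verification failed.");`, whereas every other handler migrated in this commit replies with `Template::throwError(403);`; unless the route dispatcher maps generic exceptions to a client error, a missing or stale token here surfaces as a server error and is logged as one, which blurs the distinction between a rejected request and an application fault in the logs. Replacing the two throws with `Template::throwError(403);` would make the response and the log signal consistent with the sibling handlers. The surrounding if blocks continue outside the hunks.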


@ -26,7 +26,7 @@ else
}
// make errors not echos lol
while($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
while($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
$order = !empty($_POST['em_order']) && is_scalar($_POST['em_order']) ? (int)$_POST['em_order'] : '';
$minRank = !empty($_POST['em_minrank']) && is_scalar($_POST['em_minrank']) ? (int)$_POST['em_minrank'] : '';
$url = !empty($_POST['em_url']) && is_scalar($_POST['em_url']) ? trim((string)$_POST['em_url']) : '';


@ -9,7 +9,7 @@ if(!isset($msz) || !($msz instanceof \Misuzu\MisuzuContext))
if(!$msz->authInfo->getPerms('global')->check(Perm::G_EMOTES_MANAGE))
Template::throwError(403);
if(CSRF::validateRequest() && !empty($_GET['emote'])) {
if($msz->csrfCtx->verifyLegacy() && !empty($_GET['emote'])) {
$emoteId = !empty($_GET['emote']) && is_scalar($_GET['emote']) ? (string)$_GET['emote'] : '';
try {


@ -11,7 +11,7 @@ $valueInfo = $msz->config->getValueInfo(!empty($_GET['name']) && is_scalar($_GET
if($valueInfo === null)
Template::throwError(404);
if($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
if($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
$msz->logsCtx->createAuthedLog('CONFIG_DELETE', [$valueInfo->name]);
$msz->config->removeValues($valueInfo->name);
Tools::redirect($msz->urls->format('manage-general-settings'));


@ -25,7 +25,7 @@ if(!empty($sName)) {
}
}
while($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
while($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
if($isNew) {
$sName = !empty($_POST['conf_name']) && is_scalar($_POST['conf_name']) ? trim((string)$_POST['conf_name']) : '';
if(!DbConfig::validateName($sName)) {


@ -23,7 +23,7 @@ else
}
if($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_GET['delete'])) {
if(!CSRF::validateRequest())
if(!$msz->csrfCtx->verifyLegacy())
Template::throwError(403);
$msz->news->deleteCategory($categoryInfo);
@ -32,7 +32,7 @@ if($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_GET['delete'])) {
return;
}
while($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
while($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
$name = !empty($_POST['nc_name']) && is_scalar($_POST['nc_name']) ? trim((string)$_POST['nc_name']) : '';
$description = !empty($_POST['nc_desc']) && is_scalar($_POST['nc_desc']) ? trim((string)$_POST['nc_desc']) : '';
$hidden = !empty($_POST['nc_hidden']);


@ -24,7 +24,7 @@ else
}
if($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_GET['delete'])) {
if(!CSRF::validateRequest())
if(!$msz->csrfCtx->verifyLegacy())
Template::throwError(403);
$msz->news->deletePost($postInfo);
@ -33,7 +33,7 @@ if($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_GET['delete'])) {
return;
}
while($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
while($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
$title = !empty($_POST['np_title']) && is_scalar($_POST['np_title']) ? trim((string)$_POST['np_title']) : '';
$category = !empty($_POST['np_category']) && is_scalar($_POST['np_category']) ? trim((string)$_POST['np_category']) : '';
$featured = !empty($_POST['np_featured']);


@ -12,7 +12,7 @@ if(!$msz->authInfo->getPerms('user')->check(Perm::U_BANS_MANAGE))
Template::throwError(403);
if($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_GET['delete'])) {
if(!CSRF::validateRequest())
if(!$msz->csrfCtx->verifyLegacy())
Template::throwError(403);
try {
@ -35,7 +35,7 @@ try {
$modInfo = $msz->authInfo->userInfo;
while($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
while($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
$expires = !empty($_POST['ub_expires']) && is_scalar($_POST['ub_expires']) ? (int)$_POST['ub_expires'] : 0;
$expiresCustom = !empty($_POST['ub_expires_custom']) && is_scalar($_POST['ub_expires_custom']) ? trim((string)$_POST['ub_expires_custom']) : '';
$publicReason = !empty($_POST['ub_reason_pub']) && is_scalar($_POST['ub_reason_pub']) ? trim((string)$_POST['ub_reason_pub']) : '';


@ -35,7 +35,7 @@ if($hasUserId) {
}
if($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_GET['delete'])) {
if(!CSRF::validateRequest())
if(!$msz->csrfCtx->verifyLegacy())
Template::throwError(403);
$msz->usersCtx->modNotes->deleteNotes($noteInfo);
@ -48,7 +48,7 @@ if($hasUserId) {
$authorInfo = $noteInfo->authorId !== null ? $msz->usersCtx->getUserInfo($noteInfo->authorId) : null;
}
while($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
while($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
$title = trim((string)($_POST['mn_title'] ?? ''));
$body = trim((string)($_POST['mn_body'] ?? ''));


@ -32,7 +32,7 @@ $canEditPerms = $viewerPerms->check(Perm::U_PERMS_MANAGE);
$permsInfos = $roleInfo === null ? null : $msz->perms->getPermissionInfo(roleInfo: $roleInfo, categoryNames: Perm::INFO_FOR_ROLE);
$permsLists = Perm::createList(Perm::LISTS_FOR_ROLE);
while($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
while($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
$userRank = $msz->usersCtx->users->getUserRank($currentUser);
if(!$isNew && !$currentUser->super && $roleInfo->rank >= $userRank) {


@ -47,7 +47,7 @@ $permsInfos = $msz->perms->getPermissionInfo(userInfo: $userInfo, categoryNames:
$permsLists = Perm::createList(Perm::LISTS_FOR_USER);
$permsNeedRecalc = false;
if(CSRF::validateRequest() && $canEdit) {
if($msz->csrfCtx->verifyLegacy() && $canEdit) {
if(!empty($_POST['impersonate_user'])) {
if(!$canImpersonate) {
$notices[] = 'You must be a super user to do this.';


@ -10,7 +10,7 @@ if(!$msz->authInfo->getPerms('user')->check(Perm::U_WARNINGS_MANAGE))
Template::throwError(403);
if($_SERVER['REQUEST_METHOD'] === 'GET' && !empty($_GET['delete'])) {
if(!CSRF::validateRequest())
if(!$msz->csrfCtx->verifyLegacy())
Template::throwError(403);
try {
@ -33,7 +33,7 @@ try {
$modInfo = $msz->authInfo->userInfo;
while($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
while($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
$body = trim((string)($_POST['uw_body'] ?? ''));
Template::set('warn_value_body', $body);


@ -110,7 +110,7 @@ if($isEditing) {
]);
if(!empty($_POST)) {
if(!CSRF::validateRequest()) {
if(!$msz->csrfCtx->verifyLegacy()) {
$notices[] = "Couldn't verify you, please refresh the page and retry.";
} else {
if(!$perms->edit_profile) {


@ -16,7 +16,7 @@ $errors = [];
$userInfo = $msz->authInfo->userInfo;
$isRestricted = $msz->usersCtx->hasActiveBan($userInfo);
$hasTotp = $msz->usersCtx->totps->hasUserTotp($userInfo);
$isVerifiedRequest = CSRF::validateRequest();
$isVerifiedRequest = $msz->csrfCtx->verifyLegacy();
if(!$isRestricted && $isVerifiedRequest && !empty($_POST['role'])) {
try {


@ -13,7 +13,7 @@ $errors = [];
$currentUser = $msz->authInfo->userInfo;
$activeSessionId = $msz->authInfo->sessionId;
while($_SERVER['REQUEST_METHOD'] === 'POST' && CSRF::validateRequest()) {
while($_SERVER['REQUEST_METHOD'] === 'POST' && $msz->csrfCtx->verifyLegacy()) {
$sessionId = !empty($_POST['session']) && is_scalar($_POST['session']) ? trim((string)$_POST['session']) : '';
$activeSessionKilled = false;