Add a middleware to limit actions by user level

aaab2150 · pupi1985 · Scott · 7e7ab77c · aaab2150 · aaab2150
Commit aaab2150 authored Jan 03, 2018 by pupi1985 Committed by Scott Jan 13, 2018
5 changed files
--- a/qa-src/Auth/NoPermissionException.php
+++ b/qa-src/Auth/NoPermissionException.php
+<?php
+/*
+	Question2Answer by Gideon Greenspan and contributors
+	http://www.question2answer.org/
+
+	This program is free software; you can redistribute it and/or
+	modify it under the terms of the GNU General Public License
+	as published by the Free Software Foundation; either version 2
+	of the License, or (at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	More about this license: http://www.question2answer.org/license.php
+*/
+
+namespace Q2A\Auth;
+
+use Q2A\Exceptions\ErrorMessageException;
+
+class NoPermissionException extends ErrorMessageException
+{
+	/**
+	 * NoPermissionException constructor.
+	 *
+	 * @param string $message
+	 */
+	public function __construct($message = null)
+	{
+		if (is_null($message)) {
+			$message = qa_lang_html('users/no_permission');
+		}
+
+		parent::__construct($message);
+	}
+}
--- a/qa-src/Controllers/User/UserMessages.php
+++ b/qa-src/Controllers/User/UserMessages.php
@@ -33,6 +33,12 @@ class UserMessages extends \Q2A\Controllers\BaseController
 		$this->addMiddleware(new InternalUsersOnly());
 	}

+	/**
+	 * @param string $handle
+	 *
+	 * @return array
+	 * @throws PageNotFoundException
+	 */
 	public function wall($handle)
 	{
 		$userhtml = qa_html($handle);

--- a/qa-src/Controllers/User/UserPosts.php
+++ b/qa-src/Controllers/User/UserPosts.php
@@ -30,6 +30,12 @@ class UserPosts extends \Q2A\Controllers\BaseController
 	protected $userid;
 	protected $userhtml;

+	/**
+	 * @param string $handle
+	 *
+	 * @return array
+	 * @throws PageNotFoundException
+	 */
 	public function activity($handle)
 	{
 		$this->userHtml($handle);
@@ -99,6 +105,12 @@ class UserPosts extends \Q2A\Controllers\BaseController
 		return $qa_content;
 	}

+	/**
+	 * @param string $handle
+	 *
+	 * @return array
+	 * @throws PageNotFoundException
+	 */
 	public function questions($handle)
 	{
 		$this->userHtml($handle);
@@ -172,6 +184,12 @@ class UserPosts extends \Q2A\Controllers\BaseController
 		return $qa_content;
 	}

+	/**
+	 * @param string $handle
+	 *
+	 * @return array
+	 * @throws PageNotFoundException
+	 */
 	public function answers($handle)
 	{
 		$this->userHtml($handle);
@@ -251,10 +269,14 @@ class UserPosts extends \Q2A\Controllers\BaseController
 		return $qa_content;
 	}

+	/**
+	 * Return the HTML to display for the handle, and if we're using external users, determine the userid.
+	 *
+	 * @param string $handle
+	 * @throws PageNotFoundException
+	 */
 	private function userHtml($handle)
 	{
-		// Get the HTML to display for the handle, and if we're using external users, determine the userid
-
 		if (QA_FINAL_EXTERNAL_USERS) {
 			$this->userid = qa_handle_to_userid($handle);
 			if (!isset($this->userid)) { // check the user exists

--- a/qa-src/Controllers/User/UsersList.php
+++ b/qa-src/Controllers/User/UsersList.php
@@ -18,7 +18,9 @@

 namespace Q2A\Controllers\User;

+use Q2A\Auth\NoPermissionException;
 use Q2A\Middleware\Auth\InternalUsersOnly;
+use Q2A\Middleware\Auth\MinimumUserLevel;

 require_once QA_INCLUDE_DIR . 'db/users.php';
 require_once QA_INCLUDE_DIR . 'db/selects.php';
@@ -32,6 +34,7 @@ class UsersList extends \Q2A\Controllers\BaseController
 		parent::__construct();

 		$this->addMiddleware(new InternalUsersOnly(), array('newest', 'special', 'blocked'));
+		$this->addMiddleware(new MinimumUserLevel(QA_USER_LEVEL_MODERATOR), array('blocked'));
 	}

 	/**
@@ -64,15 +67,15 @@ class UsersList extends \Q2A\Controllers\BaseController

 	/**
 	 * Display newest users page
+	 *
 	 * @return array $qa_content
+	 * @throws NoPermissionException
 	 */
 	public function newest()
 	{
 		// check we have permission to view this page (moderator or above)
 		if (qa_user_permit_error('permit_view_new_users_page')) {
-			$qa_content = qa_content_prepare();
-			$qa_content['error'] = qa_lang_html('users/no_permission');
-			return $qa_content;
+			throw new NoPermissionException();
 		}

 		// callables to fetch user data
@@ -100,15 +103,15 @@ class UsersList extends \Q2A\Controllers\BaseController

 	/**
 	 * Display special users page (admins, moderators, etc)
+	 *
 	 * @return array $qa_content
+	 * @throws NoPermissionException
 	 */
 	public function special()
 	{
 		// check we have permission to view this page (moderator or above)
 		if (qa_user_permit_error('permit_view_special_users_page')) {
-			$qa_content = qa_content_prepare();
-			$qa_content['error'] = qa_lang_html('users/no_permission');
-			return $qa_content;
+			throw new NoPermissionException();
 		}

 		// callables to fetch user data
@@ -136,13 +139,6 @@ class UsersList extends \Q2A\Controllers\BaseController
 	 */
 	public function blocked()
 	{
-		// check we have permission to view this page (moderator or above)
-		if (qa_get_logged_in_level() < QA_USER_LEVEL_MODERATOR) {
-			$qa_content = qa_content_prepare();
-			$qa_content['error'] = qa_lang_html('users/no_permission');
-			return $qa_content;
-		}
-
 		// callables to fetch user data
 		$fetchUsers = function($start, $pageSize) {
 			list($totalUsers, $users) = qa_db_select_with_pending(

--- a/qa-src/Middleware/Auth/MinimumUserLevel.php
+++ b/qa-src/Middleware/Auth/MinimumUserLevel.php
+<?php
+/*
+	Question2Answer by Gideon Greenspan and contributors
+	http://www.question2answer.org/
+
+	This program is free software; you can redistribute it and/or
+	modify it under the terms of the GNU General Public License
+	as published by the Free Software Foundation; either version 2
+	of the License, or (at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	More about this license: http://www.question2answer.org/license.php
+*/
+
+namespace Q2A\Middleware\Auth;
+
+use Q2A\Auth\NoPermissionException;
+use Q2A\Middleware\BaseMiddleware;
+
+class MinimumUserLevel extends BaseMiddleware
+{
+	private $minimumUserLevel;
+
+	/**
+	 * MinimumUserLevel constructor.
+	 *
+	 * @param int $minimumUserLevel Minimum user level allowed to perform the action
+	 */
+	public function __construct($minimumUserLevel)
+	{
+		$this->minimumUserLevel = $minimumUserLevel;
+	}
+
+	/**
+	 * Throw an exception if the current configuration is set to external users.
+	 *
+	 * @throws NoPermissionException
+	 */
+	public function handle()
+	{
+		if (qa_get_logged_in_level() < $this->minimumUserLevel) {
+			throw new NoPermissionException();
+		}
+	}
+}