From a208c0482f442726f6c7d10ff28da47722365567 Mon Sep 17 00:00:00 2001
From: Aaron van Geffen
Date: Wed, 11 Mar 2020 22:23:43 +0100
Subject: [PATCH 1/2] Invoke Dispatcher::kickGuest from Session for invalid sessions.

Previously, a NotAllowedException would be thrown if an invalid session was encountered. However, these exceptions were not caught, and hence would yield a fatal uncaught exception error. At this point in Kabuki, the ErrorHandler class has not been registered yet for error handling purposes. This error is therefore not visible if the PHP ini directive 'display_errors' is set to 'Off'. As this is the default production value, the script would fail with a blank page in such cases.
---
 models/Dispatcher.php | 4 ++--
 models/Session.php | 4 ++--
 public/css/default.css | 1 +
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/models/Dispatcher.php b/models/Dispatcher.php
index a1c3785..e755499 100644
--- a/models/Dispatcher.php
+++ b/models/Dispatcher.php
@@ -114,10 +114,10 @@ class Dispatcher
 /**
 * Kicks a guest to a login form, redirecting them back to this page upon login.
 */
- public static function kickGuest()
+ public static function kickGuest($title = null, $message = null)
 {
 $form = new LogInForm('Log in');
- $form->adopt(new Alert('', 'You need to be logged in to view this page.', 'error'));
+ $form->adopt(new Alert($title ?? '', $message ?? 'You need to be logged in to view this page.', 'error'));
 $form->setRedirectUrl($_SERVER['REQUEST_URI']);
 
 $page = new MainTemplate('Login required');
diff --git a/models/Session.php b/models/Session.php
index 648439e..22e0844 100644
--- a/models/Session.php
+++ b/models/Session.php
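Review bot: The two new parameters on `kickGuest` are untyped, and the docblock directly above still describes only the parameterless form; declare them as `public static function kickGuest(?string $title = null, ?string $message = null)` and add `@param ?string $title Alert heading, empty by default` and `@param ?string $message Alert body, defaults to the generic login prompt` to the docblock. Both strings are handed straight to `Alert`; whether `Alert` escapes them for HTML output is not visible in this patch, so callers should keep passing literal text rather than anything derived from the request, and a short note to that effect on the docblock would help the next caller. The remainder of kickGuest's body is outside the hunk.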
@@ -19,13 +19,13 @@ class Session
 if (!isset($_SERVER['HTTPS']) && isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] !== $_SERVER['REMOTE_ADDR'])
 {
 $_SESSION = [];
- throw new UserFacingException('Your session failed to validate: your IP address has changed. Please re-login and try again.');
+ Dispatcher::kickGuest('Your session failed to validate', 'Your IP address has changed. Please re-login and try again.');
 }
 // Either way, require re-login if the browser identifier has changed.
 elseif (isset($_SERVER['HTTP_USER_AGENT']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'])
 {
 $_SESSION = [];
- throw new UserFacingException('Your session failed to validate: your browser identifier has changed. Please re-login and try again.');
+ Dispatcher::kickGuest('Your session failed to validate', 'Your browser identifier has changed. Please re-login and try again.');
 }
 }
 elseif (!isset($_SESSION['ip_address'], $_SESSION['user_agent']))
diff --git a/public/css/default.css b/public/css/default.css
index 861d257..ce28dad 100644
--- a/public/css/default.css
+++ b/public/css/default.css
@@ -437,6 +437,7 @@ textarea {
 width: 100%;
 }
 #login div.alert {
+ line-height: normal;
 margin: 15px 0;
 }
 #login div.buttonstrip {
-- 
2.46.0

From 31f4edc9969097819ca3fd7b8aa5a07508daaa48 Mon Sep 17 00:00:00 2001
From: Aaron van Geffen
Date: Wed, 11 Mar 2020 22:36:21 +0100
Subject: [PATCH 2/2] Register ErrorHandler before Session start.

---
 app.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/app.php b/app.php
index 6ef0d72..0f3b2ee 100644
--- a/app.php
+++ b/app.php
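Review bot: Both replaced lines in Session's validation block swap a `throw` for a call to `Dispatcher::kickGuest(...)` and then fall through, so these branches now only stop the request if `kickGuest` itself terminates it; the tail of kickGuest is not in this patch, so that cannot be confirmed here. If it returns, control continues past the validation block and the rest of the request runs with a freshly emptied `$_SESSION`, with app.php going on to `Authentication::isLoggedIn()` and `Dispatcher::dispatch()` and appending the normal page output to the login form that was just rendered. Adding `exit;` directly after each `Dispatcher::kickGuest(...)` call keeps the fail-closed behaviour the old exception provided regardless of what kickGuest does, and makes the intent visible at the call site. The enclosing method begins before the hunk and its closing brace lies after it.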
@@ -16,16 +16,15 @@ require_once 'vendor/autoload.php';
 Registry::set('start', microtime(true));
 Registry::set('db', new Database(DB_SERVER, DB_USER, DB_PASS, DB_NAME));
 
+// Handle errors our own way.
+ErrorHandler::enable();
+
 // Do some authentication checks.
 Session::start();
 $user = Authentication::isLoggedIn() ? Member::fromId($_SESSION['user_id']) : new Guest();
 $user->updateAccessTime();
 Registry::set('user', $user);
 
-// Handle errors our own way.
-set_error_handler('ErrorHandler::handleError');
-ini_set("display_errors", DEBUG ? "On" : "Off");
-
 // The real magic starts here!
 ob_start();
 Dispatcher::dispatch();
-- 
2.46.0
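Review bot: `ErrorHandler::enable()` is still called only after `Registry::set('db', new Database(...))` has run, so a failure inside the Database constructor is reported by PHP's default handler rather than the project's; moving the two added lines above the `Registry::set('db', …)` call would cover that constructor as well. The removed `ini_set("display_errors", DEBUG ? "On" : "Off")` has no visible replacement in this hunk — presumably `ErrorHandler::enable()` now applies it, but if it does not, `display_errors` falls back to php.ini, and a production host with it enabled would show error details such as file paths to clients. Worth confirming in ErrorHandler, and a comment such as `// ErrorHandler::enable() also sets display_errors from DEBUG.` above the call would record where that setting now lives.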