Implement document deletion

carlbennett · carlbennett · commit ca1b393e9d03 · 2016-08-01T01:56:18.000Z
diff --git a/src/controllers/Document/Delete.php b/src/controllers/Document/Delete.php
@@ -0,0 +1,115 @@
+<?php
+
+namespace BNETDocs\Controllers\Document;
+
+use \BNETDocs\Libraries\CSRF;
+use \BNETDocs\Libraries\Common;
+use \BNETDocs\Libraries\Controller;
+use \BNETDocs\Libraries\Document;
+use \BNETDocs\Libraries\Exceptions\DocumentNotFoundException;
+use \BNETDocs\Libraries\Exceptions\UnspecifiedViewException;
+use \BNETDocs\Libraries\Logger;
+use \BNETDocs\Libraries\Router;
+use \BNETDocs\Libraries\UserSession;
+use \BNETDocs\Models\Document\Delete as DocumentDeleteModel;
+use \BNETDocs\Views\Document\DeleteHtml as DocumentDeleteHtmlView;
+use \InvalidArgumentException;
+
+class Delete extends Controller {
+
+  public function run(Router &$router) {
+    switch ($router->getRequestPathExtension()) {
+      case "htm": case "html": case "":
+        $view = new DocumentDeleteHtmlView();
+      break;
+      default:
+        throw new UnspecifiedViewException();
+    }
+
+    $data                = $router->getRequestQueryArray();
+    $model               = new DocumentDeleteModel();
+    $model->csrf_id      = mt_rand();
+    $model->csrf_token   = CSRF::generate($model->csrf_id);
+    $model->document     = null;
+    $model->error        = null;
+    $model->id           = (isset($data["id"]) ? $data["id"] : null);
+    $model->title        = null;
+    $model->user_session = UserSession::load($router);
+
+    try { $model->document = new Document($model->id); }
+    catch (DocumentNotFoundException $e) { $model->document = null; }
+    catch (InvalidArgumentException $e) { $model->document = null; }
+
+    if ($model->document === null) {
+      $model->error = "NOT_FOUND";
+    } else {
+      $model->title = $model->document->getTitle();
+
+      if ($router->getRequestMethod() == "POST") {
+        $this->tryDelete($router, $model);
+      }
+    }
+
+    ob_start();
+    $view->render($model);
+    $router->setResponseCode(200);
+    $router->setResponseTTL(0);
+    $router->setResponseHeader("Content-Type", $view->getMimeType());
+    $router->setResponseContent(ob_get_contents());
+    ob_end_clean();
+  }
+
+  protected function tryDelete(Router &$router, DocumentDeleteModel &$model) {
+    if (!isset($model->user_session)) {
+      $model->error = "NOT_LOGGED_IN";
+      return;
+    }
+
+    $data       = $router->getRequestBodyArray();
+    $csrf_id    = (isset($data["csrf_id"   ]) ? $data["csrf_id"   ] : null);
+    $csrf_token = (isset($data["csrf_token"]) ? $data["csrf_token"] : null);
+    $csrf_valid = CSRF::validate($csrf_id, $csrf_token);
+
+    if (!$csrf_valid) {
+      $model->error = "INVALID_CSRF";
+      return;
+    }
+    CSRF::invalidate($csrf_id);
+
+    $model->error = false;
+
+    $id           = (int) $model->id;
+    $user_id      = $model->user_session->user_id;
+
+    try {
+
+      $success = Document::delete($id);
+
+    } catch (QueryException $e) {
+
+      // SQL error occurred. We can show a friendly message to the user while
+      // also notifying this problem to staff.
+      Logger::logException($e);
+
+      $success = false;
+
+    }
+
+    if (!$success) {
+      $model->error = "INTERNAL_ERROR";
+    } else {
+      $model->error = false;
+    }
+
+    Logger::logEvent(
+      "document_deleted",
+      $user_id,
+      getenv("REMOTE_ADDR"),
+      json_encode([
+        "error"       => $model->error,
+        "document_id" => $id,
+      ])
+    );
+  }
+
+}
diff --git a/src/controllers/News/Delete.php b/src/controllers/News/Delete.php
@@ -25,7 +25,7 @@ public function run(Router &$router) {
       default:
         throw new UnspecifiedViewException();
     }
-    
+
     $data                = $router->getRequestQueryArray();
     $model               = new NewsDeleteModel();
     $model->csrf_id      = mt_rand();
@@ -39,7 +39,7 @@ public function run(Router &$router) {
     try { $model->news_post = new NewsPost($model->id); }
     catch (NewsPostNotFoundException $e) { $model->news_post = null; }
     catch (InvalidArgumentException $e) { $model->news_post = null; }
-    
+
     if ($model->news_post === null) {
       $model->error = "NOT_FOUND";
     } else {
@@ -64,7 +64,7 @@ protected function tryDelete(Router &$router, NewsDeleteModel &$model) {
       $model->error = "NOT_LOGGED_IN";
       return;
     }
-    
+
     $data       = $router->getRequestBodyArray();
     $csrf_id    = (isset($data["csrf_id"   ]) ? $data["csrf_id"   ] : null);
     $csrf_token = (isset($data["csrf_token"]) ? $data["csrf_token"] : null);
@@ -78,15 +78,15 @@ protected function tryDelete(Router &$router, NewsDeleteModel &$model) {
 
     $model->error = false;
 
-    $id           = (int) $model->id;    
+    $id           = (int) $model->id;
     $user_id      = $model->user_session->user_id;
 
     try {
 
       $success = NewsPost::delete($id);
 
     } catch (QueryException $e) {
-      
+
       // SQL error occurred. We can show a friendly message to the user while
       // also notifying this problem to staff.
       Logger::logException($e);
diff --git a/src/libraries/Router.php b/src/libraries/Router.php
@@ -6,6 +6,7 @@
 use \BNETDocs\Controllers\Comment\Create as CommentCreateController;
 use \BNETDocs\Controllers\Credits as CreditsController;
 use \BNETDocs\Controllers\Document\Create as DocumentCreateController;
+use \BNETDocs\Controllers\Document\Delete as DocumentDeleteController;
 use \BNETDocs\Controllers\Document\Edit as DocumentEditController;
 use \BNETDocs\Controllers\Document\Index as DocumentIndexController;
 use \BNETDocs\Controllers\Document\Popular as DocumentPopularController;
@@ -288,6 +289,9 @@ public function route(Pair &$redirect = null) {
               case "create":
                 $controller = new DocumentCreateController();
               break;
+              case "delete": case "delete.htm": case "delete.html":
+                $controller = new DocumentDeleteController();
+              break;
               case "edit": case "edit.htm": case "edit.html":
                 $controller = new DocumentEditController();
               break;
diff --git a/src/models/Document/Delete.php b/src/models/Document/Delete.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace BNETDocs\Models\Document;
+
+use \BNETDocs\Libraries\Model;
+
+class Delete extends Model {
+
+  public $acl_allowed;
+  public $csrf_id;
+  public $csrf_token;
+  public $document;
+  public $error;
+  public $id;
+  public $title;
+  public $user;
+  public $user_session;
+
+  public function __construct() {
+    parent::__construct();
+    $this->acl_allowed  = null;
+    $this->csrf_id      = null;
+    $this->csrf_token   = null;
+    $this->document     = null;
+    $this->error        = null;
+    $this->id           = null;
+    $this->title        = null;
+    $this->user         = null;
+    $this->user_session = null;
+  }
+
+}
diff --git a/src/templates/Document/Delete.phtml b/src/templates/Document/Delete.phtml
@@ -0,0 +1,66 @@
+<?php
+namespace BNETDocs\Templates;
+
+use \BNETDocs\Libraries\Pair;
+
+$title       = "Delete Document";
+$description = "This form allows an individual to delete a document.";
+
+$this->opengraph->attach(new Pair("url", "/document/delete"));
+$this->opengraph->attach(new Pair("type", "article"));
+
+switch ($this->getContext()->error) {
+  case "ACL_NOT_SET":
+    $message = "You do not have the privilege to delete documents.";
+    break;
+  case "NOT_FOUND":
+    $message = "Cannot find document by that id.";
+    break;
+  case "NOT_LOGGED_IN":
+    $message = "You must be logged in to delete documents.";
+    break;
+  case "INVALID_CSRF":
+    $message = "The Cross-Site Request Forgery token was invalid. Either the "
+      . "delete document form expired, or this may have been a malicious "
+      . "attempt to delete a document.";
+    break;
+  case "INTERNAL_ERROR":
+    $message = "An internal error occurred while processing your request. "
+      . "Our staff has been notified of the issue. Try again later.";
+    break;
+  default:
+    $message = $this->getContext()->error;
+}
+
+$this->additional_css[] = "/a/forms.css";
+require("./header.inc.phtml");
+?>
+      <article>
+<?php if (is_null($this->getContext()->error)) { ?>
+        <header>Delete Document</header>
+        <form method="POST" action="?id=<?php echo
+            htmlspecialchars($this->getContext()->id, ENT_HTML5, "UTF-8"); ?>">
+          <input type="hidden" name="csrf_id" value="<?php echo $this->getContext()->csrf_id; ?>"/>
+          <input type="hidden" name="csrf_token" value="<?php echo $this->getContext()->csrf_token; ?>"/>
+          <section>
+            <p>Are you sure you wish to delete this document?</p>
+            <p><input type="text" readonly="readonly" value="<?php echo filter_var($this->getContext()->title, FILTER_SANITIZE_STRING); ?>" tabindex="1"/></p>
+            <p><input type="submit" value="Delete Document" tabindex="2" autofocus="autofocus"/></p>
+          </section>
+        </form>
+<?php } else if ($this->getContext()->error === false) { ?>
+        <header class="green">Document Deleted</header>
+        <section class="green">
+          <p>You have successfully deleted the document!</p>
+          <p>Use the navigation to the left to move to another page.</p>
+        </section>
+<?php } else { ?>
+        <header class="red">Delete Document</header>
+        <section class="red">
+          <p>An error occurred while attempting to delete the document.</p>
+          <p><?php echo $message; ?></p>
+          <p>Use the navigation to the left to move to another page.</p>
+        </section>
+<?php } ?>
+      </article>
+<?php require("./footer.inc.phtml"); ?>
diff --git a/src/templates/News/Delete.phtml b/src/templates/News/Delete.phtml
@@ -44,7 +44,7 @@ require("./header.inc.phtml");
           <input type="hidden" name="csrf_token" value="<?php echo $this->getContext()->csrf_token; ?>"/>
           <section>
             <p>Are you sure you wish to delete this news post?</p>
-            <p><input type="text" readonly="readonly" value="<?php echo htmlspecialchars($this->getContext()->title, ENT_HTML5, "UTF-8"); ?>" tabindex="1"/></p>
+            <p><input type="text" readonly="readonly" value="<?php echo filter_var($this->getContext()->title, FILTER_SANITIZE_STRING); ?>" tabindex="1"/></p>
             <p><input type="submit" value="Delete News Post" tabindex="2" autofocus="autofocus"/></p>
           </section>
         </form>
diff --git a/src/views/Document/DeleteHtml.php b/src/views/Document/DeleteHtml.php
@@ -0,0 +1,25 @@
+<?php
+
+namespace BNETDocs\Views\Document;
+
+use \BNETDocs\Libraries\Common;
+use \BNETDocs\Libraries\Exceptions\IncorrectModelException;
+use \BNETDocs\Libraries\Model;
+use \BNETDocs\Libraries\Template;
+use \BNETDocs\Libraries\View;
+use \BNETDocs\Models\Document\Delete as DocumentDeleteModel;
+
+class DeleteHtml extends View {
+
+  public function getMimeType() {
+    return "text/html;charset=utf-8";
+  }
+
+  public function render(Model &$model) {
+    if (!$model instanceof DocumentDeleteModel) {
+      throw new IncorrectModelException();
+    }
+    (new Template($model, "Document/Delete"))->render();
+  }
+
+}
