PRG (#233)

simonLeary42 · web-flow · commit 243c6b5a6d0b · 2025-06-04T07:48:41.000-04:00
* PRG

* add PRG into http_post function

* let header handle redirect

* more similar to original

* fix infinite loop

* clarity

* require_once -&gt; include

* remove old file

* remove from group before deleting user

* allow post to pass to header

* catch redirect exception is now in http_post
diff --git a/resources/templates/header.php b/resources/templates/header.php
@@ -2,12 +2,20 @@
 
 use UnityWebPortal\lib\UnitySite;
 
-if ((@$_SESSION["is_admin"] ?? false) == true
-    && $_SERVER["REQUEST_METHOD"] == "POST"
-    && (@$_POST["form_name"] ?? null) == "clearView"
-) {
-    unset($_SESSION["viewUser"]);
-    UnitySite::redirect($CONFIG["site"]["prefix"] . "/admin/user-mgmt.php");
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+    if ((@$_SESSION["is_admin"] ?? false) == true
+        && (@$_POST["form_name"] ?? null) == "clearView"
+    ) {
+        unset($_SESSION["viewUser"]);
+        UnitySite::redirect($CONFIG["site"]["prefix"] . "/admin/user-mgmt.php");
+    }
+    // Webroot files need to handle their own POSTs before loading the header
+    // so that they can do UnitySite::badRequest before anything else has been printed.
+    // They also must not redirect like standard PRG practice because this
+    // header also needs to handle POST data. So this header does the PRG redirect
+    // for all pages.
+    unset($_POST); // unset ensures that header must not come before POST handling
+    UnitySite::redirect($_SERVER['PHP_SELF']);
 }
 
 if (isset($SSO)) {
diff --git a/test/functional/NewUserTest.php b/test/functional/NewUserTest.php
@@ -14,44 +14,26 @@ private function assertNumberGroupRequests(int $x)
 
     private function requestGroupCreation()
     {
-        $redirectedOrDied = false;
-        try {
-            http_post(
-                __DIR__ . "/../../webroot/panel/new_account.php",
-                ["new_user_sel" => "pi", "eula" => "agree", "confirm_pi" => "agree"]
-            );
-        } catch (\UnityWebPortal\lib\exceptions\PhpUnitNoDieException) {
-            $redirectedOrDied = true;
-        }
-        $this->assertTrue($redirectedOrDied);
+        http_post(
+            __DIR__ . "/../../webroot/panel/new_account.php",
+            ["new_user_sel" => "pi", "eula" => "agree", "confirm_pi" => "agree"]
+        );
     }
 
     private function requestGroupMembership(string $gid)
     {
-        $redirectedOrDied = false;
-        try {
-            http_post(
-                __DIR__ . "/../../webroot/panel/new_account.php",
-                ["new_user_sel" => "not_pi", "eula" => "agree", "pi" => $gid]
-            );
-        } catch (\UnityWebPortal\lib\exceptions\PhpUnitNoDieException) {
-            $redirectedOrDied = true;
-        }
-        $this->assertTrue($redirectedOrDied);
+        http_post(
+            __DIR__ . "/../../webroot/panel/new_account.php",
+            ["new_user_sel" => "not_pi", "eula" => "agree", "pi" => $gid]
+        );
     }
 
     private function cancelAllRequests()
     {
-        $redirectedOrDied = false;
-        try {
-            http_post(
-                __DIR__ . "/../../webroot/panel/new_account.php",
-                ["cancel" => "true"] // value of cancel is arbitrary
-            );
-        } catch (\UnityWebPortal\lib\exceptions\PhpUnitNoDieException) {
-            $redirectedOrDied = true;
-        }
-        $this->assertTrue($redirectedOrDied);
+        http_post(
+            __DIR__ . "/../../webroot/panel/new_account.php",
+            ["cancel" => "true"] // value of cancel is arbitrary
+        );
     }
 
     // delete requests made by that user
@@ -63,15 +45,15 @@ private function ensureUserDoesNotExist()
     {
         global $USER, $SQL, $LDAP;
         $SQL->deleteRequestsByUser($USER->getUID());
-        if ($USER->exists()) {
-            $USER->getLDAPUser()->delete();
-            assert(!$USER->exists());
-        }
         $org = $USER->getOrgGroup();
         if ($org->inOrg($USER)) {
             $org->removeUser($USER);
             assert(!$org->inOrg($USER));
         }
+        if ($USER->exists()) {
+            $USER->getLDAPUser()->delete();
+            assert(!$USER->exists());
+        }
         $all_users_group = $LDAP->getUserGroup();
         $all_member_uids = $all_users_group->getAttribute("memberuid");
         $new_uids = array_diff($all_member_uids, [$USER->getUID()]);
diff --git a/test/functional/ViewAsUserTest.php b/test/functional/ViewAsUserTest.php
@@ -15,15 +15,13 @@ public function _testViewAsUser(array $beforeUser, array $afterUser)
         // $this->assertTrue($USER->isAdmin());
         $beforeUid = $USER->getUID();
         // $this->assertNotEquals($afterUid, $beforeUid);
-        try {
-            http_post(
-                __DIR__ . "/../../webroot/admin/user-mgmt.php",
-                [
-                    "form_name" => "viewAsUser",
-                    "uid" => $afterUid,
-                ],
-            );
-        } catch (PhpUnitNoDieException) {}
+        http_post(
+            __DIR__ . "/../../webroot/admin/user-mgmt.php",
+            [
+                "form_name" => "viewAsUser",
+                "uid" => $afterUid,
+            ],
+        );
         $this->assertArrayHasKey("viewUser", $_SESSION);
         // redirect means that php process dies and user's browser will initiate a new one
         // this makes `require_once autoload.php` run again and init.php changes $USER
@@ -32,12 +30,10 @@ public function _testViewAsUser(array $beforeUser, array $afterUser)
         // now we should be new user
         $this->assertEquals($afterUid, $USER->getUID());
         // $this->assertTrue($_SESSION["user_exists"]);
-        try {
-            http_post(
-                __DIR__ . "/../../resources/templates/header.php",
-                ["form_name" => "clearView"],
-            );
-        } catch (PhpUnitNoDieException) {}
+        http_post(
+            __DIR__ . "/../../resources/templates/header.php",
+            ["form_name" => "clearView"],
+        );
         $this->assertArrayNotHasKey("viewUser", $_SESSION);
         // redirect means that php process dies and user's browser will initiate a new one
         // this makes `require_once autoload.php` run again and init.php changes $USER
@@ -69,15 +65,13 @@ public function testNonAdminViewAsAdmin()
         $adminUid = $USER->getUID();
         $this->assertTrue($USER->isAdmin());
         switchUser(...getNormalUser());
-        try {
-            http_post(
-                __DIR__ . "/../../webroot/admin/user-mgmt.php",
-                [
-                    "form_name" => "viewAsUser",
-                    "uid" => $adminUid,
-                ],
-            );
-        } catch (PhpUnitNoDieException) {}
+        http_post(
+            __DIR__ . "/../../webroot/admin/user-mgmt.php",
+            [
+                "form_name" => "viewAsUser",
+                "uid" => $adminUid,
+            ],
+        );
         $this->assertArrayNotHasKey("viewUser", $_SESSION);
     }
 }
diff --git a/test/phpunit-bootstrap.php b/test/phpunit-bootstrap.php
@@ -87,13 +87,18 @@ function http_post(string $phpfile, array $post_data): void
     $_SERVER["PHP_SELF"] = preg_replace("/.*webroot\//", "/", $phpfile);
     $_POST = $post_data;
     ob_start();
+    $post_did_redirect_or_die = false;
     try {
         include $phpfile;
+    } catch (UnityWebPortal\lib\exceptions\PhpUnitNoDieException $e) {
+        $post_did_redirect_or_die = true;
     } finally {
         ob_get_clean(); // discard output
         unset($_POST);
         $_SERVER = $_PREVIOUS_SERVER;
     }
+    // https://en.wikipedia.org/wiki/Post/Redirect/Get
+    assert($post_did_redirect_or_die, "post did not redirect or die!");
 }
 
 function http_get(string $phpfile, array $get_data = array()): void
diff --git a/webroot/index.php b/webroot/index.php
@@ -2,7 +2,7 @@
 
 require_once __DIR__ . "/../resources/autoload.php";
 
-require_once $LOC_HEADER;
+include $LOC_HEADER;
 ?>
 
 
diff --git a/webroot/panel/account.php b/webroot/panel/account.php
@@ -4,8 +4,6 @@
 
 use UnityWebPortal\lib\UnitySite;
 
-require_once $LOC_HEADER;
-
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
     switch (UnitySite::arrayGetOrBadRequest($_POST, "form_type")) {
         case "addKey":
@@ -73,6 +71,8 @@
             break;
     }
 }
+
+include $LOC_HEADER;
 ?>
 
 <h1>Account Settings</h1>
diff --git a/webroot/panel/new_account.php b/webroot/panel/new_account.php
@@ -39,12 +39,9 @@
                 $pi_group->cancelGroupJoinRequest($user=$USER);
             }
         }
-    } else {
-        UnitySite::badRequest("neither 'new_user_sel' or 'cancel' are set!");
     }
-    UnitySite::redirect($_SERVER['PHP_SELF']);
 }
-require_once $LOC_HEADER;
+include $LOC_HEADER;
 ?>
 
 <h1>Request Account</h1>
diff --git a/webroot/panel/support.php b/webroot/panel/support.php
@@ -2,7 +2,7 @@
 
 require "../../resources/autoload.php";
 
-require_once $LOC_HEADER;
+include $LOC_HEADER;
 ?>
 
 <h1>Support</h1>

Original file line number	Diff line number	Diff line change
`@@ -4,8 +4,6 @@`
`4`	`4`
`5`	`5`	`use UnityWebPortal\lib\UnitySite;`
`6`	`6`
`7`		`-require_once $LOC_HEADER;`
`8`		`-`
`9`	`7`	`if ($_SERVER['REQUEST_METHOD'] == "POST") {`
`10`	`8`	`switch (UnitySite::arrayGetOrBadRequest($_POST, "form_type")) {`
`11`	`9`	`case "addKey":`
`@@ -73,6 +71,8 @@`
`73`	`71`	`break;`
`74`	`72`	`}`
`75`	`73`	`}`
	`74`	`+`
	`75`	`+include $LOC_HEADER;`
`76`	`76`	`?>`
`77`	`77`
`78`	`78`	`<h1>Account Settings</h1>`
Original file line number	Diff line number	Diff line change
`@@ -39,12 +39,9 @@`
`39`	`39`	`$pi_group->cancelGroupJoinRequest($user=$USER);`
`40`	`40`	`}`
`41`	`41`	`}`
`42`		`- } else {`
`43`		`- UnitySite::badRequest("neither 'new_user_sel' or 'cancel' are set!");`
`44`	`42`	`}`
`45`		`- UnitySite::redirect($_SERVER['PHP_SELF']);`
`46`	`43`	`}`
`47`		`-require_once $LOC_HEADER;`
	`44`	`+include $LOC_HEADER;`
`48`	`45`	`?>`
`49`	`46`
`50`	`47`	`<h1>Request Account</h1>`