Add permissions checks everywhere;

website/BrowserID.php

@@ -1,104 +0,0 @@
-<?php
-
-/**
- * Verification library for the BrowserID / Persona authentication system
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * @category Auth
- * @package Auth_BrowserID
- * @author Francois Marier <francois@mozilla.com>
- * @copyright 2013 Mozilla Foundation
- * @license http://mozilla.org/MPL/2.0/
- * @link http://pear.php.net/package/Auth_BrowserID
- * @since File available since Release 0.1.0
- */
-
-class Auth_BrowserID
-{
-    /**
-     * Scheme, hostname and port
-     */
-    protected $audience;
-
-    /**
-     * Verification type: 'local' or 'remote'
-     */
-    protected $type;
-
-    /**
-     * URL of the remote verifier
-     */
-    protected $verifierUrl;
-
-    /**
-     * Constructor
-     *
-     * @param string $audience The scheme, hostname and port of the server
-     * @param string $type The type of verification ('local' or 'remote')
-     * @param string $verifierUrl The URL to use for remote verification
-     */
-    public function __construct($audience, $type = 'remote', $verifierUrl = 'https://verifier.login.persona.org/verify')
-    {
-        $this->audience = $audience;
-        $this->type = $type;
-        $this->verifierUrl = $verifierUrl;
-    }
-
-    /**
-     * Verify the validity of the assertion received from the user
-     *
-     * @param string $assertion The assertion as received from the login dialog
-     * @param boolean $type The type of verification ('local' or 'remote')
-     * @return object The response from the Persona online verifier
-     */
-    public function verifyAssertion($assertion)
-    {
-        if ($this->type === 'local') {
-            return $this->verifyLocally($assertion);
-        } else {
-            return $this->verifyRemotely($assertion);
-        }
-    }
-
-    /**
-     * Contact the identity provider directly when verifying the
-     * validity of the assertion.
-     *
-     * @param string $assertion The assertion as received from the login dialog
-     * @return object The response from the Persona online verifier
-     */
-    private function verifyLocally($assertion)
-    {
-        // Mozilla currently recommends against local verification
-        // since the details of the certificate format are not yet finalized and
-        // may change.
-        throw new Exception("Not implemented.");
-    }
-
-    /**
-     * Use the verification service at verifier.login.persona.org to
-     * verify the validity of the assertion.
-     *
-     * @param string $assertion The assertion as received from the login dialog
-     * @return object The response from the Persona online verifier
-     */
-    private function verifyRemotely($assertion)
-    {
-        $postdata = 'assertion=' . urlencode($assertion) . '&audience=' . urlencode($this->audience);
-
-        $ch = curl_init();
-        curl_setopt($ch, CURLOPT_URL, $this->verifierUrl);
-        curl_setopt($ch, CURLOPT_POST, true);
-        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-        curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
-        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
-        $response = curl_exec($ch);
-        curl_close($ch);
-
-        return json_decode($response);
-    }
-}

website/UPDATE.php

@@ -6,7 +6,7 @@
 if (strpos($_SERVER['SCRIPT_FILENAME'], "UPDATE.php") !== false)
     die("Please rename this file to something more unknown.");
 
-require_once("internals.php");
+require_once("lib/internals.php");
 
 init_database();
 

website/dashboard.php

@@ -35,11 +35,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("internals.php");
-
-if (!has_permissions()) {
-    die("You need to be logged in.");
-}
+require_once("lib/internals.php");
+check_permissions();
 
 require_once("lib/DB/Mode.php");
 require_once("lib/DB/Machine.php");

website/data-info.php

@@ -3,7 +3,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("internals.php");
+require_once("lib/internals.php");
 require_once("regressions/data-func.php");
 init_database();
 
@@ -34,6 +34,7 @@ if ($subtest) {
                           WHERE score_id = ".$id." AND
                                 prev_build_id = ".$prev_build_id);
 }
+
 $data = Array("regression" => Array());
 if (mysql_num_rows($query) >= 1) {
     $result = mysql_fetch_object($query);

website/data.php

@@ -1,6 +1,6 @@
 <?php
 
-include "internals.php";
+include "lib/internals.php";
 
 global $config;
 

website/lib/internals.php

@@ -49,7 +49,7 @@ function username()
 {
     if (!isset($_SESSION['persona']))
         return "guest";
-    else
+
     return $_SESSION['persona'];
 }
 
@@ -61,20 +61,28 @@ function has_permissions()
     # Test here which persons have permission to see all benchmarks
     if (preg_match("/^[0-9A-Za-z.]*@mozilla\.com$/", $_SESSION['persona'])) {
         return true;
-    } else {
+    }
+
     $split = explode("@", $_SESSION['persona'], 2);
-		if ($split[1] == "gmail.com") {
-			if ($split[0] == "hv1989")
-				return true;
-		} else if ($split[1] == "googlemail.com") {
-			if ($split[0] == "evilpies")
+
+    if ($split[0] == 'hv1989' && split[1] == "gmail.com") {
         return true;
     }
+
+    if ($split[0] == "evilpies" && $split[1] == "googlemail.com") {
+        return true;
     }
 
     return false;
 }
 
+function check_permissions()
+{
+    if (!has_permissions()) {
+        die('You must be logged in to visit this page.');
+    }
+}
+
 function GET_bool($name)
 {
     if (isset($_GET[$name]))
@@ -192,7 +200,7 @@ function awfy_query($query)
     return $result;
 }
 
-if (!function_exists("mysql_connect")){
+if (!function_exists("mysql_connect")) {
     /* warning: fatal error "cannot redeclare" if a function was disabled in php.ini with disable_functions:
     disable_functions =mysql_connect,mysql_pconnect,mysql_select_db,mysql_ping,mysql_query,mysql_fetch_assoc,mysql_num_rows,mysql_fetch_array,mysql_error,mysql_insert_id,mysql_close,mysql_real_escape_string,mysql_data_seek,mysql_result
      */

website/overview/data-suite.php

@@ -4,7 +4,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-include "../internals.php";
+include "../lib/internals.php";
 
 init_database();
 

website/overview/data.php

@@ -6,7 +6,7 @@
 
 error_reporting(-1);
 
-include "../internals.php";
+include "../lib/internals.php";
 
 init_database();
 

website/overview/index.html

@@ -39,6 +39,7 @@
 </header>
 
 <div class='container content' ng-view><div>
+
 <script>
   (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
   (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
@@ -47,23 +48,7 @@
 
   ga('create', 'UA-58850314-2', 'auto');
   ga('send', 'pageview');
-
 </script>
-<!-- Piwik -->
-<script type="text/javascript">
-  var _paq = _paq || [];
-  _paq.push(['trackPageView']);
-  _paq.push(['enableLinkTracking']);
-  (function() {
-    var u="//arewefastyet.com/piwik/";
-    _paq.push(['setTrackerUrl', u+'piwik.php']);
-    _paq.push(['setSiteId', 1]);
-    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
-    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
-  })();
-</script>
-<noscript><p><img src="//arewefastyet.com/piwik/piwik.php?idsite=1" style="border:0;" alt="" /></p></noscript>
-<!-- End Piwik Code -->
 
 </body>
 </html>

website/regressions/add-comment.php

@@ -3,13 +3,11 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
 
 init_database();
 
-if (!has_permissions())
-	die();
-
 $postdata = file_get_contents("php://input");
 $request = json_decode($postdata);
 

website/regressions/change-bug.php

@@ -3,13 +3,11 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
 
 init_database();
 
-if (!has_permissions())
-	die();
-
 $postdata = file_get_contents("php://input");
 $request = json_decode($postdata);
 

website/regressions/change-noise.php

@@ -3,13 +3,11 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
 
 init_database();
 
-if (!has_permissions())
-	die();
-
 $postdata = file_get_contents("php://input");
 $request = json_decode($postdata);
 

website/regressions/change-status.php

@@ -3,13 +3,11 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
 
 init_database();
 
-if (!has_permissions())
-	die();
-
 $postdata = file_get_contents("php://input");
 $request = json_decode($postdata);
 
@@ -25,4 +23,3 @@ $query = mysql_query("INSERT INTO awfy_regression_status
                       VALUES
                       ('$regression_id', '$name', '$extra', UNIX_TIMESTAMP())
                       ") or die(mysql_error());
-

website/regressions/data-func.php

@@ -3,6 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+require_once("../lib/internals.php");
+check_permissions();
+
 function prev_($sort_order_id, $machine, $mode, $suite, $limit = 1) {
 	$limit = (int) $limit;
     $query = "SELECT awfy_score.id, score, cset

website/regressions/data-graph.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 require_once("data-func.php");
 init_database();
 
@@ -18,6 +20,7 @@ $query = mysql_query("SELECT awfy_regression.id, build_id FROM awfy_regression
                          mode_id = 32 or
                          mode_id = 20) AND
                   status != 'fixed' AND status != 'improvement'");
+
 while ($regs = mysql_fetch_object($query)) {
     $qScore = mysql_query("SELECT count(*) as count FROM awfy_regression_score
                            WHERE regression_id = ".$regs->id);
@@ -43,4 +46,5 @@ foreach ($amount as $key => $value) {
     $first = false;
 }
 echo "]";
+
 ?>

website/regressions/data-prev-next-stamp.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 init_database();
 
 require_once("../lib/ScoreTools.php");

website/regressions/data-regression-inbetween.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 init_database();
 
 require_once("data-func.php");

website/regressions/data-regression-range.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 require_once("../lib/DB/Regression.php");
 require_once("../lib/VersionControl.php");
 

website/regressions/data-regression-status.php

@@ -3,7 +3,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
 
 init_database();
 
@@ -15,6 +16,7 @@ $query = mysql_query("SELECT *
                       FROM awfy_regression_status
                       WHERE regression_id = '".(int)$request->id."'
                       ORDER BY stamp DESC") or die(mysql_error());
+
 $data = array();
 while ($output = mysql_fetch_assoc($query)) {
     $data[] = $output;

website/regressions/data-regression.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 init_database();
 
 require_once("data-func.php");

website/regressions/data-revision.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 require_once("data-func.php");
 init_database();
 

website/regressions/data-score.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 require_once("data-func.php");
 init_database();
 

website/regressions/data-search.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 require_once("data-func.php");
 init_database();
 

website/regressions/data-submit.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 require_once("data-func.php");
 init_database();
 

website/regressions/index.php

@@ -1,3 +1,10 @@
+<?php
+
+require_once("../lib/internals.php");
+check_permissions();
+
+?>
+
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <html ng-app="awfyApp">
 <head>
@@ -58,22 +65,7 @@
 
   ga('create', 'UA-58850314-2', 'auto');
   ga('send', 'pageview');
+</script>
 
-</script>
-<!-- Piwik -->
-<script type="text/javascript">
-  var _paq = _paq || [];
-  _paq.push(['trackPageView']);
-  _paq.push(['enableLinkTracking']);
-  (function() {
-    var u="//arewefastyet.com/piwik/";
-    _paq.push(['setTrackerUrl', u+'piwik.php']);
-    _paq.push(['setSiteId', 1]);
-    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
-    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
-  })();
-</script>
-<noscript><p><img src="//arewefastyet.com/piwik/piwik.php?idsite=1" style="border:0;" alt="" /></p></noscript>
-<!-- End Piwik Code -->
 </body>
 </html>

website/regressions/retrigger.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 require_once("../lib/RetriggerController.php");
 
 init_database();
@@ -22,4 +24,3 @@ $retrigger = RetriggerController::fromMachine($machine_id, $mode_id);
 $retrigger->convertToRevision($mode_id, $revision, $run_before_id, $run_after_id);
 $retrigger->selectBenchmarks($benchmarks);
 $retrigger->enqueueNow();
-

website/retrigger/data-benchmarks.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 require_once("../lib/RetriggerController.php");
 require_once("../lib/VersionControl/HGWeb.php");
 require_once("../lib/DB/ControlTasks.php");

website/retrigger/data-machines.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 require_once("../lib/RetriggerController.php");
 require_once("../lib/VersionControl/HGWeb.php");
 require_once("../lib/DB/ControlTasks.php");

website/retrigger/data-submit.php

@@ -3,7 +3,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("../internals.php");
+require_once("../lib/internals.php");
+check_permissions();
+
 require_once("../lib/RetriggerController.php");
 require_once("../lib/VersionControl/HGWeb.php");
 require_once("../lib/DB/ControlTasks.php");

website/retrigger/index.php

@@ -1,3 +1,10 @@
+<?php
+
+require_once("../lib/internals.php");
+check_permissions();
+
+?>
+
 <html>
 <head>
 <style>

website/schedule.php

@@ -41,14 +41,14 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("internals.php");
+require_once("lib/internals.php");
+check_permissions();
+
 require_once("lib/DB/QueuedTask.php");
 require_once("lib/DB/TaskRecipe.php");
 
 init_database();
-if (!has_permissions()) {
-	die("You need to be logged in.");
-} else if (isset($_POST["task"])) {
+if (isset($_POST["task"])) {
 
     $recipe = new TaskRecipe((int)$_POST["task"]);
     $task = $recipe->fill($_POST);
@@ -69,7 +69,7 @@ if (!has_permissions()) {
             "inputs" => $recipe->inputs()
         );
     }
-	?>
+?>
     <script>
     var recipes = <?php echo json_encode($recipes_json); ?>
     </script>
@@ -79,7 +79,7 @@ if (!has_permissions()) {
             <script src='schedule.js'></script>
             <script>init_schedule();</script>
         </form>
-	<?php
+<?php
 }
 ?>
 </div>

website/task.php

@@ -3,7 +3,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("internals.php");
+require_once("lib/internals.php");
 require_once("lib/RetriggerController.php");
 require_once("lib/DB/TaskQueue.php");
 require_once("lib/DB/QueuedTask.php");

website/task_info.php

@@ -35,11 +35,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-require_once("internals.php");
-
-if (!has_permissions()) {
-    die("You need to be logged in.");
-}
+require_once("lib/internals.php");
+check_permissions();
 
 require_once("lib/RetriggerController.php");
 require_once("lib/DB/TaskQueue.php");