Add input validation to admin pages

source/webui/pages/admin/add-incident.php

@@ -4,12 +4,13 @@ $main = StatusBoard_Main::instance();
 $request = $main->request();
 $auth = $main->auth();
 $session = $main->session();
-$messages = array();
 
 if ( ! $auth->isAuthenticated() || ! $auth->hasPermission(StatusBoard_Permission::PERM_UpdateIncidents)) {
     throw new StatusBoard_Exception_NotAuthorised();
 }
 
+$messages = array();
+
 if ($request->exists('do')) {
     
     $service_id = StatusBoard_Main::issetelse($_POST['service'], 'Sihnon_Exception_InvalidParameters');

source/webui/pages/admin/incident.php

@@ -36,25 +36,30 @@ if ($request->exists('do')) {
             $description = StatusBoard_Main::issetelse($_POST['description'], 'Sihnon_Exception_InvalidParameters');
             $estimated_end_time = StatusBoard_Main::issetelse($_POST['estimatedendtime'], 'Sihnon_Exception_InvalidParameters');
 
-            $estimated_end_time = strtotime($estimated_end_time);
+            try {
+                StatusBoard_Validation_Text::length($reference, 1, 32);
                 
-            if ($reference) {
+                $estimated_end_time = strtotime($estimated_end_time);
-                $incident->reference = $reference;
+                if ($estimated_end_time) {
-            }
+                    $incident->reference = $reference;
-            if ($description) {
+                    $incident->description = $description;
-                $incident->description = $description;
+                    $incident->estimated_end_time = $estimated_end_time;
-            }
+                    $incident->save();
-            if ($estimated_end_time) {
+                    $messages[] = array(
-                $incident->estimated_end_time = $estimated_end_time;
+                        'severity' => 'success',
-            }
+                        'content'  => 'The incident was updated succesfully.',
-            if ($reference || $description || $estimated_end_time) {
+                    );
-                $incident->save();
+                } else {
+                    $messages[] = array(
+                        'severity' => 'error',
+                        'content'  => 'The incident was not modified because the value entered for estimated end time was not understood.',
+                    );
+                }                    
+            } catch (StatusBoard_Exception_InvalidContent $e) {
                 $messages[] = array(
-                    'severity' => 'success',
+                    'severity' => 'error',
-                    'content'  => 'The incident was updated succesfully.',
+                    'content'  => 'The incident was not modified due to invalid parameters being passed.',
                 );
-            } else {
-                $messages[] = 'No changes were necessary.';
             }
 
         } break;
@@ -63,21 +68,33 @@ if ($request->exists('do')) {
             $status = StatusBoard_Main::issetelse($_POST['status'], 'Sihnon_Exception_InvalidParameters');
             $description = StatusBoard_Main::issetelse($_POST['description'], 'Sihnon_Exception_InvalidParameters');
             
-            $incident->changeStatus($status, $description);
+            try {
+                StatusBoard_Validation_Enum::validate($status, 'StatusBoard_Status', 'STATUS_');
                 
-            if ($status == StatusBoard_Status::STATUS_Resolved) {
+                $incident->changeStatus($status, $description);
-                $incident->actual_end_time = time();
+                
-                $incident->save();
+                if ($status == StatusBoard_Status::STATUS_Resolved) {
+                    $incident->actual_end_time = time();
+                    $incident->save();
+                }
+                
+                $messages[] = array(
+                    'severity' => 'success',
+                    'content'  => 'The incident status was changed successfully.',
+                );
+            } catch (StatusBoard_Exception_InvalidContent $e) {
+                $messages[] = array(
+                    'severity' => 'error',
+                    'content'  => 'The status was not modified due to invalid parameters being passed.',
+                );
             }
-            
-            $messages[] = array(
-                'severity' => 'success',
-                'content'  => 'The incident status was changed successfully.',
-            );
         } break;
 
         default: {
-
+            $messages[] = array(
+                'severity' => 'warning',
+                'content'  => "The activity '{$activity}' is not supported.",
+            );
         }
     }
     

source/webui/pages/admin/service.php

@@ -10,7 +10,7 @@ if ( ! $auth->isAuthenticated() || ! $auth->hasPermission(StatusBoard_Permission
 }
 
 $activity = null;
-$success = true;
+$messages = array();
 
 $service_id = $request->get('id', 'Sihnon_Exception_InvalidParameters');
 $service = null;
@@ -28,34 +28,43 @@ if ($request->exists('do')) {
             $name = StatusBoard_Main::issetelse($_POST['name'], 'Sihnon_Exception_InvalidParameters');
             $description = StatusBoard_Main::issetelse($_POST['description'], 'Sihnon_Exception_InvalidParameters');
             
-            if ($name) {
+            try {
+                StatusBoard_Validation_Text::length($name, 1, 255);
+                
                 $service->name = $name;
-            }
-            if ($description) {
                 $service->description = $description;
-            }
-            if ($name || $description) {
                 $service->save();
                 $messages[] = array(
                     'severity' => 'success',
                     'content'  => 'The service was updated succesfully.',
                 );
-            } else {
+            } catch (StatusBoard_Exception_InvalidContent $e) {
-                $messages[] = 'No changes were necessary.';
+                $messages[] = array(
+                    'severity' => 'error',
+                    'content'  => 'The service was not modified due to invalid parameters being passed.',
+                );
             }            
-            
         } break;        
         
         case 'add-site': {
             $name = StatusBoard_Main::issetelse($_POST['name'], 'Sihnon_Exception_InvalidParameters');
             $description = StatusBoard_Main::issetelse($_POST['description'], 'Sihnon_Exception_InvalidParameters');
 
-            $site = $service->newSite($name, $description);
+            try {
+                StatusBoard_Validation_Text::length($name, 1, 255);
                 
-            $messages[] = array(
+                $site = $service->newSite($name, $description);
-                'severity' => 'success',
+                
-                'content'  => 'The site was created succesfully.',
+                $messages[] = array(
-            );
+                    'severity' => 'success',
+                    'content'  => 'The site was created succesfully.',
+                );
+            } catch (StatusBoard_Exception_InvalidContent $e) {
+                $messages[] = array(
+                    'severity' => 'error',
+                    'content'  => 'The site was not added due to invalid parameters being passed.',
+                );
+            }
        
         } break;
 

source/webui/pages/admin/site.php

@@ -9,6 +9,8 @@ if ( ! $auth->isAuthenticated() || ! $auth->hasPermission(StatusBoard_Permission
     throw new StatusBoard_Exception_NotAuthorised();
 }
 
+$messages = array();
+
 $service_id = $request->get('service', 'Sihnon_Exception_InvalidParameters');
 $site_id = $request->get('id', 'Sihnon_Exception_InvalidParameters'); 
 
@@ -30,20 +32,21 @@ if ($request->exists('do')) {
             $name = StatusBoard_Main::issetelse($_POST['name'], 'Sihnon_Exception_InvalidParameters');
             $description = StatusBoard_Main::issetelse($_POST['description'], 'Sihnon_Exception_InvalidParameters');
 
-            if ($name) {
+            try {
+                StatusBoard_Validation_Text::length($name, 1, 255);
+                
                 $site->name = $name;
-            }
-            if ($description) {
                 $site->description = $description;
-            }
-            if ($name || $description) {
                 $site->save();
                 $messages[] = array(
                     'severity' => 'success',
                     'content'  => 'The site was updated succesfully.',
                 );
-            } else {
+            } catch (StatusBoard_Exception_InvalidContent $e) {
-                $messages[] = 'No changes were necessary.';
+                $messages[] = array(
+                    'severity' => 'error',
+                    'content'  => 'The site was not modified due to invalid parameters being passed.',
+                );
             }
 
         } break;