code-monkeys
diff --git a/‎.env.example.complete‎
Lines changed: 9 additions & 1 deletion b/‎.env.example.complete‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎app/Actions/ActivityService.php‎
Lines changed: 21 additions & 4 deletions b/‎app/Actions/ActivityService.php‎
Lines changed: 21 additions & 4 deletions
diff --git a/‎app/Auth/Access/ExternalAuthService.php‎
Lines changed: 4 additions & 10 deletions b/‎app/Auth/Access/ExternalAuthService.php‎
Lines changed: 4 additions & 10 deletions
diff --git a/‎app/Auth/Access/RegistrationService.php‎
Lines changed: 2 additions & 2 deletions b/‎app/Auth/Access/RegistrationService.php‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/Auth/Access/Saml2Service.php‎
Lines changed: 0 additions & 1 deletion b/‎app/Auth/Access/Saml2Service.php‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎app/Auth/Permissions/JointPermission.php‎
Lines changed: 5 additions & 4 deletions b/‎app/Auth/Permissions/JointPermission.php‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎app/Auth/Permissions/PermissionsRepo.php‎
Lines changed: 24 additions & 37 deletions b/‎app/Auth/Permissions/PermissionsRepo.php‎
Lines changed: 24 additions & 37 deletions
diff --git a/‎app/Auth/Permissions/RolePermission.php‎
Lines changed: 3 additions & 0 deletions b/‎app/Auth/Permissions/RolePermission.php‎
Lines changed: 3 additions & 0 deletions
@@ -270,4 +270,12 @@ API_DEFAULT_ITEM_COUNT=100
 API_MAX_ITEM_COUNT=500
 
 # The number of API requests that can be made per minute by a single user.
-API_REQUESTS_PER_MIN=180
+API_REQUESTS_PER_MIN=180
+
+# Enable the logging of failed email+password logins with the given message
+# The defaul log channel below uses the php 'error_log' function which commonly
+# results in messages being output to the webserver error logs.
+# The message can contain a %u parameter which will be replaced with the login
+# user identifier (Username or email).
+LOG_FAILED_LOGIN_MESSAGE=false
+LOG_FAILED_LOGIN_CHANNEL=errorlog_plain_webserver
@@ -4,6 +4,7 @@
 use BookStack\Auth\User;
 use BookStack\Entities\Entity;
 use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Log;
 
 class ActivityService
 {
@@ -49,7 +50,7 @@ public function addMessage(string $activityKey, string $message, ?int $bookId =
     protected function newActivityForUser(string $key, ?int $bookId = null): Activity
     {
         return $this->activity->newInstance()->forceFill([
-            'key' => strtolower($key),
+            'key'     => strtolower($key),
             'user_id' => $this->user->id,
             'book_id' => $bookId ?? 0,
         ]);
@@ -64,8 +65,8 @@ public function removeEntity(Entity $entity): Collection
     {
         $activities = $entity->activity()->get();
         $entity->activity()->update([
-            'extra' => $entity->name,
-            'entity_id' => 0,
+            'extra'       => $entity->name,
+            'entity_id'   => 0,
             'entity_type' => '',
         ]);
         return $activities;
@@ -99,7 +100,7 @@ public function entityActivity(Entity $entity, int $count = 20, int $page = 1):
             $query = $this->activity->newQuery()->where('entity_type', '=', $entity->getMorphClass())
                 ->where('entity_id', '=', $entity->id);
         }
-        
+
         $activity = $this->permissionService
             ->filterRestrictedEntityRelations($query, 'activities', 'entity_id', 'entity_type')
             ->orderBy('created_at', 'desc')
@@ -159,4 +160,20 @@ protected function setNotification(string $activityKey)
             session()->flash('success', $message);
         }
     }
+
+    /**
+     * Log out a failed login attempt, Providing the given username
+     * as part of the message if the '%u' string is used.
+     */
+    public function logFailedLogin(string $username)
+    {
+        $message = config('logging.failed_login.message');
+        if (!$message) {
+            return;
+        }
+
+        $message = str_replace("%u", $username, $message);
+        $channel = config('logging.failed_login.channel');
+        Log::channel($channel)->warning($message);
+    }
 }
@@ -3,6 +3,8 @@
 use BookStack\Auth\Role;
 use BookStack\Auth\User;
 use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\DB;
 
 class ExternalAuthService
 {
@@ -39,22 +41,14 @@ protected function externalIdMatchesGroupNames(string $externalId, array $groupN
     /**
      * Match an array of group names to BookStack system roles.
      * Formats group names to be lower-case and hyphenated.
-     * @param array $groupNames
-     * @return \Illuminate\Support\Collection
      */
-    protected function matchGroupsToSystemsRoles(array $groupNames)
+    protected function matchGroupsToSystemsRoles(array $groupNames): Collection
     {
         foreach ($groupNames as $i => $groupName) {
             $groupNames[$i] = str_replace(' ', '-', trim(strtolower($groupName)));
         }
 
-        $roles = Role::query()->where(function (Builder $query) use ($groupNames) {
-            $query->whereIn('name', $groupNames);
-            foreach ($groupNames as $groupName) {
-                $query->orWhere('external_auth_id', 'LIKE', '%' . $groupName . '%');
-            }
-        })->get();
-
+        $roles = Role::query()->get(['id', 'external_auth_id', 'display_name']);
         $matchedRoles = $roles->filter(function (Role $role) use ($groupNames) {
             return $this->roleMatchesGroupNames($role, $groupNames);
         });
 
@@ -71,15 +71,15 @@ public function registerUser(array $userData, ?SocialAccount $socialAccount = nu
         // Start email confirmation flow if required
         if ($this->emailConfirmationService->confirmationRequired() && !$emailConfirmed) {
             $newUser->save();
-            $message = '';
 
             try {
                 $this->emailConfirmationService->sendConfirmation($newUser);
+                session()->flash('sent-email-confirmation', true);
             } catch (Exception $e) {
                 $message = trans('auth.email_confirm_send_error');
+                throw new UserRegistrationException($message, '/register/confirm');
             }
 
-            throw new UserRegistrationException($message, '/register/confirm');
         }
 
         return $newUser;
 
@@ -311,7 +311,6 @@ protected function getSamlResponseAttribute(array $samlAttributes, string $prope
 
     /**
      * Get the user from the database for the specified details.
-     * @throws SamlException
      * @throws UserRegistrationException
      */
     protected function getOrRegisterUser(array $userDetails): ?User
 
@@ -3,25 +3,26 @@
 use BookStack\Auth\Role;
 use BookStack\Entities\Entity;
 use BookStack\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+use Illuminate\Database\Eloquent\Relations\MorphOne;
 
 class JointPermission extends Model
 {
+    protected $primaryKey = null;
     public $timestamps = false;
 
     /**
      * Get the role that this points to.
-     * @return \Illuminate\Database\Eloquent\Relations\BelongsTo
      */
-    public function role()
+    public function role(): BelongsTo
     {
         return $this->belongsTo(Role::class);
     }
 
     /**
      * Get the entity this points to.
-     * @return \Illuminate\Database\Eloquent\Relations\MorphOne
      */
-    public function entity()
+    public function entity(): MorphOne
     {
         return $this->morphOne(Entity::class, 'entity');
     }
 
@@ -1,8 +1,9 @@
 <?php namespace BookStack\Auth\Permissions;
 
-use BookStack\Auth\Permissions;
 use BookStack\Auth\Role;
 use BookStack\Exceptions\PermissionsException;
+use Exception;
+use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Support\Str;
 
 class PermissionsRepo
@@ -16,11 +17,8 @@ class PermissionsRepo
 
     /**
      * PermissionsRepo constructor.
-     * @param RolePermission $permission
-     * @param Role $role
-     * @param \BookStack\Auth\Permissions\PermissionService $permissionService
      */
-    public function __construct(RolePermission $permission, Role $role, Permissions\PermissionService $permissionService)
+    public function __construct(RolePermission $permission, Role $role, PermissionService $permissionService)
     {
         $this->permission = $permission;
         $this->role = $role;
@@ -29,46 +27,34 @@ public function __construct(RolePermission $permission, Role $role, Permissions\
 
     /**
      * Get all the user roles from the system.
-     * @return \Illuminate\Database\Eloquent\Collection|static[]
      */
-    public function getAllRoles()
+    public function getAllRoles(): Collection
     {
         return $this->role->all();
     }
 
     /**
      * Get all the roles except for the provided one.
-     * @param Role $role
-     * @return mixed
      */
-    public function getAllRolesExcept(Role $role)
+    public function getAllRolesExcept(Role $role): Collection
     {
         return $this->role->where('id', '!=', $role->id)->get();
     }
 
     /**
      * Get a role via its ID.
-     * @param $id
-     * @return mixed
      */
-    public function getRoleById($id)
+    public function getRoleById($id): Role
     {
-        return $this->role->findOrFail($id);
+        return $this->role->newQuery()->findOrFail($id);
     }
 
     /**
      * Save a new role into the system.
-     * @param array $roleData
-     * @return Role
      */
-    public function saveNewRole($roleData)
+    public function saveNewRole(array $roleData): Role
     {
         $role = $this->role->newInstance($roleData);
-        $role->name = str_replace(' ', '-', strtolower($roleData['display_name']));
-        // Prevent duplicate names
-        while ($this->role->where('name', '=', $role->name)->count() > 0) {
-            $role->name .= strtolower(Str::random(2));
-        }
         $role->save();
 
         $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
@@ -80,13 +66,11 @@ public function saveNewRole($roleData)
     /**
      * Updates an existing role.
      * Ensure Admin role always have core permissions.
-     * @param $roleId
-     * @param $roleData
-     * @throws PermissionsException
      */
-    public function updateRole($roleId, $roleData)
+    public function updateRole($roleId, array $roleData)
     {
-        $role = $this->role->findOrFail($roleId);
+        /** @var Role $role */
+        $role = $this->role->newQuery()->findOrFail($roleId);
 
         $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
         if ($role->system_name === 'admin') {
@@ -108,16 +92,19 @@ public function updateRole($roleId, $roleData)
 
     /**
      * Assign an list of permission names to an role.
-     * @param Role $role
-     * @param array $permissionNameArray
      */
-    public function assignRolePermissions(Role $role, $permissionNameArray = [])
+    public function assignRolePermissions(Role $role, array $permissionNameArray = [])
     {
         $permissions = [];
         $permissionNameArray = array_values($permissionNameArray);
-        if ($permissionNameArray && count($permissionNameArray) > 0) {
-            $permissions = $this->permission->whereIn('name', $permissionNameArray)->pluck('id')->toArray();
+
+        if ($permissionNameArray) {
+            $permissions = $this->permission->newQuery()
+                ->whereIn('name', $permissionNameArray)
+                ->pluck('id')
+                ->toArray();
         }
+
         $role->permissions()->sync($permissions);
     }
 
@@ -126,13 +113,13 @@ public function assignRolePermissions(Role $role, $permissionNameArray = [])
      * Check it's not an admin role or set as default before deleting.
      * If an migration Role ID is specified the users assign to the current role
      * will be added to the role of the specified id.
-     * @param $roleId
-     * @param $migrateRoleId
      * @throws PermissionsException
+     * @throws Exception
      */
     public function deleteRole($roleId, $migrateRoleId)
     {
-        $role = $this->role->findOrFail($roleId);
+        /** @var Role $role */
+        $role = $this->role->newQuery()->findOrFail($roleId);
 
         // Prevent deleting admin role or default registration role.
         if ($role->system_name && in_array($role->system_name, $this->systemRoles)) {
@@ -142,9 +129,9 @@ public function deleteRole($roleId, $migrateRoleId)
         }
 
         if ($migrateRoleId) {
-            $newRole = $this->role->find($migrateRoleId);
+            $newRole = $this->role->newQuery()->find($migrateRoleId);
             if ($newRole) {
-                $users = $role->users->pluck('id')->toArray();
+                $users = $role->users()->pluck('id')->toArray();
                 $newRole->users()->sync($users);
             }
         }
 
@@ -3,6 +3,9 @@
 use BookStack\Auth\Role;
 use BookStack\Model;
 
+/**
+ * @property int $id
+ */
 class RolePermission extends Model
 {
     /**
Original file line number	Diff line number	Diff line change
`@@ -3,25 +3,26 @@`
`3`	`3`	`use BookStack\Auth\Role;`
`4`	`4`	`use BookStack\Entities\Entity;`
`5`	`5`	`use BookStack\Model;`
	`6`	`+use Illuminate\Database\Eloquent\Relations\BelongsTo;`
	`7`	`+use Illuminate\Database\Eloquent\Relations\MorphOne;`
`6`	`8`
`7`	`9`	`class JointPermission extends Model`
`8`	`10`	`{`
	`11`	`+ protected $primaryKey = null;`
`9`	`12`	`public $timestamps = false;`
`10`	`13`
`11`	`14`	`/**`
`12`	`15`	`* Get the role that this points to.`
`13`		`- * @return \Illuminate\Database\Eloquent\Relations\BelongsTo`
`14`	`16`	`*/`
`15`		`- public function role()`
	`17`	`+ public function role(): BelongsTo`
`16`	`18`	`{`
`17`	`19`	`return $this->belongsTo(Role::class);`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`/**`
`21`	`23`	`* Get the entity this points to.`
`22`		`- * @return \Illuminate\Database\Eloquent\Relations\MorphOne`
`23`	`24`	`*/`
`24`		`- public function entity()`
	`25`	`+ public function entity(): MorphOne`
`25`	`26`	`{`
`26`	`27`	`return $this->morphOne(Entity::class, 'entity');`
`27`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,9 @@`
`3`	`3`	`use BookStack\Auth\Role;`
`4`	`4`	`use BookStack\Model;`
`5`	`5`
	`6`	`+/**`
	`7`	`+ * @property int $id`
	`8`	`+ */`
`6`	`9`	`class RolePermission extends Model`
`7`	`10`	`{`
`8`	`11`	`/**`