From 09a91a998ea47ae40cfa96a523b93f79ac0a4535 Mon Sep 17 00:00:00 2001
From: Alex Cabal <alex@alexcabal.com>
Date: Mon, 9 Sep 2024 20:34:30 -0500
Subject: [PATCH] Update framework standards

---
 lib/Constants.php                       |   8 +-
 lib/DbConnection.php                    |  16 +--
 lib/Enums/HttpCode.php                  |  26 ++++
 lib/{ => Enums}/HttpMethod.php          |   2 +
 lib/{ => Enums}/HttpRequestType.php     |   2 +
 lib/{ => Enums}/HttpVariableSource.php  |   2 +
 lib/{ => Enums}/HttpVariableType.php    |   2 +
 lib/HttpInput.php                       | 175 ++++++++++++++++++------
 lib/Traits/Accessor.php                 |  89 +++++++++---
 www/artworks/post.php                   |   8 +-
 www/newsletter/subscriptions/delete.php |   6 +-
 www/newsletter/subscriptions/post.php   |  18 +--
 www/polls/votes/post.php                |  10 +-
 www/sessions/post.php                   |  10 +-
 www/webhooks/github.php                 |   2 +-
 www/webhooks/postmark.php               |   2 +-
 www/webhooks/zoho.php                   |   2 +-
 17 files changed, 282 insertions(+), 98 deletions(-)
 create mode 100644 lib/Enums/HttpCode.php
 rename lib/{ => Enums}/HttpMethod.php (89%)
 rename lib/{ => Enums}/HttpRequestType.php (73%)
 rename lib/{ => Enums}/HttpVariableSource.php (82%)
 rename lib/{ => Enums}/HttpVariableType.php (86%)

diff --git a/lib/Constants.php b/lib/Constants.php
index 4fc184a8..1ee8a286 100644
--- a/lib/Constants.php
+++ b/lib/Constants.php
@@ -45,10 +45,10 @@ const CAPTCHA_IMAGE_HEIGHT = 72;
 const CAPTCHA_IMAGE_WIDTH = 230;
 
 // These are defined for convenience, so that getting HTTP input isn't so wordy
-const GET = HttpVariableSource::Get;
-const POST = HttpVariableSource::Post;
-const SESSION = HttpVariableSource::Session;
-const COOKIE = HttpVariableSource::Cookie;
+const GET = Enums\HttpVariableSource::Get;
+const POST = Enums\HttpVariableSource::Post;
+const SESSION = Enums\HttpVariableSource::Session;
+const COOKIE = Enums\HttpVariableSource::Cookie;
 
 define('NO_REPLY_EMAIL_ADDRESS', get_cfg_var('se.secrets.email.no_reply_address'));
 define('ADMIN_EMAIL_ADDRESS', get_cfg_var('se.secrets.email.admin_address'));
diff --git a/lib/DbConnection.php b/lib/DbConnection.php
index 5e9b4730..0c07774c 100644
--- a/lib/DbConnection.php
+++ b/lib/DbConnection.php
@@ -9,7 +9,7 @@ class DbConnection{
 	public int $LastQueryAffectedRowCount = 0;
 
 	/**
-	 * Create a new database connection.
+	 * Create a database connection.
 	 *
 	 * @param ?string $defaultDatabase The default database to connect to, or `null` not to define one.
 	 * @param string $host The database hostname.
@@ -28,7 +28,7 @@ class DbConnection{
 
 		$connectionString = 'mysql:';
 
-		if(stripos($host, ':') !== false){
+		if(mb_stripos($host, ':') !== false){
 			$port = null;
 			preg_match('/([^:]*):([0-9]+)/ius', $host, $matches);
 			$host = $matches[1];
@@ -113,7 +113,7 @@ class DbConnection{
 	 *
 	 * The result is an array of rows. Each row is an array of objects, with each object containing its columns and values. For example,
 	 *
-	 * ```
+	 * ```php
 	 * [
 	 *	[
 	 *		'Users' => {
@@ -123,7 +123,7 @@ class DbConnection{
 	 *		'Posts' => {
 	 *			'PostId' => 222,
 	 *			'Title' => 'Lorem Ipsum'
-	 *		},
+	 *		}
 	 *	],
 	 *	[
 	 *		'Users' => {
@@ -146,14 +146,14 @@ class DbConnection{
 	 * @param array<mixed> $params An array of parameters to bind to the SQL statement.
 	 * @param class-string<T> $class The class to instantiate for each row, or `null` to return an array of rows.
 	 *
-	 * @return array<T>|array<array<string, object>> An array of `$class` if `$class` is not `null`, otherwise an array of rows of the form `["LeftTableName" => $stdClass, "RightTableName" => $stdClass]`.
+	 * @return array<T>|array<array<string, stdClass>> An array of `$class` if `$class` is not `null`, otherwise an array of rows of the form `["LeftTableName" => $stdClass, "RightTableName" => $stdClass]`.
 	 *
-	 * @throws Exceptions\AppException If a class was specified but the class doesn't have a `FromMultiTableRow()` method.
+	 * @throws Exceptions\MultiSelectMethodNotFoundException If a class was specified but the class doesn't have a `FromMultiTableRow()` method.
 	 * @throws Exceptions\DatabaseQueryException When an error occurs during execution of the query.
 	 */
 	public function MultiTableSelect(string $sql, array $params = [], ?string $class = null): array{
 		if($class !== null && !method_exists($class, 'FromMultiTableRow')){
-			throw new Exceptions\AppException('Multi table select attempted, but class ' . $class . ' doesn\'t have a FromMultiTableRow() method.');
+			throw new Exceptions\MultiSelectMethodNotFoundException($class);
 		}
 
 		$handle = $this->PreparePdoHandle($sql, $params);
@@ -316,7 +316,7 @@ class DbConnection{
 	 * @param \PdoStatement $handle The PDO handle to execute.
 	 * @param class-string<T> $class The class to instantiate for each row, or `null` to return an array of rows.
 	 *
-	 * @return array<T>|array<array<string, object>> An array of `$class` if `$class` is not `null`, otherwise an array of rows of the form `["LeftTableName" => $stdClass, "RightTableName" => $stdClass]`.
+	 * @return array<T>|array<array<string, stdClass>> An array of `$class` if `$class` is not `null`, otherwise an array of rows of the form `["LeftTableName" => $stdClass, "RightTableName" => $stdClass]`.
 	 *
 	 * @throws \PDOException When an error occurs during execution of the query.
 	 */
diff --git a/lib/Enums/HttpCode.php b/lib/Enums/HttpCode.php
new file mode 100644
index 00000000..afa489fe
--- /dev/null
+++ b/lib/Enums/HttpCode.php
@@ -0,0 +1,26 @@
+<?
+namespace Enums;
+
+enum HttpCode: int{
+	case Ok = 200;
+	case Created = 201;
+	case Accepted = 202;
+	case NoContent = 204;
+
+	case MovedPermanently = 301; // Permanent redirect
+	case Found = 302; // Temporary redirect
+	case SeeOther = 303;
+
+	case BadRequest = 400;
+	case Unauthorized = 401;
+	case PaymentRequired = 402;
+	case Forbidden = 403;
+	case NotFound = 404;
+	case MethodNotAllowed = 405;
+	case Conflict = 409;
+	case Gone = 410;
+	case UnprocessableContent = 422;
+
+	case InternalServerError = 500;
+	case ServiceUnavailable = 503;
+}
diff --git a/lib/HttpMethod.php b/lib/Enums/HttpMethod.php
similarity index 89%
rename from lib/HttpMethod.php
rename to lib/Enums/HttpMethod.php
index f06e4b8a..633b3dfe 100644
--- a/lib/HttpMethod.php
+++ b/lib/Enums/HttpMethod.php
@@ -1,4 +1,6 @@
 <?
+namespace Enums;
+
 enum HttpMethod: string{
 	case Delete = 'DELETE';
 	case Get = 'GET';
diff --git a/lib/HttpRequestType.php b/lib/Enums/HttpRequestType.php
similarity index 73%
rename from lib/HttpRequestType.php
rename to lib/Enums/HttpRequestType.php
index 72cc7379..dd5e87aa 100644
--- a/lib/HttpRequestType.php
+++ b/lib/Enums/HttpRequestType.php
@@ -1,4 +1,6 @@
 <?
+namespace Enums;
+
 enum HttpRequestType{
 	case Rest;
 	case Web;
diff --git a/lib/HttpVariableSource.php b/lib/Enums/HttpVariableSource.php
similarity index 82%
rename from lib/HttpVariableSource.php
rename to lib/Enums/HttpVariableSource.php
index 249adc5f..b1861e1c 100644
--- a/lib/HttpVariableSource.php
+++ b/lib/Enums/HttpVariableSource.php
@@ -1,4 +1,6 @@
 <?
+namespace Enums;
+
 enum HttpVariableSource{
 	case Get;
 	case Post;
diff --git a/lib/HttpVariableType.php b/lib/Enums/HttpVariableType.php
similarity index 86%
rename from lib/HttpVariableType.php
rename to lib/Enums/HttpVariableType.php
index 2ce585bd..3673bd7e 100644
--- a/lib/HttpVariableType.php
+++ b/lib/Enums/HttpVariableType.php
@@ -1,4 +1,6 @@
 <?
+namespace Enums;
+
 enum HttpVariableType{
 	case Array;
 	case Boolean;
diff --git a/lib/HttpInput.php b/lib/HttpInput.php
index aa4456c9..062b3a3a 100644
--- a/lib/HttpInput.php
+++ b/lib/HttpInput.php
@@ -2,19 +2,56 @@
 use Safe\DateTimeImmutable;
 
 use function Safe\ini_get;
+use function Safe\glob;
 use function Safe\preg_match;
+use function Safe\preg_replace;
+use function Safe\mb_convert_encoding;
 
 class HttpInput{
 	/**
-	 * Check that the request's HTTP method is in a list of allowed HTTP methods.
-	 * @param ?array<HttpMethod> $allowedHttpMethods An array containing a list of allowed HTTP methods, or null if any valid HTTP method is allowed.
-	 * @param bool $throwException If the request HTTP method isn't allowed, then throw an exception; otherwise, output HTTP 405 and exit the script immediately.
-	 * @throws Exceptions\InvalidHttpMethodException If the HTTP method is not recognized and `$throwException` is `true`.
-	 * @throws Exceptions\HttpMethodNotAllowedException If the HTTP method is not in the list of allowed methods and `$throwException` is `true`.
+	 * Calculate the HTTP method of the request, then include `<METHOD>.php` and exit.
 	 */
-	public static function ValidateRequestMethod(?array $allowedHttpMethods = null, bool $throwException = false): HttpMethod{
+	public static function DispatchRest(): void{
 		try{
-			$requestMethod = HttpMethod::from($_POST['_method'] ?? $_SERVER['REQUEST_METHOD']);
+			$httpMethod = HttpInput::ValidateRequestMethod(null, true);
+
+			$filename = mb_strtolower($httpMethod->value) . '.php';
+
+			if(!file_exists($filename)){
+				throw new Exceptions\InvalidHttpMethodException();
+			}
+
+			if($httpMethod == Enums\HttpMethod::Post){
+				// If we're a HTTP POST, then we got here from a POST request initially, so just continue
+				return;
+			}
+
+			include($filename);
+
+			exit();
+		}
+		catch(Exceptions\InvalidHttpMethodException | Exceptions\HttpMethodNotAllowedException){
+			$filenames = glob('{delete,get,patch,post,put}.php', GLOB_BRACE);
+
+			if(sizeof($filenames) > 0){
+				header('Allow: ' . implode(',', array_map(fn($filename): string => mb_strtoupper(preg_replace('/^([a-z]+)[\.\-].+$/i', '\1', $filename)), $filenames)));
+			}
+
+			http_response_code(Enums\HttpCode::MethodNotAllowed->value);
+			exit();
+		}
+	}
+
+	/**
+	 * Check that the request's HTTP method is in a list of allowed HTTP methods.
+	 * @param ?array<Enums\HttpMethod> $allowedHttpMethods An array containing a list of allowed HTTP methods, or null if any valid HTTP method is allowed.
+	 * @param bool $throwException If the request HTTP method isn't allowed, then throw an exception; otherwise, output HTTP 405 and exit the script immediately.
+	 * @throws Exceptions\InvalidHttpMethodException If the HTTP method is not recognized, and `$throwException` is `true`.
+	 * @throws Exceptions\HttpMethodNotAllowedException If the HTTP method is recognized but not allowed, and `$throwException` is `true`.
+	 */
+	public static function ValidateRequestMethod(?array $allowedHttpMethods = null, bool $throwException = false): Enums\HttpMethod{
+		try{
+			$requestMethod = Enums\HttpMethod::from($_POST['_method'] ?? $_GET['_method'] ?? $_SERVER['REQUEST_METHOD']);
 			if($allowedHttpMethods !== null){
 				$isRequestMethodAllowed = false;
 				foreach($allowedHttpMethods as $allowedHttpMethod){
@@ -41,7 +78,7 @@ class HttpInput{
 				if($allowedHttpMethods !== null){
 					header('Allow: ' . implode(',', array_map(fn($httpMethod): string => $httpMethod->value, $allowedHttpMethods)));
 				}
-				http_response_code(405);
+				http_response_code(Enums\HttpCode::MethodNotAllowed->value);
 				exit();
 			}
 		}
@@ -53,7 +90,7 @@ class HttpInput{
 	 * @return int The maximum size for an HTTP POST request, in bytes.
 	 */
 	public static function GetMaxPostSize(): int{
-		$post_max_size = ini_get('post_max_size');
+		$post_max_size = ini_get('upload_max_filesize');
 		$unit = substr($post_max_size, -1);
 		$size = (int) substr($post_max_size, 0, -1);
 
@@ -71,16 +108,35 @@ class HttpInput{
 				return true;
 			}
 		}
+		elseif(sizeof($_FILES) > 0){
+			// We received files but may have an error because the size exceeded our limit.
+			foreach($_FILES as $file){
+				$error = $file['error'] ?? UPLOAD_ERR_OK;
+
+				if($error == UPLOAD_ERR_INI_SIZE || $error == UPLOAD_ERR_FORM_SIZE){
+					return true;
+				}
+			}
+		}
 
 		return false;
 	}
 
-	public static function GetRequestType(): HttpRequestType{
-		return preg_match('/\btext\/html\b/ius', $_SERVER['HTTP_ACCEPT'] ?? '') ? HttpRequestType::Web : HttpRequestType::Rest;
+	public static function GetRequestType(): Enums\HttpRequestType{
+		return preg_match('/\btext\/html\b/ius', $_SERVER['HTTP_ACCEPT'] ?? '') ? Enums\HttpRequestType::Web : Enums\HttpRequestType::Rest;
 	}
 
-	public static function Str(HttpVariableSource $set, string $variable, bool $allowEmptyString = false): ?string{
-		$var = self::GetHttpVar($variable, HttpVariableType::String, $set);
+	/**
+	 * Get a string from an HTTP variable set.
+	 *
+	 * If the variable is set but empty, returns `null` unless `$allowEmptyString` is **`TRUE`**, in which case it returns an empty string.
+	 *
+	 * @param Enums\HttpVariableSource $set
+	 * @param string $variable
+	 * @param bool $allowEmptyString If the variable exists but is empty, return an empty string instead of `null`.
+	 */
+	public static function Str(Enums\HttpVariableSource $set, string $variable, bool $allowEmptyString = false): ?string{
+		$var = self::GetHttpVar($variable, Enums\HttpVariableType::String, $set);
 
 		if(is_array($var)){
 			return null;
@@ -94,24 +150,51 @@ class HttpInput{
 		return $var;
 	}
 
-	public static function Int(HttpVariableSource $set, string $variable): ?int{
+	public static function Int(Enums\HttpVariableSource $set, string $variable): ?int{
 		/** @var ?int */
-		return self::GetHttpVar($variable, HttpVariableType::Integer, $set);
+		return self::GetHttpVar($variable, Enums\HttpVariableType::Integer, $set);
 	}
 
-	public static function Bool(HttpVariableSource $set, string $variable): ?bool{
+	public static function Bool(Enums\HttpVariableSource $set, string $variable): ?bool{
 		/** @var ?bool */
-		return self::GetHttpVar($variable, HttpVariableType::Boolean, $set);
+		return self::GetHttpVar($variable, Enums\HttpVariableType::Boolean, $set);
 	}
 
-	public static function Dec(HttpVariableSource $set, string $variable): ?float{
+	public static function Dec(Enums\HttpVariableSource $set, string $variable): ?float{
 		/** @var ?float */
-		return self::GetHttpVar($variable, HttpVariableType::Decimal, $set);
+		return self::GetHttpVar($variable, Enums\HttpVariableType::Decimal, $set);
 	}
 
-	public static function Date(HttpVariableSource $set, string $variable): ?DateTimeImmutable{
+	public static function Date(Enums\HttpVariableSource $set, string $variable): ?DateTimeImmutable{
 		/** @var ?DateTimeImmutable */
-		return self::GetHttpVar($variable, HttpVariableType::DateTime, $set);
+		return self::GetHttpVar($variable, Enums\HttpVariableType::DateTime, $set);
+	}
+
+	/**
+	 * Return an object of type `$class` from `$_SESSION`, or `null` of no object of that type exists in `$_SESSION`.
+	 *
+	 * @template T of object
+	 * @param string $variable
+	 * @param class-string<T>|array<class-string<T>> $class The class of the object to return, or an array of possible classes to return.
+	 *
+	 * @return ?T An object of type `$class`, or `null` if no object of that type exists in `$_SESSION`.
+	 */
+	public static function SessionObject(string $variable, string|array $class): ?object{
+		if(!is_array($class)){
+			$class = [$class];
+		}
+
+		$object = $_SESSION[$variable] ?? null;
+
+		if($object !== null){
+			foreach($class as $c){
+				if(is_a($object, $c)){
+					return $object;
+				}
+			}
+		}
+
+		return null;
 	}
 
 	/**
@@ -137,85 +220,95 @@ class HttpInput{
 	* @param string $variable
 	* @return array<string>
 	*/
-	public static function Array(HttpVariableSource $set, string $variable): ?array{
+	public static function Array(Enums\HttpVariableSource $set, string $variable): ?array{
 		/** @var array<string> */
-		return self::GetHttpVar($variable, HttpVariableType::Array, $set);
+		return self::GetHttpVar($variable, Enums\HttpVariableType::Array, $set);
 	}
 
 	/**
 	 * @return array<string>|array<int>|array<float>|array<bool>|string|int|float|bool|DateTimeImmutable|null
 	 */
-	private static function GetHttpVar(string $variable, HttpVariableType $type, HttpVariableSource $set): mixed{
+	private static function GetHttpVar(string $variable, Enums\HttpVariableType $type, Enums\HttpVariableSource $set): mixed{
+		// Note that in Core.php we parse the request body of DELETE, PATCH, and PUT into $_POST.
+
 		$vars = [];
 
 		switch($set){
-			case HttpVariableSource::Get:
+			case Enums\HttpVariableSource::Get:
 				$vars = $_GET;
 				break;
-			case HttpVariableSource::Post:
+			case Enums\HttpVariableSource::Post:
 				$vars = $_POST;
 				break;
-			case HttpVariableSource::Cookie:
+			case Enums\HttpVariableSource::Cookie:
 				$vars = $_COOKIE;
 				break;
-			case HttpVariableSource::Session:
+			case Enums\HttpVariableSource::Session:
 				$vars = $_SESSION;
 				break;
 		}
 
 		if(isset($vars[$variable])){
-			if($type == HttpVariableType::Array && is_array($vars[$variable])){
+			if($type == Enums\HttpVariableType::Array && is_array($vars[$variable])){
 				// We asked for an array, and we got one
 				return $vars[$variable];
 			}
-			elseif($type !== HttpVariableType::Array && is_array($vars[$variable])){
+			elseif($type !== Enums\HttpVariableType::Array && is_array($vars[$variable])){
 				// We asked for not an array, but we got an array
 				return null;
 			}
 			elseif(is_string($vars[$variable])){
-				$var = trim($vars[$variable]);
+				// HTML `<textarea>`s encode newlines as `\r\n`, i.e. TWO characters, when submitting form data. However jQuery's `.val()` and HTML's `@maxlength` treat newlines as ONE character. So, strip `\r` here so that character lengths align between what the browser reports, and what it actually sends. This also solves column length issues when storing in the DB.
+				$var = trim(str_replace("\r", "", $vars[$variable]));
 			}
 			else{
 				$var = $vars[$variable];
 			}
 
 			switch($type){
-				case HttpVariableType::String:
-					return $var;
-				case HttpVariableType::Integer:
+				case Enums\HttpVariableType::String:
+					// Attempt to fix broken UTF8 strings, often passed by bots and scripts.
+					// Broken UTF8 can cause exceptions in functions like `preg_replace()`.
+					try{
+						return mb_convert_encoding($var, 'utf-8');
+					}
+					catch(\Safe\Exceptions\MbstringException){
+						return '';
+					}
+				case Enums\HttpVariableType::Integer:
 					// Can't use ctype_digit because we may want negative integers
-					if(is_numeric($var) && mb_strpos(strval($var), '.') === false){
+					if(is_numeric($var) && mb_strpos((string)$var, '.') === false){
 						try{
 							return intval($var);
 						}
-						catch(\Exception){
+						catch(Exception){
 							return null;
 						}
 					}
 					break;
-				case HttpVariableType::Boolean:
+				case Enums\HttpVariableType::Boolean:
 					if($var === false || $var === '0' || strtolower($var) == 'false' || strtolower($var) == 'off'){
 						return false;
 					}
 					else{
 						return true;
 					}
-				case HttpVariableType::Decimal:
+				case Enums\HttpVariableType::Decimal:
 					if(is_numeric($var)){
 						try{
 							return floatval($var);
 						}
-						catch(\Exception){
+						catch(Exception){
 							return null;
 						}
 					}
 					break;
-				case HttpVariableType::DateTime:
+				case Enums\HttpVariableType::DateTime:
 					if($var != ''){
 						try{
 							return new DateTimeImmutable($var);
 						}
-						catch(\Exception){
+						catch(Exception){
 							return null;
 						}
 					}
diff --git a/lib/Traits/Accessor.php b/lib/Traits/Accessor.php
index 62a22fe8..346fd130 100644
--- a/lib/Traits/Accessor.php
+++ b/lib/Traits/Accessor.php
@@ -1,39 +1,84 @@
 <?
 namespace Traits;
 
+/**
+ * Trait to add getters/setters for class properties.
+ *
+ * Properties are defined by PHPDoc. Their backing class properties must be either `protected` or `private` and begin with `_`. They are accessed by a protected `Get${Var}` function and set by a protected `Set${Var}` function. For example:
+ *
+ * ```php
+ * // @property string Bar
+ * class Foo{
+ *     use Traits\Accessor;
+ *
+ *     protected string $_Bar;
+ *
+ *     protected function GetBar(): string{
+ *         if(!isset($this->_Bar)){
+ *             $this->_Bar = 'baz';
+ *         }
+ *
+ *         return $this->_Bar;
+ *     }
+ *
+ *     protected function SetBar(string $value): void{
+ *         $this->_Bar = $value;
+ *     }
+ * }
+ *
+ * $foo = new Foo();
+ * print($foo->Bar); // baz
+ * $foo->Bar = 'ipsum';
+ * print($foo->Bar); // ipsum
+ * ```
+ *
+ * **Note:** Using the null coalesce `??` operator on an `Accessor` property is equivalent to calling `isset()` and short-circuiting on **`FALSE`**, *instead of calling the getter.*
+ *
+ * For example, `$object->Tag->Name ?? ''` will always return `""` if `$object->_Tag = <uninitialized>`, without calling the getter first.
+ *
+ * See <https://reddit.com/r/PHPhelp/comments/x2avqu/anyone_know_the_rules_behind_null_coalescing/>.
+ */
 trait Accessor{
 	public function __get(string $var): mixed{
-		$function = 'Get' . $var;
+		$getterFunction = 'Get' . $var;
 		$privateVar = '_' . $var;
 
-		if(method_exists($this, $function)){
-			return $this->$function();
+		if(method_exists($this, $getterFunction)){
+			return $this->$getterFunction();
 		}
-		elseif(property_exists($this, $var . 'Id') && property_exists($this, $privateVar) && method_exists($var, 'Get')){
-			// If we're asking for a private `_Var` property,
-			// and we have a public `VarId` property,
-			// and the `Var` class also has a `Var::Get` method,
-			// call that method and return the result.
-			if($this->$privateVar === null && $this->{$var . 'Id'} !== null){
-				$this->$privateVar = $var::Get($this->{$var . 'Id'});
+
+		if(property_exists($this, $privateVar)){
+			if(!isset($this->$privateVar) && isset($this->{$var . 'Id'})){
+				try{
+					$type = (new \ReflectionProperty($this, $privateVar))->getType();
+
+					if($type !== null && ($type instanceof \ReflectionNamedType)){
+						$typeName = $type->getName();
+
+						if(method_exists($typeName, 'Get')){
+							// If we're asking for a private `_Var` property, and we have a public `VarId` property, and the `Var` class also has a `Var::Get()` method, call that method and return the result.
+							$this->$privateVar = $typeName::Get($this->{$var . 'Id'});
+						}
+					}
+				}
+				catch(\ReflectionException){
+					// Pass, but let through other exceptions that may come from `Var::Get()`.
+				}
 			}
 
 			return $this->$privateVar;
 		}
-		elseif(property_exists($this, $privateVar)){
-			return $this->{$privateVar};
-		}
 		else{
 			return $this->$var;
 		}
 	}
 
 	public function __set(string $var, mixed $val): void{
-		$function = 'Set' . $var;
+		$setterFunction = 'Set' . $var;
 		$privateVar = '_' . $var;
 
-		if(method_exists($this, $function)){
-			$this->$function($val);
+		if(method_exists($this, $setterFunction)){
+			$this->$setterFunction($val);
 		}
 		elseif(property_exists($this, $privateVar)){
 			$this->$privateVar = $val;
@@ -42,4 +87,16 @@ trait Accessor{
 			$this->$var = $val;
 		}
 	}
+
+	public function __unset(string $var): void{
+		$unsetterFunction = 'Unset' . $var;
+		$privateVar = '_' . $var;
+
+		if(method_exists($this, $unsetterFunction)){
+			$this->$unsetterFunction();
+		}
+		elseif(property_exists($this, $privateVar)){
+			unset($this->$privateVar);
+		}
+	}
 }
diff --git a/www/artworks/post.php b/www/artworks/post.php
index 13c30abb..6c17b9b9 100644
--- a/www/artworks/post.php
+++ b/www/artworks/post.php
@@ -2,7 +2,7 @@
 
 try{
 	session_start();
-	$httpMethod = HttpInput::ValidateRequestMethod([HttpMethod::Post, HttpMethod::Patch, HttpMethod::Put]);
+	$httpMethod = HttpInput::ValidateRequestMethod([Enums\HttpMethod::Post, Enums\HttpMethod::Patch, Enums\HttpMethod::Put]);
 	$exceptionRedirectUrl = '/artworks/new';
 
 	if(HttpInput::IsRequestTooLarge()){
@@ -14,7 +14,7 @@ try{
 	}
 
 	// POSTing a new artwork
-	if($httpMethod == HttpMethod::Post){
+	if($httpMethod == Enums\HttpMethod::Post){
 		if(!$GLOBALS['User']->Benefits->CanUploadArtwork){
 			throw new Exceptions\InvalidPermissionsException();
 		}
@@ -43,7 +43,7 @@ try{
 	}
 
 	// PUTing an artwork
-	if($httpMethod == HttpMethod::Put){
+	if($httpMethod == Enums\HttpMethod::Put){
 		$originalArtwork = Artwork::GetByUrl(HttpInput::Str(GET, 'artist-url-name'), HttpInput::Str(GET, 'artwork-url-name'));
 
 		if(!$originalArtwork->CanBeEditedBy($GLOBALS['User'])){
@@ -82,7 +82,7 @@ try{
 	}
 
 	// PATCHing an artwork
-	if($httpMethod == HttpMethod::Patch){
+	if($httpMethod == Enums\HttpMethod::Patch){
 		$artwork = Artwork::GetByUrl(HttpInput::Str(GET, 'artist-url-name'), HttpInput::Str(GET, 'artwork-url-name'));
 
 		$exceptionRedirectUrl = $artwork->Url;
diff --git a/www/newsletter/subscriptions/delete.php b/www/newsletter/subscriptions/delete.php
index dca5d47d..b50c8fd3 100644
--- a/www/newsletter/subscriptions/delete.php
+++ b/www/newsletter/subscriptions/delete.php
@@ -1,19 +1,19 @@
 <?
 try{
 	// We may use GET if we're called from an unsubscribe link in an email
-	HttpInput::ValidateRequestMethod([HttpMethod::Get, HttpMethod::Delete]);
+	HttpInput::ValidateRequestMethod([Enums\HttpMethod::Get, Enums\HttpMethod::Delete]);
 
 	$requestType = HttpInput::GetRequestType();
 
 	$subscription = NewsletterSubscription::Get(HttpInput::Str(GET, 'uuid'));
 	$subscription->Delete();
 
-	if($requestType == HttpRequestType::Rest){
+	if($requestType == Enums\HttpRequestType::Rest){
 		exit();
 	}
 }
 catch(Exceptions\NewsletterSubscriptionNotFoundException){
-	if($requestType == HttpRequestType::Web){
+	if($requestType == Enums\HttpRequestType::Web){
 		Template::Emit404();
 	}
 	else{
diff --git a/www/newsletter/subscriptions/post.php b/www/newsletter/subscriptions/post.php
index 30a1aff7..dd480d8b 100644
--- a/www/newsletter/subscriptions/post.php
+++ b/www/newsletter/subscriptions/post.php
@@ -3,7 +3,7 @@ use Ramsey\Uuid\Uuid;
 use function Safe\session_unset;
 
 try{
-	HttpInput::ValidateRequestMethod([HttpMethod::Post]);
+	HttpInput::ValidateRequestMethod([Enums\HttpMethod::Post]);
 
 	session_start();
 
@@ -13,7 +13,7 @@ try{
 
 	if(HttpInput::Str(POST, 'automationtest')){
 		// A bot filled out this form field, which should always be empty. Pretend like we succeeded.
-		if($requestType == HttpRequestType::Web){
+		if($requestType == Enums\HttpRequestType::Web){
 			http_response_code(303);
 			$uuid = Uuid::uuid4();
 			$subscription->User = new User();
@@ -22,7 +22,7 @@ try{
 			header('Location: /newsletter/subscriptions/success');
 		}
 		else{
-			// Access via HttpRequestType::Rest api; 201 CREATED with location
+			// Access via Enums\HttpRequestType::Rest api; 201 CREATED with location
 			http_response_code(201);
 			header('Location: /newsletter/subscriptions/success');
 		}
@@ -43,20 +43,20 @@ try{
 
 	session_unset();
 
-	if($requestType == HttpRequestType::Web){
+	if($requestType == Enums\HttpRequestType::Web){
 		http_response_code(303);
 		$_SESSION['is-subscription-created'] = $subscription->UserId;
 		header('Location: /newsletter/subscriptions/success');
 	}
 	else{
-		// Access via HttpRequestType::Rest api; 201 CREATED with location
+		// Access via Enums\HttpRequestType::Rest api; 201 CREATED with location
 		http_response_code(201);
 		header('Location: /newsletter/subscriptions/success');
 	}
 }
 catch(Exceptions\NewsletterSubscriptionExistsException){
 	// Subscription exists.
-	if($requestType == HttpRequestType::Web){
+	if($requestType == Enums\HttpRequestType::Web){
 		// If we're accessing from the web, update the subscription,
 		// re-sending the confirmation email if the user isn't yet confirmed
 		$existingSubscription = NewsletterSubscription::Get($subscription->User->Uuid);
@@ -77,12 +77,12 @@ catch(Exceptions\NewsletterSubscriptionExistsException){
 		}
 	}
 	else{
-		// Access via HttpRequestType::Rest api; 409 CONFLICT
+		// Access via Enums\HttpRequestType::Rest api; 409 CONFLICT
 		http_response_code(409);
 	}
 }
 catch(Exceptions\InvalidNewsletterSubscription $ex){
-	if($requestType == HttpRequestType::Web){
+	if($requestType == Enums\HttpRequestType::Web){
 		$_SESSION['subscription'] = $subscription;
 		$_SESSION['exception'] = $ex;
 
@@ -91,7 +91,7 @@ catch(Exceptions\InvalidNewsletterSubscription $ex){
 		header('Location: /newsletter/subscriptions/new');
 	}
 	else{
-		// Access via HttpRequestType::Rest api; 422 Unprocessable Entity
+		// Access via Enums\HttpRequestType::Rest api; 422 Unprocessable Entity
 		http_response_code(422);
 	}
 }
diff --git a/www/polls/votes/post.php b/www/polls/votes/post.php
index 17664b5f..f961bfda 100644
--- a/www/polls/votes/post.php
+++ b/www/polls/votes/post.php
@@ -2,7 +2,7 @@
 use function Safe\session_unset;
 
 try{
-	HttpInput::ValidateRequestMethod([HttpMethod::Post]);
+	HttpInput::ValidateRequestMethod([Enums\HttpMethod::Post]);
 
 	session_start();
 
@@ -16,19 +16,19 @@ try{
 
 	session_unset();
 
-	if($requestType == HttpRequestType::Web){
+	if($requestType == Enums\HttpRequestType::Web){
 		$_SESSION['is-vote-created'] = $vote->UserId;
 		http_response_code(303);
 		header('Location: ' . $vote->Url);
 	}
 	else{
-		// Access via HttpRequestType::Rest api; 201 CREATED with location
+		// Access via Enums\HttpRequestType::Rest api; 201 CREATED with location
 		http_response_code(201);
 		header('Location: ' . $vote->Url);
 	}
 }
 catch(Exceptions\InvalidPollVoteException $ex){
-	if($requestType == HttpRequestType::Web){
+	if($requestType == Enums\HttpRequestType::Web){
 		$_SESSION['vote'] = $vote;
 		$_SESSION['exception'] = $ex;
 
@@ -37,7 +37,7 @@ catch(Exceptions\InvalidPollVoteException $ex){
 		header('Location: /polls/' . (HttpInput::Str(GET, 'pollurlname') ?? '') . '/votes/new');
 	}
 	else{
-		// Access via HttpRequestType::Rest api; 422 Unprocessable Entity
+		// Access via Enums\HttpRequestType::Rest api; 422 Unprocessable Entity
 		http_response_code(422);
 	}
 }
diff --git a/www/sessions/post.php b/www/sessions/post.php
index 82690deb..fcd418da 100644
--- a/www/sessions/post.php
+++ b/www/sessions/post.php
@@ -2,7 +2,7 @@
 use function Safe\session_unset;
 
 try{
-	HttpInput::ValidateRequestMethod([HttpMethod::Post]);
+	HttpInput::ValidateRequestMethod([Enums\HttpMethod::Post]);
 
 	session_start();
 
@@ -21,18 +21,18 @@ try{
 
 	session_unset();
 
-	if($requestType == HttpRequestType::Web){
+	if($requestType == Enums\HttpRequestType::Web){
 		http_response_code(303);
 		header('Location: ' . $redirect);
 	}
 	else{
-		// Access via HttpRequestType::Rest api; 201 CREATED with location
+		// Access via Enums\HttpRequestType::Rest api; 201 CREATED with location
 		http_response_code(201);
 		header('Location: ' . $session->Url);
 	}
 }
 catch(Exceptions\InvalidLoginException | Exceptions\PasswordRequiredException $ex){
-	if($requestType == HttpRequestType::Web){
+	if($requestType == Enums\HttpRequestType::Web){
 		$_SESSION['email'] = $email;
 		$_SESSION['redirect'] = $redirect;
 		$_SESSION['exception'] = $ex;
@@ -42,7 +42,7 @@ catch(Exceptions\InvalidLoginException | Exceptions\PasswordRequiredException $e
 		header('Location: /sessions/new');
 	}
 	else{
-		// Access via HttpRequestType::Rest api; 422 Unprocessable Entity
+		// Access via Enums\HttpRequestType::Rest api; 422 Unprocessable Entity
 		http_response_code(422);
 	}
 }
diff --git a/www/webhooks/github.php b/www/webhooks/github.php
index e5a85fdf..53015443 100644
--- a/www/webhooks/github.php
+++ b/www/webhooks/github.php
@@ -12,7 +12,7 @@ try{
 	$log = new Log(GITHUB_WEBHOOK_LOG_FILE_PATH);
 	$lastPushHashFlag = '';
 
-	HttpInput::ValidateRequestMethod([HttpMethod::Post]);
+	HttpInput::ValidateRequestMethod([Enums\HttpMethod::Post]);
 
 	$log->Write('Received GitHub webhook.');
 
diff --git a/www/webhooks/postmark.php b/www/webhooks/postmark.php
index 5ee1a017..8108b133 100644
--- a/www/webhooks/postmark.php
+++ b/www/webhooks/postmark.php
@@ -12,7 +12,7 @@ try{
 
 	$log->Write('Received Postmark webhook.');
 
-	HttpInput::ValidateRequestMethod([HttpMethod::Post]);
+	HttpInput::ValidateRequestMethod([Enums\HttpMethod::Post]);
 
 	$apiKey = get_cfg_var('se.secrets.postmark.api_key');
 
diff --git a/www/webhooks/zoho.php b/www/webhooks/zoho.php
index e5e9d213..624fffc3 100644
--- a/www/webhooks/zoho.php
+++ b/www/webhooks/zoho.php
@@ -9,7 +9,7 @@ use function Safe\json_decode;
 try{
 	$log = new Log(ZOHO_WEBHOOK_LOG_FILE_PATH);
 
-	HttpInput::ValidateRequestMethod([HttpMethod::Post]);
+	HttpInput::ValidateRequestMethod([Enums\HttpMethod::Post]);
 
 	$log->Write('Received Zoho webhook.');