Security Analysis: not enabled

This project does not seem to handle request data directly, so no vulnerable execution paths were found.

Vulnerability categories covered by the security analysis:

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server, gaining access to user data or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of an XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements, potentially granting permission to run unauthorized queries or to modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem, including configuration files, or can be abused to freeze your web server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

programs/functions.php (1 issue)


Issue (legacy PHP analysis), on the docblock of absences_vacationsAccess(): the doc-type multitype:boolean could not be parsed: Unknown type name "multitype:boolean" at position 0. This check marks PHPDoc comments that could not be parsed by the analysis engine's parser; the supported doc-types are listed in its documentation.

<?php
/************************************************************************
 * OVIDENTIA http://www.ovidentia.org                                   *
 ************************************************************************
 * Copyright (c) 2003 by CANTICO ( http://www.cantico.fr )              *
 *                                                                      *
 * This file is part of Ovidentia.                                      *
 *                                                                      *
 * Ovidentia is free software; you can redistribute it and/or modify    *
 * it under the terms of the GNU General Public License as published by *
 * the Free Software Foundation; either version 2, or (at your option)  *
 * any later version.                                                   *
 *                                                                      *
 * This program is distributed in the hope that it will be useful, but  *
 * WITHOUT ANY WARRANTY; without even the implied warranty of           *
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                 *
 * See the  GNU General Public License for more details.                *
 *                                                                      *
 * You should have received a copy of the GNU General Public License    *
 * along with this program; if not, write to the Free Software          *
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,*
 * USA.                                                                 *
 ************************************************************************/

include_once dirname(__FILE__).'/define.php';

// Load the icon stylesheet when the Icons functionality is available.
if ($icons = bab_functionality::get('Icons')) {
    /* @var $icons Func_Icons */
    try {
        $icons->includeCss();
    } catch (Exception $e) {
        bab_debug($e->getMessage());
    }
}

/**
 * Translate a string through the Gettext functionality, using the
 * 'absences' addon catalogue. Falls back to the untranslated string
 * when the functionality is not available.
 *
 * @param string      $str
 * @param string|null $str_plurals  Plural form of $str
 * @param int|null    $number       Quantity used to select the plural form
 * @return string
 */
function absences_translate($str, $str_plurals = null, $number = null)
{
    if ($translate = bab_functionality::get('Translate/Gettext')) {
        /* @var $translate Func_Translate_Gettext */
        $translate->setAddonName('absences');

        return $translate->translate($str, $str_plurals, $number);
    }

    return $str;
}

/**
 * @return bab_addonInfos
 */
function absences_addon()
{
    return bab_getAddonInfosInstance('absences');
}

/**
 * Vacation access
 * @return multitype:boolean
 */
function absences_vacationsAccess()
{
    require_once dirname(__FILE__).'/utilit/agent.class.php';

    $agent = absences_Agent::getCurrentUser();

    $array = array();

    if ($agent->isInPersonnel()) {
        $array['user'] = true;
    }

    if ($agent->isManager()) {
        $array['manager'] = true;
    }

    if ($agent->isApprover()) {
        $array['approver'] = true;
    }

    return $array;
}

/**
 * Right kinds, indexed by absences_Right constant.
 * @return array
 */
function absences_kinds()
{
    return array(
        absences_Right::REGULAR   => absences_translate('Regular'),
        absences_Right::FIXED     => absences_translate('Fixed dates'),
        absences_Right::CET       => absences_translate('Time savings account'),
        absences_Right::INCREMENT => absences_translate('Monthly variable right'),
        absences_Right::RECOVERY  => absences_translate('Recovery right'),
        absences_Right::REPORT    => absences_translate('Report right')
    );
}

/**
 * Synchronization status labels, indexed by absences_Right constant.
 * @return array
 */
function absences_syncStatus()
{
    return array(
        absences_Right::SYNC_CLIENT       => absences_translate('Synchronization activated'),
        absences_Right::SYNC_CLIENT_END   => absences_translate('No synchronization, the right is not available on server'),
        absences_Right::SYNC_CLIENT_ERROR => absences_translate('Synchronization failed because of an error'),
        absences_Right::SYNC_SERVER       => absences_translate('Shared right')
    );
}

/**
 * Build a date-time string from a datepicker date and an hour.
 *
 * @param string $date  Datepicker date
 * @param string $hour
 * @return string       ISO date followed by a space and the hour
 */
function absences_dateTimeForm($date, $hour)
{
    $W = bab_Widgets();
    $datePicker = $W->DatePicker();

    $dateiso = $datePicker->getISODate($date);

    return $dateiso.' '.$hour;
}

/**
 * Whether the addon is locked for maintenance for the current user.
 * Managers are never locked out.
 * @return bool
 */
function absences_lockedForMainteance()
{
    $agent = absences_Agent::getCurrentUser();

    if ($agent->isManager()) {
        return false;
    }

    return (bool) absences_getVacationOption('maintenance');
}

/**
 * @return string
 */
function absences_getMaintenanceMessage()
{
    return absences_translate('This feature is not available at this time because a maintenance action is in progress');
}

/**
 * Display a menu to create vacation request, CET request, working days recovery request
 *
 * @return BAB_Toolbar
 */
function absences_getToolbar()
{
    require_once $GLOBALS['babInstallPath'] . 'utilit/toolbar.class.php';
    $babBody = bab_getBody();
    $babBody->addStyleSheet('toolbar.css');

    $toolbar = new BAB_Toolbar();
    return $toolbar;
}

/**
 * Id of the absence type flagged as a recovery type, or 0 if none.
 * @return int
 */
function absences_getRecoveryType()
{
    global $babDB;

    $res = $babDB->db_query("SELECT id FROM absences_types WHERE recover='1'");

    if ($babDB->db_num_rows($res) == 0) {
        return 0;
    }

    $row = $babDB->db_fetch_assoc($res);

    return (int) $row['id'];
}

/**
 * Output a toolbar with one button linking to the addon's spoofing page
 * for the given request type.
 *
 * @param string $type   Request type passed as the request_type parameter
 * @param string $label  Button label
 */
function absences_addSpoofButton($type, $label)
{
    require_once $GLOBALS['babInstallPath'] . 'utilit/toolbar.class.php';
    $babBody = bab_getBody();
    $toolbar = new BAB_Toolbar();
    $sImgPath = $GLOBALS['babInstallPath'] . 'skins/ovidentia/images/Puces/';
    $toolbar->addToolbarItem(
        new BAB_ToolbarItem($label, absences_addon()->getUrl().'spoofing&request_type='.$type,
            $sImgPath . 'edit_add.png', '', '', '')
    );

    $babBody->addStyleSheet('toolbar.css');
    $babBody->babEcho($toolbar->printTemplate());
}

/**
 * Delete personnel entries whose user no longer exists in bab_users.
 */
function absences_deleteAgentsWithNoUser()
{
    global $babDB;
    require_once dirname(__FILE__).'/utilit/agent.class.php';

    $res = $babDB->db_query('SELECT a.id_user FROM absences_personnel a LEFT JOIN bab_users u ON u.id=a.id_user WHERE u.id IS NULL');
    while ($arr = $babDB->db_fetch_assoc($res)) {
        if ($arr['id_user']) {
            $agent = absences_Agent::getFromIdUser($arr['id_user']);
            $agent->delete();
        }
    }
}

/**
 * Function from the orgchart addon to force one primary role.
 * Does nothing (returns false) unless the current user is an administrator.
 */
function absence_rePrimary()
{
    if (!bab_isUserAdministrator()) {
        return false;
    }

    global $babDB;

    $sql = "SELECT id
            FROM bab_oc_roles_users
            WHERE id_user NOT IN (
                SELECT id_user FROM bab_oc_roles_users WHERE isprimary = 'Y'
            )
            GROUP BY id_user
            ";

    $res = $babDB->db_query($sql);

    while ($arr = $babDB->db_fetch_array($res)) {
        $babDB->db_query("update bab_oc_roles_users set isprimary='Y' where id=".$babDB->quote($arr['id']));
    }
}

/**
 * Align the status of the latest movement of each request with the
 * request's own status, for one request table.
 *
 * @param string $table      Request table name
 * @param string $className  Request class stored in absences_movement.request_class
 */
function absences_fixRequestLastMovement($table, $className)
{
    global $babDB;

    $res = $babDB->db_query("SELECT e.id, l.createdOn, l.id movement, e.status
        FROM
            ".$table." e
            LEFT JOIN absences_movement l ON l.id_request=e.id AND request_class=".$babDB->quote($className)."
            INNER JOIN
                (SELECT max(createdOn) createdOn FROM absences_movement WHERE request_class=".$babDB->quote($className)." AND status IS NOT NULL GROUP BY id_request) m
            ON m.createdOn=l.createdOn
        WHERE
            e.status<>l.status
        ");

    while ($arr = $babDB->db_fetch_assoc($res)) {
        bab_installWindow::message("Wrong status in movements history for $className ".$arr['id'].', fixing last movement');
        $babDB->db_query('UPDATE absences_movement SET status='.$babDB->quote($arr['status']).' WHERE id='.$babDB->quote($arr['movement']));
    }
}