<?php

/*
 * This file is part of the 2amigos/yii2-usuario project.
 *
 * (c) 2amigOS! <http://2amigos.us/>
 *
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

namespace Da\User\Controller;

use Da\User\Event\UserEvent;
use Da\User\Factory\MailFactory;
use Da\User\Filter\AccessRuleFilter;
use Da\User\Model\Profile;
use Da\User\Model\User;
use Da\User\Query\UserQuery;
use Da\User\Search\UserSearch;
use Da\User\Service\PasswordExpireService;
use Da\User\Service\PasswordRecoveryService;
use Da\User\Service\SwitchIdentityService;
use Da\User\Service\UserBlockService;
use Da\User\Service\UserConfirmationService;
use Da\User\Service\UserCreateService;
use Da\User\Traits\ContainerAwareTrait;
use Da\User\Traits\ModuleAwareTrait;
use Da\User\Validator\AjaxRequestModelValidator;
use Yii;
use yii\base\Module;
use yii\db\ActiveRecord;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use yii\helpers\Url;
use yii\web\Controller;
use yii\web\NotFoundHttpException;

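class AdminController extends Controller
{
    use ContainerAwareTrait;
    use ModuleAwareTrait;

    /**
     * Query used to resolve the user targeted by the id-based actions.
     *
     * @var UserQuery
     */
    protected $userQuery;

    /**
     * AdminController constructor.
     *
     * @param string    $id        controller id
     * @param Module    $module    module this controller belongs to
     * @param UserQuery $userQuery query used to look users up by id
     * @param array     $config    name-value pairs applied to the controller
     */
    public function __construct($id, Module $module, UserQuery $userQuery, array $config = [])
    {
        $this->userQuery = $userQuery;
        parent::__construct($id, $module, $config);
    }

    /**
     * Remembers the URL of the "page" actions so the POST-only actions (confirm, block, ...) can send the
     * admin back to it through `Url::previous('actions-redirect')`.
     *
     * @param \yii\base\Action $action
     *
     * @return bool
     */
    public function beforeAction($action)
    {
        $pageActions = ['index', 'update', 'update-profile', 'info', 'assignments'];
        if (in_array($action->id, $pageActions, true)) {
            Url::remember('', 'actions-redirect');
        }

        return parent::beforeAction($action);
    }

    /**
     * {@inheritdoc}
     *
     * State-changing actions are limited to POST. Every action requires the `admin` role except
     * `switch-identity`, which is open to any logged-in user (presumably so an admin who switched to another
     * identity can switch back); `actionSwitchIdentity` itself still honours the module's
     * `enableSwitchIdentities` flag.
     */
    public function behaviors()
    {
        return [
            'verbs' => [
                'class' => VerbFilter::class,
                'actions' => [
                    'delete' => ['post'],
                    'confirm' => ['post'],
                    'block' => ['post'],
                    'switch-identity' => ['post'],
                    'password-reset' => ['post'],
                    'force-password-change' => ['post'],
                ],
            ],
            'access' => [
                'class' => AccessControl::class,
                'ruleConfig' => [
                    'class' => AccessRuleFilter::class,
                ],
                'rules' => [
                    [
                        'allow' => true,
                        'actions' => ['switch-identity'],
                        'roles' => ['@'],
                    ],
                    [
                        'allow' => true,
                        'roles' => ['admin'],
                    ],
                ],
            ],
        ];
    }

    /**
     * Lists users, filtered by the GET parameters the search model accepts.
     *
     * @return string
     */
    public function actionIndex()
    {
        $searchModel = $this->make(UserSearch::class);
        $dataProvider = $searchModel->search(Yii::$app->request->get());

        return $this->render(
            'index',
            [
                'dataProvider' => $dataProvider,
                'searchModel' => $searchModel,
            ]
        );
    }

    /**
     * Creates a user from the POSTed form and sends the welcome mail.
     *
     * The attributes that can be mass-assigned are those the model declares for the `create` scenario.
     *
     * @return string|\yii\web\Response the form on GET/failure, a redirect to `update` on success
     */
    public function actionCreate()
    {
        /** @var User $user */
        $user = $this->make(User::class, [], ['scenario' => 'create']);

        /** @var UserEvent $event */
        $event = $this->make(UserEvent::class, [$user]);

        // Answers AJAX validation requests (and ends the request) before the regular form handling.
        $this->make(AjaxRequestModelValidator::class, [$user])->validate();

        if ($user->load(Yii::$app->request->post()) && $user->validate()) {
            $this->trigger(UserEvent::EVENT_BEFORE_CREATE, $event);

            $mailService = MailFactory::makeWelcomeMailerService($user);

            if ($this->make(UserCreateService::class, [$user, $mailService])->run()) {
                Yii::$app->getSession()->setFlash('success', Yii::t('usuario', 'User has been created'));
                $this->trigger(UserEvent::EVENT_AFTER_CREATE, $event);

                return $this->redirect(['update', 'id' => $user->id]);
            }
            Yii::$app->getSession()->setFlash('danger', Yii::t('usuario', 'User account could not be created.'));
        }

        return $this->render('create', ['user' => $user]);
    }

    /**
     * Updates the account details of a user.
     *
     * The attributes that can be mass-assigned are those the model declares for the `update` scenario.
     *
     * @param int|string $id
     *
     * @throws NotFoundHttpException when the user does not exist
     *
     * @return string|\yii\web\Response
     */
    public function actionUpdate($id)
    {
        $user = $this->findUser($id);
        $user->setScenario('update');
        /** @var UserEvent $event */
        $event = $this->make(UserEvent::class, [$user]);

        $this->make(AjaxRequestModelValidator::class, [$user])->validate();

        if ($user->load(Yii::$app->request->post())) {
            $this->trigger(UserEvent::EVENT_BEFORE_ACCOUNT_UPDATE, $event);

            if ($user->save()) {
                Yii::$app->getSession()->setFlash('success', Yii::t('usuario', 'Account details have been updated'));
                $this->trigger(UserEvent::EVENT_AFTER_ACCOUNT_UPDATE, $event);

                return $this->refresh();
            }
        }

        return $this->render('_account', ['user' => $user]);
    }

    /**
     * Updates the profile of a user, creating an empty profile first when the user has none.
     *
     * @param int|string $id
     *
     * @throws NotFoundHttpException when the user does not exist
     *
     * @return string|\yii\web\Response
     */
    public function actionUpdateProfile($id)
    {
        $user = $this->findUser($id);
        /** @var Profile|null $profile */
        $profile = $user->profile;
        if ($profile === null) {
            $profile = $this->make(Profile::class);
            $profile->link('user', $user);
        }
        /** @var UserEvent $event */
        $event = $this->make(UserEvent::class, [$user]);

        $this->make(AjaxRequestModelValidator::class, [$profile])->validate();

        if ($profile->load(Yii::$app->request->post())) {
            // Fired before the save, mirroring EVENT_BEFORE_ACCOUNT_UPDATE in actionUpdate; it used to be
            // fired only after a successful save, which made the "before" hook unable to act on the update.
            $this->trigger(UserEvent::EVENT_BEFORE_PROFILE_UPDATE, $event);

            if ($profile->save()) {
                Yii::$app->getSession()->setFlash('success', Yii::t('usuario', 'Profile details have been updated'));
                $this->trigger(UserEvent::EVENT_AFTER_PROFILE_UPDATE, $event);

                return $this->refresh();
            }
        }

        return $this->render(
            '_profile',
            [
                'user' => $user,
                'profile' => $profile,
            ]
        );
    }

    /**
     * Shows the details of a user.
     *
     * @param int|string $id
     *
     * @throws NotFoundHttpException when the user does not exist
     *
     * @return string
     */
    public function actionInfo($id)
    {
        $user = $this->findUser($id);

        return $this->render(
            '_info',
            [
                'user' => $user,
            ]
        );
    }

    /**
     * Shows the role/permission assignments of a user.
     *
     * The raw POST body is handed to the view as `params`; output escaping is the view's responsibility.
     * NOTE(review): confirm the `_assignments` view escapes those values before echoing them.
     *
     * @param int|string $id
     *
     * @throws NotFoundHttpException when the user does not exist
     *
     * @return string
     */
    public function actionAssignments($id)
    {
        $user = $this->findUser($id);

        return $this->render(
            '_assignments',
            [
                'user' => $user,
                'params' => Yii::$app->request->post(),
            ]
        );
    }

    /**
     * Marks a user as confirmed and returns to the remembered page.
     *
     * @param int|string $id
     *
     * @throws NotFoundHttpException when the user does not exist
     *
     * @return \yii\web\Response
     */
    public function actionConfirm($id)
    {
        $user = $this->findUser($id);
        /** @var UserEvent $event */
        $event = $this->make(UserEvent::class, [$user]);

        $this->trigger(UserEvent::EVENT_BEFORE_CONFIRMATION, $event);

        if ($this->make(UserConfirmationService::class, [$user])->run()) {
            Yii::$app->getSession()->setFlash('success', Yii::t('usuario', 'User has been confirmed'));
            $this->trigger(UserEvent::EVENT_AFTER_CONFIRMATION, $event);
        } else {
            Yii::$app->getSession()->setFlash(
                'warning',
                Yii::t('usuario', 'Unable to confirm user. Please, try again.')
            );
        }

        return $this->redirect(Url::previous('actions-redirect'));
    }

    /**
     * Deletes a user, refusing to delete the account of the admin performing the request.
     *
     * @param int|string $id
     *
     * @throws NotFoundHttpException when the user does not exist
     *
     * @return \yii\web\Response
     */
    public function actionDelete($id)
    {
        if ($this->isCurrentUser($id)) {
            Yii::$app->getSession()->setFlash('danger', Yii::t('usuario', 'You cannot remove your own account'));
        } else {
            $user = $this->findUser($id);
            /** @var UserEvent $event */
            $event = $this->make(UserEvent::class, [$user]);
            $this->trigger(ActiveRecord::EVENT_BEFORE_DELETE, $event);

            // delete() yields false when a before-delete handler vetoes it, otherwise the affected row count;
            // both false and 0 are reported as a failure here.
            if ($user->delete()) {
                Yii::$app->getSession()->setFlash('success', Yii::t('usuario', 'User has been deleted'));
                $this->trigger(ActiveRecord::EVENT_AFTER_DELETE, $event);
            } else {
                Yii::$app->getSession()->setFlash(
                    'warning',
                    Yii::t('usuario', 'Unable to delete user. Please, try again later.')
                );
            }
        }

        return $this->redirect(['index']);
    }

    /**
     * Toggles the blocked state of a user, refusing to act on the admin's own account.
     *
     * @param int|string $id
     *
     * @throws NotFoundHttpException when the user does not exist
     *
     * @return \yii\web\Response
     */
    public function actionBlock($id)
    {
        if ($this->isCurrentUser($id)) {
            // The message text (and thus the translation key) is shared with actionDelete; a block-specific
            // wording would need a new translation entry.
            Yii::$app->getSession()->setFlash('danger', Yii::t('usuario', 'You cannot remove your own account'));
        } else {
            $user = $this->findUser($id);
            /** @var UserEvent $event */
            $event = $this->make(UserEvent::class, [$user]);

            if ($this->make(UserBlockService::class, [$user, $event, $this])->run()) {
                Yii::$app->getSession()->setFlash('success', Yii::t('usuario', 'User block status has been updated.'));
            } else {
                Yii::$app->getSession()->setFlash('danger', Yii::t('usuario', 'Unable to update block status.'));
            }
        }

        return $this->redirect(Url::previous('actions-redirect'));
    }

    /**
     * Switches the session to the identity of another user (or back, when no id is given), if the module
     * allows it. Authorisation for the switch itself is left to SwitchIdentityService.
     *
     * @param int|string|null $id
     *
     * @return \yii\web\Response
     */
    public function actionSwitchIdentity($id = null)
    {
        if ($this->module->enableSwitchIdentities === false) {
            Yii::$app->getSession()->setFlash('danger', Yii::t('usuario', 'Switch identities is disabled.'));

            return $this->redirect(['index']);
        }

        // The explicit index 2 targets the service's third constructor argument — keep it in sync with
        // SwitchIdentityService::__construct.
        $this->make(SwitchIdentityService::class, [$this, 2 => $id])->run();

        return $this->goHome();
    }

    /**
     * Sends a password recovery message to a user.
     *
     * @param int|string $id
     *
     * @throws NotFoundHttpException when the user does not exist
     *
     * @return \yii\web\Response
     */
    public function actionPasswordReset($id)
    {
        $user = $this->findUser($id);
        $mailService = MailFactory::makeRecoveryMailerService($user->email);
        if ($this->make(PasswordRecoveryService::class, [$user->email, $mailService])->run()) {
            Yii::$app->getSession()->setFlash('success', Yii::t('usuario', 'Recovery message sent'));
        } else {
            Yii::$app->getSession()->setFlash(
                'danger',
                Yii::t('usuario', 'Unable to send recovery message to the user')
            );
        }

        return $this->redirect(['index']);
    }

    /**
     * Forces the user to change password at next login.
     *
     * @param int|string $id
     *
     * @throws NotFoundHttpException when the user does not exist
     *
     * @return \yii\web\Response
     */
    public function actionForcePasswordChange($id)
    {
        $user = $this->findUser($id);
        if ($this->make(PasswordExpireService::class, [$user])->run()) {
            Yii::$app->getSession()->setFlash('success', Yii::t('usuario', 'User will be required to change password at next login'));
        } else {
            Yii::$app->getSession()->setFlash('danger', Yii::t('usuario', 'There was an error in saving user'));
        }

        // Returned like in the other actions so the response object is the action result.
        return $this->redirect(['index']);
    }

    /**
     * Loads the user with the given id or ends the request with a 404.
     *
     * The id-based actions used to dereference the query result unchecked, so an unknown id produced a
     * fatal "member function on null" error instead of a proper HTTP error response.
     *
     * @param int|string $id
     *
     * @throws NotFoundHttpException when no user with that id exists
     *
     * @return User
     */
    private function findUser($id)
    {
        /** @var User|null $user */
        $user = $this->userQuery->where(['id' => $id])->one();
        if ($user === null) {
            throw new NotFoundHttpException(Yii::t('usuario', 'User not found.'));
        }

        return $user;
    }

    /**
     * Whether $id refers to the account of the currently logged-in user.
     *
     * Both sides are cast: $id arrives as a string from the URL, and getId() may also come back as a string
     * depending on the identity class / DB driver (TODO confirm), in which case a one-sided strict comparison
     * would never match and the "own account" guard in delete/block would not trigger.
     *
     * @param int|string $id
     *
     * @return bool
     */
    private function isCurrentUser($id)
    {
        return (int) $id === (int) Yii::$app->user->getId();
    }
}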