Issues in SettingsController.php (master) - Issues in master - 2amigos/yii2-usuario - Measure and Improve Code Quality continuously with Scrutinizer

Issues (103)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/User/Controller/SettingsController.php (7 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/*
 * This file is part of the 2amigos/yii2-usuario project.
 *
 * (c) 2amigOS! <http://2amigos.us/>
 *
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

namespace Da\User\Controller;

use Da\User\Contracts\MailChangeStrategyInterface;
use Da\User\Event\GdprEvent;
use Da\User\Event\ProfileEvent;
use Da\User\Event\SocialNetworkConnectEvent;
use Da\User\Event\UserEvent;
use Da\User\Form\GdprDeleteForm;
use Da\User\Form\SettingsForm;
use Da\User\Helper\SecurityHelper;
use Da\User\Model\Profile;
use Da\User\Model\SocialNetworkAccount;
use Da\User\Model\User;
use Da\User\Module;
use Da\User\Query\ProfileQuery;
use Da\User\Query\SocialNetworkAccountQuery;
use Da\User\Query\UserQuery;
use Da\User\Service\EmailChangeService;
use Da\User\Service\TwoFactorQrCodeUriGeneratorService;
use Da\User\Traits\ContainerAwareTrait;
use Da\User\Traits\ModuleAwareTrait;
use Da\User\Validator\AjaxRequestModelValidator;
use Da\User\Validator\TwoFactorCodeValidator;
use Yii;
use yii\base\DynamicModel;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use yii\helpers\ArrayHelper;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use yii\web\Response;

class SettingsController extends Controller
{
    use ContainerAwareTrait;
    use ModuleAwareTrait;

    /**
     * {@inheritdoc}
     */
    public $defaultAction = 'profile';

    protected $profileQuery;
    protected $userQuery;
    protected $socialNetworkAccountQuery;

    /**
     * SettingsController constructor.
     *
     * @param string                    $id
     * @param Module                    $module
     * @param ProfileQuery              $profileQuery
     * @param UserQuery                 $userQuery
     * @param SocialNetworkAccountQuery $socialNetworkAccountQuery
     * @param array                     $config
     */
    public function __construct(
        $id,
        Module $module,
        ProfileQuery $profileQuery,
        UserQuery $userQuery,
        SocialNetworkAccountQuery $socialNetworkAccountQuery,
        array $config = []
    ) {
        $this->profileQuery = $profileQuery;
        $this->userQuery = $userQuery;
        $this->socialNetworkAccountQuery = $socialNetworkAccountQuery;
        parent::__construct($id, $module, $config);
    }

    /**
     * {@inheritdoc}
     */
    public function behaviors()
    {
        return [
            'verbs' => [
                'class' => VerbFilter::class,
                'actions' => [
                    'disconnect' => ['post'],
                    'delete' => ['post'],
                    'two-factor-disable' => ['post']
                ],
            ],
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    [
                        'allow' => true,
                        'actions' => [
                            'profile',
                            'account',
                            'export',
                            'networks',
                            'privacy',
                            'gdpr-consent',
                            'gdpr-delete',
                            'disconnect',
                            'delete',
                            'two-factor',
                            'two-factor-enable',
                            'two-factor-disable'
                        ],
                        'roles' => ['@'],
                    ],
                    [
                        'allow' => true,
                        'actions' => ['confirm'],
                        'roles' => ['?', '@'],
                    ],
                ],
            ],
        ];
    }

    /**
     * @throws \yii\base\InvalidConfigException
     * @return string|Response
     */
    public function actionProfile()
    {
        $profile = $this->profileQuery->whereUserId(Yii::$app->user->identity->getId())->one();

        if ($profile === null) {
            $profile = $this->make(Profile::class);
            $profile->link('user', Yii::$app->user->identity);
        }

        /** @var ProfileEvent $event */
        $event = $this->make(ProfileEvent::class, [$profile]);

        $this->make(AjaxRequestModelValidator::class, [$profile])->validate();

        if ($profile->load(Yii::$app->request->post())) {
            $this->trigger(UserEvent::EVENT_BEFORE_PROFILE_UPDATE, $event);
            if ($profile->save()) {
                Yii::$app->getSession()->setFlash('success', Yii::t('usuario', 'Your profile has been updated'));
class A
{
    public function foo() { }
}

class B extends A
{
    public function bar() { }
}

/**
 * @param A|B $x
 */
function someFunction($x)
{
    $x->foo(); // This call is fine as the method exists in A and B.
    $x->bar(); // This method only exists in B and might cause an error.
}
                $this->trigger(UserEvent::EVENT_AFTER_PROFILE_UPDATE, $event);

                return $this->refresh();
            }
        }

        return $this->render(
            'profile',
            [
                'model' => $profile,
            ]
        );
    }

    /**
     * @throws NotFoundHttpException
     * @return string
     */
    public function actionPrivacy()
    {
        if (!$this->module->enableGdprCompliance) {
            throw new NotFoundHttpException();
        }
        return $this->render('privacy', [
            'module' => $this->module
        ]);
    }

    /**
     * @throws NotFoundHttpException
     * @throws \Throwable
     * @throws \yii\base\Exception
     * @throws \yii\base\InvalidConfigException
     * @throws \yii\db\StaleObjectException
     * @throws ForbiddenHttpException
     * @return string|Response
     */
    public function actionGdprDelete()
    {
        if (!$this->module->enableGdprCompliance) {
            throw new NotFoundHttpException();
        }
        /** @var GdprDeleteForm $form */
        $form = $this->make(GdprDeleteForm::class);

        $user = $form->getUser();
        /* @var $event GdprEvent */
        $event = $this->make(GdprEvent::class, [$user]);

        if ($form->load(Yii::$app->request->post()) && $form->validate()) {
            $this->trigger(GdprEvent::EVENT_BEFORE_DELETE, $event);

            if ($event->isValid) {
                Yii::$app->user->logout();
                //Disconnect social networks
                $networks = $this->socialNetworkAccountQuery->where(['user_id' => $user->id])->all();
interface SomeInterface { }
class SomeClass implements SomeInterface {
    public $a;
}

function someFunction(SomeInterface $object) {
    if ($object instanceof SomeClass) {
        $a = $object->a;
    }
}
                foreach ($networks as $network) {
                    $this->disconnectSocialNetwork($network->id);
                }

                /* @var $security SecurityHelper */
                $security = $this->make(SecurityHelper::class);
                $anonymReplacement = $this->module->gdprAnonymizePrefix . $user->id;
interface SomeInterface { }
class SomeClass implements SomeInterface {
    public $a;
}

function someFunction(SomeInterface $object) {
    if ($object instanceof SomeClass) {
        $a = $object->a;
    }
}

                $user->updateAttributes([
                    'email' => $anonymReplacement . "@example.com",
                    'username' => $anonymReplacement,
                    'gdpr_deleted' => 1,
                    'blocked_at' => time(),
                    'auth_key' => $security->generateRandomString()
                ]);
                $user->profile->updateAttributes([
interface SomeInterface { }
class SomeClass implements SomeInterface {
    public $a;
}

function someFunction(SomeInterface $object) {
    if ($object instanceof SomeClass) {
        $a = $object->a;
    }
}
                    'public_email' => $anonymReplacement . "@example.com",
                    'name' => $anonymReplacement,
                    'gravatar_email' => $anonymReplacement . "@example.com",
                    'location' => $anonymReplacement,
                    'website' => $anonymReplacement . ".tld",
                    'bio' => Yii::t('usuario', 'Deleted by GDPR request')
                ]);
            }
            $this->trigger(GdprEvent::EVENT_AFTER_DELETE, $event);

            Yii::$app->session->setFlash('info', Yii::t('usuario', 'Your personal information has been removed'));

            return $this->goHome();
        }

        return $this->render('gdpr-delete', [
            'model' => $form,
        ]);
    }

    public function actionGdprConsent()
    {
        /** @var User $user */
        $user = Yii::$app->user->identity;
        if ($user->gdpr_consent) {
            return $this->redirect(['profile']);
        }
        $model = new DynamicModel(['gdpr_consent']);
        $model->addRule('gdpr_consent', 'boolean');
        $model->addRule('gdpr_consent', 'default', ['value' => 0, 'skipOnEmpty' => false]);
        $model->addRule('gdpr_consent', 'compare', [
            'compareValue' => true,
            'message' => Yii::t('usuario', 'Your consent is required to work with this site'),
            'when' => function () {
                return $this->module->enableGdprCompliance;
            },
        ]);
        if ($model->load(Yii::$app->request->post()) && $model->validate()) {
            $user->updateAttributes([
                'gdpr_consent' => 1,
                'gdpr_consent_date' => time(),
            ]);
            return $this->redirect(['profile']);
        }

        return $this->render('gdpr-consent', [
            'model' => $model,
            'gdpr_consent_hint' => $this->module->getConsentMessage(),
        ]);
    }

    /**
     * Exports the data from the current user in a mechanical readable format (csv). Properties exported can be defined
     * in the module configuration.
     * @throws NotFoundHttpException if gdpr compliance is not enabled
     * @throws \Exception
     * @throws \Throwable
     */
    public function actionExport()
    {
        if (!$this->module->enableGdprCompliance) {
            throw new NotFoundHttpException();
        }
        try {
            $properties = $this->module->gdprExportProperties;
            $user = Yii::$app->user->identity;
            $data = [$properties, []];

            $formatter = Yii::$app->formatter;
            // override the default html-specific format for nulls
            $formatter->nullDisplay = "";

            foreach ($properties as $property) {
                $data[1][] = $formatter->asText(ArrayHelper::getValue($user, $property));
            }

            array_walk($data[0], function (&$value, $key) {

                $splitted = explode('.', $value);
                $value = array_pop($splitted);
            });

            Yii::$app->response->headers->removeAll();
            Yii::$app->response->headers->add('Content-type', 'text/csv');
            Yii::$app->response->headers->add('Content-Disposition', 'attachment;filename=gdpr-data.csv');
            Yii::$app->response->send();
            $f = fopen('php://output', 'w');
            foreach ($data as $line) {
                fputcsv($f, $line);
            }
        } catch (\Exception $e) {
            throw $e;
        } catch (\Throwable $e) {
            throw $e;
        }
    }

    public function actionAccount()
    {
        /** @var SettingsForm $form */
        $form = $this->make(SettingsForm::class);
        $event = $this->make(UserEvent::class, [$form->getUser()]);

        $this->make(AjaxRequestModelValidator::class, [$form])->validate();

        if ($form->load(Yii::$app->request->post())) {
            $this->trigger(UserEvent::EVENT_BEFORE_ACCOUNT_UPDATE, $event);

            if ($form->save()) {
                Yii::$app->getSession()->setFlash(
class A
{
    public function foo() { }
}

class B extends A
{
    public function bar() { }
}

/**
 * @param A|B $x
 */
function someFunction($x)
{
    $x->foo(); // This call is fine as the method exists in A and B.
    $x->bar(); // This method only exists in B and might cause an error.
}
                    'success',
                    Yii::t('usuario', 'Your account details have been updated')
                );
                $this->trigger(UserEvent::EVENT_AFTER_ACCOUNT_UPDATE, $event);

                return $this->refresh();
            }
        }

        return $this->render(
            'account',
            [
                'model' => $form,
            ]
        );
    }

    public function actionConfirm($id, $code)
    {
        $user = $this->userQuery->whereId($id)->one();

        if ($user === null || MailChangeStrategyInterface::TYPE_INSECURE === $this->module->emailChangeStrategy) {
            throw new NotFoundHttpException();
        }
        $event = $this->make(UserEvent::class, [$user]);

        $this->trigger(UserEvent::EVENT_BEFORE_CONFIRMATION, $event);
        if ($this->make(EmailChangeService::class, [$code, $user])->run()) {
            $this->trigger(UserEvent::EVENT_AFTER_CONFIRMATION, $event);
        }

        return $this->redirect(['account']);
    }

    public function actionNetworks()
    {
        return $this->render(
            'networks',
            [
                'user' => Yii::$app->user->identity,
            ]
        );
    }

    public function actionDisconnect($id)
    {
        $this->disconnectSocialNetwork($id);
        return $this->redirect(['networks']);
    }

    public function actionDelete()
    {
        if (!$this->module->allowAccountDelete) {
            throw new NotFoundHttpException(Yii::t('usuario', 'Not found'));
        }

        /** @var User $user */
        $user = Yii::$app->user->identity;
        $event = $this->make(UserEvent::class, [$user]);
        Yii::$app->user->logout();

        $this->trigger(UserEvent::EVENT_BEFORE_DELETE, $event);
        $user->delete();
        $this->trigger(UserEvent::EVENT_AFTER_DELETE, $event);

        Yii::$app->session->setFlash('info', Yii::t('usuario', 'Your account has been completely deleted'));

        return $this->goHome();
    }

    public function actionTwoFactor($id)
    {
        /** @var User $user */
        $user = $this->userQuery->whereId($id)->one();

        if (null === $user) {
            throw new NotFoundHttpException();
        }

        $uri = $this->make(TwoFactorQrCodeUriGeneratorService::class, [$user])->run();

        return $this->renderAjax('two-factor', ['id' => $id, 'uri' => $uri]);
    }

    public function actionTwoFactorEnable($id)
    {
        Yii::$app->response->format = Response::FORMAT_JSON;

        /** @var User $user */
        $user = $this->userQuery->whereId($id)->one();

        if (null === $user) {
            return [
                'success' => false,
                'message' => Yii::t('usuario', 'User not found.')
            ];
        }
        $code = Yii::$app->request->get('code');

        $success = $this
            ->make(TwoFactorCodeValidator::class, [$user, $code, $this->module->twoFactorAuthenticationCycles])
            ->validate();

        $success = $success && $user->updateAttributes(['auth_tf_enabled' => '1']);

        return [
            'success' => $success,
            'message' => $success
                ? Yii::t('usuario', 'Two factor authentication successfully enabled.')
                : Yii::t('usuario', 'Verification failed. Please, enter new code.')
        ];
    }

    public function actionTwoFactorDisable($id)
    {
        /** @var User $user */
        $user = $this->userQuery->whereId($id)->one();

        if (null === $user) {
            throw new NotFoundHttpException();
        }

        if ($user->updateAttributes(['auth_tf_enabled' => '0'])) {
            Yii::$app
class A
{
    public function foo() { }
}

class B extends A
{
    public function bar() { }
}

/**
 * @param A|B $x
 */
function someFunction($x)
{
    $x->foo(); // This call is fine as the method exists in A and B.
    $x->bar(); // This method only exists in B and might cause an error.
}
                ->getSession()
                ->setFlash('success', Yii::t('usuario', 'Two factor authentication has been disabled.'));
        } else {
            Yii::$app
                ->getSession()
                ->setFlash('danger', Yii::t('usuario', 'Unable to disable Two factor authentication.'));
        }

        $this->redirect(['account']);
    }

    /**
     * @param $id
     * @throws ForbiddenHttpException
     * @throws NotFoundHttpException
     * @throws \Exception
     * @throws \Throwable
     * @throws \yii\db\StaleObjectException
     */
    protected function disconnectSocialNetwork($id)
    {
        /** @var SocialNetworkAccount $account */
        $account = $this->socialNetworkAccountQuery->whereId($id)->one();

        if ($account === null) {
            throw new NotFoundHttpException();
        }
        if ($account->user_id !== Yii::$app->user->id) {
            throw new ForbiddenHttpException();
        }
        $event = $this->make(SocialNetworkConnectEvent::class, [Yii::$app->user->identity, $account]);

        $this->trigger(SocialNetworkConnectEvent::EVENT_BEFORE_DISCONNECT, $event);
        $account->delete();
        $this->trigger(SocialNetworkConnectEvent::EVENT_AFTER_DISCONNECT, $event);
    }
}


Issues (103)

Security Analysis not enabled

src/User/Controller/SettingsController.php (7 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

Available Fixes

Available Fixes

Available Fixes

Available Fixes

1		<?php
2
3		/*
4		* This file is part of the 2amigos/yii2-usuario project.
5		*
6		* (c) 2amigOS! <http://2amigos.us/>
7		*
8		* For the full copyright and license information, please view
9		* the LICENSE file that was distributed with this source code.
10		*/
11
12		namespace Da\User\Controller;
13
14		use Da\User\Contracts\MailChangeStrategyInterface;
15		use Da\User\Event\GdprEvent;
16		use Da\User\Event\ProfileEvent;
17		use Da\User\Event\SocialNetworkConnectEvent;
18		use Da\User\Event\UserEvent;
19		use Da\User\Form\GdprDeleteForm;
20		use Da\User\Form\SettingsForm;
21		use Da\User\Helper\SecurityHelper;
22		use Da\User\Model\Profile;
23		use Da\User\Model\SocialNetworkAccount;
24		use Da\User\Model\User;
25		use Da\User\Module;
26		use Da\User\Query\ProfileQuery;
27		use Da\User\Query\SocialNetworkAccountQuery;
28		use Da\User\Query\UserQuery;
29		use Da\User\Service\EmailChangeService;
30		use Da\User\Service\TwoFactorQrCodeUriGeneratorService;
31		use Da\User\Traits\ContainerAwareTrait;
32		use Da\User\Traits\ModuleAwareTrait;
33		use Da\User\Validator\AjaxRequestModelValidator;
34		use Da\User\Validator\TwoFactorCodeValidator;
35		use Yii;
36		use yii\base\DynamicModel;
37		use yii\filters\AccessControl;
38		use yii\filters\VerbFilter;
39		use yii\helpers\ArrayHelper;
40		use yii\web\Controller;
41		use yii\web\ForbiddenHttpException;
42		use yii\web\NotFoundHttpException;
43		use yii\web\Response;
44
45		class SettingsController extends Controller
46		{
47		use ContainerAwareTrait;
48		use ModuleAwareTrait;
49
50		/**
51		* {@inheritdoc}
52		*/
53		public $defaultAction = 'profile';
54
55		protected $profileQuery;
56		protected $userQuery;
57		protected $socialNetworkAccountQuery;
58
59		/**
60		* SettingsController constructor.
61		*
62		* @param string $id
63		* @param Module $module
64		* @param ProfileQuery $profileQuery
65		* @param UserQuery $userQuery
66		* @param SocialNetworkAccountQuery $socialNetworkAccountQuery
67		* @param array $config
68		*/
69	4	public function __construct(
70		$id,
71		Module $module,
72		ProfileQuery $profileQuery,
73		UserQuery $userQuery,
74		SocialNetworkAccountQuery $socialNetworkAccountQuery,
75		array $config = []
76		) {
77	4	$this->profileQuery = $profileQuery;
78	4	$this->userQuery = $userQuery;
79	4	$this->socialNetworkAccountQuery = $socialNetworkAccountQuery;
80	4	parent::__construct($id, $module, $config);
81	4	}
82
83		/**
84		* {@inheritdoc}
85		*/
86	4	public function behaviors()
87		{
88		return [
89	4	'verbs' => [
90		'class' => VerbFilter::class,
91		'actions' => [
92		'disconnect' => ['post'],
93		'delete' => ['post'],
94		'two-factor-disable' => ['post']
95		],
96		],
97		'access' => [
98		'class' => AccessControl::class,
99		'rules' => [
100		[
101		'allow' => true,
102		'actions' => [
103		'profile',
104		'account',
105		'export',
106		'networks',
107		'privacy',
108		'gdpr-consent',
109		'gdpr-delete',
110		'disconnect',
111		'delete',
112		'two-factor',
113		'two-factor-enable',
114		'two-factor-disable'
115		],
116		'roles' => ['@'],
117		],
118		[
119		'allow' => true,
120		'actions' => ['confirm'],
121		'roles' => ['?', '@'],
122		],
123		],
124		],
125		];
126		}
127
128		/**
129		* @throws \yii\base\InvalidConfigException
130		* @return string\|Response
131		*/
132	1	public function actionProfile()
133		{
134	1	$profile = $this->profileQuery->whereUserId(Yii::$app->user->identity->getId())->one();
135
136	1	if ($profile === null) {
137		$profile = $this->make(Profile::class);
138		$profile->link('user', Yii::$app->user->identity);
139		}
140
141		/** @var ProfileEvent $event */
142	1	$event = $this->make(ProfileEvent::class, [$profile]);
143
144	1	$this->make(AjaxRequestModelValidator::class, [$profile])->validate();
145
146	1	if ($profile->load(Yii::$app->request->post())) {
147		$this->trigger(UserEvent::EVENT_BEFORE_PROFILE_UPDATE, $event);
148		if ($profile->save()) {
149		Yii::$app->getSession()->setFlash('success', Yii::t('usuario', 'Your profile has been updated'));
		0 ignored issues – show Bug introduced 2016-12-20 20:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getSession` does only exist in `yii\web\Application`, but not in `yii\console\Application`. It seems like the method you are trying to call exists only in some of the possible types. Let’s take a look at an example: class A { public function foo() { } } class B extends A { public function bar() { } } /** * @param A\|B $x / function someFunction($x) { $x->foo(); // This call is fine as the method exists in A and B. $x->bar(); // This method only exists in B and might cause an error. } Available Fixes Add an additional type-check: /* * @param A\|B $x / function someFunction($x) { $x->foo(); if ($x instanceof B) { $x->bar(); } } Only allow a single type to be passed if the variable comes from a parameter: function someFunction(B $x) { /* ... */ } Loading history...
150		$this->trigger(UserEvent::EVENT_AFTER_PROFILE_UPDATE, $event);
151
152		return $this->refresh();
153		}
154		}
155
156	1	return $this->render(
157	1	'profile',
158		[
159	1	'model' => $profile,
160		]
161		);
162		}
163
164		/**
165		* @throws NotFoundHttpException
166		* @return string
167		*/
168	2	public function actionPrivacy()
169		{
170	2	if (!$this->module->enableGdprCompliance) {
171	1	throw new NotFoundHttpException();
172		}
173	1	return $this->render('privacy', [
174	1	'module' => $this->module
175		]);
176		}
177
178		/**
179		* @throws NotFoundHttpException
180		* @throws \Throwable
181		* @throws \yii\base\Exception
182		* @throws \yii\base\InvalidConfigException
183		* @throws \yii\db\StaleObjectException
184		* @throws ForbiddenHttpException
185		* @return string\|Response
186		*/
187	1	public function actionGdprDelete()
188		{
189	1	if (!$this->module->enableGdprCompliance) {
190		throw new NotFoundHttpException();
191		}
192		/** @var GdprDeleteForm $form */
193	1	$form = $this->make(GdprDeleteForm::class);
194
195	1	$user = $form->getUser();
196		/* @var $event GdprEvent */
197	1	$event = $this->make(GdprEvent::class, [$user]);
198
199	1	if ($form->load(Yii::$app->request->post()) && $form->validate()) {
200	1	$this->trigger(GdprEvent::EVENT_BEFORE_DELETE, $event);
201
202	1	if ($event->isValid) {
203	1	Yii::$app->user->logout();
204		//Disconnect social networks
205	1	$networks = $this->socialNetworkAccountQuery->where(['user_id' => $user->id])->all();
		0 ignored issues – show Bug introduced 2018-09-20 14:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this Accessing `id` on the interface `yii\web\IdentityInterface` suggest that you code against a concrete implementation. How about adding an `instanceof` check? If you access a property on an interface, you most likely code against a concrete implementation of the interface. Available Fixes Adding an additional type check: interface SomeInterface { } class SomeClass implements SomeInterface { public $a; } function someFunction(SomeInterface $object) { if ($object instanceof SomeClass) { $a = $object->a; } } Changing the type hint: interface SomeInterface { } class SomeClass implements SomeInterface { public $a; } function someFunction(SomeClass $object) { $a = $object->a; } Loading history...
206	1	foreach ($networks as $network) {
207		$this->disconnectSocialNetwork($network->id);
208		}
209
210		/* @var $security SecurityHelper */
211	1	$security = $this->make(SecurityHelper::class);
212	1	$anonymReplacement = $this->module->gdprAnonymizePrefix . $user->id;
		0 ignored issues – show Bug introduced 2018-09-20 14:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this Accessing `id` on the interface `yii\web\IdentityInterface` suggest that you code against a concrete implementation. How about adding an `instanceof` check? If you access a property on an interface, you most likely code against a concrete implementation of the interface. Available Fixes Adding an additional type check: interface SomeInterface { } class SomeClass implements SomeInterface { public $a; } function someFunction(SomeInterface $object) { if ($object instanceof SomeClass) { $a = $object->a; } } Changing the type hint: interface SomeInterface { } class SomeClass implements SomeInterface { public $a; } function someFunction(SomeClass $object) { $a = $object->a; } Loading history...
213
214	1	$user->updateAttributes([
215	1	'email' => $anonymReplacement . "@example.com",
216	1	'username' => $anonymReplacement,
217	1	'gdpr_deleted' => 1,
218	1	'blocked_at' => time(),
219	1	'auth_key' => $security->generateRandomString()
220		]);
221	1	$user->profile->updateAttributes([
		0 ignored issues – show Bug introduced 2018-09-20 14:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this Accessing `profile` on the interface `yii\web\IdentityInterface` suggest that you code against a concrete implementation. How about adding an `instanceof` check? If you access a property on an interface, you most likely code against a concrete implementation of the interface. Available Fixes Adding an additional type check: interface SomeInterface { } class SomeClass implements SomeInterface { public $a; } function someFunction(SomeInterface $object) { if ($object instanceof SomeClass) { $a = $object->a; } } Changing the type hint: interface SomeInterface { } class SomeClass implements SomeInterface { public $a; } function someFunction(SomeClass $object) { $a = $object->a; } Loading history...
222	1	'public_email' => $anonymReplacement . "@example.com",
223	1	'name' => $anonymReplacement,
224	1	'gravatar_email' => $anonymReplacement . "@example.com",
225	1	'location' => $anonymReplacement,
226	1	'website' => $anonymReplacement . ".tld",
227	1	'bio' => Yii::t('usuario', 'Deleted by GDPR request')
228		]);
229		}
230	1	$this->trigger(GdprEvent::EVENT_AFTER_DELETE, $event);
231
232	1	Yii::$app->session->setFlash('info', Yii::t('usuario', 'Your personal information has been removed'));
233
234	1	return $this->goHome();
235		}
236
237	1	return $this->render('gdpr-delete', [
238	1	'model' => $form,
239		]);
240		}
241
242	1	public function actionGdprConsent()
243		{
244		/** @var User $user */
245	1	$user = Yii::$app->user->identity;
246	1	if ($user->gdpr_consent) {
247		return $this->redirect(['profile']);
248		}
249	1	$model = new DynamicModel(['gdpr_consent']);
250	1	$model->addRule('gdpr_consent', 'boolean');
251	1	$model->addRule('gdpr_consent', 'default', ['value' => 0, 'skipOnEmpty' => false]);
252	1	$model->addRule('gdpr_consent', 'compare', [
253	1	'compareValue' => true,
254	1	'message' => Yii::t('usuario', 'Your consent is required to work with this site'),
255		'when' => function () {
256	1	return $this->module->enableGdprCompliance;
257	1	},
258		]);
259	1	if ($model->load(Yii::$app->request->post()) && $model->validate()) {
260	1	$user->updateAttributes([
261	1	'gdpr_consent' => 1,
262	1	'gdpr_consent_date' => time(),
263		]);
264	1	return $this->redirect(['profile']);
265		}
266
267	1	return $this->render('gdpr-consent', [
268	1	'model' => $model,
269	1	'gdpr_consent_hint' => $this->module->getConsentMessage(),
270		]);
271		}
272
273		/**
274		* Exports the data from the current user in a mechanical readable format (csv). Properties exported can be defined
275		* in the module configuration.
276		* @throws NotFoundHttpException if gdpr compliance is not enabled
277		* @throws \Exception
278		* @throws \Throwable
279		*/
280		public function actionExport()
281		{
282		if (!$this->module->enableGdprCompliance) {
283		throw new NotFoundHttpException();
284		}
285		try {
286		$properties = $this->module->gdprExportProperties;
287		$user = Yii::$app->user->identity;
288		$data = [$properties, []];
289
290		$formatter = Yii::$app->formatter;
291		// override the default html-specific format for nulls
292		$formatter->nullDisplay = "";
293
294		foreach ($properties as $property) {
295		$data[1][] = $formatter->asText(ArrayHelper::getValue($user, $property));
296		}
297
298		array_walk($data[0], function (&$value, $key) {
		0 ignored issues – show Unused Code introduced 2018-09-20 14:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$key` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history...
299		$splitted = explode('.', $value);
300		$value = array_pop($splitted);
301		});
302
303		Yii::$app->response->headers->removeAll();
304		Yii::$app->response->headers->add('Content-type', 'text/csv');
305		Yii::$app->response->headers->add('Content-Disposition', 'attachment;filename=gdpr-data.csv');
306		Yii::$app->response->send();
307		$f = fopen('php://output', 'w');
308		foreach ($data as $line) {
309		fputcsv($f, $line);
310		}
311		} catch (\Exception $e) {
312		throw $e;
313		} catch (\Throwable $e) {
314		throw $e;
315		}
316		}
317
318	1	public function actionAccount()
319		{
320		/** @var SettingsForm $form */
321	1	$form = $this->make(SettingsForm::class);
322	1	$event = $this->make(UserEvent::class, [$form->getUser()]);
323
324	1	$this->make(AjaxRequestModelValidator::class, [$form])->validate();
325
326	1	if ($form->load(Yii::$app->request->post())) {
327	1	$this->trigger(UserEvent::EVENT_BEFORE_ACCOUNT_UPDATE, $event);
328
329	1	if ($form->save()) {
330	1	Yii::$app->getSession()->setFlash(
		0 ignored issues – show Bug introduced 2017-06-11 21:30 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getSession` does only exist in `yii\web\Application`, but not in `yii\console\Application`. It seems like the method you are trying to call exists only in some of the possible types. Let’s take a look at an example: class A { public function foo() { } } class B extends A { public function bar() { } } /** * @param A\|B $x / function someFunction($x) { $x->foo(); // This call is fine as the method exists in A and B. $x->bar(); // This method only exists in B and might cause an error. } Available Fixes Add an additional type-check: /* * @param A\|B $x / function someFunction($x) { $x->foo(); if ($x instanceof B) { $x->bar(); } } Only allow a single type to be passed if the variable comes from a parameter: function someFunction(B $x) { /* ... */ } Loading history...
331	1	'success',
332	1	Yii::t('usuario', 'Your account details have been updated')
333		);
334	1	$this->trigger(UserEvent::EVENT_AFTER_ACCOUNT_UPDATE, $event);
335
336	1	return $this->refresh();
337		}
338		}
339
340	1	return $this->render(
341	1	'account',
342		[
343	1	'model' => $form,
344		]
345		);
346		}
347
348		public function actionConfirm($id, $code)
349		{
350		$user = $this->userQuery->whereId($id)->one();
351
352		if ($user === null \|\| MailChangeStrategyInterface::TYPE_INSECURE === $this->module->emailChangeStrategy) {
353		throw new NotFoundHttpException();
354		}
355		$event = $this->make(UserEvent::class, [$user]);
356
357		$this->trigger(UserEvent::EVENT_BEFORE_CONFIRMATION, $event);
358		if ($this->make(EmailChangeService::class, [$code, $user])->run()) {
359		$this->trigger(UserEvent::EVENT_AFTER_CONFIRMATION, $event);
360		}
361
362		return $this->redirect(['account']);
363		}
364
365		public function actionNetworks()
366		{
367		return $this->render(
368		'networks',
369		[
370		'user' => Yii::$app->user->identity,
371		]
372		);
373		}
374
375		public function actionDisconnect($id)
376		{
377		$this->disconnectSocialNetwork($id);
378		return $this->redirect(['networks']);
379		}
380
381		public function actionDelete()
382		{
383		if (!$this->module->allowAccountDelete) {
384		throw new NotFoundHttpException(Yii::t('usuario', 'Not found'));
385		}
386
387		/** @var User $user */
388		$user = Yii::$app->user->identity;
389		$event = $this->make(UserEvent::class, [$user]);
390		Yii::$app->user->logout();
391
392		$this->trigger(UserEvent::EVENT_BEFORE_DELETE, $event);
393		$user->delete();
394		$this->trigger(UserEvent::EVENT_AFTER_DELETE, $event);
395
396		Yii::$app->session->setFlash('info', Yii::t('usuario', 'Your account has been completely deleted'));
397
398		return $this->goHome();
399		}
400
401		public function actionTwoFactor($id)
402		{
403		/** @var User $user */
404		$user = $this->userQuery->whereId($id)->one();
405
406		if (null === $user) {
407		throw new NotFoundHttpException();
408		}
409
410		$uri = $this->make(TwoFactorQrCodeUriGeneratorService::class, [$user])->run();
411
412		return $this->renderAjax('two-factor', ['id' => $id, 'uri' => $uri]);
413		}
414
415		public function actionTwoFactorEnable($id)
416		{
417		Yii::$app->response->format = Response::FORMAT_JSON;
418
419		/** @var User $user */
420		$user = $this->userQuery->whereId($id)->one();
421
422		if (null === $user) {
423		return [
424		'success' => false,
425		'message' => Yii::t('usuario', 'User not found.')
426		];
427		}
428		$code = Yii::$app->request->get('code');
429
430		$success = $this
431		->make(TwoFactorCodeValidator::class, [$user, $code, $this->module->twoFactorAuthenticationCycles])
432		->validate();
433
434		$success = $success && $user->updateAttributes(['auth_tf_enabled' => '1']);
435
436		return [
437		'success' => $success,
438		'message' => $success
439		? Yii::t('usuario', 'Two factor authentication successfully enabled.')
440		: Yii::t('usuario', 'Verification failed. Please, enter new code.')
441		];
442		}
443
444		public function actionTwoFactorDisable($id)
445		{
446		/** @var User $user */
447		$user = $this->userQuery->whereId($id)->one();
448
449		if (null === $user) {
450		throw new NotFoundHttpException();
451		}
452
453		if ($user->updateAttributes(['auth_tf_enabled' => '0'])) {
454		Yii::$app
		0 ignored issues – show Bug introduced 2017-09-21 15:53 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getSession` does only exist in `yii\web\Application`, but not in `yii\console\Application`. It seems like the method you are trying to call exists only in some of the possible types. Let’s take a look at an example: class A { public function foo() { } } class B extends A { public function bar() { } } /** * @param A\|B $x / function someFunction($x) { $x->foo(); // This call is fine as the method exists in A and B. $x->bar(); // This method only exists in B and might cause an error. } Available Fixes Add an additional type-check: /* * @param A\|B $x / function someFunction($x) { $x->foo(); if ($x instanceof B) { $x->bar(); } } Only allow a single type to be passed if the variable comes from a parameter: function someFunction(B $x) { /* ... */ } Loading history...
455		->getSession()
456		->setFlash('success', Yii::t('usuario', 'Two factor authentication has been disabled.'));
457		} else {
458		Yii::$app
459		->getSession()
460		->setFlash('danger', Yii::t('usuario', 'Unable to disable Two factor authentication.'));
461		}
462
463		$this->redirect(['account']);
464		}
465
466		/**
467		* @param $id
468		* @throws ForbiddenHttpException
469		* @throws NotFoundHttpException
470		* @throws \Exception
471		* @throws \Throwable
472		* @throws \yii\db\StaleObjectException
473		*/
474		protected function disconnectSocialNetwork($id)
475		{
476		/** @var SocialNetworkAccount $account */
477		$account = $this->socialNetworkAccountQuery->whereId($id)->one();
478
479		if ($account === null) {
480		throw new NotFoundHttpException();
481		}
482		if ($account->user_id !== Yii::$app->user->id) {
483		throw new ForbiddenHttpException();
484		}
485		$event = $this->make(SocialNetworkConnectEvent::class, [Yii::$app->user->identity, $account]);
486
487		$this->trigger(SocialNetworkConnectEvent::EVENT_BEFORE_DISCONNECT, $event);
488		$account->delete();
489		$this->trigger(SocialNetworkConnectEvent::EVENT_AFTER_DISCONNECT, $event);
490		}
491		}
492

2amigos / yii2-usuario

Issues (103)

Security Analysis not enabled

src/User/Controller/SettingsController.php (7 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

Available Fixes

Available Fixes

Available Fixes

Available Fixes

Duplication Side-by-Side

Filter issues like