for testing and deploying your application
for finding and fixing issues
for empowering human code reviews
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
<?php
require_once('class.UIDForgotEmail.php');
require_once('class.PasswordResetEmail.php');
class UsersAPI extends ProfilesAdminAPI
{
public function setup($app)
$app->get('[/]', array($this, 'listUsers'));
$app->post('[/]', array($this, 'createUser'));
$app->get('/{uid}[/]', array($this, 'showUser'));
$app->patch('/{uid}[/]', array($this, 'editUser'));
$app->delete('/{uid}[/]', array($this, 'deleteUser'));
$app->get('/{uid}/groups[/]', array($this, 'listGroupsForUser'));
$app->post('/{uid}/Actions/link[/]', array($this, 'linkUser'));
$app->post('/{uid}/Actions/reset_pass[/]', array($this, 'resetUserPassword'));
$app->post('/{uid}/Actions/ClearPosition[/]', array($this, 'clearPosition'));
$app->post('/me/Actions/RemoveEmail[/]', array($this, 'removeEmail'));
$app->post('/Actions/check_email_available[/]', array($this, 'checkEmailAvailable'));
$app->post('/Actions/check_uid_available[/]', array($this, 'checkUidAvailable'));
$app->post('/Actions/remind_uid[/]', array($this, 'remindUid'));
}
public function listUsers($request, $response)
$odata = $request->getAttribute('odata', new \ODataParams(array()));
if($this->validateIsAdmin($request, true) === false)
$users = array($this->user);
$users = $odata->filterArrayPerSelect($users);
else
$auth = AuthProvider::getInstance();
$users = $auth->getUsersByFilter($odata->filter, $odata->select, $odata->top, $odata->skip,
$odata->orderby);
return $response->withJson($users);
protected function validateCanCreateUser($proposedUser, $auth, &$message)
$user = $auth->getUsersByFilter(new \Data\Filter('mail eq '.$proposedUser['mail']));
if($user !== false && isset($user[0]))
$message = 'Email already exists!';
return false;
$user = $auth->getUsersByFilter(new \Data\Filter('uid eq '.$proposedUser['uid']));
$message = 'Username already exists!';
return true;
protected function validEmail($email)
if(filter_var($email) === false)
$pos = strpos($email, '@');
if($pos === false)
$domain = substr($email, $pos + 1);
if(checkdnsrr($domain, 'MX') === false)
protected function getFailArray($message)
return array('res'=>false, 'message'=>$message);
public function createUser($request, $response)
$this->user = $request->getAttribute('user');
//This one is different. If they are logged in fail...
if($this->user !== false)
return $response->withStatus(404);
$obj = $request->getParsedBody();
if(!isset($obj['captcha']))
return $response->withStatus(401);
$captcha = FlipSession::getVar('captcha');
if($captcha === false)
if(!$captcha->is_answer_right($obj['captcha']))
return $response->withJson($this->getFailArray('Incorrect answer to CAPTCHA!'), 412);
$message = false;
if($this->validateCanCreateUser($obj, $auth, $message) === false)
return $response->withJson($this->getFailArray($message), 412);
else if($this->validEmail($obj['mail']) === false)
return $response->withJson($this->getFailArray('Invalid Email Address!'));
$ret = $auth->createPendingUser($obj);
if($ret == false)
return $response->withJson($this->getFailArray('Failed to save user registration!'), 500);
return $response->withJson($ret);
protected function userIsMe($request, $uid)
return ($uid === 'me' || ($this->user !== false && $uid === $this->user->uid));
protected function hasLeadAccess()
return ($this->user->isInGroupNamed('Leads') || $this->user->isInGroupNamed('CC') || $this->user->isInGroupNamed('AFs'));
protected function getUserByUIDReadOnly($request, $uid)
if($this->userIsMe($request, $uid))
return $this->user;
if($this->user->isInGroupNamed('LDAPAdmins') || $this->hasLeadAccess())
$auth = \AuthProvider::getInstance();
$filter = new \Data\Filter("uid eq $uid");
$users = $auth->getUsersByFilter($filter);
if(!empty($users))
return $users[0];
protected function getUserByUID($request, $uid)
if($this->user->isInGroupNamed('LDAPAdmins'))
public function showUser($request, $response, $args)
$uid = $args['uid'];
$user = $request->getAttribute('user');
if($user === false)
if($_SERVER['SERVER_ADDR'] === $_SERVER['REMOTE_ADDR'])
$user = \AuthProvider::getInstance()->getUsersByFilter(new \Data\Filter("uid eq $uid"));
if(empty($user))
return $response->withJson($user[0]);
$user = $this->getUserByUIDReadOnly($request, $uid);
if(!is_object($user) && isset($user[0]))
$user = $user[0];
if($request->getAttribute('format') === 'vcard')
$response = $response->withHeader('Content-Type', 'text/x-vCard');
$response->getBody()->write($user->getVcard());
return $response;
return $response->withJson($user);
protected function sendPasswordResetEmail($user)
$forwardedFor = false;
if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
$forwardedFor = $_SERVER['HTTP_X_FORWARDED_FOR'];
$emailMsg = new PasswordHasBeenResetEmail($user, $_SERVER['REMOTE_ADDR'], $forwardedFor);
$emailProvider = EmailProvider::getInstance();
if($emailProvider->sendEmail($emailMsg) === false)
throw new \Exception('Unable to send password reset email!');
protected function exceptionCodeToHttpCode($e)
if($e->getCode() === 3)
return 401;
return 500;
protected function getUser($request, $uid, $payload)
if($this->user === false)
if(isset($payload['hash']))
$this->user = $auth->getUserByResetHash($payload['hash']);
return $this->getUserByUID($request, $uid);
public function editUser($request, $response, $args)
$uid = 'me';
if(isset($args['uid']))
$user = $this->getUser($request, $uid, $obj);
try
if(isset($obj['old_uid']))
unset($obj['old_uid']);
unset($obj['uid']);
if(isset($obj['password']))
$obj['userPassword'] = $obj['password'];
unset($obj['password']);
$user->editUser($obj);
catch(\Exception $e)
return $response->withJson(array('error'=>array('msg'=>$e->getMessage(), 'stack'=>$e->getTraceAsString())), $this->exceptionCodeToHttpCode($e));
\FlipSession::setUser($user);
if(isset($obj->password))
$this->sendPasswordResetEmail($user);
return $response->withJson(array('success'=>true));
public function deleteUser($request, $response, $args)
$user = false;
if($this->validateIsAdmin($request, true) === false && $this->userIsMe($request, $uid))
$user = $this->user;
$user = $auth->getUsersByFilter($filter);
return $response->withJson($user->delete());
public function listGroupsForUser($request, $response, $args)
$this->validateLoggedIn($request);
$user = $this->getUserByUID($request, $uid);
$groups = $user->getGroups();
if($groups === false)
$groups = array();
return $response->withJson($groups);
public function linkUser($request, $response, $args)
$this->user->addLoginProvider($obj->provider);
AuthProvider::getInstance()->impersonateUser($this->user);
else if($this->user->isInGroupNamed("LDAPAdmins"))
$user = AuthProvider::getInstance()->getUser($uid);
$user->addLoginProvider($obj->provider);
protected function getAllUsersByFilter($filter, &$pending)
if(!empty($user))
$pending = false;
return $user[0];
$user = $auth->getPendingUsersByFilter($filter);
$pending = true;
public function checkEmailAvailable($request, $response)
$params = $request->getQueryParams();
$email = false;
if(isset($params['email']))
$email = $params['email'];
if($email === false)
$params = $request->getParsedBody();
return $response->withStatus(400);
if(filter_var($email, FILTER_VALIDATE_EMAIL) === false || strpos($email, '@') === false)
return $response->withJson(false);
if(strstr($email, '+') !== false)
//Remove everything between the + and the @
$begining = strpos($email, '+');
$end = strpos($email, '@');
$to_delete = substr($email, $begining, $end - $begining);
$email = str_replace($to_delete, '', $email);
$filter = new \Data\Filter('mail eq '.$email);
$user = $this->getAllUsersByFilter($filter, $pending);
return $response->withJson(true);
return $response->withJson(array('res'=>false, 'email'=>$user->mail, 'pending'=>$pending));
public function checkUidAvailable($request, $response)
$uid = false;
if(isset($params['uid']))
$uid = $params['uid'];
if($uid === false)
if(strpos($uid, '=') !== false || strpos($uid, ',') !== false)
$filter = new \Data\Filter('uid eq '.$uid);
return $response->withJson(array('res'=>false, 'uid'=>$user->uid, 'pending'=>$pending));
public function resetUserPassword($request, $response, $args)
$users = $auth->getUsersByFilter(new \Data\Filter('uid eq '.$uid));
if(empty($users))
$email_msg = new PasswordResetEmail($users[0]);
$email_provider = EmailProvider::getInstance();
if($email_provider->sendEmail($email_msg) === false)
throw new \Exception('Unable to send email!');
public function clearPosition($request, $response, $args)
if(!$this->user->isInGroupNamed('LDAPAdmins'))
$users[0]->editUser(array('title'=>null, 'ou'=>null));
return $response->withStatus(204);
public function removeEmail($request, $response, $args)
$args
This check looks from parameters that have been defined for a function or method, but which are not used in the method body.
if(!$this->userIsMe($request, 'me'))
if(!isset($this->user->allMail))
return $response->withJSON(array('error' => 'User does not have multiple email addresses'), 409);
$email = $obj['email'];
if(!in_array($email, $this->user->allMail))
return $response->withJSON(array('error' => 'User does not have email address '.$email), 409);
$res = $this->user->removeEmail($email);
if($res)
return $response->withStatus(500);
public function remindUid($request, $response, $args)
if(filter_var($email, FILTER_VALIDATE_EMAIL) === false)
$users = $auth->getUsersByFilter(new \Data\Filter('mail eq '.$email));
$email_msg = new UIDForgotEmail($users[0]);
/* vim: set tabstop=4 shiftwidth=4 expandtab: */
BurningFlipside /
Profiles
Problem
This check looks from parameters that have been defined for a function or method, but which are not used in the method body.