for testing and deploying your application
for finding and fixing issues
for empowering human code reviews
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
<?php
class UsersAPI extends Http\Rest\RestAPI
{
protected $user;
public function setup($app)
$app->get('[/]', array($this, 'listUsers'));
$app->post('[/]', array($this, 'createUser'));
$app->get('/{uid}[/]', array($this, 'showUser'));
$app->patch('/{uid}[/]', array($this, 'editUser'));
$app->delete('/{uid}[/]', array($this, 'deleteUser'));
$app->get('/{uid}/groups[/]', array($this, 'listGroupsForUser'));
$app->post('/{uid}/Actions/link[/]', array($this, 'linkUser'));
$app->post('/{uid}/Actions/reset_pass[/]', array($this, 'resetUserPassword'));
$app->post('/Actions/check_email_available[/]', array($this, 'checkEmailAvailable'));
$app->post('/Actions/check_uid_available[/]', array($this, 'checkUidAvailable'));
$app->post('/Actions/remind_uid[/]', array($this, 'remindUid'));
}
public function validateIsAdmin($request, $nonFatal = false)
$this->user = $request->getAttribute('user');
if($this->user === false)
throw new Exception('Must be logged in', \Http\Rest\ACCESS_DENIED);
if(!$this->user->isInGroupNamed('LDAPAdmins'))
if($nonFatal)
return false;
throw new Exception('Must be Admin', \Http\Rest\ACCESS_DENIED);
return true;
public function listUsers($request, $response, $args)
$users = false;
$odata = $request->getAttribute('odata', new \ODataParams(array()));
if($this->validateIsAdmin($request, true) === false)
$users = array($this->user);
$users = $odata->filterArrayPerSelect($users);
else
$auth = AuthProvider::getInstance();
$users = $auth->getUsersByFilter($odata->filter, $odata->select, $odata->top, $odata->skip,
$odata->orderby);
return $response->withJson($users);
protected function validateCanCreateUser($proposedUser, $auth, &$message)
$user = $auth->getUsersByFilter(new \Data\Filter('mail eq '.$proposedUser->mail));
if($user !== false && isset($user[0]))
$message = 'Email already exists!';
$user = $auth->getUsersByFilter(new \Data\Filter('uid eq '.$proposedUser->uid));
$message = 'Username already exists!';
protected function validEmail($email)
if(filter_var($email) === false)
$pos = strpos($email, '@');
if($pos === false)
$domain = substr($email, $pos + 1);
if(checkdnsrr($domain, 'MX') === false)
public function createUser($request, $response, $args)
//This one is different. If they are logged in fail...
if($this->user !== false)
return $response->withStatus(404);
$obj = $request->getParsedBody();
if(!isset($obj->captcha))
return $response->withStatus(401);
$captcha = FlipSession::getVar('captcha');
if($captcha === false)
if(!$captcha->is_answer_right($obj->captcha))
return $response->withJson(array('res'=>false, 'message'=>'Incorrect answer to CAPTCHA!'), 412);
$message = false;
if($this->validateCanCreateUser($obj, $auth, $message) === false)
return $response->withJson(array('res'=>false, 'message'=>$message), 412);
else if($this->validEmail($obj->mail) === false)
return $response->withJson(array('res'=>false, 'message'=>'Invalid Email Address!'));
$ret = $auth->createPendingUser($obj);
if($ret == false)
return $response->withJson(array('res'=>false, 'message'=>'Failed to save user registration!'), 500);
return $response->withJson($ret);
protected function userIsMe($request, $uid)
return ($uid === 'me' || ($this->user !== false && $uid === $this->user->uid));
protected function getUserByUIDReadOnly($request, $uid)
if($this->userIsMe($request, $uid))
return $this->user;
if($this->user->isInGroupNamed('LDAPAdmins') || $this->hasLeadAccess($request))
$auth = \AuthProvider::getInstance();
$filter = new \Data\Filter("uid eq $uid");
$users = $auth->getUsersByFilter($filter);
if($users !== false && isset($users[0]))
return $users[0];
protected function getUserByUID($request, $uid)
if($this->user->isInGroupNamed('LDAPAdmins'))
public function showUser($request, $response, $args)
$uid = $args['uid'];
$user = $request->getAttribute('user');
if($user === false)
if($_SERVER['SERVER_ADDR'] === $_SERVER['REMOTE_ADDR'])
$user = \AuthProvider::getInstance()->getUsersByFilter(new \Data\Filter("uid eq $uid"));
if($user === false || !isset($user[0]))
return $response->withJson($user[0]);
$user = $this->getUserByUIDReadOnly($request, $uid);
if(!is_object($user) && isset($user[0]))
$user = $user[0];
if($request->getAttribute('format') === 'vcard')
$response = $response->withHeader('Content-Type', 'text/x-vCard');
$response->getBody()->write($user->getVcard());
return $response;
return $response->withJson($user);
protected function sendPasswordResetEmail($user)
$forwardedFor = false;
if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
$forwardedFor = $_SERVER['HTTP_X_FORWARDED_FOR'];
$emailMsg = new PasswordHasBeenResetEmail($user, $_SERVER['REMOTE_ADDR'], $forwardedFor);
$emailProvider = EmailProvider::getInstance();
if($emailProvider->sendEmail($emailMsg) === false)
throw new \Exception('Unable to send password reset email!');
protected function exceptionCodeToHttpCode($e)
if($e->getCode() === 3)
return 401;
return 500;
protected function getUser($request, $uid, $payload)
if(isset($payload->hash))
$this->user = $auth->getUserByResetHash($payload->hash);
return $this->getUserByUID($request, $uid);
public function editUser($request, $response, $args)
$uid = 'me';
if(isset($args['uid']))
$user = $this->getUser($request, $uid, $obj);
try
if(isset($obj->old_uid))
unset($obj->old_uid);
$user->editUser($obj);
catch(\Exception $e)
return $response->withJson($e, exceptionCodeToHttpCode($e));
\FlipSession::setUser($user);
if(isset($obj->password))
$this->sendPasswordResetEmail($user);
return $response->withJson(array('success'=>true));
public function deleteUser($request, $response, $args)
$user = false;
if($this->validateIsAdmin($request, true) === false && $this->userIsMe($request, $uid))
$user = $this->user;
$user = $auth->getUsersByFilter($filter);
if(empty($user))
return $response->withJson($user->delete());
public function listGroupsForUser($request, $response, $args)
$this->validateLoggedIn($request);
$user = $this->getUserByUID($request, $uid);
$groups = $user->getGroups();
if($groups === false)
$groups = array();
return $response->withJson($groups);
public function linkUser($request, $response, $args)
$this->user->addLoginProvider($obj->provider);
AuthProvider::getInstance()->impersonateUser($this->user);
else if($this->user->isInGroupNamed("LDAPAdmins"))
$user = AuthProvider::getInstance()->getUser($uid);
$user->addLoginProvider($obj->provider);
protected function getAllUsersByFilter($filter, &$pending)
$pending = false;
return $user[0];
$user = $auth->getPendingUsersByFilter($filter);
$pending = true;
public function checkEmailAvailable($request, $response, $args)
$params = $request->getQueryParams();
$email = false;
if(isset($params['email']))
$email = $params['email'];
if($email === false)
return $response->withStatus(400);
if(filter_var($email, FILTER_VALIDATE_EMAIL) === false || strpos($email, '@') === false)
return $response->withJson(false);
if(strstr($email, '+') !== false)
//Remove everything between the + and the @
$begining = strpos($email, '+');
$end = strpos($email, '@');
$to_delete = substr($email, $begining, $end - $begining);
$email = str_replace($to_delete, '', $email);
$filter = new \Data\Filter('mail eq '.$email);
$user = $this->getAllUsersByFilter($filter, $pending);
return $response->withJson(true);
return $response->withJson(array('res'=>false, 'email'=>$user->mail, 'pending'=>$pending));
public function checkUidAvailable($request, $response, $args)
$uid = false;
if(isset($params['uid']))
$uid = $params['uid'];
if($uid === false)
if(strpos($uid, '=') !== false || strpos($uid, ',') !== false)
$filter = new \Data\Filter('uid eq '.$uid);
return $response->withJson(array('res'=>false, 'uidl'=>$user->uid, 'pending'=>$pending));
public function resetUserPassword($request, $response, $args)
$users = $auth->getUsersByFilter(new \Data\Filter('uid eq '.$uid));
if($users === false || !isset($users[0]))
$email_msg = new PasswordResetEmail($users[0]);
$email_provider = EmailProvider::getInstance();
if($email_provider->sendEmail($email_msg) === false)
throw new \Exception('Unable to send email!');
public function remindUid($request, $response, $args)
$args
This check looks from parameters that have been defined for a function or method, but which are not used in the method body.
if(filter_var($email, FILTER_VALIDATE_EMAIL) === false)
$users = $auth->getUsersByFilter(new \Data\Filter('mail eq '.$email));
$email_msg = new UIDForgotEmail($users[0]);
/* vim: set tabstop=4 shiftwidth=4 expandtab: */
BurningFlipside /
Profiles
Problem
This check looks from parameters that have been defined for a function or method, but which are not used in the method body.