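<?php
/**
 * Elgg profile edit action
 *
 * Reads the submitted values for every configured profile field
 * (elgg_get_config('profile_fields')), validates them per field type
 * (tags / url / email), and stores each as a "profile:<field>" annotation
 * (plus metadata, kept for BC) with the access level submitted for that field.
 * The display name is handled separately and is length-limited.
 *
 * Inputs read from the request: guid, name, accesslevel[<field>], and one
 * value per configured profile field.
 * Returns an Elgg error response when the caller may not edit the profile or a
 * value fails validation, and an ok response (redirecting to the profile) otherwise.
 */

elgg_make_sticky_form('profile:edit');

$guid = get_input('guid');
$owner = get_entity($guid);

// only a user entity the current viewer may edit can be updated here
if (!($owner instanceof ElggUser) || !$owner->canEdit()) {
	return elgg_error_response(elgg_echo('profile:noaccess'));
}

// grab the defined profile field names and then load the values from POST.
// each field can have its own access, so sort that too.
$input = [];
$accesslevel = get_input('accesslevel');

if (!is_array($accesslevel)) {
	$accesslevel = [];
}

$profile_fields = elgg_get_config('profile_fields');
if (!is_array($profile_fields)) {
	// no fields configured (or the config is missing): nothing to read below
	$profile_fields = [];
}

foreach ($profile_fields as $shortname => $valuetype) {
	$value = get_input($shortname);

	if ($value === null) {
		// only submitted profile fields should be updated
		continue;
	}

	// the decoding is a stop gap to prevent && showing up in profile fields
	// because it is escaped on both input (get_input()) and output (view:output/text). see #561 and #1405.
	// must decode in utf8 or string corruption occurs. see #1567.
	if (is_array($value)) {
		array_walk_recursive($value, function (&$v) {
			$v = elgg_html_decode($v);
		});
	} else {
		$value = elgg_html_decode($value);
	}

	// convert tags fields to array values
	if ($valuetype === 'tags') {
		$value = string_to_tag_array($value);
	}

	// prefix a scheme when the user left it out. Only string values are handled:
	// a request may submit an array for any field, and preg_match() on an array
	// is a TypeError rather than a validation failure.
	if (is_string($value) && $value && $valuetype === 'url' && !preg_match('~^https?\://~i', $value)) {
		$value = "http://$value";
	}

	// an email field must hold a single valid address; a non-string value (e.g. an
	// array submitted for the field) is rejected the same way as an invalid address
	if ($valuetype === 'email' && !empty($value) && (!is_string($value) || !is_email_address($value))) {
		return elgg_error_response(elgg_echo('profile:invalid_email', [elgg_echo("profile:{$shortname}")]));
	}

	$input[$shortname] = $value;
}

// display name is handled separately
$name = get_input('name');
// strip_tags() requires a string; anything else submitted as 'name' is ignored rather than fatal
$name = is_string($name) ? strip_tags($name) : '';
$name_changed = false;
if ($name) {
	if (elgg_strlen($name) > 50) {
		return elgg_error_response(elgg_echo('user:name:fail'));
	} elseif ($owner->name !== $name) {
		$owner->name = $name;
		$name_changed = true;
	}
}

if (empty($input)) {
	// no profile field was submitted; persist a display-name change on its own,
	// otherwise the assignment above is never saved
	if ($name_changed) {
		$owner->save();
	}

	return elgg_ok_response('', '', $owner->getUrl());
}

// go through custom fields
// fetch default access level for the user for use in fallback cases
$user_default_access = get_default_access($owner);

foreach ($input as $shortname => $value) {
	// replace, not append: drop the previous value(s) of this field first
	$owner->deleteAnnotations("profile:$shortname");

	// for BC, keep storing fields in MD, but we'll read annotations only
	elgg_delete_metadata([
		'guid' => $owner->guid,
		'metadata_name' => $shortname,
		'limit' => false,
	]);

	if (!is_null($value) && ($value !== '')) {
		// only create metadata for non empty values (0 is allowed) to prevent metadata records
		// with empty string values #4858

		if (isset($accesslevel[$shortname])) {
			// NOTE(review): this access id is taken straight from the request and is not
			// checked here against the access collections the owner may write to —
			// confirm it is validated upstream before relying on it.
			$access_id = (int) $accesslevel[$shortname];
		} else {
			// this should never be executed since the access level should always be set
			$access_id = $user_default_access;
		}

		// one annotation per value; scalar fields are wrapped so the loop below is uniform
		if (!is_array($value)) {
			$value = [$value];
		}
		foreach ($value as $item) {
			create_annotation($owner->guid, "profile:$shortname", $item, 'text', $owner->guid, $access_id);
		}

		// for BC, keep storing fields in MD, but we'll read annotations only
		// ($value is always an array at this point)
		$owner->$shortname = $value;
	}
}

$owner->save();

// Notify of profile update
elgg_trigger_event('profileupdate', $owner->type, $owner);

elgg_clear_sticky_form('profile:edit');

return elgg_ok_response('', elgg_echo("profile:saved"), $owner->getUrl());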