
mod/profile/actions/profile/edit.php (1 issue)

1
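<?php
/**
 * Elgg profile edit action
 *
 * Reads the submitted profile fields for the user identified by the `guid`
 * input, validates them, and stores each field on that user as annotations
 * (and, for BC, as metadata) using the per-field access level chosen in the
 * form. Returns an Elgg error response on the first invalid field.
 *
 * NOTE(review): action-token (CSRF) validation is not visible in this file;
 * it relies on Elgg's action dispatcher having checked the token before the
 * action runs — confirm for this Elgg version.
 */

elgg_make_sticky_form('profile:edit');

$guid = get_input('guid');
$owner = get_entity($guid);

// Only users carry a profile, and only someone canEdit() accepts for that
// user (the user themselves, or an admin) may change it.
if (!($owner instanceof ElggUser) || !$owner->canEdit()) {
	return elgg_error_response(elgg_echo('profile:noaccess'));
}

// grab the defined profile field names and load their values from POST.
// each field can have its own access, so sort that too.
$input = [];
$accesslevel = get_input('accesslevel');

if (!is_array($accesslevel)) {
	$accesslevel = [];
}

// Prepend "http://" to a non-empty URL that carries no http(s) scheme, so a
// submitted value like "javascript:..." or "example.org" is always stored as
// an http(s) URL.
$normalize_url = function ($url) {
	if ($url && !preg_match('~^https?\://~i', $url)) {
		return "http://$url";
	}
	return $url;
};

$profile_fields = elgg_get_config('profile_fields');
if (!is_array($profile_fields)) {
	// no fields configured (or config missing): nothing to read from POST
	$profile_fields = [];
}

foreach ($profile_fields as $shortname => $valuetype) {
	$value = get_input($shortname);
	
	if ($value === null) {
		// only submitted profile fields should be updated
		continue;
	}
	
	// the decoding is a stop gap to prevent &amp;&amp; showing up in profile fields
	// because it is escaped on both input (get_input()) and output (view:output/text). see #561 and #1405.
	// must decode in utf8 or string corruption occurs. see #1567.
	if (is_array($value)) {
		array_walk_recursive($value, function(&$v) {
			$v = elgg_html_decode($v);
		});
	} else {
		$value = elgg_html_decode($value);
	}
	
	// convert tags fields to array values
	if ($valuetype == 'tags') {
		$value = string_to_tag_array($value);
	}

	// get_input() returns whatever the request carried, so a scalar field can
	// still arrive as an array (e.g. `field[]=...`). Normalise every submitted
	// URL, not only the string case, so an array submission cannot bypass the
	// scheme check (preg_match() on an array would fail and yield "http://Array").
	if ($valuetype == 'url') {
		if (is_array($value)) {
			array_walk_recursive($value, function(&$v) use ($normalize_url) {
				$v = $normalize_url($v);
			});
		} else {
			$value = $normalize_url($value);
		}
	}

	// an email field must be a single string: an array is never a valid address
	// and must not reach is_email_address(), which expects a string
	if ($valuetype == 'email' && !empty($value) && (!is_string($value) || !is_email_address($value))) {
		return elgg_error_response(elgg_echo('profile:invalid_email', [elgg_echo("profile:{$shortname}")]));
	}
	
	$input[$shortname] = $value;
}

// display name is handled separately; it must be a single string (the request
// could also carry an array here, which strip_tags() does not accept)
$name = get_input('name');
$name = is_string($name) ? strip_tags($name) : '';
if ($name) {
	if (elgg_strlen($name) > 50) {
		return elgg_error_response(elgg_echo('user:name:fail'));
	} elseif ($owner->name !== $name) {
		$owner->name = $name;
	}
}

if (empty($input)) {
	return elgg_ok_response('', '', $owner->getUrl());
}

// go through custom fields
// fetch default access level for the user for use in fallback cases
$user_default_access = get_default_access($owner);

// access levels the owner is actually allowed to assign (core levels plus the
// owner's own collections). accesslevel[] is user-controlled input, so any id
// outside this list falls back to the default instead of being stored as-is.
$allowed_access = get_write_access_array($owner->guid);

foreach ($input as $shortname => $value) {
	$owner->deleteAnnotations("profile:$shortname");

	// for BC, keep storing fields in MD, but we'll read annotations only
	elgg_delete_metadata([
		'guid' => $owner->guid,
		'metadata_name' => $shortname,
		'limit' => false
	]);
	
	if (!is_null($value) && ($value !== '')) {
		// only create metadata for non empty values (0 is allowed) to prevent metadata records
		// with empty string values #4858
		
		// the form always submits an access level, so the default is only a fallback
		$access_id = $user_default_access;
		if (isset($accesslevel[$shortname]) && is_scalar($accesslevel[$shortname])) {
			$submitted_access = (int) $accesslevel[$shortname];
			if (array_key_exists($submitted_access, $allowed_access)) {
				$access_id = $submitted_access;
			}
			// else: not an access level this owner may use — keep the default
		}

		if (!is_array($value)) {
			$value = [$value];
		}
		// one annotation per value, all owned by the profile owner
		foreach ($value as $interval) {
			create_annotation($owner->guid, "profile:$shortname", $interval, 'text', $owner->guid, $access_id);
		}

		// for BC, keep storing fields in MD, but we'll read annotations only
		// NOTE(review): this metadata copy is written without the per-field
		// $access_id, so it must not be used to display restricted fields — verify
		$owner->$shortname = $value;
	}
}

$owner->save();

// Notify of profile update
elgg_trigger_event('profileupdate', $owner->type, $owner);

elgg_clear_sticky_form('profile:edit');

return elgg_ok_response('', elgg_echo("profile:saved"), $owner->getUrl());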