
lib/Block/EditBlock.php (2 issues)


<?php
/*
 * This file is part of the Icybee package.
 *
 * (c) Olivier Laviale <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */
namespace Icybee\Modules\Users\Block;
use Brickrouge\Group;
use Brickrouge\Document;
use Brickrouge\Element;
use Brickrouge\Form;
use Brickrouge\Text;
use Brickrouge\Widget;
use Icybee\Modules\Users\Module;
use Icybee\Modules\Users\Roles\Binding\UserBindings;
use Icybee\Modules\Users\User;
/**
 * A block to edit users.
 *
 * @property User|UserBindings $record
 * @property User $user
 */
class EditBlock extends \Icybee\Block\EditBlock
{
	/**
	 * Adds the module's admin script to the document, on top of the parent's assets.
	 *
	 * @param Document $document
	 */
	static protected function add_assets(Document $document)
	{
		parent::add_assets($document);

		$document->js->add(\Icybee\Modules\Users\DIR . 'public/admin.js');
	}

	/**
	 * Whether the current user may edit the record.
	 *
	 * Granted when the user holds the module's MANAGE permission, or when the user is editing
	 * their own record and holds the 'modify own profile' permission. Otherwise the decision
	 * is deferred to the parent.
	 *
	 * NOTE(review): `$this->record` is dereferenced here without a null check, whereas
	 * alter_actions() and create_control_for_restricted_sites_ids() guard it. With a null
	 * record the `uid` read yields null (with a warning) and the loose `==` is evaluated
	 * against that null — confirm the record is always set when this getter runs.
	 *
	 * @return bool
	 */
	protected function get_permission()
	{
		$user = $this->user;

		if ($user->has_permission(Module::PERMISSION_MANAGE, $this->module))
		{
			return true;
		}
		else if ($user->uid == $this->record->uid && $user->has_permission('modify own profile'))
		{
			return true;
		}

		return parent::get_permission();
	}

	/**
	 * Returns the application's user, i.e. the user the permission checks of this block
	 * are evaluated against.
	 *
	 * @return User
	 */
	protected function get_user()
	{
		return $this->app->user;
	}

	/**
	 * Adds the `connection` and `advanced` element groups to the parent's attributes.
	 *
	 * @return array
	 */
	protected function lazy_get_attributes()
	{
		return \ICanBoogie\array_merge_recursive(parent::lazy_get_attributes(), [

			Element::GROUPS => [

				'connection' => [ 'title' => 'Connection' ],
				'advanced' => [ 'title' => 'Advanced' ]

			]

		]);
	}

	/**
	 * Builds the form controls for a user record, appended to the parent's children.
	 *
	 * Controls that only a privileged user may set (username, activation state, roles,
	 * restricted sites) are emitted as `null` for other users, so they are not rendered.
	 *
	 * @return array
	 */
	protected function lazy_get_children()
	{
		$values = $this->values;
		$user = $this->user;
		$uid = $values[User::UID];
		$languages = $this->app->locale['languages'];

		# presumably a case- and accent-insensitive sort, judging by the callback's name
		uasort($languages, 'ICanBoogie\unaccent_compare_ci');

		# Despite its name, this flag reflects PERMISSION_MANAGE, not PERMISSION_ADMINISTER
		# (the role and restricted-sites controls below check ADMINISTER separately).
		$administer = $user->has_permission(Module::PERMISSION_MANAGE, $this->module);

		return array_merge(parent::lazy_get_children(), [

			#
			# name group
			#

			User::FIRSTNAME => new Text([

				Group::LABEL => 'firstname'

			]),

			User::LASTNAME => new Text([

				Group::LABEL => 'lastname'

			]),

			User::NICKNAME => new Text([

				Group::LABEL => 'Nickname'

			]),

			# The username is only editable by users holding the MANAGE permission.
			User::USERNAME => $administer ? new Text([

				Group::LABEL => 'username',
				Element::REQUIRED => true

			]) : null,

			User::NAME_AS => $this->create_control_for_name_as(),

			#
			# connection group
			#

			User::EMAIL => new Text([

				Group::LABEL => 'email',
				Element::GROUP => 'connection',
				Element::REQUIRED => true,
				Element::VALIDATION => 'email',

				'autocomplete' => 'off'

			]),

			# Rendered as a password input with an empty value, so whatever is stored for the
			# record is never sent back to the browser. The description differs between a new
			# record (no uid yet) and an update.
			User::PASSWORD => new Text([

				Element::LABEL => 'password',
				Element::LABEL_POSITION => 'above',
				Element::DESCRIPTION => 'password_' . ($uid ? 'update' : 'new'),
				Element::GROUP => 'connection',

				'autocomplete' => 'off',
				'type' => 'password',
				'value' => ''

			]),

			User::PASSWORD . '-verify' => new Text([

				Element::LABEL => 'password_confirm',
				Element::LABEL_POSITION => 'above',
				Element::DESCRIPTION => 'password_confirm',
				Element::GROUP => 'connection',

				'autocomplete' => 'off',
				'type' => 'password',
				'value' => ''

			]),

			# Not offered for uid 1 (presumably the primary administrator) nor to users
			# without the MANAGE permission.
			User::IS_ACTIVATED => ($uid == 1 || !$administer) ? null : new Element(Element::TYPE_CHECKBOX, [

				Element::LABEL => 'is_activated',
				Element::GROUP => 'connection',
				Element::DESCRIPTION => 'is_activated'

			]),

			User::ROLES => $this->create_control_for_role(),

			User::LANGUAGE => new Element('select', [

				Group::LABEL => 'language',
				Element::GROUP => 'advanced',
				Element::DESCRIPTION => 'language',
				# leading empty option, then the sorted languages (existing keys win over `+`)
				Element::OPTIONS => [ null => '' ] + $languages

			]),

			'timezone' => new Widget\TimeZone([

				Group::LABEL => 'timezone',
				Element::GROUP => 'advanced',
				Element::DESCRIPTION =>'timezone'

			]),

			User::RESTRICTED_SITES => $this->create_control_for_restricted_sites_ids()

		]);
	}

	/**
	 * Removes the save-mode action when a user without the ADMINISTER permission edits
	 * their own record.
	 *
	 * @param array $actions
	 * @param array $params
	 *
	 * @return array
	 */
	protected function alter_actions(array $actions, array $params)
	{
		$actions = parent::alter_actions($actions, $params);

		$user = $this->user;
		$record = $this->record;

		if ($record && $record->uid == $user->uid && !$user->has_permission(Module::PERMISSION_ADMINISTER, $this->module))
		{
			unset($actions[\Icybee\OPERATION_SAVE_MODE]);
		}

		return $actions;
	}

	/**
	 * Returns the control element for the user's roles, or `null` when the control must
	 * not be shown.
	 *
	 * The control is withheld for uid 1 and for users without the ADMINISTER permission.
	 * Hiding it only affects the form; the operation that persists roles has to enforce
	 * the permission on its own (not visible from this class).
	 *
	 * @return Element|null
	 */
	protected function create_control_for_role()
	{
		$user = $this->user;
		$uid = $this->values[User::UID];

		if ($uid == 1 || !$user->has_permission(Module::PERMISSION_ADMINISTER, $this->module))
		{
			return null;
		}

		# rid 2 is always checked (and disabled below) — presumably the default user role;
		# confirm against the roles module.
		$rid = [ 2 => true ];

		if ($uid)
		{
			foreach ($this->record->roles as $role)
			{
				$rid[$role->rid] = true;
			}
		}

		# Literal query fragments only — no request data is interpolated. rid 1 is excluded,
		# presumably the administrator role.
		$options = $this->app
		->models['users.roles']
		->select('rid, name')
		->where('rid != 1')
		->order('rid')
		->pairs;

		return new Element(Element::TYPE_CHECKBOX_GROUP, [

			# Form::LABEL is reported as deprecated by the analysis; the other labelled
			# children of this form use Group::LABEL — presumably the replacement, confirm
			# before switching.
			Form::LABEL => 'roles',
			Element::GROUP => 'advanced',
			Element::OPTIONS => $options,
			Element::OPTIONS_DISABLED => [ 2 => true ],
			Element::REQUIRED => true,
			Element::DESCRIPTION => 'roles',

			'class' => 'framed inputs-list sortable',
			'value' => $rid

		]);
	}

	/**
	 * Returns the control element for the `name_as` param.
	 *
	 * The options are built from the current values: index 0 is the username (or the
	 * literal `<username>` placeholder when it is empty), 1 the first name, 2 the last
	 * name, 3 and 4 the two "first last" / "last first" combinations, and
	 * `User::NAME_AS_NICKNAME` the nickname. Indexes are only added when the value is set.
	 *
	 * NOTE(review): the numeric indexes are assumed to match the `User::NAME_AS_*`
	 * constants (only NAME_AS_NICKNAME is used by name here) — confirm against User.
	 *
	 * @return Element
	 */
	protected function create_control_for_name_as()
	{
		$values = $this->values;

		$options = [ '<username>' ];

		if ($values[User::USERNAME])
		{
			$options[0] = $values[User::USERNAME];
		}

		$firstname = $values[User::FIRSTNAME];

		if ($firstname)
		{
			$options[1] = $firstname;
		}

		$lastname = $values[User::LASTNAME];

		if ($lastname)
		{
			$options[2] = $lastname;
		}

		if ($firstname && $lastname)
		{
			$options[3] = $firstname . ' ' . $lastname;
			$options[4] = $lastname . ' ' . $firstname;
		}

		$nickname = $values[User::NICKNAME];

		if ($nickname)
		{
			$options[User::NAME_AS_NICKNAME] = $nickname;
		}

		return new Element('select', [

			Group::LABEL => 'name_as',
			Element::OPTIONS => $options

		]);
	}

	/**
	 * Returns the control element for the sites the user is restricted to, or `null` when
	 * the current user lacks the ADMINISTER permission or no site is available.
	 *
	 * As with the roles control, hiding it only affects the form; the saving operation has
	 * to enforce the permission independently (not visible from this class).
	 *
	 * @return Element|null
	 */
	protected function create_control_for_restricted_sites_ids()
	{
		$user = $this->user;

		if (!$user->has_permission(Module::PERMISSION_ADMINISTER, $this->module))
		{
			return null;
		}

		$value = [];

		if ($this->record)
		{
			# assumes `restricted_sites_ids` is a list of site ids — turned into a
			# `site_id => true` map, which is the shape the checkbox group expects for `value`
			$value = $this->record->restricted_sites_ids;

			if ($value)
			{
				$value = array_combine($value, array_fill(0, count($value), true));
			}
		}

		# Literal SQL only — no request data is interpolated into the select expression.
		$options = $this->app
		->models['sites']
		->select('site_id, IF(admin_title != "", admin_title, concat(title, ":", language))')
		->order('admin_title, title')
		->pairs;

		if (!$options)
		{
			return null;
		}

		return new Element(Element::TYPE_CHECKBOX_GROUP, [

			# Form::LABEL is reported as deprecated by the analysis; see create_control_for_role().
			Form::LABEL => 'site_id',
			Element::OPTIONS => $options,
			Element::GROUP => 'advanced',
			Element::DESCRIPTION => 'site_id',

			'class' => 'inputs-list widget-bordered',
			'value' => $value

		]);
	}
}