This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | |||
3 | namespace Kunstmaan\UserManagementBundle\Controller; |
||
4 | |||
5 | use Doctrine\ORM\EntityManager; |
||
6 | use FOS\UserBundle\Event\UserEvent; |
||
7 | use FOS\UserBundle\Model\UserInterface; |
||
8 | use FOS\UserBundle\Model\UserManager; |
||
9 | use Kunstmaan\AdminBundle\Controller\BaseSettingsController; |
||
10 | use Kunstmaan\AdminBundle\Entity\BaseUser; |
||
11 | use Kunstmaan\AdminBundle\Event\AdaptSimpleFormEvent; |
||
12 | use Kunstmaan\AdminBundle\Event\Events; |
||
13 | use Kunstmaan\AdminBundle\FlashMessages\FlashTypes; |
||
14 | use Kunstmaan\AdminBundle\Form\RoleDependentUserFormInterface; |
||
15 | use Kunstmaan\AdminListBundle\AdminList\AdminList; |
||
16 | use Kunstmaan\UserManagementBundle\Event\AfterUserDeleteEvent; |
||
17 | use Kunstmaan\UserManagementBundle\Event\UserEvents; |
||
18 | use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template; |
||
19 | use Symfony\Component\EventDispatcher\LegacyEventDispatcherProxy; |
||
20 | use Symfony\Component\HttpFoundation\RedirectResponse; |
||
21 | use Symfony\Component\HttpFoundation\Request; |
||
22 | use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; |
||
23 | use Symfony\Component\Routing\Annotation\Route; |
||
24 | use Symfony\Component\Security\Core\Exception\AccessDeniedException; |
||
25 | |||
26 | /** |
||
27 | * Settings controller handling everything related to creating, editing, deleting and listing users in an admin list |
||
28 | */ |
||
29 | class UsersController extends BaseSettingsController |
||
30 | { |
||
31 | /** |
||
32 | * List users |
||
33 | * |
||
34 | * @Route("/", name="KunstmaanUserManagementBundle_settings_users") |
||
35 | * @Template("@KunstmaanAdminList/Default/list.html.twig") |
||
36 | * |
||
37 | * @return array |
||
38 | */ |
||
39 | public function listAction(Request $request) |
||
40 | { |
||
41 | $this->denyAccessUnlessGranted('ROLE_SUPER_ADMIN'); |
||
42 | |||
43 | $em = $this->getDoctrine()->getManager(); |
||
44 | $configuratorClassName = ''; |
||
45 | if ($this->container->hasParameter('kunstmaan_user_management.user_admin_list_configurator.class')) { |
||
46 | $configuratorClassName = $this->container->getParameter( |
||
47 | 'kunstmaan_user_management.user_admin_list_configurator.class' |
||
48 | ); |
||
49 | } |
||
50 | |||
51 | $configurator = new $configuratorClassName($em); |
||
52 | |||
53 | /* @var AdminList $adminList */ |
||
54 | $adminList = $this->container->get('kunstmaan_adminlist.factory')->createList($configurator); |
||
55 | $adminList->bindRequest($request); |
||
56 | |||
57 | return [ |
||
58 | 'adminlist' => $adminList, |
||
59 | ]; |
||
60 | } |
||
61 | |||
62 | /** |
||
63 | * Get an instance of the admin user class. |
||
64 | * |
||
65 | * @return BaseUser |
||
66 | */ |
||
67 | private function getUserClassInstance() |
||
68 | { |
||
69 | $userClassName = $this->container->getParameter('fos_user.model.user.class'); |
||
70 | |||
71 | return new $userClassName(); |
||
72 | } |
||
73 | |||
74 | /** |
||
75 | * Add a user |
||
76 | * |
||
77 | * @Route("/add", name="KunstmaanUserManagementBundle_settings_users_add", methods={"GET", "POST"}) |
||
78 | * @Template("@KunstmaanUserManagement/Users/add.html.twig") |
||
79 | * |
||
80 | * @return array |
||
81 | */ |
||
82 | public function addAction(Request $request) |
||
83 | { |
||
84 | $this->denyAccessUnlessGranted('ROLE_SUPER_ADMIN'); |
||
85 | |||
86 | $user = $this->getUserClassInstance(); |
||
87 | |||
88 | $options = ['password_required' => true, 'langs' => $this->container->getParameter('kunstmaan_admin.admin_locales'), 'validation_groups' => ['Registration'], 'data_class' => \get_class($user)]; |
||
89 | $formTypeClassName = $user->getFormTypeClass(); |
||
90 | $formType = new $formTypeClassName(); |
||
91 | |||
92 | if ($formType instanceof RoleDependentUserFormInterface) { |
||
93 | // to edit groups and enabled the current user should have ROLE_SUPER_ADMIN |
||
94 | $options['can_edit_all_fields'] = $this->isGranted('ROLE_SUPER_ADMIN'); |
||
95 | } |
||
96 | |||
97 | $form = $this->createForm( |
||
98 | $formTypeClassName, |
||
99 | $user, |
||
100 | $options |
||
101 | ); |
||
102 | |||
103 | if ($request->isMethod('POST')) { |
||
104 | $form->handleRequest($request); |
||
105 | if ($form->isSubmitted() && $form->isValid()) { |
||
106 | $user->setPasswordChanged(true); |
||
107 | $user->setCreatedBy($this->getUser()->getUsername()); |
||
108 | /* @var UserManager $userManager */ |
||
109 | $userManager = $this->container->get('fos_user.user_manager'); |
||
110 | $userManager->updateUser($user, true); |
||
111 | |||
112 | $this->addFlash( |
||
113 | FlashTypes::SUCCESS, |
||
114 | $this->container->get('translator')->trans('kuma_user.users.add.flash.success.%username%', [ |
||
115 | '%username%' => $user->getUsername(), |
||
116 | ]) |
||
117 | ); |
||
118 | |||
119 | return new RedirectResponse($this->generateUrl('KunstmaanUserManagementBundle_settings_users')); |
||
120 | } |
||
121 | } |
||
122 | |||
123 | return [ |
||
124 | 'form' => $form->createView(), |
||
125 | ]; |
||
126 | } |
||
127 | |||
128 | /** |
||
129 | * Edit a user |
||
130 | * |
||
131 | * @param int $id |
||
132 | * |
||
133 | * @Route("/{id}/edit", requirements={"id" = "\d+"}, name="KunstmaanUserManagementBundle_settings_users_edit", methods={"GET", "POST"}) |
||
134 | * @Template("@KunstmaanUserManagement/Users/edit.html.twig") |
||
135 | * |
||
136 | * @return array |
||
137 | * |
||
138 | * @throws AccessDeniedException |
||
139 | */ |
||
140 | public function editAction(Request $request, $id) |
||
141 | { |
||
142 | // The logged in user should be able to change his own password/username/email and not for other users |
||
143 | if ($id == $this->container->get('security.token_storage')->getToken()->getUser()->getId()) { |
||
144 | $requiredRole = 'ROLE_ADMIN'; |
||
145 | } else { |
||
146 | $requiredRole = 'ROLE_SUPER_ADMIN'; |
||
147 | } |
||
148 | $this->denyAccessUnlessGranted($requiredRole); |
||
149 | |||
150 | /* @var EntityManager $em */ |
||
151 | $em = $this->getDoctrine()->getManager(); |
||
152 | |||
153 | /** @var UserInterface $user */ |
||
154 | $user = $em->getRepository($this->container->getParameter('fos_user.model.user.class'))->find($id); |
||
155 | if ($user === null) { |
||
156 | throw new NotFoundHttpException(sprintf('User with ID %s not found', $id)); |
||
157 | } |
||
158 | |||
159 | $userEvent = new UserEvent($user, $request); |
||
160 | $this->dispatch($userEvent, UserEvents::USER_EDIT_INITIALIZE); |
||
161 | |||
162 | $options = ['password_required' => false, 'langs' => $this->container->getParameter('kunstmaan_admin.admin_locales'), 'data_class' => \get_class($user)]; |
||
163 | $formFqn = $user->getFormTypeClass(); |
||
164 | $formType = new $formFqn(); |
||
165 | |||
166 | if ($formType instanceof RoleDependentUserFormInterface) { |
||
167 | // to edit groups and enabled the current user should have ROLE_SUPER_ADMIN |
||
168 | $options['can_edit_all_fields'] = $this->isGranted('ROLE_SUPER_ADMIN'); |
||
169 | } |
||
170 | |||
171 | $event = new AdaptSimpleFormEvent($request, $formFqn, $user, $options); |
||
172 | $event = $this->dispatch($event, Events::ADAPT_SIMPLE_FORM); |
||
173 | $tabPane = $event->getTabPane(); |
||
174 | |||
175 | $form = $this->createForm($formFqn, $user, $options); |
||
176 | |||
177 | if ($request->isMethod('POST')) { |
||
178 | if ($tabPane) { |
||
179 | $tabPane->bindRequest($request); |
||
180 | $form = $tabPane->getForm(); |
||
181 | } else { |
||
182 | $form->handleRequest($request); |
||
183 | } |
||
184 | |||
185 | if ($form->isSubmitted() && $form->isValid()) { |
||
186 | /* @var UserManager $userManager */ |
||
187 | $userManager = $this->container->get('fos_user.user_manager'); |
||
188 | $userManager->updateUser($user, true); |
||
189 | |||
190 | $this->addFlash( |
||
191 | FlashTypes::SUCCESS, |
||
192 | $this->container->get('translator')->trans('kuma_user.users.edit.flash.success.%username%', [ |
||
193 | '%username%' => $user->getUsername(), |
||
194 | ]) |
||
195 | ); |
||
196 | |||
197 | return new RedirectResponse( |
||
198 | $this->generateUrl( |
||
199 | 'KunstmaanUserManagementBundle_settings_users_edit', |
||
200 | ['id' => $id] |
||
201 | ) |
||
202 | ); |
||
203 | } |
||
204 | } |
||
205 | |||
206 | $params = [ |
||
207 | 'form' => $form->createView(), |
||
208 | 'user' => $user, |
||
209 | ]; |
||
210 | |||
211 | if ($tabPane) { |
||
212 | $params = array_merge($params, ['tabPane' => $tabPane]); |
||
213 | } |
||
214 | |||
215 | return $params; |
||
216 | } |
||
217 | |||
218 | /** |
||
219 | * Delete a user |
||
220 | * |
||
221 | * @param Request $request |
||
222 | * @param int $id |
||
223 | * |
||
224 | * @Route("/{id}/delete", requirements={"id" = "\d+"}, name="KunstmaanUserManagementBundle_settings_users_delete", methods={"POST"}) |
||
225 | * |
||
226 | * @return array |
||
227 | * |
||
228 | * @throws AccessDeniedException |
||
229 | * |
||
230 | * @deprecated this method is deprecated since KunstmaanUserManagementBundle 5.6 and will be removed in KunstmaanUserManagementBundle 6.0 |
||
231 | */ |
||
232 | public function deleteAction(Request $request, $id) |
||
233 | { |
||
234 | @trigger_error('Using the deleteAction method from the UsersController is deprecated since KunstmaanUserManagementBundle 5.6 and will be replaced by the method deleteFormAction in KunstmaanUserManagementBundle 6.0. Use the correct method instead.', E_USER_DEPRECATED); |
||
0 ignored issues
–
show
|
|||
235 | $this->denyAccessUnlessGranted('ROLE_SUPER_ADMIN'); |
||
236 | |||
237 | /* @var EntityManager $em */ |
||
238 | $em = $this->getDoctrine()->getManager(); |
||
239 | /* @var UserInterface $user */ |
||
240 | $user = $em->getRepository($this->container->getParameter('fos_user.model.user.class'))->find($id); |
||
241 | if (!\is_null($user)) { |
||
242 | $userEvent = new UserEvent($user, $request); |
||
243 | $this->dispatch($userEvent, UserEvents::USER_DELETE_INITIALIZE); |
||
244 | |||
245 | $em->remove($user); |
||
246 | $em->flush(); |
||
247 | |||
248 | $this->addFlash( |
||
249 | FlashTypes::SUCCESS, |
||
250 | $this->container->get('translator')->trans('kuma_user.users.delete.flash.success.%username%', [ |
||
251 | '%username%' => $user->getUsername(), |
||
252 | ]) |
||
253 | ); |
||
254 | } |
||
255 | |||
256 | return new RedirectResponse($this->generateUrl('KunstmaanUserManagementBundle_settings_users')); |
||
257 | } |
||
258 | |||
259 | /** |
||
260 | * @Route("/form-delete/{id}", requirements={"id" = "\d+"}, name="KunstmaanUserManagementBundle_settings_users_form_delete", methods={"POST"}) |
||
261 | */ |
||
262 | public function deleteFormAction(Request $request, $id) |
||
263 | { |
||
264 | $this->denyAccessUnlessGranted('ROLE_SUPER_ADMIN'); |
||
265 | |||
266 | $submittedToken = $request->request->get('token'); |
||
267 | if (!$this->isCsrfTokenValid('delete-user', $submittedToken)) { |
||
268 | return new RedirectResponse($this->generateUrl('KunstmaanUserManagementBundle_settings_users')); |
||
269 | } |
||
270 | |||
271 | /* @var EntityManager $em */ |
||
272 | $em = $this->getDoctrine()->getManager(); |
||
273 | /* @var UserInterface $user */ |
||
274 | $user = $em->getRepository($this->container->getParameter('fos_user.model.user.class'))->find($id); |
||
275 | if (!\is_null($user)) { |
||
276 | $userEvent = new UserEvent($user, $request); |
||
277 | $afterDeleteEvent = new AfterUserDeleteEvent($user->getUsername(), $this->getUser()->getUsername()); |
||
278 | $this->dispatch($userEvent, UserEvents::USER_DELETE_INITIALIZE); |
||
279 | |||
280 | $em->remove($user); |
||
281 | $em->flush(); |
||
282 | |||
283 | $this->dispatch($afterDeleteEvent, UserEvents::AFTER_USER_DELETE); |
||
284 | |||
285 | $this->addFlash( |
||
286 | FlashTypes::SUCCESS, |
||
287 | $this->container->get('translator')->trans('kuma_user.users.delete.flash.success.%username%', [ |
||
288 | '%username%' => $user->getUsername(), |
||
289 | ]) |
||
290 | ); |
||
291 | } |
||
292 | |||
293 | return new RedirectResponse($this->generateUrl('KunstmaanUserManagementBundle_settings_users')); |
||
294 | } |
||
295 | |||
296 | /** |
||
297 | * @return \Symfony\Component\HttpFoundation\Response |
||
298 | */ |
||
299 | public function changePasswordAction() |
||
300 | { |
||
301 | // Redirect to current user edit route... |
||
302 | return new RedirectResponse( |
||
303 | $this->generateUrl( |
||
304 | 'KunstmaanUserManagementBundle_settings_users_edit', |
||
305 | [ |
||
306 | 'id' => $this->container->get('security.token_storage')->getToken()->getUser()->getId(), |
||
307 | ] |
||
308 | ) |
||
309 | ); |
||
310 | } |
||
311 | |||
312 | /** |
||
313 | * @param object $event |
||
314 | * @param string $eventName |
||
315 | * |
||
316 | * @return object |
||
317 | */ |
||
318 | View Code Duplication | private function dispatch($event, string $eventName) |
|
319 | { |
||
320 | $eventDispatcher = $this->container->get('event_dispatcher'); |
||
321 | if (class_exists(LegacyEventDispatcherProxy::class)) { |
||
322 | $eventDispatcher = LegacyEventDispatcherProxy::decorate($eventDispatcher); |
||
323 | |||
324 | return $eventDispatcher->dispatch($event, $eventName); |
||
325 | } |
||
326 | |||
327 | return $eventDispatcher->dispatch($eventName, $event); |
||
328 | } |
||
329 | } |
||
330 |
If you suppress an error, we recommend checking for the error condition explicitly: