Issues in UserField.php (master) - Issues in master - TheBnl/event-tickets - Measure and Improve Code Quality continuously with Scrutinizer

Issues (150)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

code/model/user-fields/UserField.php (9 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * AttendeeExtraField.php
 *
 * @author Bram de Leeuw
 * Date: 24/05/17
 */

namespace Broarm\EventTickets;

use CheckboxField;
use Convert;
use DataObject;
use FieldList;
use FormField;
use ReadonlyField;
use Tab;
use TabSet;
use TextField;

/**
 * Class AttendeeExtraField
 * todo write migration from AttendeeExtraField -> UserField
 *
 * @property string  Name
 * @property string  Title
 * @property string  Default
 * @property string  ExtraClass
 * @property boolean Required
 * @property boolean Editable
 *
 * @method \CalendarEvent Event()
 */
class UserField extends DataObject
{
    /**
     * @var FormField
     */
    protected $fieldType = 'FormField';

    /**
     * Field name to be used in the AttendeeField (Composite field)
     *
     * @see AttendeeField::__construct()
     *
     * @var string
     */
    protected $fieldName;

    private static $db = array(

        'Name' => 'Varchar(255)', // mostly here for default fields lookup
        'Title' => 'Varchar(255)',
        'Default' => 'Varchar(255)',
        'ExtraClass' => 'Varchar(255)',
        'Required' => 'Boolean',
        'Editable' => 'Boolean',
        'Sort' => 'Int'
    );

    private static $defaults = array(

        'Editable' => 1
    );

    private static $default_sort = 'Sort ASC';


    private static $has_one = array(

        'Event' => 'CalendarEvent'
    );

    private static $belongs_many_many = array(

        'Attendees' => 'Broarm\EventTickets\Attendee'
    );

    private static $summary_fields = array(

        'singular_name' => 'Type of field',
        'Title' => 'Title',
        'RequiredNice' => 'Required field'
    );

    private static $translate = array(
        'Title',
        'Default'
    );

    public function getCMSFields()
    {
        $fields = new FieldList(new TabSet('Root', $mainTab = new Tab('Main')));
        $fields->addFieldsToTab('Root.Main', array(
            ReadonlyField::create('PreviewFieldType', 'Field type', $this->ClassName),
            ReadonlyField::create('Name', _t('AttendeeExtraField.Name', 'Name for this field')),
            TextField::create('Title', _t('AttendeeExtraField.Title', 'Field label or question')),
            TextField::create('ExtraClass', _t('AttendeeExtraField.ExtraClass', 'Add an extra class to the field')),
            TextField::create('Default', _t('AttendeeExtraField.Default', 'Set a default value'))
        ));

        $fields->addFieldsToTab('Root.Validation', array(
            CheckboxField::create('Required', _t(
                'AttendeeExtraField.Required',
                'This field is required'
            ))->setDisabled(!(bool)$this->Editable)
        ));

        $this->extend('updateCMSFields', $fields);
        return $fields;
    }

    public function onBeforeWrite()
    {
        // Set the title to be the name when empty
        if (empty($this->Name)) {
            $str = preg_replace('/[^a-z0-9]+/i', ' ', $this->Title);
            $str = trim($str);
            $str = ucwords($str);
            $this->Name = str_replace(" ", "", $str);
        }

        parent::onBeforeWrite();
    }

    /**
     * Get the filed type
     *
     * @return FormField
     */
    public function getFieldType()
    {
        return $this->fieldType;
    }

    /**
     * Show if the field is required in a nice format
     *
     * BUGFIX Using the shorthand Required.Nice in the summary_fields
     * made the fields, that were required (true), be set to (false)
     *
     * @return mixed
     */
    public function getRequiredNice()
    {
        return $this->dbObject('Required')->Nice();
    }

    /**
     * Get the value
     *
     * @return mixed|string
     */
    public function getValue()
    {
        return $this->getField('Value');
    }

    /**
     * Create a field from given configuration
     * These fields are created based on the set default fields @see Attendee::$default_fields
     *
     * @param $fieldName
     * @param $fieldConfig
     *
     * @return UserField|DataObject
     */
    public static function createDefaultField($fieldName, $fieldConfig)
    {
        /** @var UserField $fieldType */
        $fieldType = $fieldConfig['FieldType'];

        $field = $fieldType::create();
        $field->Name = $fieldName;
        if (is_array($fieldConfig)) {
            foreach ($fieldConfig as $property => $value) {
                $field->setField($property, $value);
            }
        }

        return $field;
    }

    /**
     * Create the actual field
     * Overwrite this on the field subclass
     *
     * @param $fieldName string Created by the AttendeeField
     * @param $defaultValue string Set a default value
     * @param $main boolean check if the field is for the main attendee
     *
     * @return FormField
     */
    public function createField($fieldName, $defaultValue = null, $main = false)
    {
        $fieldType = $this->fieldType;
        $field = $fieldType::create($fieldName, $this->Title, $defaultValue);
        $field->addExtraClass($this->ExtraClass);
        $this->extend('updateCreateField', $field);
        return $field;
    }

    /**
     * Returns the singular name without the namespaces
     *
     * @return string
     */
    public function singular_name()
    {
        $name = explode('\\', parent::singular_name());
        return trim(str_replace('User', '', end($name)));
    }

    public function canView($member = null)

    {
        return $this->Event()->canView($member);
    }

    public function canEdit($member = null)

    {
        return $this->Event()->canEdit($member);
    }

    public function canDelete($member = null)
    {
        return $this->Editable;
    }

    public function canCreate($member = null)

    {
        return $this->Event()->canCreate($member);
    }
}


1			<?php
2			/**
3			* AttendeeExtraField.php
4			*
5			* @author Bram de Leeuw
6			* Date: 24/05/17
7			*/
8
9			namespace Broarm\EventTickets;
10
11			use CheckboxField;
12			use Convert;
13			use DataObject;
14			use FieldList;
15			use FormField;
16			use ReadonlyField;
17			use Tab;
18			use TabSet;
19			use TextField;
20
21			/**
22			* Class AttendeeExtraField
23			* todo write migration from AttendeeExtraField -> UserField
24			*
25			* @property string Name
26			* @property string Title
27			* @property string Default
28			* @property string ExtraClass
29			* @property boolean Required
30			* @property boolean Editable
31			*
32			* @method \CalendarEvent Event()
33			*/
34			class UserField extends DataObject
35			{
36			/**
37			* @var FormField
38			*/
39			protected $fieldType = 'FormField';
40
41			/**
42			* Field name to be used in the AttendeeField (Composite field)
43			*
44			* @see AttendeeField::__construct()
45			*
46			* @var string
47			*/
48			protected $fieldName;
49
50			private static $db = array(
			0 ignored issues – show Comprehensibility introduced 2017-06-22 16:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider using a different property name as you override a private property of the parent class. Loading history...
51			'Name' => 'Varchar(255)', // mostly here for default fields lookup
52			'Title' => 'Varchar(255)',
53			'Default' => 'Varchar(255)',
54			'ExtraClass' => 'Varchar(255)',
55			'Required' => 'Boolean',
56			'Editable' => 'Boolean',
57			'Sort' => 'Int'
58			);
59
60			private static $defaults = array(
			0 ignored issues – show Comprehensibility introduced 2017-05-24 16:47 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider using a different property name as you override a private property of the parent class. Loading history...
61			'Editable' => 1
62			);
63
64			private static $default_sort = 'Sort ASC';
			0 ignored issues – show Comprehensibility introduced 2017-05-24 16:47 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider using a different property name as you override a private property of the parent class. Loading history...
65
66			private static $has_one = array(
			0 ignored issues – show Comprehensibility introduced 2017-04-25 13:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider using a different property name as you override a private property of the parent class. Loading history...
67			'Event' => 'CalendarEvent'
68			);
69
70			private static $belongs_many_many = array(
			0 ignored issues – show Comprehensibility introduced 2017-04-25 13:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider using a different property name as you override a private property of the parent class. Loading history...
71			'Attendees' => 'Broarm\EventTickets\Attendee'
72			);
73
74			private static $summary_fields = array(
			0 ignored issues – show Comprehensibility introduced 2017-04-25 13:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider using a different property name as you override a private property of the parent class. Loading history...
75			'singular_name' => 'Type of field',
76			'Title' => 'Title',
77			'RequiredNice' => 'Required field'
78			);
79
80			private static $translate = array(
81			'Title',
82			'Default'
83			);
84
85			public function getCMSFields()
86			{
87			$fields = new FieldList(new TabSet('Root', $mainTab = new Tab('Main')));
88			$fields->addFieldsToTab('Root.Main', array(
89			ReadonlyField::create('PreviewFieldType', 'Field type', $this->ClassName),
90			ReadonlyField::create('Name', _t('AttendeeExtraField.Name', 'Name for this field')),
91			TextField::create('Title', _t('AttendeeExtraField.Title', 'Field label or question')),
92			TextField::create('ExtraClass', _t('AttendeeExtraField.ExtraClass', 'Add an extra class to the field')),
93			TextField::create('Default', _t('AttendeeExtraField.Default', 'Set a default value'))
94			));
95
96			$fields->addFieldsToTab('Root.Validation', array(
97			CheckboxField::create('Required', _t(
98			'AttendeeExtraField.Required',
99			'This field is required'
100			))->setDisabled(!(bool)$this->Editable)
101			));
102
103			$this->extend('updateCMSFields', $fields);
104			return $fields;
105			}
106
107			public function onBeforeWrite()
108			{
109			// Set the title to be the name when empty
110			if (empty($this->Name)) {
111			$str = preg_replace('/[^a-z0-9]+/i', ' ', $this->Title);
112			$str = trim($str);
113			$str = ucwords($str);
114			$this->Name = str_replace(" ", "", $str);
115			}
116
117			parent::onBeforeWrite();
118			}
119
120			/**
121			* Get the filed type
122			*
123			* @return FormField
124			*/
125			public function getFieldType()
126			{
127			return $this->fieldType;
128			}
129
130			/**
131			* Show if the field is required in a nice format
132			*
133			* BUGFIX Using the shorthand Required.Nice in the summary_fields
134			* made the fields, that were required (true), be set to (false)
135			*
136			* @return mixed
137			*/
138			public function getRequiredNice()
139			{
140			return $this->dbObject('Required')->Nice();
141			}
142
143			/**
144			* Get the value
145			*
146			* @return mixed\|string
147			*/
148			public function getValue()
149			{
150			return $this->getField('Value');
151			}
152
153			/**
154			* Create a field from given configuration
155			* These fields are created based on the set default fields @see Attendee::$default_fields
156			*
157			* @param $fieldName
158			* @param $fieldConfig
159			*
160			* @return UserField\|DataObject
161			*/
162			public static function createDefaultField($fieldName, $fieldConfig)
163			{
164			/** @var UserField $fieldType */
165			$fieldType = $fieldConfig['FieldType'];
166
167			$field = $fieldType::create();
168			$field->Name = $fieldName;
169			if (is_array($fieldConfig)) {
170			foreach ($fieldConfig as $property => $value) {
171			$field->setField($property, $value);
172			}
173			}
174
175			return $field;
176			}
177
178			/**
179			* Create the actual field
180			* Overwrite this on the field subclass
181			*
182			* @param $fieldName string Created by the AttendeeField
183			* @param $defaultValue string Set a default value
184			* @param $main boolean check if the field is for the main attendee
185			*
186			* @return FormField
187			*/
188			public function createField($fieldName, $defaultValue = null, $main = false)
189			{
190			$fieldType = $this->fieldType;
191			$field = $fieldType::create($fieldName, $this->Title, $defaultValue);
192			$field->addExtraClass($this->ExtraClass);
193			$this->extend('updateCreateField', $field);
194			return $field;
195			}
196
197			/**
198			* Returns the singular name without the namespaces
199			*
200			* @return string
201			*/
202			public function singular_name()
203			{
204			$name = explode('\\', parent::singular_name());
205			return trim(str_replace('User', '', end($name)));
206			}
207
208			public function canView($member = null)
			0 ignored issues – show Documentation introduced 2017-05-24 16:47 UTC by Report Bug Copy Issue Report Show Similar Issues like this The return type could not be reliably inferred; please add a `@return` annotation. Our type inference engine in quite powerful, but sometimes the code does not provide enough clues to go by. In these cases we request you to add a `@return` annotation as described here. Loading history...
209			{
210			return $this->Event()->canView($member);
211			}
212
213			public function canEdit($member = null)
			0 ignored issues – show Documentation introduced 2017-05-09 14:47 UTC by Report Bug Copy Issue Report Show Similar Issues like this The return type could not be reliably inferred; please add a `@return` annotation. Our type inference engine in quite powerful, but sometimes the code does not provide enough clues to go by. In these cases we request you to add a `@return` annotation as described here. Loading history...
214			{
215			return $this->Event()->canEdit($member);
216			}
217
218			public function canDelete($member = null)
219			{
220			return $this->Editable;
221			}
222
223			public function canCreate($member = null)
			0 ignored issues – show Documentation introduced 2017-07-31 12:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this The return type could not be reliably inferred; please add a `@return` annotation. Our type inference engine in quite powerful, but sometimes the code does not provide enough clues to go by. In these cases we request you to add a `@return` annotation as described here. Loading history...
224			{
225			return $this->Event()->canCreate($member);
226			}
227			}
228

TheBnl / event-tickets

Issues (150)

Security Analysis not enabled

code/model/user-fields/UserField.php (9 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like