Issues in NewsTopic.php (master) - Issues in master - XoopsModules25x/news - Measure and Improve Code Quality continuously with Scrutinizer

Issues (384)

Security Analysis not enabled

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

class/NewsTopic.php (4 issues)

Labels

Severity

Minor 4

<?php declare(strict_types=1);

namespace XoopsModules\News;

/*
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */

/**
 * @copyright      {@link https://xoops.org/ XOOPS Project}
 * @license        {@link https://www.gnu.org/licenses/gpl-2.0.html GNU GPL 2 or later}
 * @author         XOOPS Development Team
 */

//require_once XOOPS_ROOT_PATH . '/modules/news/class/xoopsstory.php';
//require_once XOOPS_ROOT_PATH . '/modules/news/class/xoopstopic.php';
//require_once XOOPS_ROOT_PATH . '/modules/news/class/tree.php';

/**
 * Class NewsTopic
 */
class NewsTopic extends XoopsTopic
{
    public $menu;
    public $topic_description;
    public $topic_frontpage;
    public $topic_rssurl;
    public $topic_color;

    /**
     * @param int $topicid
     */
    public function __construct($topicid = 0)
    {
        /** @var \XoopsMySQLDatabase $db */
        $this->db    = \XoopsDatabaseFactory::getDatabaseConnection();
        $this->table = $this->db->prefix('news_topics');
        if (\is_array($topicid)) {
            $this->makeTopic($topicid);
        } elseif (0 != $topicid) {
            $this->getTopic((int)$topicid);
        } else {
            $this->topic_id = $topicid;
        }
    }

    /**
     * @param int    $none
     * @param        $seltopic
     * @param string $selname
     * @param string $onchange
     * @param bool   $checkRight
     * @param string $perm_type
     *
     * @return null|string
     */
    public function makeMyTopicSelBox(
        $none = 0,
        $seltopic = -1,
        $selname = '',
        $onchange = '',
        $checkRight = false,
        $perm_type = 'news_view'
    ) {
        $perms = '';
        if ($checkRight) {
            global $xoopsUser;
            /** @var \XoopsModuleHandler $moduleHandler */
            $moduleHandler    = \xoops_getHandler('module');
            $newsModule       = $moduleHandler->getByDirname('news');
            $groups           = \is_object($xoopsUser) ? $xoopsUser->getGroups() : XOOPS_GROUP_ANONYMOUS;
            $grouppermHandler = \xoops_getHandler('groupperm');
            $topics           = $grouppermHandler->getItemIds($perm_type, $groups, $newsModule->getVar('mid'));
            if (\count($topics) > 0) {
                $topics = \implode(',', $topics);
                $perms  = ' AND topic_id IN (' . $topics . ') ';
            } else {
                return null;
            }
        }

        if (-1 != $seltopic) {
            return $this->makeMySelBox('topic_title', 'topic_title', $seltopic, $none, $selname, $onchange, $perms);
        }

        if (!empty($this->topic_id)) {
            return $this->makeMySelBox('topic_title', 'topic_title', $this->topic_id, $none, $selname, $onchange, $perms);
        }

        return $this->makeMySelBox('topic_title', 'topic_title', 0, $none, $selname, $onchange, $perms);
    }

    /**
     * makes a nicely ordered selection box
     *
     * @param        $title
     * @param string $order
     * @param int    $preset_id is used to specify a preselected item
     * @param int    $none      set $none to 1 to add an option with value 0
     *
     * @param string $sel_name
     * @param string $onchange
     * @param        $perms
     *
     * @return string
     */
    public function makeMySelBox(
        $title,
        $order,
        $preset_id,
        $none,
        $sel_name,
        $onchange,
        $perms
    ) {
        $myts      = \MyTextSanitizer::getInstance();
        $outbuffer = '';
        $outbuffer = "<select name='" . $sel_name . "'";
        if ('' !== $onchange) {
            $outbuffer .= " onchange='" . $onchange . "'";
        }
        $outbuffer .= ">\n";
        $sql       = 'SELECT topic_id, ' . $title . ' FROM ' . $this->table . ' WHERE (topic_pid=0)' . $perms;
        if ('' !== $order) {
            $sql .= " ORDER BY $order";
        }
        $result = $this->db->query($sql);
        if ($none) {
            $outbuffer .= "<option value='0'>----</option>\n";
        }
        while ([$catid, $name] = $this->db->fetchRow($result)) {
            $sel = '';
            if ($catid == $preset_id) {
                $sel = ' selected';
            }
            $name      = $myts->displayTarea($name);
            $outbuffer .= "<option value='$catid'$sel>$name</option>\n";
            $sel       = '';
            $arr       = $this->getChildTreeArray($catid, $order, $perms);
            foreach ($arr as $option) {
                $option['prefix'] = \str_replace('.', '--', $option['prefix']);
                $catpath          = $option['prefix'] . '&nbsp;' . $myts->displayTarea($option[$title]);

                if ($option['topic_id'] == $preset_id) {
                    $sel = ' selected';
                }
                $outbuffer .= "<option value='" . $option['topic_id'] . "'$sel>$catpath</option>\n";
                $sel       = '';
            }
        }
        $outbuffer .= "</select>\n";

        return $outbuffer;
    }

    /**
     * @param int    $sel_id
     * @param string $order
     * @param string $perms
     * @param array  $parray
     * @param string $r_prefix
     *
     * @return array
     */
    public function getChildTreeArray($sel_id = 0, $order = '', $perms = '', $parray = [], $r_prefix = '')
    {
        $sql = 'SELECT * FROM ' . $this->table . ' WHERE (topic_pid=' . $sel_id . ')' . $perms;
        if ('' !== $order) {
            $sql .= " ORDER BY $order";
        }
        $result = $this->db->query($sql);
        $count  = $this->db->getRowsNum($result);
        if (0 == $count) {
            return $parray;
        }
        while (false !== ($row = $this->db->fetchArray($result))) {
            $row['prefix'] = $r_prefix . '.';
            $parray[]      = $row;
            $parray        = $this->getChildTreeArray($row['topic_id'], $order, $perms, $parray, $row['prefix']);
        }

        return $parray;
    }

    /**
     * @param $var
     *
     * @return mixed
     */
    public function getVar($var)
    {
        if (\method_exists($this, $var)) {
            return $this->{$var}();
        }

        return $this->$var;
    }

    /**
     * Get the total number of topics in the base
     * @param bool $checkRight
     * @return mixed|null
     */
    public function getAllTopicsCount($checkRight = true)
    {
        $perms = '';
        if ($checkRight) {
            global $xoopsUser;
            /** @var \XoopsModuleHandler $moduleHandler */
            $moduleHandler    = \xoops_getHandler('module');
            $newsModule       = $moduleHandler->getByDirname('news');
            $groups           = \is_object($xoopsUser) ? $xoopsUser->getGroups() : XOOPS_GROUP_ANONYMOUS;
            $grouppermHandler = \xoops_getHandler('groupperm');
            $topics           = $grouppermHandler->getItemIds('news_submit', $groups, $newsModule->getVar('mid'));
            if (\count($topics) > 0) {
                $topics = \implode(',', $topics);
                $perms  = ' WHERE topic_id IN (' . $topics . ') ';
            } else {
                return null;
            }
        }

        $sql   = 'SELECT count(topic_id) AS cpt FROM ' . $this->table . $perms;
        $array = $this->db->fetchArray($this->db->query($sql));

        return $array['cpt'];
    }

    /**
     * @param bool   $checkRight
     * @param string $permission
     *
     * @return array
     */
    public function getAllTopics($checkRight = true, $permission = 'news_view')
    {
        $topics_arr = [];
        /** @var \XoopsMySQLDatabase $db */
        $db    = \XoopsDatabaseFactory::getDatabaseConnection();
        $table = $db->prefix('news_topics');
        $sql   = 'SELECT * FROM ' . $table;
        if ($checkRight) {
            $topics = Utility::getMyItemIds($permission);
            if (0 == \count($topics)) {
                return [];
            }
            $topics = \implode(',', $topics);
            $sql    .= ' WHERE topic_id IN (' . $topics . ')';
        }
        $sql    .= ' ORDER BY topic_title';
        $result = $db->query($sql);
        while (false !== ($array = $db->fetchArray($result))) {
            $topic = new self();
            $topic->makeTopic($array);
            $topics_arr[$array['topic_id']] = $topic;
            unset($topic);
        }

        return $topics_arr;
    }

    /**
     * Returns the number of published news per topic
     */
    public function getNewsCountByTopic()
    {
        $ret    = [];
        $sql    = 'SELECT count(storyid) AS cpt, topicid FROM ' . $this->db->prefix('news_stories') . ' WHERE (published > 0 AND published <= ' . \time() . ') AND (expired = 0 OR expired > ' . \time() . ') GROUP BY topicid';
        $result = $this->db->query($sql);
        while (false !== ($row = $this->db->fetchArray($result))) {
            $ret[$row['topicid']] = $row['cpt'];
        }

        return $ret;
    }

    /**
     * Returns some stats about a topic
     * @param $topicid
     * @return array
     */
    public function getTopicMiniStats($topicid)
    {
        $ret          = [];
        $sql          = 'SELECT count(storyid) AS cpt1, sum(counter) AS cpt2 FROM ' . $this->db->prefix('news_stories') . ' WHERE (topicid=' . $topicid . ') AND (published>0 AND published <= ' . \time() . ') AND (expired = 0 OR expired > ' . \time() . ')';
        $result       = $this->db->query($sql);
        $row          = $this->db->fetchArray($result);
        $ret['count'] = $row['cpt1'];
        $ret['reads'] = $row['cpt2'];

        return $ret;
    }

    /**
     * @param $value
     */
    public function setMenu($value): void
    {
        $this->menu = $value;
    }

    /**
     * @param $value
     */
    public function setTopic_color($value): void
    {
        $this->topic_color = $value;
    }

    /**
     * @param $topicid
     */
    public function getTopic($topicid): void
    {
        $sql   = 'SELECT * FROM ' . $this->table . ' WHERE topic_id=' . $topicid;
        $array = $this->db->fetchArray($this->db->query($sql));
        $this->makeTopic($array);
    }

    /**
     * @param $array
     */
    public function makeTopic($array): void
    {
        if (\is_array($array)) {
            foreach ($array as $key => $value) {
                $this->$key = $value;
            }
        }
    }

    /**
     * @return bool
     */
    public function store()
    {
        $myts              = \MyTextSanitizer::getInstance();
        $title             = '';
        $imgurl            = '';
        $topic_description = $myts->censorString($this->topic_description);
        $topic_description = $GLOBALS['xoopsDB']->escape($topic_description);
        $topic_rssurl      = $GLOBALS['xoopsDB']->escape($this->topic_rssurl);
        $topic_color       = $GLOBALS['xoopsDB']->escape($this->topic_color);

        $dirname = \basename(\dirname(__DIR__));

        if (isset($this->topic_title) && '' !== $this->topic_title) {
            $title = $GLOBALS['xoopsDB']->escape($this->topic_title);
        }
        if (isset($this->topic_imgurl) && '' !== $this->topic_imgurl) {
            $imgurl = $GLOBALS['xoopsDB']->escape($this->topic_imgurl);
        }
        if (!isset($this->topic_pid) || !\is_numeric($this->topic_pid)) {
            $this->topic_pid = 0;
        }
        $topic_frontpage = (int)$this->topic_frontpage;
        $insert          = false;
        if (empty($this->topic_id)) {
            $insert         = true;
            $this->topic_id = $this->db->genId($this->table . '_topic_id_seq');
            $sql            = \sprintf(
                "INSERT INTO `%s` (topic_id, topic_pid, topic_imgurl, topic_title, menu, topic_description, topic_frontpage, topic_rssurl, topic_color) VALUES (%u, %u, '%s', '%s', %u, '%s', %d, '%s', '%s')",
                $this->table,
                (int)$this->topic_id,
                (int)$this->topic_pid,
                $imgurl,
                $title,
                (int)$this->menu,
                $topic_description,
                $topic_frontpage,
                $topic_rssurl,
                $topic_color
            );
        } else {
            $sql = \sprintf(
                "UPDATE `%s` SET topic_pid = %u, topic_imgurl = '%s', topic_title = '%s', menu=%d, topic_description='%s', topic_frontpage=%d, topic_rssurl='%s', topic_color='%s' WHERE topic_id = %u",
                $this->table,
                (int)$this->topic_pid,
                $imgurl,
                $title,
                (int)$this->menu,
                $topic_description,
                $topic_frontpage,
                $topic_rssurl,
                $topic_color,
                $this->topic_id
            );
        }
        if (!$result = $this->db->query($sql)) {
            \trigger_error("Query Failed! SQL: $sql- Error: " . $this->db->error(), E_USER_ERROR);
        } elseif ($insert) {
            $this->topic_id = $this->db->getInsertId();
        }

        if ($this->use_permission) {
            $xt            = new XoopsTree($this->table, 'topic_id', 'topic_pid');
            $parent_topics = $xt->getAllParentId($this->topic_id);
            if (!empty($this->m_groups) && \is_array($this->m_groups)) {
                foreach ($this->m_groups as $m_g) {
                    $moderate_topics = \XoopsPerms::getPermitted($this->mid, 'ModInTopic', $m_g);
                    $add             = true;
                    // only grant this permission when the group has this permission in all parent topics of the created topic
                    foreach ($parent_topics as $p_topic) {
                        if (!\in_array($p_topic, $moderate_topics, true)) {
                            $add = false;
                            continue;
                        }
                    }
                    if ($add) {
                        $xp = new \XoopsPerms();
                        $xp->setModuleId($this->mid);
                        $xp->setName('ModInTopic');
                        $xp->setItemId($this->topic_id);
                        $xp->store();
                        $xp->addGroup($m_g);
                    }
                }
            }
            if (!empty($this->s_groups) && \is_array($this->s_groups)) {
                foreach ($this->s_groups as $s_g) {
                    $submit_topics = \XoopsPerms::getPermitted($this->mid, 'SubmitInTopic', $s_g);
                    $add           = true;
                    foreach ($parent_topics as $p_topic) {
                        if (!\in_array($p_topic, $submit_topics, true)) {
                            $add = false;
                            continue;
                        }
                    }
                    if ($add) {
                        $xp = new \XoopsPerms();
                        $xp->setModuleId($this->mid);
                        $xp->setName('SubmitInTopic');
                        $xp->setItemId($this->topic_id);
                        $xp->store();
                        $xp->addGroup($s_g);
                    }
                }
            }
            if (!empty($this->r_groups) && \is_array($this->r_groups)) {
                foreach ($this->s_groups as $r_g) {
                    $read_topics = \XoopsPerms::getPermitted($this->mid, 'ReadInTopic', $r_g);
                    $add         = true;
                    foreach ($parent_topics as $p_topic) {
                        if (!\in_array($p_topic, $read_topics, true)) {
                            $add = false;
                            continue;
                        }
                    }
                    if ($add) {
                        $xp = new \XoopsPerms();
                        $xp->setModuleId($this->mid);
                        $xp->setName('ReadInTopic');
                        $xp->setItemId($this->topic_id);
                        $xp->store();
                        $xp->addGroup($r_g);
                    }
                }
            }
        }

        return true;
    }

    /**
     * @param $value
     */
    public function setTopicRssUrl($value): void
    {
        $this->topic_rssurl = $value;
    }

    /**
     * @param string $format
     *
     * @return mixed
     */
    public function topic_rssurl($format = 'S')
    {
        $myts = \MyTextSanitizer::getInstance();
        switch ($format) {
            case 'S':
                $topic_rssurl = $myts->displayTarea($this->topic_rssurl);
                break;
            case 'P':
                $topic_rssurl = $myts->previewTarea($this->topic_rssurl);
                break;
            case 'F':
            case 'E':
                $topic_rssurl = \htmlspecialchars($this->topic_rssurl, \ENT_QUOTES | \ENT_HTML5);
                break;
        }

        return $topic_rssurl;

    }

    /**
     * @param string $format
     *
     * @return mixed
     */
    public function topic_color($format = 'S')
    {
        $myts = \MyTextSanitizer::getInstance();
        switch ($format) {
            case 'S':
                $topic_color = $myts->displayTarea($this->topic_color);
                break;
            case 'P':
                $topic_color = $myts->previewTarea($this->topic_color);
                break;
            case 'F':
            case 'E':
                $topic_color = \htmlspecialchars($this->topic_color, \ENT_QUOTES | \ENT_HTML5);
                break;
        }

        return $topic_color;

    }

    /**
     * @return mixed
     */
    public function menu()
    {
        return $this->menu;
    }

    /**
     * @param string $format
     *
     * @return mixed
     */
    public function topic_description($format = 'S')
    {
        $myts = \MyTextSanitizer::getInstance();
        switch ($format) {
            case 'S':
                $topic_description = $myts->displayTarea($this->topic_description, 1);
                break;
            case 'P':
                $topic_description = $myts->previewTarea($this->topic_description);
                break;
            case 'F':
            case 'E':
                $topic_description = \htmlspecialchars($this->topic_description, \ENT_QUOTES | \ENT_HTML5);
                break;
        }

        return $topic_description;

    }

    /**
     * @param string $format
     *
     * @return mixed
     */
    public function topic_imgurl($format = 'S')
    {
        if ('' === \trim($this->topic_imgurl)) {
            $this->topic_imgurl = 'blank.png';
        }
        $myts = \MyTextSanitizer::getInstance();
        switch ($format) {
            case 'S':
                $imgurl = \htmlspecialchars($this->topic_imgurl, \ENT_QUOTES | \ENT_HTML5);
                break;
            case 'E':
                $imgurl = \htmlspecialchars($this->topic_imgurl, \ENT_QUOTES | \ENT_HTML5);
                break;
            case 'P':
                $imgurl = \htmlspecialchars($this->topic_imgurl, \ENT_QUOTES | \ENT_HTML5);
                break;
            case 'F':
                $imgurl = \htmlspecialchars($this->topic_imgurl, \ENT_QUOTES | \ENT_HTML5);
                break;
        }

        return $imgurl;

    }

    /**
     * @param $topic
     * @param $topicstitles
     *
     * @return mixed
     */
    public function getTopicTitleFromId($topic, &$topicstitles)
    {
        $myts = \MyTextSanitizer::getInstance();
        $sql  = 'SELECT topic_id, topic_title, topic_imgurl FROM ' . $this->table . ' WHERE ';
        if (!\is_array($topic)) {
            $sql .= ' topic_id=' . (int)$topic;
        } elseif (\count($topic) > 0) {
            $sql .= ' topic_id IN (' . \implode(',', $topic) . ')';
        } else {
            return null;
        }
        $result = $this->db->query($sql);
        while (false !== ($row = $this->db->fetchArray($result))) {
            $topicstitles[$row['topic_id']] = [
                'title'   => $myts->displayTarea($row['topic_title']),
                'picture' => XOOPS_URL . '/uploads/news/image/' . $row['topic_imgurl'],
            ];
        }

        return $topicstitles;
    }

    /**
     * @param bool $frontpage
     * @param bool $perms
     *
     * @return array|string
     */
    public function getTopicsList($frontpage = false, $perms = false)
    {
        $ret = [];
        $sql = 'SELECT topic_id, topic_pid, topic_title, topic_color FROM ' . $this->table . ' WHERE 1 ';
        if ($frontpage) {
            $sql .= ' AND topic_frontpage=1';
        }
        if ($perms) {
            //            $topicsids = [];
            $topicsids = Utility::getMyItemIds();
            if (0 == \count($topicsids)) {
                return '';
            }
            $topics = \implode(',', $topicsids);
            $sql    .= ' AND topic_id IN (' . $topics . ')';
        }
        $result = $this->db->query($sql);
        if ($result) {
            $myts = \MyTextSanitizer::getInstance();
            while (false !== ($myrow = $this->db->fetchArray($result))) {
                $ret[$myrow['topic_id']] = [
                    'title' => $myts->displayTarea($myrow['topic_title']),
                    'pid'   => $myrow['topic_pid'],
                    'color' => $myrow['topic_color'],
                ];
            }
        }

        return $ret;
    }

    /**
     * @param $value
     */
    public function setTopicDescription($value): void
    {
        $this->topic_description = $value;
    }

    /**
     * @return mixed
     */
    public function topic_frontpage()
    {
        return $this->topic_frontpage;
    }

    /**
     * @param $value
     */
    public function setTopicFrontpage($value): void
    {
        $this->topic_frontpage = (int)$value;
    }
}


1			<?php declare(strict_types=1);
2
3			namespace XoopsModules\News;
4
5			/*
6			* You may not change or alter any portion of this comment or credits
7			* of supporting developers from this source code or any supporting source code
8			* which is considered copyrighted (c) material of the original comment or credit authors.
9			*
10			* This program is distributed in the hope that it will be useful,
11			* but WITHOUT ANY WARRANTY; without even the implied warranty of
12			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
13			*/
14
15			/**
16			* @copyright {@link https://xoops.org/ XOOPS Project}
17			* @license {@link https://www.gnu.org/licenses/gpl-2.0.html GNU GPL 2 or later}
18			* @author XOOPS Development Team
19			*/
20
21			//require_once XOOPS_ROOT_PATH . '/modules/news/class/xoopsstory.php';
22			//require_once XOOPS_ROOT_PATH . '/modules/news/class/xoopstopic.php';
23			//require_once XOOPS_ROOT_PATH . '/modules/news/class/tree.php';
24
25			/**
26			* Class NewsTopic
27			*/
28			class NewsTopic extends XoopsTopic
29			{
30			public $menu;
31			public $topic_description;
32			public $topic_frontpage;
33			public $topic_rssurl;
34			public $topic_color;
35
36			/**
37			* @param int $topicid
38			*/
39			public function __construct($topicid = 0)
40			{
41			/** @var \XoopsMySQLDatabase $db */
42			$this->db = \XoopsDatabaseFactory::getDatabaseConnection();
43			$this->table = $this->db->prefix('news_topics');
44			if (\is_array($topicid)) {
45			$this->makeTopic($topicid);
46			} elseif (0 != $topicid) {
47			$this->getTopic((int)$topicid);
48			} else {
49			$this->topic_id = $topicid;
50			}
51			}
52
53			/**
54			* @param int $none
55			* @param $seltopic
56			* @param string $selname
57			* @param string $onchange
58			* @param bool $checkRight
59			* @param string $perm_type
60			*
61			* @return null\|string
62			*/
63			public function makeMyTopicSelBox(
64			$none = 0,
65			$seltopic = -1,
66			$selname = '',
67			$onchange = '',
68			$checkRight = false,
69			$perm_type = 'news_view'
70			) {
71			$perms = '';
72			if ($checkRight) {
73			global $xoopsUser;
74			/** @var \XoopsModuleHandler $moduleHandler */
75			$moduleHandler = \xoops_getHandler('module');
76			$newsModule = $moduleHandler->getByDirname('news');
77			$groups = \is_object($xoopsUser) ? $xoopsUser->getGroups() : XOOPS_GROUP_ANONYMOUS;
78			$grouppermHandler = \xoops_getHandler('groupperm');
79			$topics = $grouppermHandler->getItemIds($perm_type, $groups, $newsModule->getVar('mid'));
80			if (\count($topics) > 0) {
81			$topics = \implode(',', $topics);
82			$perms = ' AND topic_id IN (' . $topics . ') ';
83			} else {
84			return null;
85			}
86			}
87
88			if (-1 != $seltopic) {
89			return $this->makeMySelBox('topic_title', 'topic_title', $seltopic, $none, $selname, $onchange, $perms);
90			}
91
92			if (!empty($this->topic_id)) {
93			return $this->makeMySelBox('topic_title', 'topic_title', $this->topic_id, $none, $selname, $onchange, $perms);
94			}
95
96			return $this->makeMySelBox('topic_title', 'topic_title', 0, $none, $selname, $onchange, $perms);
97			}
98
99			/**
100			* makes a nicely ordered selection box
101			*
102			* @param $title
103			* @param string $order
104			* @param int $preset_id is used to specify a preselected item
105			* @param int $none set $none to 1 to add an option with value 0
106			*
107			* @param string $sel_name
108			* @param string $onchange
109			* @param $perms
110			*
111			* @return string
112			*/
113			public function makeMySelBox(
114			$title,
115			$order,
116			$preset_id,
117			$none,
118			$sel_name,
119			$onchange,
120			$perms
121			) {
122			$myts = \MyTextSanitizer::getInstance();
123			$outbuffer = '';
124			$outbuffer = "<select name='" . $sel_name . "'";
125			if ('' !== $onchange) {
126			$outbuffer .= " onchange='" . $onchange . "'";
127			}
128			$outbuffer .= ">\n";
129			$sql = 'SELECT topic_id, ' . $title . ' FROM ' . $this->table . ' WHERE (topic_pid=0)' . $perms;
130			if ('' !== $order) {
131			$sql .= " ORDER BY $order";
132			}
133			$result = $this->db->query($sql);
134			if ($none) {
135			$outbuffer .= "<option value='0'>----</option>\n";
136			}
137			while ([$catid, $name] = $this->db->fetchRow($result)) {
138			$sel = '';
139			if ($catid == $preset_id) {
140			$sel = ' selected';
141			}
142			$name = $myts->displayTarea($name);
143			$outbuffer .= "<option value='$catid'$sel>$name</option>\n";
144			$sel = '';
145			$arr = $this->getChildTreeArray($catid, $order, $perms);
146			foreach ($arr as $option) {
147			$option['prefix'] = \str_replace('.', '--', $option['prefix']);
148			$catpath = $option['prefix'] . ' ' . $myts->displayTarea($option[$title]);
149
150			if ($option['topic_id'] == $preset_id) {
151			$sel = ' selected';
152			}
153			$outbuffer .= "<option value='" . $option['topic_id'] . "'$sel>$catpath</option>\n";
154			$sel = '';
155			}
156			}
157			$outbuffer .= "</select>\n";
158
159			return $outbuffer;
160			}
161
162			/**
163			* @param int $sel_id
164			* @param string $order
165			* @param string $perms
166			* @param array $parray
167			* @param string $r_prefix
168			*
169			* @return array
170			*/
171			public function getChildTreeArray($sel_id = 0, $order = '', $perms = '', $parray = [], $r_prefix = '')
172			{
173			$sql = 'SELECT * FROM ' . $this->table . ' WHERE (topic_pid=' . $sel_id . ')' . $perms;
174			if ('' !== $order) {
175			$sql .= " ORDER BY $order";
176			}
177			$result = $this->db->query($sql);
178			$count = $this->db->getRowsNum($result);
179			if (0 == $count) {
180			return $parray;
181			}
182			while (false !== ($row = $this->db->fetchArray($result))) {
183			$row['prefix'] = $r_prefix . '.';
184			$parray[] = $row;
185			$parray = $this->getChildTreeArray($row['topic_id'], $order, $perms, $parray, $row['prefix']);
186			}
187
188			return $parray;
189			}
190
191			/**
192			* @param $var
193			*
194			* @return mixed
195			*/
196			public function getVar($var)
197			{
198			if (\method_exists($this, $var)) {
199			return $this->{$var}();
200			}
201
202			return $this->$var;
203			}
204
205			/**
206			* Get the total number of topics in the base
207			* @param bool $checkRight
208			* @return mixed\|null
209			*/
210			public function getAllTopicsCount($checkRight = true)
211			{
212			$perms = '';
213			if ($checkRight) {
214			global $xoopsUser;
215			/** @var \XoopsModuleHandler $moduleHandler */
216			$moduleHandler = \xoops_getHandler('module');
217			$newsModule = $moduleHandler->getByDirname('news');
218			$groups = \is_object($xoopsUser) ? $xoopsUser->getGroups() : XOOPS_GROUP_ANONYMOUS;
219			$grouppermHandler = \xoops_getHandler('groupperm');
220			$topics = $grouppermHandler->getItemIds('news_submit', $groups, $newsModule->getVar('mid'));
221			if (\count($topics) > 0) {
222			$topics = \implode(',', $topics);
223			$perms = ' WHERE topic_id IN (' . $topics . ') ';
224			} else {
225			return null;
226			}
227			}
228
229			$sql = 'SELECT count(topic_id) AS cpt FROM ' . $this->table . $perms;
230			$array = $this->db->fetchArray($this->db->query($sql));
231
232			return $array['cpt'];
233			}
234
235			/**
236			* @param bool $checkRight
237			* @param string $permission
238			*
239			* @return array
240			*/
241			public function getAllTopics($checkRight = true, $permission = 'news_view')
242			{
243			$topics_arr = [];
244			/** @var \XoopsMySQLDatabase $db */
245			$db = \XoopsDatabaseFactory::getDatabaseConnection();
246			$table = $db->prefix('news_topics');
247			$sql = 'SELECT * FROM ' . $table;
248			if ($checkRight) {
249			$topics = Utility::getMyItemIds($permission);
250			if (0 == \count($topics)) {
251			return [];
252			}
253			$topics = \implode(',', $topics);
254			$sql .= ' WHERE topic_id IN (' . $topics . ')';
255			}
256			$sql .= ' ORDER BY topic_title';
257			$result = $db->query($sql);
258			while (false !== ($array = $db->fetchArray($result))) {
259			$topic = new self();
260			$topic->makeTopic($array);
261			$topics_arr[$array['topic_id']] = $topic;
262			unset($topic);
263			}
264
265			return $topics_arr;
266			}
267
268			/**
269			* Returns the number of published news per topic
270			*/
271			public function getNewsCountByTopic()
272			{
273			$ret = [];
274			$sql = 'SELECT count(storyid) AS cpt, topicid FROM ' . $this->db->prefix('news_stories') . ' WHERE (published > 0 AND published <= ' . \time() . ') AND (expired = 0 OR expired > ' . \time() . ') GROUP BY topicid';
275			$result = $this->db->query($sql);
276			while (false !== ($row = $this->db->fetchArray($result))) {
277			$ret[$row['topicid']] = $row['cpt'];
278			}
279
280			return $ret;
281			}
282
283			/**
284			* Returns some stats about a topic
285			* @param $topicid
286			* @return array
287			*/
288			public function getTopicMiniStats($topicid)
289			{
290			$ret = [];
291			$sql = 'SELECT count(storyid) AS cpt1, sum(counter) AS cpt2 FROM ' . $this->db->prefix('news_stories') . ' WHERE (topicid=' . $topicid . ') AND (published>0 AND published <= ' . \time() . ') AND (expired = 0 OR expired > ' . \time() . ')';
292			$result = $this->db->query($sql);
293			$row = $this->db->fetchArray($result);
294			$ret['count'] = $row['cpt1'];
295			$ret['reads'] = $row['cpt2'];
296
297			return $ret;
298			}
299
300			/**
301			* @param $value
302			*/
303			public function setMenu($value): void
304			{
305			$this->menu = $value;
306			}
307
308			/**
309			* @param $value
310			*/
311			public function setTopic_color($value): void
312			{
313			$this->topic_color = $value;
314			}
315
316			/**
317			* @param $topicid
318			*/
319			public function getTopic($topicid): void
320			{
321			$sql = 'SELECT * FROM ' . $this->table . ' WHERE topic_id=' . $topicid;
322			$array = $this->db->fetchArray($this->db->query($sql));
323			$this->makeTopic($array);
324			}
325
326			/**
327			* @param $array
328			*/
329			public function makeTopic($array): void
330			{
331			if (\is_array($array)) {
332			foreach ($array as $key => $value) {
333			$this->$key = $value;
334			}
335			}
336			}
337
338			/**
339			* @return bool
340			*/
341			public function store()
342			{
343			$myts = \MyTextSanitizer::getInstance();
344			$title = '';
345			$imgurl = '';
346			$topic_description = $myts->censorString($this->topic_description);
347			$topic_description = $GLOBALS['xoopsDB']->escape($topic_description);
348			$topic_rssurl = $GLOBALS['xoopsDB']->escape($this->topic_rssurl);
349			$topic_color = $GLOBALS['xoopsDB']->escape($this->topic_color);
350
351			$dirname = \basename(\dirname(__DIR__));
352
353			if (isset($this->topic_title) && '' !== $this->topic_title) {
354			$title = $GLOBALS['xoopsDB']->escape($this->topic_title);
355			}
356			if (isset($this->topic_imgurl) && '' !== $this->topic_imgurl) {
357			$imgurl = $GLOBALS['xoopsDB']->escape($this->topic_imgurl);
358			}
359			if (!isset($this->topic_pid) \|\| !\is_numeric($this->topic_pid)) {
360			$this->topic_pid = 0;
361			}
362			$topic_frontpage = (int)$this->topic_frontpage;
363			$insert = false;
364			if (empty($this->topic_id)) {
365			$insert = true;
366			$this->topic_id = $this->db->genId($this->table . '_topic_id_seq');
367			$sql = \sprintf(
368			"INSERT INTO `%s` (topic_id, topic_pid, topic_imgurl, topic_title, menu, topic_description, topic_frontpage, topic_rssurl, topic_color) VALUES (%u, %u, '%s', '%s', %u, '%s', %d, '%s', '%s')",
369			$this->table,
370			(int)$this->topic_id,
371			(int)$this->topic_pid,
372			$imgurl,
373			$title,
374			(int)$this->menu,
375			$topic_description,
376			$topic_frontpage,
377			$topic_rssurl,
378			$topic_color
379			);
380			} else {
381			$sql = \sprintf(
382			"UPDATE `%s` SET topic_pid = %u, topic_imgurl = '%s', topic_title = '%s', menu=%d, topic_description='%s', topic_frontpage=%d, topic_rssurl='%s', topic_color='%s' WHERE topic_id = %u",
383			$this->table,
384			(int)$this->topic_pid,
385			$imgurl,
386			$title,
387			(int)$this->menu,
388			$topic_description,
389			$topic_frontpage,
390			$topic_rssurl,
391			$topic_color,
392			$this->topic_id
393			);
394			}
395			if (!$result = $this->db->query($sql)) {
396			\trigger_error("Query Failed! SQL: $sql- Error: " . $this->db->error(), E_USER_ERROR);
397			} elseif ($insert) {
398			$this->topic_id = $this->db->getInsertId();
399			}
400
401			if ($this->use_permission) {
402			$xt = new XoopsTree($this->table, 'topic_id', 'topic_pid');
403			$parent_topics = $xt->getAllParentId($this->topic_id);
404			if (!empty($this->m_groups) && \is_array($this->m_groups)) {
405			foreach ($this->m_groups as $m_g) {
406			$moderate_topics = \XoopsPerms::getPermitted($this->mid, 'ModInTopic', $m_g);
407			$add = true;
408			// only grant this permission when the group has this permission in all parent topics of the created topic
409			foreach ($parent_topics as $p_topic) {
410			if (!\in_array($p_topic, $moderate_topics, true)) {
411			$add = false;
412			continue;
413			}
414			}
415			if ($add) {
416			$xp = new \XoopsPerms();
417			$xp->setModuleId($this->mid);
418			$xp->setName('ModInTopic');
419			$xp->setItemId($this->topic_id);
420			$xp->store();
421			$xp->addGroup($m_g);
422			}
423			}
424			}
425			if (!empty($this->s_groups) && \is_array($this->s_groups)) {
426			foreach ($this->s_groups as $s_g) {
427			$submit_topics = \XoopsPerms::getPermitted($this->mid, 'SubmitInTopic', $s_g);
428			$add = true;
429			foreach ($parent_topics as $p_topic) {
430			if (!\in_array($p_topic, $submit_topics, true)) {
431			$add = false;
432			continue;
433			}
434			}
435			if ($add) {
436			$xp = new \XoopsPerms();
437			$xp->setModuleId($this->mid);
438			$xp->setName('SubmitInTopic');
439			$xp->setItemId($this->topic_id);
440			$xp->store();
441			$xp->addGroup($s_g);
442			}
443			}
444			}
445			if (!empty($this->r_groups) && \is_array($this->r_groups)) {
446			foreach ($this->s_groups as $r_g) {
447			$read_topics = \XoopsPerms::getPermitted($this->mid, 'ReadInTopic', $r_g);
448			$add = true;
449			foreach ($parent_topics as $p_topic) {
450			if (!\in_array($p_topic, $read_topics, true)) {
451			$add = false;
452			continue;
453			}
454			}
455			if ($add) {
456			$xp = new \XoopsPerms();
457			$xp->setModuleId($this->mid);
458			$xp->setName('ReadInTopic');
459			$xp->setItemId($this->topic_id);
460			$xp->store();
461			$xp->addGroup($r_g);
462			}
463			}
464			}
465			}
466
467			return true;
468			}
469
470			/**
471			* @param $value
472			*/
473			public function setTopicRssUrl($value): void
474			{
475			$this->topic_rssurl = $value;
476			}
477
478			/**
479			* @param string $format
480			*
481			* @return mixed
482			*/
483			public function topic_rssurl($format = 'S')
484			{
485			$myts = \MyTextSanitizer::getInstance();
486			switch ($format) {
487			case 'S':
488			$topic_rssurl = $myts->displayTarea($this->topic_rssurl);
489			break;
490			case 'P':
491			$topic_rssurl = $myts->previewTarea($this->topic_rssurl);
492			break;
493			case 'F':
494			case 'E':
495			$topic_rssurl = \htmlspecialchars($this->topic_rssurl, \ENT_QUOTES \| \ENT_HTML5);
496			break;
497			}
498
499			return $topic_rssurl;
			0 ignored issues – show Comprehensibility Best Practice introduced 2020-11-09 07:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$topic_rssurl` does not seem to be defined for all execution paths leading up to this point. Loading history...
500			}
501
502			/**
503			* @param string $format
504			*
505			* @return mixed
506			*/
507			public function topic_color($format = 'S')
508			{
509			$myts = \MyTextSanitizer::getInstance();
510			switch ($format) {
511			case 'S':
512			$topic_color = $myts->displayTarea($this->topic_color);
513			break;
514			case 'P':
515			$topic_color = $myts->previewTarea($this->topic_color);
516			break;
517			case 'F':
518			case 'E':
519			$topic_color = \htmlspecialchars($this->topic_color, \ENT_QUOTES \| \ENT_HTML5);
520			break;
521			}
522
523			return $topic_color;
			0 ignored issues – show Comprehensibility Best Practice introduced 2020-11-09 07:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$topic_color` does not seem to be defined for all execution paths leading up to this point. Loading history...
524			}
525
526			/**
527			* @return mixed
528			*/
529			public function menu()
530			{
531			return $this->menu;
532			}
533
534			/**
535			* @param string $format
536			*
537			* @return mixed
538			*/
539			public function topic_description($format = 'S')
540			{
541			$myts = \MyTextSanitizer::getInstance();
542			switch ($format) {
543			case 'S':
544			$topic_description = $myts->displayTarea($this->topic_description, 1);
545			break;
546			case 'P':
547			$topic_description = $myts->previewTarea($this->topic_description);
548			break;
549			case 'F':
550			case 'E':
551			$topic_description = \htmlspecialchars($this->topic_description, \ENT_QUOTES \| \ENT_HTML5);
552			break;
553			}
554
555			return $topic_description;
			0 ignored issues – show Comprehensibility Best Practice introduced 2020-11-09 07:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$topic_description` does not seem to be defined for all execution paths leading up to this point. Loading history...
556			}
557
558			/**
559			* @param string $format
560			*
561			* @return mixed
562			*/
563			public function topic_imgurl($format = 'S')
564			{
565			if ('' === \trim($this->topic_imgurl)) {
566			$this->topic_imgurl = 'blank.png';
567			}
568			$myts = \MyTextSanitizer::getInstance();
569			switch ($format) {
570			case 'S':
571			$imgurl = \htmlspecialchars($this->topic_imgurl, \ENT_QUOTES \| \ENT_HTML5);
572			break;
573			case 'E':
574			$imgurl = \htmlspecialchars($this->topic_imgurl, \ENT_QUOTES \| \ENT_HTML5);
575			break;
576			case 'P':
577			$imgurl = \htmlspecialchars($this->topic_imgurl, \ENT_QUOTES \| \ENT_HTML5);
578			break;
579			case 'F':
580			$imgurl = \htmlspecialchars($this->topic_imgurl, \ENT_QUOTES \| \ENT_HTML5);
581			break;
582			}
583
584			return $imgurl;
			0 ignored issues – show Comprehensibility Best Practice introduced 2020-11-09 07:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$imgurl` does not seem to be defined for all execution paths leading up to this point. Loading history...
585			}
586
587			/**
588			* @param $topic
589			* @param $topicstitles
590			*
591			* @return mixed
592			*/
593			public function getTopicTitleFromId($topic, &$topicstitles)
594			{
595			$myts = \MyTextSanitizer::getInstance();
596			$sql = 'SELECT topic_id, topic_title, topic_imgurl FROM ' . $this->table . ' WHERE ';
597			if (!\is_array($topic)) {
598			$sql .= ' topic_id=' . (int)$topic;
599			} elseif (\count($topic) > 0) {
600			$sql .= ' topic_id IN (' . \implode(',', $topic) . ')';
601			} else {
602			return null;
603			}
604			$result = $this->db->query($sql);
605			while (false !== ($row = $this->db->fetchArray($result))) {
606			$topicstitles[$row['topic_id']] = [
607			'title' => $myts->displayTarea($row['topic_title']),
608			'picture' => XOOPS_URL . '/uploads/news/image/' . $row['topic_imgurl'],
609			];
610			}
611
612			return $topicstitles;
613			}
614
615			/**
616			* @param bool $frontpage
617			* @param bool $perms
618			*
619			* @return array\|string
620			*/
621			public function getTopicsList($frontpage = false, $perms = false)
622			{
623			$ret = [];
624			$sql = 'SELECT topic_id, topic_pid, topic_title, topic_color FROM ' . $this->table . ' WHERE 1 ';
625			if ($frontpage) {
626			$sql .= ' AND topic_frontpage=1';
627			}
628			if ($perms) {
629			// $topicsids = [];
630			$topicsids = Utility::getMyItemIds();
631			if (0 == \count($topicsids)) {
632			return '';
633			}
634			$topics = \implode(',', $topicsids);
635			$sql .= ' AND topic_id IN (' . $topics . ')';
636			}
637			$result = $this->db->query($sql);
638			if ($result) {
639			$myts = \MyTextSanitizer::getInstance();
640			while (false !== ($myrow = $this->db->fetchArray($result))) {
641			$ret[$myrow['topic_id']] = [
642			'title' => $myts->displayTarea($myrow['topic_title']),
643			'pid' => $myrow['topic_pid'],
644			'color' => $myrow['topic_color'],
645			];
646			}
647			}
648
649			return $ret;
650			}
651
652			/**
653			* @param $value
654			*/
655			public function setTopicDescription($value): void
656			{
657			$this->topic_description = $value;
658			}
659
660			/**
661			* @return mixed
662			*/
663			public function topic_frontpage()
664			{
665			return $this->topic_frontpage;
666			}
667
668			/**
669			* @param $value
670			*/
671			public function setTopicFrontpage($value): void
672			{
673			$this->topic_frontpage = (int)$value;
674			}
675			}
676

XoopsModules25x / news

Issues (384)

Security Analysis not enabled

class/NewsTopic.php (4 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like