Issues in anon_addTicket.php (master) - Issues in master - XoopsModules25x/xhelp - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1844)

Security Analysis not enabled

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

anon_addTicket.php (2 issues)

Severity

<?php declare(strict_types=1);

/*
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */

/**
 * @copyright    {@link https://xoops.org/ XOOPS Project}
 * @license      {@link https://www.gnu.org/licenses/gpl-2.0.html GNU GPL 2 or later}
 * @author       Brian Wahoff <[email protected]>
 * @author       Eric Juden <[email protected]>
 * @author       XOOPS Development Team
 */

use Xmf\Request;
use XoopsModules\Xhelp;
use XoopsModules\Xhelp\Validation;

require_once __DIR__ . '/header.php';
//require_once XHELP_INCLUDE_PATH . '/events.php';

global $xoopsModule, $xhelp_module_header;

$helper       = Xhelp\Helper::getInstance();
$eventService = Xhelp\EventService::getInstance();
$session      = Xhelp\Session::getInstance();
$aDept        = [];

xoops_loadLanguage('user');

/** @var \XoopsConfigHandler $configHandler */
$configHandler   = xoops_getHandler('config');
$xoopsConfigUser = [];
$criteria        = new \CriteriaCompo(new \Criteria('conf_name', 'allow_register'), 'OR');
$criteria->add(new \Criteria('conf_name', 'activation_type'), 'OR');
$myConfigs = $configHandler->getConfigs($criteria);

foreach ($myConfigs as $myConf) {
    $xoopsConfigUser[$myConf->getVar('conf_name')] = $myConf->getVar('conf_value');
}

if (0 == $helper->getConfig('xhelp_allowAnonymous')) {
    $helper->redirect('error.php');
}

/** @var \XoopsModules\Xhelp\TicketHandler $ticketHandler */
$ticketHandler = $helper->getHandler('Ticket');
/** @var \XoopsGroupPermHandler $grouppermHandler */
$grouppermHandler = xoops_getHandler('groupperm');
/** @var \XoopsMemberHandler $memberHandler */
$memberHandler = xoops_getHandler('member');
/** @var \XoopsModules\Xhelp\TicketFieldDepartmentHandler $ticketFieldDepartmentHandler */
$ticketFieldDepartmentHandler = $helper->getHandler('TicketFieldDepartment');
$module_id                    = $xoopsModule->getVar('mid');

/** @var \XoopsModules\Xhelp\MimetypeHandler $mimetypeHandler */
$mimetypeHandler   = $helper->getHandler('Mimetype');
$allowed_mimetypes = $mimetypeHandler->getArray();

if (0 == $xoopsConfigUser['allow_register']) {    // Use to doublecheck that anonymous users are allowed to register
    $helper->redirect('error.php');
}

if (!isset($dept_id)) {
    $dept_id = Xhelp\Utility::getMeta('default_department');
}

if (isset($_POST['addTicket'])) {
    // require_once XHELP_CLASS_PATH . '/validator.php';

    $v                  = [];
    $v['subject'][]     = new Validation\ValidateLength(Request::getString('subject', '', 'POST'), 2, 255);
    $v['description'][] = new Validation\ValidateLength(Request::getString('description', '', 'POST'), 2);
    $v['email'][]       = new Validation\ValidateEmail(Request::getString('email', '', 'POST'));

    // Get current dept's custom fields
    $fields  = $ticketFieldDepartmentHandler->fieldsByDepartment((int)$dept_id, true);
    $aFields = [];

    foreach ($fields as $field) {
        $values = $field->getVar('fieldvalues');
        if (XHELP_CONTROL_YESNO == $field->getVar('controltype')) {
            $values = [1 => _YES, 0 => _NO];
        }
        $fieldname = $field->getVar('fieldname');

        if (XHELP_CONTROL_FILE != $field->getVar('controltype')) {
            $checkField = \Xmf\Request::getString($fieldname, '', 'POST');
        } else {
            $checkField = \Xmf\Request::getString($fieldname, '', 'FILES');
        }

        $v[$fieldname][] = new Validation\ValidateRegex($checkField, $field->getVar('validation'), $field->getVar('required'));

        $aFields[$field->getVar('id')] = [
            'name'         => $field->getVar('name'),
            'desc'         => $field->getVar('description'),
            'fieldname'    => $field->getVar('fieldname'),
            'defaultvalue' => $field->getVar('defaultvalue'),
            'controltype'  => $field->getVar('controltype'),
            'required'     => $field->getVar('required'),
            'fieldlength'  => $field->getVar('fieldlength'),
            'maxlength'    => $field->getVar('fieldlength') < 50 ? $field->getVar('fieldlength') : 50,
            'weight'       => $field->getVar('weight'),
            'fieldvalues'  => $values,
            'validation'   => $field->getVar('validation'),
        ];
    }

    $session->set('xhelp_ticket', [
        'uid'         => 0,
        'subject'     => \Xmf\Request::getString('subject', '', 'POST'),
        'description' => htmlspecialchars(\Xmf\Request::getString('description', '', 'POST'), ENT_QUOTES),
        'department'  => $_POST['departments'],
        'priority'    => $_POST['priority'],
    ]);

    $session->set('xhelp_user', [
        'uid'   => 0,
        'email' => \Xmf\Request::getString('email', '', 'POST'),
    ]);

    if ('' != $fields) {

        $session->set('xhelp_custFields', $fields);
    }

    // Perform each validation
    $fields = [];
    $errors = [];
    foreach ($v as $fieldname => $validator) {
        if (Xhelp\Utility::checkRules($validator, $errors)) {
            $fields[$fieldname]['haserrors'] = false;
        } else {
            //Mark field with error
            $fields[$fieldname]['haserrors'] = true;
            $fields[$fieldname]['errors']    = $errors;
        }
    }

    if (!empty($errors)) {
        $session->set('xhelp_validateError', $fields);
        $message = _XHELP_MESSAGE_VALIDATE_ERROR;
        $helper->redirect('anon_addTicket.php');
    }

    //Check email address
    $user_added = false;
    if (!$xoopsUser = Xhelp\Utility::emailIsXoopsUser(\Xmf\Request::getString('email', '', 'POST'))) {      // Email is already used by a member
        switch ($xoopsConfigUser['activation_type']) {
            case 1:
                $level = 1;
                break;
            case 0:
            case 2:
            default:
                $level = 0;
        }

        /** @var \XoopsUser $anon_user */
        $anon_user = Xhelp\Utility::getXoopsAccountFromEmail(\Xmf\Request::getString('email', '', 'POST'), '', $password, $level);
        if ($anon_user) { // If new user created

            /** @var \XoopsMemberHandler $memberHandler */
            $memberHandler = xoops_getHandler('member');
            $xoopsUser     = $memberHandler->loginUser($anon_user->getVar('uname'), $anon_user->getVar('pass'));
            $user_added    = true;
        } else {        // User not created
            $message = _XHELP_MESSAGE_NEW_USER_ERR;
            $helper->redirect('user.php', 3, $message);
        }
    }
    /** @var \XoopsModules\Xhelp\Ticket $ticket */
    $ticket = $ticketHandler->create();
    $ticket->setVar('uid', $xoopsUser->getVar('uid'));
    $ticket->setVar('subject', \Xmf\Request::getString('subject', '', 'POST'));
    $ticket->setVar('description', \Xmf\Request::getString('description', '', 'POST'));
    $ticket->setVar('department', $_POST['departments']);
    $ticket->setVar('priority', $_POST['priority']);
    $ticket->setVar('status', 1);
    $ticket->setVar('posted', time());
    $ticket->setVar('userIP', getenv('REMOTE_ADDR'));
    $ticket->setVar('overdueTime', $ticket->getVar('posted') + ($helper->getConfig('xhelp_overdueTime') * 60 * 60));

    $aUploadFiles = [];
    if ($helper->getConfig('xhelp_allowUpload')) {
        foreach ($_FILES as $key => $aFile) {
            $pos = mb_strpos($key, 'userfile');
            if (false !== $pos
                && is_uploaded_file($aFile['tmp_name'])) {     // In the userfile array and uploaded file?
                $ret = $ticket->checkUpload($key, $allowed_mimetypes, $errors);
                if ($ret) {
                    $aUploadFiles[$key] = $aFile;
                } else {
                    $errorstxt = implode('<br>', $errors);
                    $message   = sprintf(_XHELP_MESSAGE_FILE_ERROR, $errorstxt);
                    $helper->redirect('addTicket.php', 5, $message);
                }
            }
        }
    }

    if ($ticketHandler->insert($ticket)) {
        $ticket->addSubmitter($xoopsUser->getVar('email'), $xoopsUser->getVar('uid'));
        if (count($aUploadFiles) > 0) {   // Has uploaded files?
            foreach ($aUploadFiles as $key => $aFile) {
                $file = $ticket->storeUpload($key, null, $allowed_mimetypes);
                $eventService->trigger('new_file', [&$ticket, &$file]);
            }
        }

        // Add custom field values to db
        /** @var \XoopsModules\Xhelp\TicketValuesHandler $ticketValuesHandler */
        $ticketValuesHandler = $helper->getHandler('TicketValues');
        /** @var \XoopsModules\Xhelp\TicketValues $ticketValues */
        $ticketValues = $ticketValuesHandler->create();

        foreach ($aFields as $field) {
            $fieldname = $field['fieldname'];
            $fieldtype = $field['controltype'];

            if (XHELP_CONTROL_FILE == $fieldtype) {               // If custom field was a file upload
                if ($helper->getConfig('xhelp_allowUpload')) {    // If uploading is allowed
                    if (is_uploaded_file(($_FILES[$fieldname]['tmp_name'])??'')) {
                        if (!$ret = $ticket->checkUpload($fieldname, $allowed_mimetypes, $errors)) {
                            $errorstxt = implode('<br>', $errors);
                            $message   = sprintf(_XHELP_MESSAGE_FILE_ERROR, $errorstxt);
                            $helper->redirect('addTicket.php', 5, $message);
                        }
                        $file = $ticket->storeUpload($fieldname, -1, $allowed_mimetypes);
                        if ($file) {
                            $ticketValues->setVar($fieldname, $file->getVar('id') . '_' . $_FILES[$fieldname]['name']);
                        }
                    }
                }
            } else {
                $fieldvalue = \Xmf\Request::getString($fieldname, '', 'POST');
                $ticketValues->setVar($fieldname, $fieldvalue);
            }
        }
        $ticketValues->setVar('ticketid', $ticket->getVar('id'));

        if (!$ticketValuesHandler->insert($ticketValues)) {
            $message = _XHELP_MESSAGE_NO_CUSTFLD_ADDED;
        }

        $eventService->trigger('new_ticket', [&$ticket]);

        $session->del('xhelp_ticket');
        $session->del('xhelp_ticket');
        $session->del('xhelp_user');
        $session->del('xhelp_validateError');

        $message = _XHELP_MESSAGE_ADDTICKET;
    } else {
        $message = _XHELP_MESSAGE_ADDTICKET_ERROR . $ticket->getHtmlErrors();     // Unsuccessfully added new ticket
    }
    if ($user_added) {
        $eventService->trigger('new_user_by_email', [$password, $xoopsUser]);
    }

    redirect_header(XOOPS_URL . '/user.php', 3, $message);
} else {
    $GLOBALS['xoopsOption']['template_main'] = 'xhelp_anon_addTicket.tpl';             // Always set main template before including the header
    require_once XOOPS_ROOT_PATH . '/header.php';

    /** @var \XoopsModules\Xhelp\DepartmentHandler $departmentHandler */
    $departmentHandler = $helper->getHandler('Department');    // Department handler
    $criteria          = new \Criteria('', '');
    $criteria->setSort('department');
    $departments = $departmentHandler->getObjects($criteria);
    if (0 == count($departments)) {
        $message = _XHELP_MESSAGE_NO_DEPTS;
        $helper->redirect('index.php', 3, $message);
    }

    //XOOPS_GROUP_ANONYMOUS
    foreach ($departments as $dept) {
        $deptid = $dept->getVar('id');
        if ($grouppermHandler->checkRight(_XHELP_GROUP_PERM_DEPT, $deptid, XOOPS_GROUP_ANONYMOUS, $module_id)) {
            $aDept[] = [
                'id'         => $deptid,
                'department' => $dept->getVar('department'),
            ];
        }
    }
    if ($helper->getConfig('xhelp_allowUpload')) {
        // Get available mimetypes for file uploading
        /** @var \XoopsModules\Xhelp\MimetypeHandler $mimetypeHandler */
        $mimetypeHandler = $helper->getHandler('Mimetype');
        $criteria        = new \Criteria('mime_user', '1');
        $mimetypes       = $mimetypeHandler->getObjects($criteria);
        $mimes           = '';
        foreach ($mimetypes as $mime) {
            if ('' === $mimes) {
                $mimes = $mime->getVar('mime_ext');
            } else {
                $mimes .= ', ' . $mime->getVar('mime_ext');
            }
        }
        $xoopsTpl->assign('xhelp_mimetypes', $mimes);
    }

    // Get current dept's custom fields
    $fields = $ticketFieldDepartmentHandler->fieldsByDepartment((int)$dept_id, true);

    if (!$savedFields = $session->get('xhelp_custFields')) {
        $savedFields = [];
    }

    $aFields = [];
    foreach ($fields as $field) {
        $values = $field->getVar('fieldvalues');
        if (XHELP_CONTROL_YESNO == $field->getVar('controltype')) {
            $values = [1 => _YES, 0 => _NO];
        }

        // Check for values already submitted, and fill those values in
        if (array_key_exists($field->getVar('fieldname'), $savedFields)) {
            $defaultValue = $savedFields[$field->getVar('fieldname')];
        } else {
            $defaultValue = $field->getVar('defaultvalue');
        }

        $aFields[$field->getVar('id')] = [
            'name'         => $field->getVar('name'),
            'desc'         => $field->getVar('description'),
            'fieldname'    => $field->getVar('fieldname'),
            'defaultvalue' => $defaultValue,
            'controltype'  => $field->getVar('controltype'),
            'required'     => $field->getVar('required'),
            'fieldlength'  => $field->getVar('fieldlength'),
            'maxlength'    => $field->getVar('fieldlength') < 50 ? $field->getVar('fieldlength') : 50,
            'weight'       => $field->getVar('weight'),
            'fieldvalues'  => $values,
            'validation'   => $field->getVar('validation'),
        ];
    }
    $xoopsTpl->assign('xhelp_custFields', $aFields);
    if (!empty($aFields)) {
        $xoopsTpl->assign('xhelp_hasCustFields', true);
    } else {
        $xoopsTpl->assign('xhelp_hasCustFields', false);
    }

    $javascript = '<script type="text/javascript" src="' . XHELP_BASE_URL . "/include/functions.js\"></script>
<script type=\"text/javascript\" src='" . XHELP_SCRIPT_URL . "/addTicketDeptChange.php?client'></script>
<script type=\"text/javascript\">
<!--
function departments_onchange()
{
    dept = xoopsGetElementById('departments');
    var wl = new Xhelp\WebLib(fieldHandler);
    wl.customFieldsByDept(dept.value);
}

var fieldHandler = {
    customFieldsByDept: function(result){
        var tbl = gE('tblAddTicket');
        var beforeele = gE('addButtons');
        tbody = tbl.tBodies[0];
        xhelpFillCustomFlds(tbody, result, beforeele);
    }
}

function window_onload()
{
    xhelpDOMAddEvent(xoopsGetElementById('departments'), 'change', departments_onchange, true);
}

window.setTimeout('window_onload()', 1500);
//-->
</script>";

    $xoopsTpl->assign('xoops_module_header', $javascript . $xhelp_module_header);
    $xoopsTpl->assign('xhelp_allowUpload', $helper->getConfig('xhelp_allowUpload'));
    $xoopsTpl->assign('xhelp_imagePath', XOOPS_URL . '/modules/xhelp/assets/images/');
    $xoopsTpl->assign('xhelp_departments', $aDept);
    $xoopsTpl->assign('xhelp_current_file', basename(__file__));
    $xoopsTpl->assign('xhelp_priorities', [5, 4, 3, 2, 1]);
    $xoopsTpl->assign('xhelp_priorities_desc', [
        5 => _XHELP_PRIORITY5,
        4 => _XHELP_PRIORITY4,
        3 => _XHELP_PRIORITY3,
        2 => _XHELP_PRIORITY2,
        1 => _XHELP_PRIORITY1,
    ]);
    $xoopsTpl->assign('xhelp_default_priority', XHELP_DEFAULT_PRIORITY);
    $xoopsTpl->assign('xhelp_default_dept', Xhelp\Utility::getMeta('default_department'));
    $xoopsTpl->assign('xhelp_includeURL', XHELP_INCLUDE_URL);
    $xoopsTpl->assign('xhelp_numTicketUploads', $helper->getConfig('xhelp_numTicketUploads'));

    $errors         = [];
    $aElements      = [];
    $validateErrors = $session->get('xhelp_validateError');
    if ($validateErrors) {
        foreach ($validateErrors as $fieldname => $error) {
            if (!empty($error['errors'])) {
                $aElements[] = $fieldname;
                foreach ($error['errors'] as $err) {
                    $errors[$fieldname] = $err;
                }
            }
        }
        $xoopsTpl->assign('xhelp_errors', $errors);
    } else {
        $xoopsTpl->assign('xhelp_errors', null);
    }

    $elements = ['subject', 'description', 'email'];
    foreach ($elements as $element) {         // Foreach element in the predefined list
        $xoopsTpl->assign("xhelp_element_$element", 'formButton');
        foreach ($aElements as $aElement) {   // Foreach that has an error
            if ($aElement == $element) {      // If the names are equal
                $xoopsTpl->assign("xhelp_element_$element", 'validateError');
                break;
            }
        }
    }

    $ticket = $session->get('xhelp_ticket');
    if ($ticket) {
        $xoopsTpl->assign('xhelp_ticket_subject', stripslashes($ticket['subject']));
        $xoopsTpl->assign('xhelp_ticket_description', stripslashes($ticket['description']));
        $xoopsTpl->assign('xhelp_ticket_department', $ticket['department']);
        $xoopsTpl->assign('xhelp_ticket_priority', $ticket['priority']);
    } else {
        $xoopsTpl->assign('xhelp_ticket_uid', null);
        $xoopsTpl->assign('xhelp_ticket_username', null);
        $xoopsTpl->assign('xhelp_ticket_subject', null);
        $xoopsTpl->assign('xhelp_ticket_description', null);
        $xoopsTpl->assign('xhelp_ticket_department', null);
        $xoopsTpl->assign('xhelp_ticket_priority', 4);
    }

    $user = $session->get('xhelp_user');
    if ($user) {
        $xoopsTpl->assign('xhelp_uid', $user['uid']);
        $xoopsTpl->assign('xhelp_email', $user['email']);
    } else {
        $xoopsTpl->assign('xhelp_uid', null);
        $xoopsTpl->assign('xhelp_email', null);
    }
    require_once XOOPS_ROOT_PATH . '/footer.php';
}


1			<?php declare(strict_types=1);
2
3			/*
4			* You may not change or alter any portion of this comment or credits
5			* of supporting developers from this source code or any supporting source code
6			* which is considered copyrighted (c) material of the original comment or credit authors.
7			*
8			* This program is distributed in the hope that it will be useful,
9			* but WITHOUT ANY WARRANTY; without even the implied warranty of
10			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
11			*/
12
13			/**
14			* @copyright {@link https://xoops.org/ XOOPS Project}
15			* @license {@link https://www.gnu.org/licenses/gpl-2.0.html GNU GPL 2 or later}
16			* @author Brian Wahoff <[email protected]>
17			* @author Eric Juden <[email protected]>
18			* @author XOOPS Development Team
19			*/
20
21			use Xmf\Request;
22			use XoopsModules\Xhelp;
23			use XoopsModules\Xhelp\Validation;
24
25			require_once __DIR__ . '/header.php';
26			//require_once XHELP_INCLUDE_PATH . '/events.php';
27
28			global $xoopsModule, $xhelp_module_header;
29
30			$helper = Xhelp\Helper::getInstance();
31			$eventService = Xhelp\EventService::getInstance();
32			$session = Xhelp\Session::getInstance();
33			$aDept = [];
34
35			xoops_loadLanguage('user');
36
37			/** @var \XoopsConfigHandler $configHandler */
38			$configHandler = xoops_getHandler('config');
39			$xoopsConfigUser = [];
40			$criteria = new \CriteriaCompo(new \Criteria('conf_name', 'allow_register'), 'OR');
41			$criteria->add(new \Criteria('conf_name', 'activation_type'), 'OR');
42			$myConfigs = $configHandler->getConfigs($criteria);
43
44			foreach ($myConfigs as $myConf) {
45			$xoopsConfigUser[$myConf->getVar('conf_name')] = $myConf->getVar('conf_value');
46			}
47
48			if (0 == $helper->getConfig('xhelp_allowAnonymous')) {
49			$helper->redirect('error.php');
50			}
51
52			/** @var \XoopsModules\Xhelp\TicketHandler $ticketHandler */
53			$ticketHandler = $helper->getHandler('Ticket');
54			/** @var \XoopsGroupPermHandler $grouppermHandler */
55			$grouppermHandler = xoops_getHandler('groupperm');
56			/** @var \XoopsMemberHandler $memberHandler */
57			$memberHandler = xoops_getHandler('member');
58			/** @var \XoopsModules\Xhelp\TicketFieldDepartmentHandler $ticketFieldDepartmentHandler */
59			$ticketFieldDepartmentHandler = $helper->getHandler('TicketFieldDepartment');
60			$module_id = $xoopsModule->getVar('mid');
61
62			/** @var \XoopsModules\Xhelp\MimetypeHandler $mimetypeHandler */
63			$mimetypeHandler = $helper->getHandler('Mimetype');
64			$allowed_mimetypes = $mimetypeHandler->getArray();
65
66			if (0 == $xoopsConfigUser['allow_register']) { // Use to doublecheck that anonymous users are allowed to register
67			$helper->redirect('error.php');
68			}
69
70			if (!isset($dept_id)) {
71			$dept_id = Xhelp\Utility::getMeta('default_department');
72			}
73
74			if (isset($_POST['addTicket'])) {
75			// require_once XHELP_CLASS_PATH . '/validator.php';
76
77			$v = [];
78			$v['subject'][] = new Validation\ValidateLength(Request::getString('subject', '', 'POST'), 2, 255);
79			$v['description'][] = new Validation\ValidateLength(Request::getString('description', '', 'POST'), 2);
80			$v['email'][] = new Validation\ValidateEmail(Request::getString('email', '', 'POST'));
81
82			// Get current dept's custom fields
83			$fields = $ticketFieldDepartmentHandler->fieldsByDepartment((int)$dept_id, true);
84			$aFields = [];
85
86			foreach ($fields as $field) {
87			$values = $field->getVar('fieldvalues');
88			if (XHELP_CONTROL_YESNO == $field->getVar('controltype')) {
89			$values = [1 => _YES, 0 => _NO];
90			}
91			$fieldname = $field->getVar('fieldname');
92
93			if (XHELP_CONTROL_FILE != $field->getVar('controltype')) {
94			$checkField = \Xmf\Request::getString($fieldname, '', 'POST');
95			} else {
96			$checkField = \Xmf\Request::getString($fieldname, '', 'FILES');
97			}
98
99			$v[$fieldname][] = new Validation\ValidateRegex($checkField, $field->getVar('validation'), $field->getVar('required'));
100
101			$aFields[$field->getVar('id')] = [
102			'name' => $field->getVar('name'),
103			'desc' => $field->getVar('description'),
104			'fieldname' => $field->getVar('fieldname'),
105			'defaultvalue' => $field->getVar('defaultvalue'),
106			'controltype' => $field->getVar('controltype'),
107			'required' => $field->getVar('required'),
108			'fieldlength' => $field->getVar('fieldlength'),
109			'maxlength' => $field->getVar('fieldlength') < 50 ? $field->getVar('fieldlength') : 50,
110			'weight' => $field->getVar('weight'),
111			'fieldvalues' => $values,
112			'validation' => $field->getVar('validation'),
113			];
114			}
115
116			$session->set('xhelp_ticket', [
117			'uid' => 0,
118			'subject' => \Xmf\Request::getString('subject', '', 'POST'),
119			'description' => htmlspecialchars(\Xmf\Request::getString('description', '', 'POST'), ENT_QUOTES),
120			'department' => $_POST['departments'],
121			'priority' => $_POST['priority'],
122			]);
123
124			$session->set('xhelp_user', [
125			'uid' => 0,
126			'email' => \Xmf\Request::getString('email', '', 'POST'),
127			]);
128
129			if ('' != $fields) {
			0 ignored issues – show introduced 2022-01-13 23:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `'' != $fields` is always `true`. Loading history...
130			$session->set('xhelp_custFields', $fields);
131			}
132
133			// Perform each validation
134			$fields = [];
135			$errors = [];
136			foreach ($v as $fieldname => $validator) {
137			if (Xhelp\Utility::checkRules($validator, $errors)) {
138			$fields[$fieldname]['haserrors'] = false;
139			} else {
140			//Mark field with error
141			$fields[$fieldname]['haserrors'] = true;
142			$fields[$fieldname]['errors'] = $errors;
143			}
144			}
145
146			if (!empty($errors)) {
147			$session->set('xhelp_validateError', $fields);
148			$message = _XHELP_MESSAGE_VALIDATE_ERROR;
149			$helper->redirect('anon_addTicket.php');
150			}
151
152			//Check email address
153			$user_added = false;
154			if (!$xoopsUser = Xhelp\Utility::emailIsXoopsUser(\Xmf\Request::getString('email', '', 'POST'))) { // Email is already used by a member
155			switch ($xoopsConfigUser['activation_type']) {
156			case 1:
157			$level = 1;
158			break;
159			case 0:
160			case 2:
161			default:
162			$level = 0;
163			}
164
165			/** @var \XoopsUser $anon_user */
166			$anon_user = Xhelp\Utility::getXoopsAccountFromEmail(\Xmf\Request::getString('email', '', 'POST'), '', $password, $level);
167			if ($anon_user) { // If new user created
			0 ignored issues – show introduced 2022-01-13 23:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$anon_user` is of type `XoopsUser`, thus it always evaluated to `true`. Loading history...
168			/** @var \XoopsMemberHandler $memberHandler */
169			$memberHandler = xoops_getHandler('member');
170			$xoopsUser = $memberHandler->loginUser($anon_user->getVar('uname'), $anon_user->getVar('pass'));
171			$user_added = true;
172			} else { // User not created
173			$message = _XHELP_MESSAGE_NEW_USER_ERR;
174			$helper->redirect('user.php', 3, $message);
175			}
176			}
177			/** @var \XoopsModules\Xhelp\Ticket $ticket */
178			$ticket = $ticketHandler->create();
179			$ticket->setVar('uid', $xoopsUser->getVar('uid'));
180			$ticket->setVar('subject', \Xmf\Request::getString('subject', '', 'POST'));
181			$ticket->setVar('description', \Xmf\Request::getString('description', '', 'POST'));
182			$ticket->setVar('department', $_POST['departments']);
183			$ticket->setVar('priority', $_POST['priority']);
184			$ticket->setVar('status', 1);
185			$ticket->setVar('posted', time());
186			$ticket->setVar('userIP', getenv('REMOTE_ADDR'));
187			$ticket->setVar('overdueTime', $ticket->getVar('posted') + ($helper->getConfig('xhelp_overdueTime') * 60 * 60));
188
189			$aUploadFiles = [];
190			if ($helper->getConfig('xhelp_allowUpload')) {
191			foreach ($_FILES as $key => $aFile) {
192			$pos = mb_strpos($key, 'userfile');
193			if (false !== $pos
194			&& is_uploaded_file($aFile['tmp_name'])) { // In the userfile array and uploaded file?
195			$ret = $ticket->checkUpload($key, $allowed_mimetypes, $errors);
196			if ($ret) {
197			$aUploadFiles[$key] = $aFile;
198			} else {
199			$errorstxt = implode('<br>', $errors);
200			$message = sprintf(_XHELP_MESSAGE_FILE_ERROR, $errorstxt);
201			$helper->redirect('addTicket.php', 5, $message);
202			}
203			}
204			}
205			}
206
207			if ($ticketHandler->insert($ticket)) {
208			$ticket->addSubmitter($xoopsUser->getVar('email'), $xoopsUser->getVar('uid'));
209			if (count($aUploadFiles) > 0) { // Has uploaded files?
210			foreach ($aUploadFiles as $key => $aFile) {
211			$file = $ticket->storeUpload($key, null, $allowed_mimetypes);
212			$eventService->trigger('new_file', [&$ticket, &$file]);
213			}
214			}
215
216			// Add custom field values to db
217			/** @var \XoopsModules\Xhelp\TicketValuesHandler $ticketValuesHandler */
218			$ticketValuesHandler = $helper->getHandler('TicketValues');
219			/** @var \XoopsModules\Xhelp\TicketValues $ticketValues */
220			$ticketValues = $ticketValuesHandler->create();
221
222			foreach ($aFields as $field) {
223			$fieldname = $field['fieldname'];
224			$fieldtype = $field['controltype'];
225
226			if (XHELP_CONTROL_FILE == $fieldtype) { // If custom field was a file upload
227			if ($helper->getConfig('xhelp_allowUpload')) { // If uploading is allowed
228			if (is_uploaded_file(($_FILES[$fieldname]['tmp_name'])??'')) {
229			if (!$ret = $ticket->checkUpload($fieldname, $allowed_mimetypes, $errors)) {
230			$errorstxt = implode('<br>', $errors);
231			$message = sprintf(_XHELP_MESSAGE_FILE_ERROR, $errorstxt);
232			$helper->redirect('addTicket.php', 5, $message);
233			}
234			$file = $ticket->storeUpload($fieldname, -1, $allowed_mimetypes);
235			if ($file) {
236			$ticketValues->setVar($fieldname, $file->getVar('id') . '_' . $_FILES[$fieldname]['name']);
237			}
238			}
239			}
240			} else {
241			$fieldvalue = \Xmf\Request::getString($fieldname, '', 'POST');
242			$ticketValues->setVar($fieldname, $fieldvalue);
243			}
244			}
245			$ticketValues->setVar('ticketid', $ticket->getVar('id'));
246
247			if (!$ticketValuesHandler->insert($ticketValues)) {
248			$message = _XHELP_MESSAGE_NO_CUSTFLD_ADDED;
249			}
250
251			$eventService->trigger('new_ticket', [&$ticket]);
252
253			$session->del('xhelp_ticket');
254			$session->del('xhelp_ticket');
255			$session->del('xhelp_user');
256			$session->del('xhelp_validateError');
257
258			$message = _XHELP_MESSAGE_ADDTICKET;
259			} else {
260			$message = _XHELP_MESSAGE_ADDTICKET_ERROR . $ticket->getHtmlErrors(); // Unsuccessfully added new ticket
261			}
262			if ($user_added) {
263			$eventService->trigger('new_user_by_email', [$password, $xoopsUser]);
264			}
265
266			redirect_header(XOOPS_URL . '/user.php', 3, $message);
267			} else {
268			$GLOBALS['xoopsOption']['template_main'] = 'xhelp_anon_addTicket.tpl'; // Always set main template before including the header
269			require_once XOOPS_ROOT_PATH . '/header.php';
270
271			/** @var \XoopsModules\Xhelp\DepartmentHandler $departmentHandler */
272			$departmentHandler = $helper->getHandler('Department'); // Department handler
273			$criteria = new \Criteria('', '');
274			$criteria->setSort('department');
275			$departments = $departmentHandler->getObjects($criteria);
276			if (0 == count($departments)) {
277			$message = _XHELP_MESSAGE_NO_DEPTS;
278			$helper->redirect('index.php', 3, $message);
279			}
280
281			//XOOPS_GROUP_ANONYMOUS
282			foreach ($departments as $dept) {
283			$deptid = $dept->getVar('id');
284			if ($grouppermHandler->checkRight(_XHELP_GROUP_PERM_DEPT, $deptid, XOOPS_GROUP_ANONYMOUS, $module_id)) {
285			$aDept[] = [
286			'id' => $deptid,
287			'department' => $dept->getVar('department'),
288			];
289			}
290			}
291			if ($helper->getConfig('xhelp_allowUpload')) {
292			// Get available mimetypes for file uploading
293			/** @var \XoopsModules\Xhelp\MimetypeHandler $mimetypeHandler */
294			$mimetypeHandler = $helper->getHandler('Mimetype');
295			$criteria = new \Criteria('mime_user', '1');
296			$mimetypes = $mimetypeHandler->getObjects($criteria);
297			$mimes = '';
298			foreach ($mimetypes as $mime) {
299			if ('' === $mimes) {
300			$mimes = $mime->getVar('mime_ext');
301			} else {
302			$mimes .= ', ' . $mime->getVar('mime_ext');
303			}
304			}
305			$xoopsTpl->assign('xhelp_mimetypes', $mimes);
306			}
307
308			// Get current dept's custom fields
309			$fields = $ticketFieldDepartmentHandler->fieldsByDepartment((int)$dept_id, true);
310
311			if (!$savedFields = $session->get('xhelp_custFields')) {
312			$savedFields = [];
313			}
314
315			$aFields = [];
316			foreach ($fields as $field) {
317			$values = $field->getVar('fieldvalues');
318			if (XHELP_CONTROL_YESNO == $field->getVar('controltype')) {
319			$values = [1 => _YES, 0 => _NO];
320			}
321
322			// Check for values already submitted, and fill those values in
323			if (array_key_exists($field->getVar('fieldname'), $savedFields)) {
324			$defaultValue = $savedFields[$field->getVar('fieldname')];
325			} else {
326			$defaultValue = $field->getVar('defaultvalue');
327			}
328
329			$aFields[$field->getVar('id')] = [
330			'name' => $field->getVar('name'),
331			'desc' => $field->getVar('description'),
332			'fieldname' => $field->getVar('fieldname'),
333			'defaultvalue' => $defaultValue,
334			'controltype' => $field->getVar('controltype'),
335			'required' => $field->getVar('required'),
336			'fieldlength' => $field->getVar('fieldlength'),
337			'maxlength' => $field->getVar('fieldlength') < 50 ? $field->getVar('fieldlength') : 50,
338			'weight' => $field->getVar('weight'),
339			'fieldvalues' => $values,
340			'validation' => $field->getVar('validation'),
341			];
342			}
343			$xoopsTpl->assign('xhelp_custFields', $aFields);
344			if (!empty($aFields)) {
345			$xoopsTpl->assign('xhelp_hasCustFields', true);
346			} else {
347			$xoopsTpl->assign('xhelp_hasCustFields', false);
348			}
349
350			$javascript = '<script type="text/javascript" src="' . XHELP_BASE_URL . "/include/functions.js\"></script>
351			<script type=\"text/javascript\" src='" . XHELP_SCRIPT_URL . "/addTicketDeptChange.php?client'></script>
352			<script type=\"text/javascript\">
353			<!--
354			function departments_onchange()
355			{
356			dept = xoopsGetElementById('departments');
357			var wl = new Xhelp\WebLib(fieldHandler);
358			wl.customFieldsByDept(dept.value);
359			}
360
361			var fieldHandler = {
362			customFieldsByDept: function(result){
363			var tbl = gE('tblAddTicket');
364			var beforeele = gE('addButtons');
365			tbody = tbl.tBodies[0];
366			xhelpFillCustomFlds(tbody, result, beforeele);
367			}
368			}
369
370			function window_onload()
371			{
372			xhelpDOMAddEvent(xoopsGetElementById('departments'), 'change', departments_onchange, true);
373			}
374
375			window.setTimeout('window_onload()', 1500);
376			//-->
377			</script>";
378
379			$xoopsTpl->assign('xoops_module_header', $javascript . $xhelp_module_header);
380			$xoopsTpl->assign('xhelp_allowUpload', $helper->getConfig('xhelp_allowUpload'));
381			$xoopsTpl->assign('xhelp_imagePath', XOOPS_URL . '/modules/xhelp/assets/images/');
382			$xoopsTpl->assign('xhelp_departments', $aDept);
383			$xoopsTpl->assign('xhelp_current_file', basename(__file__));
384			$xoopsTpl->assign('xhelp_priorities', [5, 4, 3, 2, 1]);
385			$xoopsTpl->assign('xhelp_priorities_desc', [
386			5 => _XHELP_PRIORITY5,
387			4 => _XHELP_PRIORITY4,
388			3 => _XHELP_PRIORITY3,
389			2 => _XHELP_PRIORITY2,
390			1 => _XHELP_PRIORITY1,
391			]);
392			$xoopsTpl->assign('xhelp_default_priority', XHELP_DEFAULT_PRIORITY);
393			$xoopsTpl->assign('xhelp_default_dept', Xhelp\Utility::getMeta('default_department'));
394			$xoopsTpl->assign('xhelp_includeURL', XHELP_INCLUDE_URL);
395			$xoopsTpl->assign('xhelp_numTicketUploads', $helper->getConfig('xhelp_numTicketUploads'));
396
397			$errors = [];
398			$aElements = [];
399			$validateErrors = $session->get('xhelp_validateError');
400			if ($validateErrors) {
401			foreach ($validateErrors as $fieldname => $error) {
402			if (!empty($error['errors'])) {
403			$aElements[] = $fieldname;
404			foreach ($error['errors'] as $err) {
405			$errors[$fieldname] = $err;
406			}
407			}
408			}
409			$xoopsTpl->assign('xhelp_errors', $errors);
410			} else {
411			$xoopsTpl->assign('xhelp_errors', null);
412			}
413
414			$elements = ['subject', 'description', 'email'];
415			foreach ($elements as $element) { // Foreach element in the predefined list
416			$xoopsTpl->assign("xhelp_element_$element", 'formButton');
417			foreach ($aElements as $aElement) { // Foreach that has an error
418			if ($aElement == $element) { // If the names are equal
419			$xoopsTpl->assign("xhelp_element_$element", 'validateError');
420			break;
421			}
422			}
423			}
424
425			$ticket = $session->get('xhelp_ticket');
426			if ($ticket) {
427			$xoopsTpl->assign('xhelp_ticket_subject', stripslashes($ticket['subject']));
428			$xoopsTpl->assign('xhelp_ticket_description', stripslashes($ticket['description']));
429			$xoopsTpl->assign('xhelp_ticket_department', $ticket['department']);
430			$xoopsTpl->assign('xhelp_ticket_priority', $ticket['priority']);
431			} else {
432			$xoopsTpl->assign('xhelp_ticket_uid', null);
433			$xoopsTpl->assign('xhelp_ticket_username', null);
434			$xoopsTpl->assign('xhelp_ticket_subject', null);
435			$xoopsTpl->assign('xhelp_ticket_description', null);
436			$xoopsTpl->assign('xhelp_ticket_department', null);
437			$xoopsTpl->assign('xhelp_ticket_priority', 4);
438			}
439
440			$user = $session->get('xhelp_user');
441			if ($user) {
442			$xoopsTpl->assign('xhelp_uid', $user['uid']);
443			$xoopsTpl->assign('xhelp_email', $user['email']);
444			} else {
445			$xoopsTpl->assign('xhelp_uid', null);
446			$xoopsTpl->assign('xhelp_email', null);
447			}
448			require_once XOOPS_ROOT_PATH . '/footer.php';
449			}
450

XoopsModules25x / xhelp

Issues (1844)

Security Analysis not enabled

anon_addTicket.php (2 issues)

Severity

Introduced By

Duplication Side-by-Side

Filter issues like