Issues in PrivilegeUpdater.php (developer) - Issues in developer - YetiForceCompany/YetiForceCRM - Measure and Improve Code Quality continuously with Scrutinizer

Issues (3882)

Security Analysis 39 potential vulnerabilities

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting (9)

Response Splitting can be used to send arbitrary responses.

File Manipulation (2)

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure (7)

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection (13)

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting (8)

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

app/PrivilegeUpdater.php (7 issues)

Labels

Severity

<?php
/**
 * Global privileges basic class.
 *
 * @package App
 *
 * @copyright YetiForce S.A.
 * @license YetiForce Public License 6.5 (licenses/LicenseEN.txt or yetiforce.com)
 * @author Mariusz Krzaczkowski <[email protected]>
 * @author Radosław Skrzypczak <[email protected]>
 */

namespace App;

class PrivilegeUpdater
{
	private static $globalSearchPermissionsCache = [];

	/**
	 * Checking if user can search globally.
	 *
	 * @param string $moduleName
	 * @param int    $userId
	 *
	 * @return bool
	 */
	public static function checkGlobalSearchPermissions($moduleName, $userId = false)
	{
		if (!$userId) {
0   == false // true
0   == null  // true
123 == false // false
123 == null  // false

// It is often better to use strict comparison
0 === false // false
0 === null  // false
			$userId = User::getCurrentUserId();
		}
		if (!isset(static::$globalSearchPermissionsCache[$userId][$moduleName])) {

			$users = static::getGlobalSearchUsers();
			$return = false;
			if (isset($users[$userId]) && \in_array($moduleName, $users[$userId])) {
				$return = true;
			}

			return static::$globalSearchPermissionsCache[$userId][$moduleName] = $return;
		}
		return static::$globalSearchPermissionsCache[$userId][$moduleName];
	}

	private static $globalSearchUsersCache = false;

	/**
	 * Loading a list of modules for users with permissions for global search.
	 *
	 * @return array
	 */
	public static function getGlobalSearchUsers()
	{
		if (!static::$globalSearchUsersCache) {

			static::$globalSearchUsersCache = [];
			$dataReader = (new Db\Query())->select(['userid', 'searchunpriv'])->from('vtiger_user2role')
				->leftJoin('vtiger_role', 'vtiger_user2role.roleid = vtiger_role.roleid')
				->where(['<>', 'vtiger_role.searchunpriv', ''])
				->createCommand()->query();
			while ($row = $dataReader->read()) {
				static::$globalSearchUsersCache[$row['userid']] = explode(',', $row['searchunpriv']);
			}
		}
		return static::$globalSearchUsersCache;

	}

	/**
	 * Updating permissions to records and global search.
	 *
	 * @param int    $record
	 * @param string $moduleName
	 */
	public static function update($record, $moduleName)
	{
		$searchUsers = $recordAccessUsers = '';
		$users = Fields\Owner::getUsersIds();
		$searchable = isset(\App\RecordSearch::getSearchableModules()[$moduleName]);
		foreach ($users as &$userId) {
			if (Privilege::isPermitted($moduleName, 'DetailView', $record, $userId)) {
				$recordAccessUsers .= ',' . $userId;
				$searchUsers .= ',' . $userId;
			} elseif ($searchable && static::checkGlobalSearchPermissions($moduleName, $userId)) {
				$searchUsers .= ',' . $userId;
			}
		}
		if (!empty($recordAccessUsers)) {
			$recordAccessUsers .= ',';
		}
		$createCommand = Db::getInstance()->createCommand();
		$createCommand->update('vtiger_crmentity', ['users' => $recordAccessUsers], ['crmid' => $record])->execute();
		if ($searchable) {
			$searchUsers = $searchUsers ? $searchUsers . ',' : $searchUsers;
			$createCommand->update('u_#__crmentity_search_label', ['userid' => $searchUsers], ['crmid' => $record])->execute();
		}
	}

	/**
	 * Updating permissions to global search.
	 *
	 * @param int    $record
	 * @param string $moduleName
	 */
	public static function updateSearch($record, $moduleName)
	{
		$searchUsers = '';
		$users = Fields\Owner::getUsersIds();
		foreach ($users as $userId) {
			if (static::checkGlobalSearchPermissions($moduleName, $userId) || Privilege::isPermitted($moduleName, 'DetailView', $record, $userId)) {
				$searchUsers .= ',' . $userId;
			}
		}
		if (!empty($searchUsers)) {
			$searchUsers .= ',';
		}
		Db::getInstance()->createCommand()
			->update('u_#__crmentity_search_label', ['userid' => $searchUsers], ['crmid' => $record])->execute();
	}

	/**
	 * Updating permissions to records.
	 *
	 * @param int    $record
	 * @param string $moduleName
	 */
	public static function updateRecordAccess($record, $moduleName)
	{
		$recordAccessUsers = '';
		$users = Fields\Owner::getUsersIds();
		foreach ($users as &$userId) {
			if (Privilege::isPermitted($moduleName, 'DetailView', $record, $userId)) {
				$recordAccessUsers .= ',' . $userId;
			}
		}
		if (!empty($recordAccessUsers)) {
			$recordAccessUsers .= ',';
		}
		Db::getInstance()->createCommand()
			->update('vtiger_crmentity', [
				'users' => $recordAccessUsers,
			], 'crmid = ' . $record)
			->execute();
	}

	/**
	 * Add to global permissions update queue.
	 *
	 * @param string $moduleName Module name
	 * @param int    $record     If type = 1 starting number if type = 0 record ID
	 * @param int    $priority
	 * @param int    $type
	 */
	public static function setUpdater($moduleName, $record = false, $priority = false, $type = 1)
	{
		$params = [
			'module' => $moduleName,
			'type' => $type,
		];
		if ($record) {
0   == false // true
0   == null  // true
123 == false // false
123 == null  // false

// It is often better to use strict comparison
0 === false // false
0 === null  // false
			$params['crmid'] = $record;
		}
		if ($priority) {
0   == false // true
0   == null  // true
123 == false // false
123 == null  // false

// It is often better to use strict comparison
0 === false // false
0 === null  // false
			$params['priority'] = $priority;
		}
		$insert = $update = $row = false;

		$query = new Db\Query();
		$row = $query->from('s_#__privileges_updater')->where(['module' => $moduleName, 'type' => 1])->limit(1)->one();
		if ($row) {
			if (false === $record) {
				if (0 != $row['crmid']) {
					$update = true;
					$params['crmid'] = 0;
				}
			} elseif ($record < $row['crmid']) {
				$row = $query->from('s_#__privileges_updater')->where(['module' => $moduleName, 'type' => 0, 'crmid' => $record])->limit(1)->one();
				if (false === $row) {
					$insert = true;
				}
			}
		} elseif (false === $record) {
			$insert = true;
		} else {
			$row = $query->from('s_#__privileges_updater')->where(['module' => $moduleName, 'type' => 0, 'crmid' => $record])->limit(1)->one();
			if (false === $row) {
				$insert = true;
				$params['type'] = 0;
			}
		}
		$db = Db::getInstance('admin');
		if ($insert) {
			$db->createCommand()->insert('s_#__privileges_updater', $params)->execute();
		}
		if ($update) {
			$db->createCommand()->update('s_#__privileges_updater', $params, ['module' => $moduleName, 'type' => $type])->execute();
		}
	}

	/**
	 * Updating permissions to all modules.
	 */
	public static function setAllUpdater()
	{
		Cache::clear();
		$modules = \vtlib\Functions::getAllModules();
		foreach ($modules as $module) {
			static::setUpdater($module['name']);
		}
		PrivilegeAdvanced::reloadCache();
		if (Config::module('ModTracker', 'WATCHDOG')) {
			\Vtiger_Watchdog_Model::reloadCache();
		}
	}

	/**
	 * Update permissions while saving record.
	 *
	 * @param \Vtiger_Record_Model $record
	 */
	public static function updateOnRecordSave(\Vtiger_Record_Model $record)
	{
		if (!Config::security('CACHING_PERMISSION_TO_RECORD')) {
			return false;
		}
		static::setUpdater($record->getModuleName(), $record->getId(), 6, 0);
	}
}


1		<?php
2		/**
3		* Global privileges basic class.
4		*
5		* @package App
6		*
7		* @copyright YetiForce S.A.
8		* @license YetiForce Public License 6.5 (licenses/LicenseEN.txt or yetiforce.com)
9		* @author Mariusz Krzaczkowski <[email protected]>
10		* @author Radosław Skrzypczak <[email protected]>
11		*/
12
13		namespace App;
14
15		class PrivilegeUpdater
16		{
17		private static $globalSearchPermissionsCache = [];
18
19		/**
20		* Checking if user can search globally.
21		*
22		* @param string $moduleName
23		* @param int $userId
24	1	*
25		* @return bool
26	1	*/
27		public static function checkGlobalSearchPermissions($moduleName, $userId = false)
28		{
29	1	if (!$userId) {
		0 ignored issues – show Bug Best Practice introduced 2021-04-24 21:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$userId` of type `false\|integer` is loosely compared to `false`; this is ambiguous if the integer can be 0. You might want to explicitly use `=== false` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `integer` values, zero is a special case, in particular the following results might be unexpected: 0 == false // true 0 == null // true 123 == false // false 123 == null // false // It is often better to use strict comparison 0 === false // false 0 === null // false Loading history...
30	1	$userId = User::getCurrentUserId();
31	1	}
32	1	if (!isset(static::$globalSearchPermissionsCache[$userId][$moduleName])) {
		0 ignored issues – show Bug introduced 2021-04-24 21:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this Since `$globalSearchPermissionsCache` is declared private, accessing it with `static` will lead to errors in possible sub-classes; you can either use `self`, or increase the visibility of `$globalSearchPermissionsCache` to at least protected. Loading history...
33		$users = static::getGlobalSearchUsers();
34		$return = false;
35		if (isset($users[$userId]) && \in_array($moduleName, $users[$userId])) {
36	1	$return = true;
37		}
38	1
39		return static::$globalSearchPermissionsCache[$userId][$moduleName] = $return;
40		}
41		return static::$globalSearchPermissionsCache[$userId][$moduleName];
42		}
43
44		private static $globalSearchUsersCache = false;
45
46		/**
47		* Loading a list of modules for users with permissions for global search.
48	1	*
49		* @return array
50	1	*/
51	1	public static function getGlobalSearchUsers()
52	1	{
53	1	if (!static::$globalSearchUsersCache) {
		0 ignored issues – show Bug introduced 2021-04-24 21:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this Since `$globalSearchUsersCache` is declared private, accessing it with `static` will lead to errors in possible sub-classes; you can either use `self`, or increase the visibility of `$globalSearchUsersCache` to at least protected. Loading history...
54	1	static::$globalSearchUsersCache = [];
55	1	$dataReader = (new Db\Query())->select(['userid', 'searchunpriv'])->from('vtiger_user2role')
56	1	->leftJoin('vtiger_role', 'vtiger_user2role.roleid = vtiger_role.roleid')
57		->where(['<>', 'vtiger_role.searchunpriv', ''])
58		->createCommand()->query();
59		while ($row = $dataReader->read()) {
60	1	static::$globalSearchUsersCache[$row['userid']] = explode(',', $row['searchunpriv']);
61		}
62		}
63		return static::$globalSearchUsersCache;
		0 ignored issues – show Bug Best Practice introduced 2021-04-24 21:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return static::globalSearchUsersCache` also could return the type `true` which is incompatible with the documented return type `array`. Loading history...
64		}
65
66		/**
67		* Updating permissions to records and global search.
68		*
69	1	* @param int $record
70		* @param string $moduleName
71	1	*/
72	1	public static function update($record, $moduleName)
73	1	{
74	1	$searchUsers = $recordAccessUsers = '';
75	1	$users = Fields\Owner::getUsersIds();
76	1	$searchable = isset(\App\RecordSearch::getSearchableModules()[$moduleName]);
77	1	foreach ($users as &$userId) {
78		if (Privilege::isPermitted($moduleName, 'DetailView', $record, $userId)) {
79		$recordAccessUsers .= ',' . $userId;
80		$searchUsers .= ',' . $userId;
81	1	} elseif ($searchable && static::checkGlobalSearchPermissions($moduleName, $userId)) {
82	1	$searchUsers .= ',' . $userId;
83		}
84	1	}
85	1	if (!empty($recordAccessUsers)) {
86		$recordAccessUsers .= ',';
87	1	}
88	1	$createCommand = Db::getInstance()->createCommand();
89	1	$createCommand->update('vtiger_crmentity', ['users' => $recordAccessUsers], ['crmid' => $record])->execute();
90	1	if ($searchable) {
91	1	$searchUsers = $searchUsers ? $searchUsers . ',' : $searchUsers;
92	1	$createCommand->update('u_#__crmentity_search_label', ['userid' => $searchUsers], ['crmid' => $record])->execute();
93	1	}
94	1	}
95	1
96	1	/**
97	1	* Updating permissions to global search.
98	1	*
99		* @param int $record
100		* @param string $moduleName
101		*/
102		public static function updateSearch($record, $moduleName)
103		{
104		$searchUsers = '';
105		$users = Fields\Owner::getUsersIds();
106	1	foreach ($users as $userId) {
107		if (static::checkGlobalSearchPermissions($moduleName, $userId) \|\| Privilege::isPermitted($moduleName, 'DetailView', $record, $userId)) {
108	1	$searchUsers .= ',' . $userId;
109	1	}
110	1	}
111	1	if (!empty($searchUsers)) {
112	1	$searchUsers .= ',';
113		}
114		Db::getInstance()->createCommand()
115	1	->update('u_#__crmentity_search_label', ['userid' => $searchUsers], ['crmid' => $record])->execute();
116	1	}
117
118	1	/**
119	1	* Updating permissions to records.
120	1	*
121	1	* @param int $record
122	1	* @param string $moduleName
123	1	*/
124		public static function updateRecordAccess($record, $moduleName)
125		{
126		$recordAccessUsers = '';
127		$users = Fields\Owner::getUsersIds();
128		foreach ($users as &$userId) {
129		if (Privilege::isPermitted($moduleName, 'DetailView', $record, $userId)) {
130		$recordAccessUsers .= ',' . $userId;
131		}
132		}
133		if (!empty($recordAccessUsers)) {
134		$recordAccessUsers .= ',';
135		}
136		Db::getInstance()->createCommand()
137		->update('vtiger_crmentity', [
138		'users' => $recordAccessUsers,
139		], 'crmid = ' . $record)
140		->execute();
141		}
142
143		/**
144		* Add to global permissions update queue.
145		*
146		* @param string $moduleName Module name
147		* @param int $record If type = 1 starting number if type = 0 record ID
148		* @param int $priority
149		* @param int $type
150		*/
151		public static function setUpdater($moduleName, $record = false, $priority = false, $type = 1)
152		{
153		$params = [
154		'module' => $moduleName,
155		'type' => $type,
156		];
157		if ($record) {
		0 ignored issues – show Bug Best Practice introduced 2021-04-24 21:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$record` of type `false\|integer` is loosely compared to `true`; this is ambiguous if the integer can be 0. You might want to explicitly use `!== false` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `integer` values, zero is a special case, in particular the following results might be unexpected: 0 == false // true 0 == null // true 123 == false // false 123 == null // false // It is often better to use strict comparison 0 === false // false 0 === null // false Loading history...
158	14	$params['crmid'] = $record;
159		}
160		if ($priority) {
		0 ignored issues – show Bug Best Practice introduced 2021-04-24 21:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$priority` of type `false\|integer` is loosely compared to `true`; this is ambiguous if the integer can be 0. You might want to explicitly use `!== false` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `integer` values, zero is a special case, in particular the following results might be unexpected: 0 == false // true 0 == null // true 123 == false // false 123 == null // false // It is often better to use strict comparison 0 === false // false 0 === null // false Loading history...
161	14	$params['priority'] = $priority;
162	14	}
163		$insert = $update = $row = false;
		0 ignored issues – show Unused Code introduced 2021-04-24 21:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this The assignment to `$row` is dead and can be removed. Loading history...
164	14	$query = new Db\Query();
165		$row = $query->from('s_#__privileges_updater')->where(['module' => $moduleName, 'type' => 1])->limit(1)->one();
166		if ($row) {
167	14	if (false === $record) {
168		if (0 != $row['crmid']) {
169		$update = true;
170	14	$params['crmid'] = 0;
171	14	}
172	14	} elseif ($record < $row['crmid']) {
173	14	$row = $query->from('s_#__privileges_updater')->where(['module' => $moduleName, 'type' => 0, 'crmid' => $record])->limit(1)->one();
174	13	if (false === $row) {
175	13	$insert = true;
176		}
177		}
178		} elseif (false === $record) {
179		$insert = true;
180		} else {
181		$row = $query->from('s_#__privileges_updater')->where(['module' => $moduleName, 'type' => 0, 'crmid' => $record])->limit(1)->one();
182		if (false === $row) {
183		$insert = true;
184		$params['type'] = 0;
185	2	}
186	2	}
187		$db = Db::getInstance('admin');
188		if ($insert) {
189		$db->createCommand()->insert('s_#__privileges_updater', $params)->execute();
190		}
191		if ($update) {
192		$db->createCommand()->update('s_#__privileges_updater', $params, ['module' => $moduleName, 'type' => $type])->execute();
193		}
194	14	}
195	14
196	2	/**
197		* Updating permissions to all modules.
198	14	*/
199		public static function setAllUpdater()
200		{
201	14	Cache::clear();
202		$modules = \vtlib\Functions::getAllModules();
203		foreach ($modules as $module) {
204		static::setUpdater($module['name']);
205		}
206	9	PrivilegeAdvanced::reloadCache();
207		if (Config::module('ModTracker', 'WATCHDOG')) {
208	9	\Vtiger_Watchdog_Model::reloadCache();
209	9	}
210	9	}
211
212	9	/**
213	9	* Update permissions while saving record.
214	9	*
215		* @param \Vtiger_Record_Model $record
216	9	*/
217	9	public static function updateOnRecordSave(\Vtiger_Record_Model $record)
218		{
219		if (!Config::security('CACHING_PERMISSION_TO_RECORD')) {
220		return false;
221		}
222		static::setUpdater($record->getModuleName(), $record->getId(), 6, 0);
223		}
224		}
225

YetiForceCompany / YetiForceCRM

Issues (3882)

Security Analysis 39 potential vulnerabilities

app/PrivilegeUpdater.php (7 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like