Issues (4069)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

modules/Calendar/Calendar.php (1 issue)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
/*********************************************************************************
 * SugarCRM Community Edition is a customer relationship management program developed by
 * SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
 *
 * SuiteCRM is an extension to SugarCRM Community Edition developed by Salesagility Ltd.
 * Copyright (C) 2011 - 2014 Salesagility Ltd.
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Affero General Public License version 3 as published by the
 * Free Software Foundation with the addition of the following permission added
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
 * details.
 *
 * You should have received a copy of the GNU Affero General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 *
 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
 * SW2-130, Cupertino, CA 95014, USA. or at email address [email protected].
 *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License version 3.
 *
 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
 * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
 * reasonably feasible for technical reasons, the Appropriate Legal Notices must
 * display the words "Powered by SugarCRM" and "Supercharged by SuiteCRM".
 ********************************************************************************/

require_once('include/utils/activity_utils.php');
require_once('modules/Calendar/CalendarUtils.php');
require_once('modules/Calendar/CalendarActivity.php');

class Calendar {

	public $view = 'week'; // current view
	public $style; // calendar style (basic or advanced)
	public $dashlet = false; // true if displayed in a dashlet
	public $date_time; // current date

	public $show_tasks = true;
	public $show_calls = true;
	public $show_completed = true;
	public $enable_repeat = true;

	public $time_step = 60; // time step of each slot in minutes

	public $acts_arr = array(); // array of activity objects, keyed by user id
	public $items = array(); // array of activity data to be displayed
	public $shared_ids = array(); // ids of users for shared view

	public $cells_per_day; // number of slots in an entire 24h day
	public $grid_start_ts; // start timestamp of calendar grid

	public $day_start_time; // working day start time in format '11:00'
	public $day_end_time; // working day end time in format '11:00'
	public $scroll_slot; // first slot of working day
	public $celcount; // count of slots in a working day

	/**
	 * @var bool $print Whether print mode is active.
	 */
	private $print = false;

	/**
	 * constructor
	 * @param string $view
	 * @param array $time_arr
	 */
	function __construct($view = "day", $time_arr = array()){
		global $current_user, $timedate, $current_language;

		$this->view = $view;

		// only a fixed set of view names is accepted; anything else falls back to 'week'
		if(!in_array($this->view,array('day','week','month','year','shared','mobile')))
			$this->view = 'week';

		$date_arr = array();
		if(!empty($_REQUEST['day']))
			$_REQUEST['day'] = intval($_REQUEST['day']);
		if(!empty($_REQUEST['month']))
			$_REQUEST['month'] = intval($_REQUEST['month']);

		if (!empty($_REQUEST['day']))
			$date_arr['day'] = $_REQUEST['day'];
		if (!empty($_REQUEST['month']))
			$date_arr['month'] = $_REQUEST['month'];
		if (!empty($_REQUEST['week']))
			$date_arr['week'] = $_REQUEST['week'];
		if (!empty($_REQUEST['mobile']))
			$date_arr['mobile'] = $_REQUEST['mobile'];

		if (!empty($_REQUEST['year'])){
			// cast to int like day/month above so the range check compares numbers, not strings
			$_REQUEST['year'] = intval($_REQUEST['year']);
			if ($_REQUEST['year'] > 2037 || $_REQUEST['year'] < 1970){
				$calendarStrings = return_module_language($current_language, 'Calendar');
				print($calendarStrings['ERR_YEAR_BETWEEN']);
				exit;
			}
			$date_arr['year'] = $_REQUEST['year'];
		}

		if(empty($_REQUEST['day']))
			$_REQUEST['day'] = "";
		if(empty($_REQUEST['week']))
			$_REQUEST['week'] = "";
		if(empty($_REQUEST['month']))
			$_REQUEST['month'] = "";
		if(empty($_REQUEST['year']))
			$_REQUEST['year'] = "";
		if(empty($_REQUEST['mobile']))
			$_REQUEST['mobile'] = "";

		// if date is not set in request use current date
		if(empty($date_arr) || !isset($date_arr['year']) || !isset($date_arr['month']) || !isset($date_arr['day'])){
			$today = $timedate->getNow(true);
			$date_arr = array(
				'year' => $today->year,
				'month' => $today->month,
				'day' => $today->day,
				'mobile' => $today->day,
			);
		}

		$current_date_db = $date_arr['year']."-".str_pad($date_arr['month'],2,"0",STR_PAD_LEFT)."-".str_pad($date_arr['day'],2,"0",STR_PAD_LEFT);
		$this->date_time = $GLOBALS['timedate']->fromString($current_date_db);

		$this->show_tasks = $current_user->getPreference('show_tasks');
		if(is_null($this->show_tasks))
			$this->show_tasks = SugarConfig::getInstance()->get('calendar.show_tasks_by_default',true);

		$this->show_calls = $current_user->getPreference('show_calls');
		if(is_null($this->show_calls))
			$this->show_calls = SugarConfig::getInstance()->get('calendar.show_calls_by_default',true);

		// Show completed Meetings, Calls, Tasks
		$this->show_completed = $current_user->getPreference('show_completed');
		if(is_null($this->show_completed))
		{
			$this->show_completed = SugarConfig::getInstance()->get('calendar.show_completed_by_default', true);
		}

		$this->enable_repeat = SugarConfig::getInstance()->get('calendar.enable_repeat',true);

		if(in_array($this->view,array('month','year'))){
			$this->style = "basic";
		}else{
			$displayTimeslots = $GLOBALS['current_user']->getPreference('calendar_display_timeslots');
			if (is_null($displayTimeslots)) {
				$displayTimeslots = SugarConfig::getInstance()->get('calendar.display_timeslots', true);
			}
			if ($displayTimeslots) {
				$this->style = "advanced";
			} else {
				$this->style = "basic";
			}
		}

		$this->day_start_time = $current_user->getPreference('day_start_time');
		if(is_null($this->day_start_time))
			$this->day_start_time = SugarConfig::getInstance()->get('calendar.default_day_start',"08:00");
		$this->day_end_time = $current_user->getPreference('day_end_time');
		if(is_null($this->day_end_time))
			$this->day_end_time = SugarConfig::getInstance()->get('calendar.default_day_end',"19:00");

		if($this->view == "day"){
			$this->time_step = SugarConfig::getInstance()->get('calendar.day_timestep',15);
		}else if($this->view == "week" || $this->view == "shared"){
			$this->time_step = SugarConfig::getInstance()->get('calendar.week_timestep',30);
		}else if($this->view == "month"){
			$this->time_step = SugarConfig::getInstance()->get('calendar.month_timestep',60);
		}else{
			$this->time_step = 60;
		}
		$this->cells_per_day = 24 * (60 / $this->time_step);
		$this->calculate_grid_start_ts();
		$this->calculate_day_range();
	}

	/**
	 * Load activities data to array
	 */
	public function load_activities(){
		$field_list = CalendarUtils::get_fields();

		foreach($this->acts_arr as $user_id => $acts){
			foreach($acts as $act){

				$item = array();
				$item['user_id'] = $user_id;
				$item['module_name'] = $act->sugar_bean->module_dir;
				$item['type'] = strtolower($act->sugar_bean->object_name);
				$item['assigned_user_id'] = $act->sugar_bean->assigned_user_id;
				$item['record'] = $act->sugar_bean->id;
				$item['name'] = $act->sugar_bean->name;
				$item['description'] = $act->sugar_bean->description;

				if(isset($act->sugar_bean->duration_hours)){
					$item['duration_hours'] = $act->sugar_bean->duration_hours;
					$item['duration_minutes'] = $act->sugar_bean->duration_minutes;
				}

				// detail/edit flags follow the bean's ACL checks for the current user
				$item['detail'] = 0;
				$item['edit'] = 0;

				if($act->sugar_bean->ACLAccess('DetailView'))
					$item['detail'] = 1;
				if($act->sugar_bean->ACLAccess('Save'))
					$item['edit'] = 1;

				if(empty($act->sugar_bean->id)){
					$item['detail'] = 0;
					$item['edit'] = 0;
				}

				if(!empty($act->sugar_bean->repeat_parent_id))
					$item['repeat_parent_id'] = $act->sugar_bean->repeat_parent_id;

				// extra module fields are only copied when the user may view the record
				if($item['detail'] == 1){
					if(isset($field_list[$item['module_name']])){
						foreach($field_list[$item['module_name']] as $field){
							if(!isset($item[$field]) && isset($act->sugar_bean->$field)){
								$item[$field] = $act->sugar_bean->$field;
								if(empty($item[$field]))
									$item[$field] = "";
							}
						}
					}
				}

				if (!empty($act->sugar_bean->parent_type) && !empty($act->sugar_bean->parent_id)) {
					$focus = BeanFactory::getBean($act->sugar_bean->parent_type, $act->sugar_bean->parent_id);
					// If the bean wasn't loaded, e.g. insufficient permissions
					if (!empty($focus))
					{
						$item['related_to'] = $focus->name;
					}
				}

				if(!isset($item['duration_hours']) || empty($item['duration_hours']))
					$item['duration_hours'] = 0;
				if(!isset($item['duration_minutes']) || empty($item['duration_minutes']))
					$item['duration_minutes'] = 0;

				$item = array_merge($item,CalendarUtils::get_time_data($act->sugar_bean));

				$this->items[] = $item;
			}
		}
	}

	/**
	 * initialize ids of shared users
	 */
	public function init_shared(){
		global $current_user;

		$user_ids = $current_user->getPreference('shared_ids');
		if(!empty($user_ids) && count($user_ids) != 0 && !isset($_REQUEST['shared_ids'])) {
			$this->shared_ids = $user_ids;
		// shared_ids must be an array: count() on a scalar request value is a TypeError on PHP 8
		}else if(isset($_REQUEST['shared_ids']) && is_array($_REQUEST['shared_ids']) && count($_REQUEST['shared_ids']) > 0){
			$this->shared_ids = $_REQUEST['shared_ids'];
			$current_user->setPreference('shared_ids', $_REQUEST['shared_ids']);
		}else{
			$this->shared_ids = array($current_user->id);
		}
	}

	/**
	 * Calculate timestamp the calendar grid should be started from
	 */
	protected function calculate_grid_start_ts(){

		if($this->view == "week" || $this->view == "shared"){
			$week_start = CalendarUtils::get_first_day_of_week($this->date_time);
			$this->grid_start_ts = $week_start->format('U') + $week_start->getOffset();
		}else if($this->view == "month"){
			$month_start = $this->date_time->get_day_by_index_this_month(0);
			$week_start = CalendarUtils::get_first_day_of_week($month_start);
			$this->grid_start_ts = $week_start->format('U') + $week_start->getOffset(); // convert to timestamp, ignore tz
		}else if($this->view == "day"){
			$this->grid_start_ts = $this->date_time->format('U') + $this->date_time->getOffset();
		}
	}

	/**
	 * calculate count of timeslots per visible day, calculates day start and day end in minutes
	 */
	function calculate_day_range(){

		list($hour_start,$minute_start) = explode(":",$this->day_start_time);
		list($hour_end,$minute_end) = explode(":",$this->day_end_time);
		$this->scroll_slot = intval($hour_start * (60 / $this->time_step) + ($minute_start / $this->time_step));
		$this->celcount = (($hour_end * 60 + $minute_end) - ($hour_start * 60 + $minute_start)) / $this->time_step;
	}

	/**
	 * loads array of objects
	 * @param User $user user object
	 * @param string $type
	 */
	public function add_activities($user,$type='sugar'){
		global $timedate;
		$start_date_time = $this->date_time;
		if($this->view == 'week' || $this->view == 'shared' || $this->view == 'mobile'){
			$start_date_time = CalendarUtils::get_first_day_of_week($this->date_time);
			$end_date_time = $start_date_time->get("+7 days");
		}else if($this->view == 'month'){
			$start_date_time = $this->date_time->get_day_by_index_this_month(0);
			$end_date_time = $start_date_time->get("+".$start_date_time->format('t')." days");
			$start_date_time = CalendarUtils::get_first_day_of_week($start_date_time);
			$end_date_time = CalendarUtils::get_first_day_of_week($end_date_time)->get("+7 days");
		}else{
			$end_date_time = $this->date_time->get("+1 day");
		}

		$start_date_time = $start_date_time->get("-5 days"); // 5 days step back to fetch multi-day activities that

		$acts_arr = array();
		if($type == 'vfb')
		{
			$acts_arr = CalendarActivity::get_freebusy_activities($user, $start_date_time, $end_date_time);
		}
		else
		{
			$acts_arr = CalendarActivity::get_activities($user->id, $this->show_tasks, $start_date_time, $end_date_time, $this->view, $this->show_calls, $this->show_completed);
		}

		$this->acts_arr[$user->id] = $acts_arr;
	}

	/**
	 * Get date string of next or previous calendar grid
	 * @param string $direction next or previous
	 * @return string
	 */
	public function get_neighbor_date_str($direction){
		if($direction == "previous")
			$sign = "-";
		else
			$sign = "+";

		if($this->view == 'month'){
			$day = $this->date_time->get_day_by_index_this_month(0)->get($sign."1 month")->get_day_begin(1);
		}else if($this->view == 'week' || $this->view == 'shared'){
			$day = CalendarUtils::get_first_day_of_week($this->date_time);
			$day = $day->get($sign."7 days");
		}else if($this->view == 'day'){
			$day = $this->date_time->get($sign."1 day")->get_day_begin();
		}else if($this->view == 'year'){
			$day = $this->date_time->get($sign."1 year")->get_day_begin();
		}else{
			$calendarStrings = return_module_language($GLOBALS['current_language'], 'Calendar');
			return $calendarStrings['ERR_NEIGHBOR_DATE'];
		}
		return $day->get_date_str();
	}

	public function setPrint($print)
	{
		$this->print = $print;
	}

	public function isPrint()
	{
		return $this->print;
	}

}