Issues in TeamController.php (master) - Issues in master - allejo/bzion - Measure and Improve Code Quality continuously with Scrutinizer

Issues (273)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

controllers/TeamController.php (3 issues)

Labels

Duplication 3

Severity

Informational 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

use BZIon\Event as Event;
use BZIon\Event\Events;
use BZIon\Form\Creator\TeamRestorationFormCreator;
use Symfony\Component\Form\FormError;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;

class TeamController extends CRUDController
{
    /**
     * The new leader if we're changing them
     * @var null|Player
     */
    private $newLeader = null;

    public function showAction(Team $team)
    {
        $creationDate = $team->getCreationDate()->setTimezone('UTC')->startOfMonth();

        $matches = Match::getQueryBuilder()
            ->with($team)
            ->getSummary($creationDate);

        $wins = Match::getQueryBuilder()
            ->with($team, "win")
            ->getSummary($creationDate);

        return [
            'matches' => $matches,
            'wins'    => $wins,
            'team'    => $team
        ];
    }

    public function listAction(Request $request)
    {
        $teamQB = Team::getQueryBuilder()
            ->active()
            ->sortBy('elo')->reverse()
        ;

        // Cache team captains so we don't fetch each manually
        $captains = $teamQB->getArray('leader');
        $captIDs = array_column($captains, 'leader');
        Player::getQueryBuilder()
            ->where('id')->isOneOf($captIDs)
            ->addToCache()
        ;

        return [
            'teams'   => $teamQB->withMatchActivity()->getModels($fast = true),
            'showAll' => (bool)$request->get('showAll', false),
        ];
    }

    public function createAction(Player $me)
    {
        return $this->create($me);
    }

    public function editAction(Player $me, Team $team)

    {
        // TODO: Generating this response is unnecessary
        $response = $this->edit($team, $me, "team");

        if ($this->newLeader) {
            // Redirect to a confirmation form if we are assigning a new leader
            $url = Service::getGenerator()->generate('team_assign_leader', array(
                'team'   => $team->getAlias(),
                'player' => $this->newLeader->getAlias()
            ));

            return new RedirectResponse($url);
        }

        return $response;
    }

    public function deleteAction(Player $me, Team $team)
    {
        $members = $team->getMembers();

        return $this->delete($team, $me, function () use ($team, $me, $members) {
            $event = new Event\TeamDeleteEvent($team, $me, $members);
            Service::getDispatcher()->dispatch(Events::TEAM_DELETE, $event);
        });
    }

    public function restoreAction(Player $me, Team $team)
    {
        if (!$this->canDelete($me, $team)) {
            throw new ForbiddenException("You do not have permissions to restore \"{$team->getName()}\"");
        }

        if (!$team->isDeleted()) {
            throw new LogicException('You cannot restore an object that is not marked as deleted.');
        }

        $creator = new TeamRestorationFormCreator($team, $me, $this);
        $form = $creator->create()->handleRequest(self::getRequest());

        if ($form->isSubmitted()) {
            $this->validate($form);

            if ($form->isValid()) {
                $clickedButton = $form->getClickedButton()->getName();

                if ($clickedButton === 'submit') {
                    $model = $creator->enter($form);

                    self::getFlashBag()->add('success', "\"{$model->getName()}\" has been restored.");

                    return $this->redirectTo($model);
                }

                return (new RedirectResponse($this->getPreviousURL()));
            }
        }

        return [
            'form' => $form->createView(),
            'team' => $team,
        ];
    }

    public function joinAction(Team $team, Player $me)

    {
        $this->requireLogin();
        if (!$me->isTeamless()) {
            throw new ForbiddenException("You are already a member of a team");
        } elseif ($team->getStatus() != 'open') {
            throw new ForbiddenException("This team is not accepting new members without an invitation");
        }

        return $this->showConfirmationForm(function () use ($team, $me) {
            $team->addMember($me->getId());
            Service::getDispatcher()->dispatch(Events::TEAM_JOIN,  new Event\TeamJoinEvent($team, $me));

            return new RedirectResponse($team->getUrl());
        },  "Are you sure you want to join {$team->getEscapedName()}?",
            "You are now a member of {$team->getName()}");
    }

    public function kickAction(Team $team, Player $player, Player $me)
    {
        $this->assertCanEdit($me, $team, "You are not allowed to kick a player off that team!");

        if ($team->getLeader()->isSameAs($player)) {
            throw new ForbiddenException("You can't kick the leader off their team.");
        }

        if (!$team->isMember($player->getId())) {
            throw new ForbiddenException("The specified player is not a member of that team.");
        }

        return $this->showConfirmationForm(function () use ($me, $team, $player) {
            $team->removeMember($player->getId());
            $event = new Event\TeamKickEvent($team, $player, $me);
            Service::getDispatcher()->dispatch(Events::TEAM_KICK, $event);

            return new RedirectResponse($team->getUrl());
        },  "Are you sure you want to kick {$player->getEscapedUsername()} from {$team->getEscapedName()}?",
            "Player {$player->getUsername()} has been kicked from {$team->getName()}", "Kick");
    }

    public function abandonAction(Team $team, Player $me)

    {
        if (!$team->isMember($me->getId())) {
            throw new ForbiddenException("You are not a member of that team!");
        }

        if ($team->getLeader()->isSameAs($me)) {
            throw new ForbiddenException("You can't abandon the team you are leading.");
        }

        return $this->showConfirmationForm(function () use ($team, $me) {
            $team->removeMember($me->getId());
            Service::getDispatcher()->dispatch(Events::TEAM_ABANDON, new Event\TeamAbandonEvent($team, $me));

            return new RedirectResponse($team->getUrl());
        },  "Are you sure you want to abandon {$team->getEscapedName()}?",
            "You have left {$team->getName()}", "Abandon");
    }

    public function assignLeaderAction(Team $team, Player $me, Player $player)
    {
        $this->assertCanEdit($me, $team, "You are not allowed to change the leader of this team.");

        if (!$team->isMember($player->getId())) {
            throw new ForbiddenException("The specified player is not a member of {$team->getName()}");
        } elseif ($team->getLeader()->isSameAs($player)) {
            throw new ForbiddenException("{$player->getUsername()} is already the leader of {$team->getName()}");
        }

        return $this->showConfirmationForm(function () use ($player, $team) {
            $event = new Event\TeamLeaderChangeEvent($team, $player, $team->getLeader());
            $team->setLeader($player->getId());
            Service::getDispatcher()->dispatch(Events::TEAM_LEADER_CHANGE, $event);

            return new RedirectResponse($team->getUrl());
        }, "Are you sure you want to transfer the leadership of the team to <strong>{$player->getEscapedUsername()}</strong>?",
        "{$player->getUsername()} is now leading {$team->getName()}",
        "Appoint leadership");
    }

    /**
     * Show a confirmation form to confirm that the user wants to assign a new
     * leader to a team
     *
     * @param Player $leader The new leader
     */
    public function newLeader($leader)
    {
        $this->newLeader = $leader;
    }

    protected function validateNew($form)
    {
        $name = $form->get('name');
        $team = Team::getFromName($name->getData());

        // The name for the team that the user gave us already exists
        // TODO: This takes deleted teams into account, do we want that?
        if ($team->isValid()) {
            $name->addError(new FormError("A team called {$team->getName()} already exists"));
        }
    }

    protected function canCreate($player)
    {
        if ($player->getTeam()->isValid()) {
            throw new ForbiddenException("You need to abandon your current team before you can create a new one");
        }

        return parent::canCreate($player);
    }

    /**
     * Make sure that a player can edit a team
     *
     * Throws an exception if a player is not an admin or the leader of a team
     * @param  Player        $player  The player to test
     * @param  Team          $team    The team
     * @param  string        $message The error message to show
     * @throws HTTPException
     * @return void
     */
    private function assertCanEdit(Player $player, Team $team, $message = "You are not allowed to edit that team")
    {
        if (!$player->canEdit($team)) {
            throw new ForbiddenException($message);
        }
    }
}


1			<?php
2
3			use BZIon\Event as Event;
4			use BZIon\Event\Events;
5			use BZIon\Form\Creator\TeamRestorationFormCreator;
6			use Symfony\Component\Form\FormError;
7			use Symfony\Component\HttpFoundation\RedirectResponse;
8			use Symfony\Component\HttpFoundation\Request;
9
10			class TeamController extends CRUDController
11			{
12			/**
13			* The new leader if we're changing them
14			* @var null\|Player
15			*/
16	1		private $newLeader = null;
17
18	1		public function showAction(Team $team)
19			{
20	1		$creationDate = $team->getCreationDate()->setTimezone('UTC')->startOfMonth();
21	1
22	1		$matches = Match::getQueryBuilder()
23			->with($team)
24	1		->getSummary($creationDate);
25	1
26	1		$wins = Match::getQueryBuilder()
27			->with($team, "win")
28			->getSummary($creationDate);
29	1
30	1		return [
31	1		'matches' => $matches,
32			'wins' => $wins,
33			'team' => $team
34			];
35	1		}
36
37	1		public function listAction(Request $request)
38	1		{
39	1		$teamQB = Team::getQueryBuilder()
40	1		->active()
41			->sortBy('elo')->reverse()
42	1		;
43	1
44	1		// Cache team captains so we don't fetch each manually
45			$captains = $teamQB->getArray('leader');
46			$captIDs = array_column($captains, 'leader');
47	1		Player::getQueryBuilder()
48			->where('id')->isOneOf($captIDs)
49			->addToCache()
50			;
51
52			return [
53			'teams' => $teamQB->withMatchActivity()->getModels($fast = true),
54			'showAll' => (bool)$request->get('showAll', false),
55			];
56			}
57
58			public function createAction(Player $me)
59			{
60			return $this->create($me);
61			}
62
63		View Code Duplication	public function editAction(Player $me, Team $team)
			0 ignored issues – show Duplication introduced 2017-08-01 20:41 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
64			{
65			// TODO: Generating this response is unnecessary
66			$response = $this->edit($team, $me, "team");
67
68			if ($this->newLeader) {
69			// Redirect to a confirmation form if we are assigning a new leader
70			$url = Service::getGenerator()->generate('team_assign_leader', array(
71			'team' => $team->getAlias(),
72			'player' => $this->newLeader->getAlias()
73			));
74	1
75			return new RedirectResponse($url);
76	1		}
77
78			return $response;
79	1		}
80	1
81	1		public function deleteAction(Player $me, Team $team)
82			{
83			$members = $team->getMembers();
84
85			return $this->delete($team, $me, function () use ($team, $me, $members) {
86			$event = new Event\TeamDeleteEvent($team, $me, $members);
87			Service::getDispatcher()->dispatch(Events::TEAM_DELETE, $event);
88			});
89			}
90
91			public function restoreAction(Player $me, Team $team)
92			{
93			if (!$this->canDelete($me, $team)) {
94			throw new ForbiddenException("You do not have permissions to restore \"{$team->getName()}\"");
95			}
96
97			if (!$team->isDeleted()) {
98			throw new LogicException('You cannot restore an object that is not marked as deleted.');
99			}
100
101			$creator = new TeamRestorationFormCreator($team, $me, $this);
102	1		$form = $creator->create()->handleRequest(self::getRequest());
103
104	1		if ($form->isSubmitted()) {
105			$this->validate($form);
106	1
107			if ($form->isValid()) {
108			$clickedButton = $form->getClickedButton()->getName();
109
110	1		if ($clickedButton === 'submit') {
111			$model = $creator->enter($form);
112
113			self::getFlashBag()->add('success', "\"{$model->getName()}\" has been restored.");
114
115	1		return $this->redirectTo($model);
116	1		}
117	1
118			return (new RedirectResponse($this->getPreviousURL()));
119	1		}
120	1		}
121	1
122			return [
123			'form' => $form->createView(),
124	1		'team' => $team,
125			];
126	1		}
127
128		View Code Duplication	public function joinAction(Team $team, Player $me)
			0 ignored issues – show Duplication introduced 2017-08-01 20:41 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
129			{
130	1		$this->requireLogin();
131	1		if (!$me->isTeamless()) {
132			throw new ForbiddenException("You are already a member of a team");
133			} elseif ($team->getStatus() != 'open') {
134			throw new ForbiddenException("This team is not accepting new members without an invitation");
135	1		}
136	1
137			return $this->showConfirmationForm(function () use ($team, $me) {
138	1		$team->addMember($me->getId());
139	1		Service::getDispatcher()->dispatch(Events::TEAM_JOIN, new Event\TeamJoinEvent($team, $me));
140	1
141			return new RedirectResponse($team->getUrl());
142			}, "Are you sure you want to join {$team->getEscapedName()}?",
143			"You are now a member of {$team->getName()}");
144			}
145
146			public function kickAction(Team $team, Player $player, Player $me)
147			{
148			$this->assertCanEdit($me, $team, "You are not allowed to kick a player off that team!");
149
150			if ($team->getLeader()->isSameAs($player)) {
151			throw new ForbiddenException("You can't kick the leader off their team.");
152			}
153
154			if (!$team->isMember($player->getId())) {
155			throw new ForbiddenException("The specified player is not a member of that team.");
156			}
157
158			return $this->showConfirmationForm(function () use ($me, $team, $player) {
159			$team->removeMember($player->getId());
160			$event = new Event\TeamKickEvent($team, $player, $me);
161			Service::getDispatcher()->dispatch(Events::TEAM_KICK, $event);
162
163			return new RedirectResponse($team->getUrl());
164			}, "Are you sure you want to kick {$player->getEscapedUsername()} from {$team->getEscapedName()}?",
165			"Player {$player->getUsername()} has been kicked from {$team->getName()}", "Kick");
166			}
167
168		View Code Duplication	public function abandonAction(Team $team, Player $me)
			0 ignored issues – show Duplication introduced 2017-08-01 20:41 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
169			{
170			if (!$team->isMember($me->getId())) {
171			throw new ForbiddenException("You are not a member of that team!");
172			}
173
174			if ($team->getLeader()->isSameAs($me)) {
175			throw new ForbiddenException("You can't abandon the team you are leading.");
176			}
177
178			return $this->showConfirmationForm(function () use ($team, $me) {
179			$team->removeMember($me->getId());
180			Service::getDispatcher()->dispatch(Events::TEAM_ABANDON, new Event\TeamAbandonEvent($team, $me));
181
182			return new RedirectResponse($team->getUrl());
183			}, "Are you sure you want to abandon {$team->getEscapedName()}?",
184			"You have left {$team->getName()}", "Abandon");
185			}
186
187			public function assignLeaderAction(Team $team, Player $me, Player $player)
188			{
189			$this->assertCanEdit($me, $team, "You are not allowed to change the leader of this team.");
190
191			if (!$team->isMember($player->getId())) {
192			throw new ForbiddenException("The specified player is not a member of {$team->getName()}");
193			} elseif ($team->getLeader()->isSameAs($player)) {
194			throw new ForbiddenException("{$player->getUsername()} is already the leader of {$team->getName()}");
195			}
196
197			return $this->showConfirmationForm(function () use ($player, $team) {
198			$event = new Event\TeamLeaderChangeEvent($team, $player, $team->getLeader());
199			$team->setLeader($player->getId());
200			Service::getDispatcher()->dispatch(Events::TEAM_LEADER_CHANGE, $event);
201
202			return new RedirectResponse($team->getUrl());
203			}, "Are you sure you want to transfer the leadership of the team to <strong>{$player->getEscapedUsername()}</strong>?",
204			"{$player->getUsername()} is now leading {$team->getName()}",
205			"Appoint leadership");
206	1		}
207
208	1		/**
209			* Show a confirmation form to confirm that the user wants to assign a new
210			* leader to a team
211	1		*
212			* @param Player $leader The new leader
213			*/
214			public function newLeader($leader)
215			{
216			$this->newLeader = $leader;
217			}
218
219			protected function validateNew($form)
220			{
221			$name = $form->get('name');
222			$team = Team::getFromName($name->getData());
223
224			// The name for the team that the user gave us already exists
225			// TODO: This takes deleted teams into account, do we want that?
226			if ($team->isValid()) {
227			$name->addError(new FormError("A team called {$team->getName()} already exists"));
228			}
229			}
230
231			protected function canCreate($player)
232			{
233			if ($player->getTeam()->isValid()) {
234			throw new ForbiddenException("You need to abandon your current team before you can create a new one");
235			}
236
237			return parent::canCreate($player);
238			}
239
240			/**
241			* Make sure that a player can edit a team
242			*
243			* Throws an exception if a player is not an admin or the leader of a team
244			* @param Player $player The player to test
245			* @param Team $team The team
246			* @param string $message The error message to show
247			* @throws HTTPException
248			* @return void
249			*/
250			private function assertCanEdit(Player $player, Team $team, $message = "You are not allowed to edit that team")
251			{
252			if (!$player->canEdit($team)) {
253			throw new ForbiddenException($message);
254			}
255			}
256			}
257

allejo / bzion

Issues (273)

Security Analysis not enabled

controllers/TeamController.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like