Issues in ArticleView.php (develop) - Issues in develop - alphadevx/alpha - Measure and Improve Code Quality continuously with Scrutinizer

Issues (195)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Alpha/View/ArticleView.php (5 issues)

Labels

Bug 5

Severity

Minor 5

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Alpha\View;

use Alpha\Util\Config\ConfigProvider;
use Alpha\Util\Extension\MarkdownFacade;
use Alpha\Util\Security\SecurityUtils;
use Alpha\View\Widget\Button;
use Alpha\Controller\Front\FrontController;

/**
 * The rendering class for the Article class.
 *
 * @since 1.0
 *
 * @author John Collins <[email protected]>
 * @license http://www.opensource.org/licenses/bsd-license.php The BSD License
 * @copyright Copyright (c) 2018, John Collins (founder of Alpha Framework).
 * All rights reserved.
 *
 * <pre>
 * Redistribution and use in source and binary forms, with or
 * without modification, are permitted provided that the
 * following conditions are met:
 *
 * * Redistributions of source code must retain the above
 *   copyright notice, this list of conditions and the
 *   following disclaimer.
 * * Redistributions in binary form must reproduce the above
 *   copyright notice, this list of conditions and the
 *   following disclaimer in the documentation and/or other
 *   materials provided with the distribution.
 * * Neither the name of the Alpha Framework nor the names
 *   of its contributors may be used to endorse or promote
 *   products derived from this software without specific
 *   prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
 * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 * </pre>
 */
class ArticleView extends View
{
    /**
     * Method to generate the markdown HTML render of the article content.
     *
     * @param array $fields Hash array of HTML fields to pass to the template.
     *
     * @since 1.0
     *
     * @return string
     */
    public function markdownView($fields = array())
    {
        $markdown = new MarkdownFacade($this->record);

        $fields['markdownContent'] = $markdown->getContent();

        return $this->loadTemplate($this->record, 'markdown', $fields);
    }

    /**
     * Adds a note to the create article screen.
     *
     * @return string
     *
     * @since 1.0
     */
    protected function after_createView_callback()
    {
        return '<p><strong>Please note</strong> that you will only be able to attach files to the article once it has been created.</p><br>';
    }

    /**
     * Renders the list view (adds the dateAdded field for the list template).
     *
     * @param array $fields hash array of HTML fields to pass to the template
     *
     * @since 1.0
     *
     * @return string
     */
    public function listView($fields = array())
    {
        $fields['dateAdded'] = $this->record->getCreateTS()->getDate();
        $fields['editButtonURL'] = FrontController::generateSecureURL('act=Alpha\Controller\ArticleController&ActiveRecordType='.get_class($this->record).'&ActiveRecordID='.$this->record->getID().'&view=edit');

        return parent::listView($fields);
    }

    /**
     * Renders the admin view for the Article, with create button pointed to the ArticleController.
     *
     * @param array $fields Hash array of fields to pass to the template
     *
     * @return string
     *
     * @since 2.0.1
     */
    public function adminView($fields = array())
    {
        $fields['createButtonURL'] = FrontController::generateSecureURL('act=Alpha\Controller\ArticleController&ActiveRecordType='.get_class($this->record).'&view=create');

        return parent::adminView($fields);
    }

    /**
     * Renders the detail view for the Article, with edit button pointed to the ArticleController.
     *
     * @param array $fields Hash array of fields to pass to the template
     *
     * @return string
     *
     * @since 2.0.1
     */
    public function detailedView($fields = array())
    {
        $fields['editButtonURL'] = FrontController::generateSecureURL('act=Alpha\Controller\ArticleController&ActiveRecordType='.get_class($this->record).'&ActiveRecordID='.$this->record->getID().'&view=edit');

        return parent::detailedView($fields);
    }

    /**
     * Renders a form to enable article editing with attachments options.
     *
     * @param array $fields hash array of HTML fields to pass to the template
     *
     * @since 1.0
     *
     * @return string
     */
    public function editView($fields = array())
    {
        if (method_exists($this, 'before_editView_callback')) {
            $this->{'before_editView_callback'}();
        }

        $config = ConfigProvider::getInstance();

        // the form action
        if (isset($fields['URI'])) {
            $fields['formAction'] = $fields['URI'];
        }

        // the form ID
        $fields['formID'] = stripslashes(get_class($this->record)).'_'.$this->record->getID();

        // buffer form fields to $formFields
        $fields['formFields'] = $this->renderAllFields('edit');

        // buffer HTML output for Create and Cancel buttons
        $button = new Button('submit', 'Save', 'saveBut');
        $fields['saveButton'] = $button->render();

        $formFieldId = ($config->get('security.encrypt.http.fieldnames') ? base64_encode(SecurityUtils::encrypt('ActiveRecordID')) : 'ActiveRecordID');
            
        $js = View::loadTemplateFragment('html', 'bootstrapconfirmokay.phtml', array('prompt' => 'Are you sure you wish to delete this item?', 'formFieldId' => $formFieldId, 'formFieldValue' => $this->record->getID(), 'formId' => 'deleteForm'));

        $button = new Button($js, 'Delete', 'deleteBut');
        $fields['deleteButton'] = $button->render();

        $button = new Button("document.location = '".FrontController::generateSecureURL('act=Alpha\Controller\ActiveRecordController&ActiveRecordType='.get_class($this->record).'&start=0&limit='.$config->get('app.list.page.amount'))."'", 'Back to List', 'cancelBut');
        $fields['cancelButton'] = $button->render();

        $tags = array();

        if (is_object($this->record->getPropObject('tags'))) {
            $tags = $this->record->getPropObject('tags')->getRelated();
abstract class User
{
    /** @return string */
    abstract public function getPassword();
}

class MyUser extends User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}
        }

        if (count($tags) > 0) {
            $button = new Button("document.location = '".FrontController::generateSecureURL('act=Alpha\Controller\TagController&ActiveRecordType='.get_class($this->record).'&ActiveRecordID='.$this->record->getID())."'", 'Edit Tags', 'tagsBut');
            $fields['tagsButton'] = $button->render();
        }

        // buffer security fields to $formSecurityFields variable
        $fields['formSecurityFields'] = $this->renderSecurityFields();

        // ID will need to be posted for optimistic lock checking
        $fields['version_num'] = $this->record->getVersionNumber();

        // file attachments section
        $fields['fileAttachments'] = $this->renderFileUploadSection();

        if (method_exists($this, 'after_editView_callback')) {
            $this->{'after_editView_callback'}();
        }

        return $this->loadTemplate($this->record, 'edit', $fields);
    }

    /**
     * Renders the HTML for the file upload section.
     *
     * @return string
     *
     * @since 1.0
     */
    protected function renderFileUploadSection()
    {
        $config = ConfigProvider::getInstance();

        $html = '<div class="form-group">';
        $html .= '  <h3>File Attachments:</h3>';

        if (is_dir($this->record->getAttachmentsLocation())) {
abstract class User
{
    /** @return string */
    abstract public function getPassword();
}

class MyUser extends User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}
            $handle = opendir($this->record->getAttachmentsLocation());
abstract class User
{
    /** @return string */
    abstract public function getPassword();
}

class MyUser extends User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}

            $fileCount = 0;

            $html .= '<table class="table table-bordered">';

            // loop over the attachments directory
            while (false !== ($file = readdir($handle))) {
                if ($file != '.' && $file != '..') {
                    ++$fileCount;

                    $html .= '<tr>';

                    $html .= '<td>'.$file.' <em>('.number_format(filesize($this->record->getAttachmentsLocation().'/'.$file)/1024).' KB)</em></td>';
abstract class User
{
    /** @return string */
    abstract public function getPassword();
}

class MyUser extends User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}

                    $js = "if(window.jQuery) {
                            BootstrapDialog.show({
                                title: 'Confirmation',
                                message: 'Are you sure you wish to delete this item?',
                                buttons: [
                                    {
                                        icon: 'glyphicon glyphicon-remove',
                                        label: 'Cancel',
                                        cssClass: 'btn btn-default btn-xs',
                                        action: function(dialogItself){
                                            dialogItself.close();
                                        }
                                    },
                                    {
                                        icon: 'glyphicon glyphicon-ok',
                                        label: 'Okay',
                                        cssClass: 'btn btn-default btn-xs',
                                        action: function(dialogItself) {
                                            $('[id=\"".($config->get('security.encrypt.http.fieldnames') ? base64_encode(SecurityUtils::encrypt('deletefile')) : 'deletefile')."\"]').attr('value', '".$file."');
                                            $('[id=\"".stripslashes(get_class($this->record)).'_'.$this->record->getID()."\"]').submit();
                                            dialogItself.close();
                                        }
                                    }
                                ]
                            });
                        }";
                    $button = new Button($js, 'Delete', 'delete'.$fileCount.'But');
                    $html .= '<td>'.$button->render().'</td>';
                    $html .= '</tr>';
                }
            }

            $html .= '</table>';
        } else {
            // we will take this opportunity to create the attachments folder is it does
            // not already exist.
            $this->record->createAttachmentsFolder();
abstract class User
{
    /** @return string */
    abstract public function getPassword();
}

class MyUser extends User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}
        }

        $html .= '<span class="btn btn-default btn-file">';
        $html .= '<input name="userfile" type="file" value="Browse..."/>';
        $html .= '</span>';

        $temp = new Button('submit', 'Upload', 'uploadBut');
        $html .= $temp->render();

        $fieldname = ($config->get('security.encrypt.http.fieldnames') ? base64_encode(SecurityUtils::encrypt('deletefile')) : 'deletefile');
        $html .= '<input type="hidden" name="'.$fieldname.'" id="'.$fieldname.'" value=""/>';

        $fieldname = ($config->get('security.encrypt.http.fieldnames') ? base64_encode(SecurityUtils::encrypt('articleID')) : 'articleID');
        $html .= '<input type="hidden" name="'.$fieldname.'" id="'.$fieldname.'" value="'.$this->record->getID().'"/>';

        $html .= '</div>';

        return $html;
    }
}


Issues (195)

Security Analysis not enabled

Alpha/View/ArticleView.php (5 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

Available Fixes

Available Fixes

Available Fixes

1			<?php
2
3			namespace Alpha\View;
4
5			use Alpha\Util\Config\ConfigProvider;
6			use Alpha\Util\Extension\MarkdownFacade;
7			use Alpha\Util\Security\SecurityUtils;
8			use Alpha\View\Widget\Button;
9			use Alpha\Controller\Front\FrontController;
10
11			/**
12			* The rendering class for the Article class.
13			*
14			* @since 1.0
15			*
16			* @author John Collins <[email protected]>
17			* @license http://www.opensource.org/licenses/bsd-license.php The BSD License
18			* @copyright Copyright (c) 2018, John Collins (founder of Alpha Framework).
19			* All rights reserved.
20			*
21			* <pre>
22			* Redistribution and use in source and binary forms, with or
23			* without modification, are permitted provided that the
24			* following conditions are met:
25			*
26			* * Redistributions of source code must retain the above
27			* copyright notice, this list of conditions and the
28			* following disclaimer.
29			* * Redistributions in binary form must reproduce the above
30			* copyright notice, this list of conditions and the
31			* following disclaimer in the documentation and/or other
32			* materials provided with the distribution.
33			* * Neither the name of the Alpha Framework nor the names
34			* of its contributors may be used to endorse or promote
35			* products derived from this software without specific
36			* prior written permission.
37			*
38			* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
39			* CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
40			* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
41			* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
42			* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
43			* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44			* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45			* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46			* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
48			* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
49			* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
50			* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
51			* </pre>
52			*/
53			class ArticleView extends View
54			{
55			/**
56			* Method to generate the markdown HTML render of the article content.
57			*
58			* @param array $fields Hash array of HTML fields to pass to the template.
59			*
60			* @since 1.0
61			*
62			* @return string
63			*/
64			public function markdownView($fields = array())
65			{
66			$markdown = new MarkdownFacade($this->record);
67
68			$fields['markdownContent'] = $markdown->getContent();
69
70			return $this->loadTemplate($this->record, 'markdown', $fields);
71			}
72
73			/**
74			* Adds a note to the create article screen.
75			*
76			* @return string
77			*
78			* @since 1.0
79			*/
80			protected function after_createView_callback()
81			{
82			return '<p><strong>Please note</strong> that you will only be able to attach files to the article once it has been created.</p><br>';
83			}
84
85			/**
86			* Renders the list view (adds the dateAdded field for the list template).
87			*
88			* @param array $fields hash array of HTML fields to pass to the template
89			*
90			* @since 1.0
91			*
92			* @return string
93			*/
94			public function listView($fields = array())
95			{
96			$fields['dateAdded'] = $this->record->getCreateTS()->getDate();
97			$fields['editButtonURL'] = FrontController::generateSecureURL('act=Alpha\Controller\ArticleController&ActiveRecordType='.get_class($this->record).'&ActiveRecordID='.$this->record->getID().'&view=edit');
98
99			return parent::listView($fields);
100			}
101
102			/**
103			* Renders the admin view for the Article, with create button pointed to the ArticleController.
104			*
105			* @param array $fields Hash array of fields to pass to the template
106			*
107			* @return string
108			*
109			* @since 2.0.1
110			*/
111			public function adminView($fields = array())
112			{
113			$fields['createButtonURL'] = FrontController::generateSecureURL('act=Alpha\Controller\ArticleController&ActiveRecordType='.get_class($this->record).'&view=create');
114
115			return parent::adminView($fields);
116			}
117
118			/**
119			* Renders the detail view for the Article, with edit button pointed to the ArticleController.
120			*
121			* @param array $fields Hash array of fields to pass to the template
122			*
123			* @return string
124			*
125			* @since 2.0.1
126			*/
127			public function detailedView($fields = array())
128			{
129			$fields['editButtonURL'] = FrontController::generateSecureURL('act=Alpha\Controller\ArticleController&ActiveRecordType='.get_class($this->record).'&ActiveRecordID='.$this->record->getID().'&view=edit');
130
131			return parent::detailedView($fields);
132			}
133
134			/**
135			* Renders a form to enable article editing with attachments options.
136			*
137			* @param array $fields hash array of HTML fields to pass to the template
138			*
139			* @since 1.0
140			*
141			* @return string
142			*/
143			public function editView($fields = array())
144			{
145			if (method_exists($this, 'before_editView_callback')) {
146			$this->{'before_editView_callback'}();
147			}
148
149			$config = ConfigProvider::getInstance();
150
151			// the form action
152			if (isset($fields['URI'])) {
153			$fields['formAction'] = $fields['URI'];
154			}
155
156			// the form ID
157			$fields['formID'] = stripslashes(get_class($this->record)).'_'.$this->record->getID();
158
159			// buffer form fields to $formFields
160			$fields['formFields'] = $this->renderAllFields('edit');
161
162			// buffer HTML output for Create and Cancel buttons
163			$button = new Button('submit', 'Save', 'saveBut');
164			$fields['saveButton'] = $button->render();
165
166			$formFieldId = ($config->get('security.encrypt.http.fieldnames') ? base64_encode(SecurityUtils::encrypt('ActiveRecordID')) : 'ActiveRecordID');
167
168			$js = View::loadTemplateFragment('html', 'bootstrapconfirmokay.phtml', array('prompt' => 'Are you sure you wish to delete this item?', 'formFieldId' => $formFieldId, 'formFieldValue' => $this->record->getID(), 'formId' => 'deleteForm'));
169
170			$button = new Button($js, 'Delete', 'deleteBut');
171			$fields['deleteButton'] = $button->render();
172
173			$button = new Button("document.location = '".FrontController::generateSecureURL('act=Alpha\Controller\ActiveRecordController&ActiveRecordType='.get_class($this->record).'&start=0&limit='.$config->get('app.list.page.amount'))."'", 'Back to List', 'cancelBut');
174			$fields['cancelButton'] = $button->render();
175
176			$tags = array();
177
178			if (is_object($this->record->getPropObject('tags'))) {
179			$tags = $this->record->getPropObject('tags')->getRelated();
			0 ignored issues – show Bug introduced 2018-03-18 16:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you code against a specific sub-type and not the parent class `Alpha\Model\Type\Type` as the method `getRelated()` does only exist in the following sub-classes of `Alpha\Model\Type\Type`: `Alpha\Model\Type\Relation`. Maybe you want to `instanceof` check for one of these explicitly? Let’s take a look at an example: abstract class User { /** @return string / abstract public function getPassword(); } class MyUser extends User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different sub-classes of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the parent class: abstract class User { /** @return string / abstract public function getPassword(); /* @return string */ abstract public function getDisplayName(); } Loading history...
180			}
181
182			if (count($tags) > 0) {
183			$button = new Button("document.location = '".FrontController::generateSecureURL('act=Alpha\Controller\TagController&ActiveRecordType='.get_class($this->record).'&ActiveRecordID='.$this->record->getID())."'", 'Edit Tags', 'tagsBut');
184			$fields['tagsButton'] = $button->render();
185			}
186
187			// buffer security fields to $formSecurityFields variable
188			$fields['formSecurityFields'] = $this->renderSecurityFields();
189
190			// ID will need to be posted for optimistic lock checking
191			$fields['version_num'] = $this->record->getVersionNumber();
192
193			// file attachments section
194			$fields['fileAttachments'] = $this->renderFileUploadSection();
195
196			if (method_exists($this, 'after_editView_callback')) {
197			$this->{'after_editView_callback'}();
198			}
199
200			return $this->loadTemplate($this->record, 'edit', $fields);
201			}
202
203			/**
204			* Renders the HTML for the file upload section.
205			*
206			* @return string
207			*
208			* @since 1.0
209			*/
210			protected function renderFileUploadSection()
211			{
212			$config = ConfigProvider::getInstance();
213
214			$html = '<div class="form-group">';
215			$html .= ' <h3>File Attachments:</h3>';
216
217			if (is_dir($this->record->getAttachmentsLocation())) {
			0 ignored issues – show Bug introduced 2017-01-07 21:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you code against a specific sub-type and not the parent class `Alpha\Model\ActiveRecord` as the method `getAttachmentsLocation()` does only exist in the following sub-classes of `Alpha\Model\ActiveRecord`: `Alpha\Model\Article`. Maybe you want to `instanceof` check for one of these explicitly? Let’s take a look at an example: abstract class User { /** @return string / abstract public function getPassword(); } class MyUser extends User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different sub-classes of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the parent class: abstract class User { /** @return string / abstract public function getPassword(); /* @return string */ abstract public function getDisplayName(); } Loading history...
218			$handle = opendir($this->record->getAttachmentsLocation());
			0 ignored issues – show Bug introduced 2017-01-07 21:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you code against a specific sub-type and not the parent class `Alpha\Model\ActiveRecord` as the method `getAttachmentsLocation()` does only exist in the following sub-classes of `Alpha\Model\ActiveRecord`: `Alpha\Model\Article`. Maybe you want to `instanceof` check for one of these explicitly? Let’s take a look at an example: abstract class User { /** @return string / abstract public function getPassword(); } class MyUser extends User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different sub-classes of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the parent class: abstract class User { /** @return string / abstract public function getPassword(); /* @return string */ abstract public function getDisplayName(); } Loading history...
219
220			$fileCount = 0;
221
222			$html .= '<table class="table table-bordered">';
223
224			// loop over the attachments directory
225			while (false !== ($file = readdir($handle))) {
226			if ($file != '.' && $file != '..') {
227			++$fileCount;
228
229			$html .= '<tr>';
230
231			$html .= '<td>'.$file.' <em>('.number_format(filesize($this->record->getAttachmentsLocation().'/'.$file)/1024).' KB)</em></td>';
			0 ignored issues – show Bug introduced 2017-01-07 21:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you code against a specific sub-type and not the parent class `Alpha\Model\ActiveRecord` as the method `getAttachmentsLocation()` does only exist in the following sub-classes of `Alpha\Model\ActiveRecord`: `Alpha\Model\Article`. Maybe you want to `instanceof` check for one of these explicitly? Let’s take a look at an example: abstract class User { /** @return string / abstract public function getPassword(); } class MyUser extends User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different sub-classes of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the parent class: abstract class User { /** @return string / abstract public function getPassword(); /* @return string */ abstract public function getDisplayName(); } Loading history...
232
233			$js = "if(window.jQuery) {
234			BootstrapDialog.show({
235			title: 'Confirmation',
236			message: 'Are you sure you wish to delete this item?',
237			buttons: [
238			{
239			icon: 'glyphicon glyphicon-remove',
240			label: 'Cancel',
241			cssClass: 'btn btn-default btn-xs',
242			action: function(dialogItself){
243			dialogItself.close();
244			}
245			},
246			{
247			icon: 'glyphicon glyphicon-ok',
248			label: 'Okay',
249			cssClass: 'btn btn-default btn-xs',
250			action: function(dialogItself) {
251			$('[id=\"".($config->get('security.encrypt.http.fieldnames') ? base64_encode(SecurityUtils::encrypt('deletefile')) : 'deletefile')."\"]').attr('value', '".$file."');
252			$('[id=\"".stripslashes(get_class($this->record)).'_'.$this->record->getID()."\"]').submit();
253			dialogItself.close();
254			}
255			}
256			]
257			});
258			}";
259			$button = new Button($js, 'Delete', 'delete'.$fileCount.'But');
260			$html .= '<td>'.$button->render().'</td>';
261			$html .= '</tr>';
262			}
263			}
264
265			$html .= '</table>';
266			} else {
267			// we will take this opportunity to create the attachments folder is it does
268			// not already exist.
269			$this->record->createAttachmentsFolder();
			0 ignored issues – show Bug introduced 2017-01-07 21:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you code against a specific sub-type and not the parent class `Alpha\Model\ActiveRecord` as the method `createAttachmentsFolder()` does only exist in the following sub-classes of `Alpha\Model\ActiveRecord`: `Alpha\Model\Article`. Maybe you want to `instanceof` check for one of these explicitly? Let’s take a look at an example: abstract class User { /** @return string / abstract public function getPassword(); } class MyUser extends User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different sub-classes of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the parent class: abstract class User { /** @return string / abstract public function getPassword(); /* @return string */ abstract public function getDisplayName(); } Loading history...
270			}
271
272			$html .= '<span class="btn btn-default btn-file">';
273			$html .= '<input name="userfile" type="file" value="Browse..."/>';
274			$html .= '</span>';
275
276			$temp = new Button('submit', 'Upload', 'uploadBut');
277			$html .= $temp->render();
278
279			$fieldname = ($config->get('security.encrypt.http.fieldnames') ? base64_encode(SecurityUtils::encrypt('deletefile')) : 'deletefile');
280			$html .= '<input type="hidden" name="'.$fieldname.'" id="'.$fieldname.'" value=""/>';
281
282			$fieldname = ($config->get('security.encrypt.http.fieldnames') ? base64_encode(SecurityUtils::encrypt('articleID')) : 'articleID');
283			$html .= '<input type="hidden" name="'.$fieldname.'" id="'.$fieldname.'" value="'.$this->record->getID().'"/>';
284
285			$html .= '</div>';
286
287			return $html;
288			}
289			}
290

alphadevx / alpha

Issues (195)

Security Analysis not enabled

Alpha/View/ArticleView.php (5 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

Available Fixes

Available Fixes

Available Fixes

Duplication Side-by-Side

Filter issues like