<?php
/**
 * Implements the Cassava plugin's administration interface components.
 *
 * @version 1.0.1
 * @since 1.0.0
 */

namespace Cassava;

/**
 * Plugin administration class.
 *
 * Hooks the plugin's settings page, settings fields and admin notices into the
 * WordPress dashboard when instantiated; all work happens inside the hooked
 * callbacks rather than in the constructor.
 *
 * @since 1.0.0
 */
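class Admin {

	/**
	 * Instantiates the admin panel object.
	 *
	 * Only registers the `admin_init` and `admin_menu` callbacks; nothing is
	 * rendered or saved at construction time.
	 *
	 * @uses \add_action()
	 */
	public function __construct () {
		\add_action( 'admin_init', array( $this, 'admin_init' ) );
		\add_action( 'admin_menu', array( $this, 'admin_menu' ) );
	}

	/**
	 * Initializes the admin panel and registers settings fields.
	 *
	 * Triggered by the `admin_init` action. Note that `admin_init` fires on
	 * every dashboard request (including admin-ajax.php), so the permalink
	 * save handler has to do its own authorization.
	 *
	 * @uses \add_action()
	 */
	public function admin_init() {
		$this->savePermalinks();
		$this->addSettings();

		\add_action( 'admin_notices', array( $this, 'admin_notices' ) );
	}

	/**
	 * Register the menu entry for the plugin's settings page.
	 *
	 * The page is restricted to users with the `manage_options` capability.
	 *
	 * @since 1.1.0
	 *
	 * @uses \__()
	 * @uses \add_options_page()
	 */
	public function admin_menu() {
		\add_options_page(
			__( 'Cassava CAS Server', 'wp-cas-server' ),
			__( 'Cassava CAS Server', 'wp-cas-server' ),
			'manage_options',
			Plugin::SLUG,
			array( $this, 'pageSettings' )
		);
	}

	/**
	 * Presents admin notices.
	 *
	 * Triggered by the `admin_notices` action. The HTTPS notice is shown only
	 * when the current request is not over SSL and the user can install plugins.
	 *
	 * @uses \current_user_can()
	 * @uses \is_ssl()
	 *
	 * @uses ::adminNoticeNoSSL()
	 *
	 * @SuppressWarnings(CamelCaseMethodName)
	 */
	public function admin_notices() {
		if ( ! \is_ssl() && \current_user_can( 'install_plugins' ) ) {
			$this->adminNoticeNoSSL();
		}
	}

	/**
	 * Nags the user with an administration notice explaining that the plugin will only
	 * work if the site is served over HTTPS.
	 *
	 * @uses \_e()
	 */
	protected function adminNoticeNoSSL() {
		?>
		<div class="update-nag">
			<?php \_e( 'Cassava CAS Server requires that this site be configured for HTTPS. For more information, contact your system administrator or hosting provider.', 'wp-cas-server' ); ?>
		</div>
		<?php
	}

	/**
	 * Updates the CAS server endpoint when saving permalinks.
	 *
	 * The endpoint field is rendered on the core Permalinks screen, but this
	 * handler runs on `admin_init`, i.e. before options-permalink.php checks
	 * its own nonce and on every admin request. The capability and nonce checks
	 * below therefore cannot be left to core; without them any request that
	 * reaches `admin_init` with the field set would overwrite the option.
	 *
	 * @uses \current_user_can()
	 * @uses \is_admin()
	 * @uses \sanitize_text_field()
	 * @uses \wp_unslash()
	 * @uses \wp_verify_nonce()
	 */
	protected function savePermalinks() {
		if ( ! \is_admin() ) {
			return;
		}

		$option = Options::KEY . '_endpoint_slug';

		// Only the submission that actually carries the field is relevant;
		// testing permalink_structure/category_base alone would read an
		// undefined index below.
		if ( ! isset( $_POST[ $option ] ) ) {
			return;
		}

		// Same capability the Permalinks screen itself requires.
		if ( ! \current_user_can( 'manage_options' ) ) {
			return;
		}

		// 'update-permalink' is the nonce action used by the core permalinks form.
		$nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
		if ( ! \wp_verify_nonce( $nonce, 'update-permalink' ) ) {
			return;
		}

		// $_POST is slashed by WordPress; unslash before sanitizing so that
		// quotes in the slug are not stored with escaping backslashes.
		$slug = \sanitize_text_field( \wp_unslash( $_POST[ $option ] ) );

		Options::set( 'endpoint_slug', trim( $slug ) );
	}

	/**
	 * Register plugin settings.
	 *
	 * The attributes field goes on the plugin's own settings page; the endpoint
	 * field is attached to the core `permalink` page's `optional` section and is
	 * persisted by ::savePermalinks() rather than by the Settings API.
	 *
	 * @uses \add_settings_field()
	 * @uses \add_settings_section()
	 * @uses \register_setting()
	 *
	 * @since 1.0.0
	 */
	protected function addSettings() {
		\register_setting(
			Plugin::SLUG,
			Options::KEY,
			array( $this, 'validateSettings' )
		);

		// Default plugin settings:

		\add_settings_section( 'default', '', false, Plugin::SLUG );

		\add_settings_field(
			'attributes',
			__( 'User Attributes To Return', 'wp-cas-server' ),
			array( $this, 'fieldUserAttributes' ),
			Plugin::SLUG
		);

		// Permalink settings:

		\add_settings_field(
			Options::KEY . '_endpoint_slug',
			__( 'CAS server base', 'wp-cas-server' ),
			array( $this, 'fieldPermalinksEndpointSlug' ),
			'permalink',
			'optional'
		);
	}

	/**
	 * Validates and updates CAS server plugin settings.
	 *
	 * Sanitize callback registered via `register_setting()`. Only attribute
	 * slugs that the dashboard actually offers (see ::attributeOptions()) are
	 * kept; anything else submitted is dropped so that arbitrary user meta keys
	 * cannot end up in the disclosed-attributes list. A submission with no
	 * boxes checked (key absent) stores an empty list.
	 *
	 * @param array $input Unvalidated input arguments when settings are updated.
	 *
	 * @return array Validated plugin settings to be saved in the database.
	 *
	 * @since 1.1.0
	 */
	public function validateSettings( $input ) {
		$options = Options::getAll();

		$submitted = isset( $input['attributes'] ) ? (array) $input['attributes'] : array();
		$allowed   = array_keys( $this->attributeOptions() );

		$attributes = array();

		foreach ( $submitted as $slug ) {
			// Non-string entries (e.g. nested arrays) are never valid slugs.
			if ( is_string( $slug ) && in_array( $slug, $allowed, true ) ) {
				$attributes[] = $slug;
			}
		}

		$options['attributes'] = $attributes;

		return $options;
	}

	/**
	 * Display the configuration field for the CAS endpoint.
	 *
	 * Every value echoed into an attribute is passed through `esc_attr()`,
	 * including the constant-derived ones, so the markup stays safe if those
	 * constants ever change.
	 *
	 * @uses \esc_attr()
	 *
	 * @since 1.0.0
	 */
	public function fieldPermalinksEndpointSlug() {
		$option   = Options::KEY . '_endpoint_slug';
		$endpoint = Options::get( 'endpoint_slug' );
		?>
		<input id="<?php echo \esc_attr( $option ); ?>" name="<?php echo \esc_attr( $option ); ?>"
			type="text" class="regular-text code"
			value="<?php if ( isset( $endpoint ) ) echo \esc_attr( $endpoint ); ?>"
			placeholder="<?php echo \esc_attr( Plugin::ENDPOINT_SLUG ); ?>" />
		<?php
	}

	/**
	 * Displays the CAS server settings page in the dashboard.
	 *
	 * @uses \_e()
	 * @uses \do_settings_sections()
	 * @uses \settings_fields()
	 * @uses \submit_button()
	 *
	 * @since 1.1.0
	 */
	public function pageSettings() {
		?>
		<div class="wrap">
			<h2><?php \_e( 'Cassava CAS Server Settings', 'wp-cas-server' ); ?></h2>

			<p><?php \_e( 'Configuration panel for the Central Authentication Service provided by this site.', 'wp-cas-server' ); ?></p>

			<form action="options.php" method="POST">
				<?php \do_settings_sections( Plugin::SLUG ); ?>
				<?php \settings_fields( Plugin::SLUG ); ?>
				<?php \submit_button(); ?>
			</form>
		</div>
		<?php
	}

	/**
	 * Returns the user attributes an administrator may choose to disclose.
	 *
	 * Shared by the settings field (for rendering) and by ::validateSettings()
	 * (as the whitelist of accepted slugs).
	 *
	 * @uses \__()
	 * @uses \apply_filters()
	 *
	 * @return array Attribute slugs as keys and translated labels as values.
	 */
	protected function attributeOptions() {
		$attributeOptions = array(
			'first_name'   => __( 'First Name', 'wp-cas-server' ),
			'last_name'    => __( 'Last Name', 'wp-cas-server' ),
			'display_name' => __( 'Public Name', 'wp-cas-server' ),
			'user_email'   => __( 'Email', 'wp-cas-server' ),
			'user_url'     => __( 'Website', 'wp-cas-server' ),
		);

		/**
		 * Allows developers to change the list of user attributes that appear in the dashboard for
		 * an administrator to set to return on successful validation requests.
		 *
		 * Options are stored in an associative array, with user attribute slugs as array keys and
		 * option labels as array values. Only slugs present in the filtered array are accepted
		 * when the settings are saved.
		 *
		 * These settings are valid only for CAS 2.0 validation requests.
		 *
		 * @param array $attributeOptions Attribute options an administrator can set on the dashboard.
		 *
		 * @return array Attribute options to display.
		 *
		 * @since 1.1.0
		 */
		return \apply_filters( 'cas_server_settings_user_attribute_options', $attributeOptions );
	}

	/**
	 * Display the configuration fieldset for the user attributes to return on successful
	 * requests.
	 *
	 * Checked attributes for the authenticated user will be returned on successful
	 * `/validateService` request responses inside an optional `<cas:attributes></cas:attributes>`
	 * tag.
	 *
	 * Labels and slugs may come from a third-party filter and example values come
	 * from user meta, so all of them are escaped for their output context.
	 *
	 * @uses \_e()
	 * @uses \esc_attr()
	 * @uses \esc_html()
	 * @uses \esc_html__()
	 * @uses \wp_get_current_user()
	 *
	 * @since 1.1.0
	 */
	public function fieldUserAttributes() {
		$user = \wp_get_current_user();

		// Cast defensively: the option may be unset or a scalar, which would
		// otherwise make in_array() below emit a warning.
		$attributes = (array) Options::get( 'attributes' );

		$attributeOptions = $this->attributeOptions();
		?>

		<fieldset>
			<legend class="screen-reader-text"><?php \_e( 'User Attributes', 'wp-cas-server' ); ?></legend>
			<?php foreach ( $attributeOptions as $value => $label ) : ?>
			<label>
				<input id="<?php echo \esc_attr( Options::KEY . '-attribute-' . $value ); ?>"
					name="<?php echo \esc_attr( Options::KEY ); ?>[attributes][]"
					type="checkbox" <?php if ( in_array( (string) $value, $attributes, true ) ) echo 'checked'; ?>
					value="<?php echo \esc_attr( $value ); ?>">
				<span><?php echo \esc_html( $label ); ?></span>
				<?php if ( $user->get( $value ) ) : ?>
				<span class="description"><?php
					printf( \esc_html__( '(e.g. %s)', 'wp-cas-server' ), \esc_html( implode( ',', (array) $user->get( $value ) ) ) );
				?></span>
				<?php endif; ?>
			</label><br>
			<?php endforeach; ?>
			<p class="description"><?php
				\_e( 'Checked attributes are disclosed on successful validation requests (CAS 2.0 only).', 'wp-cas-server' );
			?></p>
		</fieldset>
		<?php
	}
}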