Issues in Editable.php (master) - Issues in master - o5/grido - Measure and Improve Code Quality continuously with Scrutinizer

Issues (11)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Components/Columns/Editable.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * This file is part of the Grido (https://github.com/o5/grido)
 *
 * Copyright (c) 2014 Petr Bugyík (http://petr.bugyik.cz)
 *
 * For the full copyright and license information, please view
 * the file LICENSE.md that was distributed with this source code.
 */

namespace Grido\Components\Columns;

use Grido\Exception;

/**
 * An inline editable column.
 *
 * @package     Grido
 * @subpackage  Components\Columns
 * @author      Jakub Kopřiva <[email protected]>
 * @author      Petr Bugyík
 *
 * @property \Nette\Forms\IControl $editableControl
 * @property callback $editableCallback
 * @property callback $editableValueCallback
 * @property callback $editableRowCallback
 * @property bool $editable
 * @property bool $editableDisabled
 */
abstract class Editable extends Column
{
    /** @var bool */
    protected $editable = FALSE;

    /** @var bool */
    protected $editableDisabled = FALSE;

    /** @var \Nette\Forms\IControl Custom control for inline editing */
    protected $editableControl;

    /** @var callback for custom handling with edited data; function($id, $newValue, $oldValue, Editable $column) {} */
    protected $editableCallback;

    /** @var callback for custom value; function($row, Columns\Editable $column) {} */
    protected $editableValueCallback;

    /** @var callback for getting row; function($row, Columns\Editable $column) {} */
    protected $editableRowCallback;

    /**
     * Sets column as editable.
     * @param callback $callback function($id, $newValue, $oldValue, Columns\Editable $column) {}
     * @param \Nette\Forms\IControl $control
     * @return Editable
     */
    public function setEditable($callback = NULL, \Nette\Forms\IControl $control = NULL)
    {
        $this->editable = TRUE;
        $this->setClientSideOptions();

        $callback && $this->setEditableCallback($callback);
        $control && $this->setEditableControl($control);

        return $this;
    }

    /**
     * Sets control for inline editation.
     * @param \Nette\Forms\IControl $control
     * @return Editable
     */
    public function setEditableControl(\Nette\Forms\IControl $control)
    {
        $this->isEditable() ?: $this->setEditable();
        $this->editableControl = $control;

        return $this;
    }

    /**
     * Sets editable callback.
     * @param callback $callback function($id, $newValue, $oldValue, Columns\Editable $column) {}
     * @return Editable
     */
    public function setEditableCallback($callback)
    {
        $this->isEditable() ?: $this->setEditable();
        $this->editableCallback = $callback;

        return $this;
    }

    /**
     * Sets editable value callback.
     * @param callback $callback for custom value; function($row, Columns\Editable $column) {}
     * @return Editable
     */
    public function setEditableValueCallback($callback)
    {
        $this->isEditable() ?: $this->setEditable();
        $this->editableValueCallback = $callback;

        return $this;
    }

    /**
     * Sets editable row callback - it's required when used editable collumn with customRenderCallback
     * @param callback $callback for getting row; function($id, Columns\Editable $column) {}
     * @return Editable
     */
    public function setEditableRowCallback($callback)
    {
        $this->isEditable() ?: $this->setEditable();
        $this->editableRowCallback = $callback;

        return $this;
    }

    /**
     * @return Editable
     */
    public function disableEditable()
    {
        $this->editable = FALSE;
        $this->editableDisabled = TRUE;

        return $this;
    }

    /**
     * @throws Exception
     */
    protected function setClientSideOptions()
    {
        $options = $this->grid->getClientSideOptions();
        if (!isset($options['editable'])) { //only once
            $this->grid->setClientSideOptions(['editable' => TRUE]);
            $this->grid->onRender[] = function(\Grido\Grid $grid)
            {
                foreach ($grid->getComponent(Column::ID)->getComponents() as $column) {
                    if (!$column instanceof Editable || !$column->isEditable()) {
                        continue;
                    }

                    $colDb = $column->getColumn();
                    $colName = $column->getName();
                    $isMissing = function ($method) use ($grid) {
                        return $grid->model instanceof \Grido\DataSources\Model
                            ? !method_exists($grid->model->dataSource, $method)
                            : TRUE;
                    };

                    if (($column->editableCallback === NULL && (!is_string($colDb) || strpos($colDb, '.'))) ||
                        ($column->editableCallback === NULL && $isMissing('update'))
                    ) {
                        $msg = "Column '$colName' has error: You must define callback via setEditableCallback().";
                        throw new Exception($msg);
                    }

                    if ($column->editableRowCallback === NULL && $column->customRender && $isMissing('getRow')) {
                        $msg = "Column '$colName' has error: You must define callback via setEditableRowCallback().";
                        throw new Exception($msg);
                    }
                }
            };
        }
    }

    /**********************************************************************************************/

    /**
     * Returns header cell prototype (<th> html tag).
     * @return \Nette\Utils\Html
     */
    public function getHeaderPrototype()
    {
        $th = parent::getHeaderPrototype();

        if ($this->isEditable()) {
            $th->setAttribute('data-grido-editable-handler', $this->link('editable!'));
            $th->setAttribute('data-grido-editableControl-handler', $this->link('editableControl!'));
        }

        return $th;
    }

    /**
     * Returns cell prototype (<td> html tag).
     * @param mixed $row
     * @return \Nette\Utils\Html
     */
    public function getCellPrototype($row = NULL)
    {
        $td = parent::getCellPrototype($row);

        if ($this->isEditable() && $row !== NULL) {
            if (!in_array('editable', $td->class)) {
                $td->class[] = 'editable';
            }

            $value = $this->editableValueCallback === NULL
                ? $this->getValue($row)
                : call_user_func_array($this->editableValueCallback, [$row, $this]);

            $td->setAttribute('data-grido-editable-value', $value);
        }

        return $td;
    }

    /**
     * Returns control for editation.
     * @returns \Nette\Forms\Controls\TextInput
     */
    public function getEditableControl()
    {
        if ($this->editableControl === NULL) {
            $this->editableControl = new \Nette\Forms\Controls\TextInput;

            $this->editableControl->controlPrototype->class[] = 'form-control';
        }

        return $this->editableControl;
    }

    /**
     * @return callback
     * @internal
     */
    public function getEditableCallback()
    {
        return $this->editableCallback;
    }

    /**
     * @return callback
     * @internal
     */
    public function getEditableValueCallback()
    {
        return $this->editableValueCallback;
    }

    /**
     * @return callback
     * @internal
     */
    public function getEditableRowCallback()
    {
        return $this->editableRowCallback;
    }

    /**
     * @return bool
     * @internal
     */
    public function isEditable()
    {
        return $this->editable;
    }

    /**
     * @return bool
     * @internal
     */
    public function isEditableDisabled()
    {
        return $this->editableDisabled;
    }

    /**********************************************************************************************/

    /**
     * @internal
     */
    public function handleEditable($id, $newValue, $oldValue)
    {
        $this->grid->onRender($this->grid);

        if (!$this->presenter->isAjax() || !$this->isEditable()) {
            $this->presenter->terminate();
        }

        $success = $this->editableCallback
            ? call_user_func_array($this->editableCallback, [$id, $newValue, $oldValue, $this])
            : $this->grid->model->update($id, [$this->getColumn() => $newValue], $this->grid->primaryKey);

        if (is_callable($this->customRender)) {
            $row = $this->editableRowCallback
                ? call_user_func_array($this->editableRowCallback, [$id, $this])
                : $this->grid->model->getRow($id, $this->grid->primaryKey);
            $html = call_user_func_array($this->customRender, [$row]);
        } else {
            $html = $this->formatValue($newValue);
        }

        $payload = ['updated' => (bool) $success, 'html' => (string) $html];
        $response = new \Nette\Application\Responses\JsonResponse($payload);
        $this->presenter->sendResponse($response);
    }

    /**
     * @internal
     */
    public function handleEditableControl($value)
    {
        $this->grid->onRender($this->grid);

        if (!$this->presenter->isAjax() || !$this->isEditable()) {
            $this->presenter->terminate();
        }

        $control = $this->getEditableControl();
        $control->setValue($value);

        $this->getForm()->addComponent($control, 'edit' . $this->getName());

        $response = new \Nette\Application\Responses\TextResponse($control->getControl()->render());
        $this->presenter->sendResponse($response);
    }
}


1		<?php
2
3		/**
4		* This file is part of the Grido (https://github.com/o5/grido)
5		*
6		* Copyright (c) 2014 Petr Bugyík (http://petr.bugyik.cz)
7		*
8		* For the full copyright and license information, please view
9		* the file LICENSE.md that was distributed with this source code.
10		*/
11
12		namespace Grido\Components\Columns;
13
14		use Grido\Exception;
15
16		/**
17		* An inline editable column.
18		*
19		* @package Grido
20		* @subpackage Components\Columns
21		* @author Jakub Kopřiva <[email protected]>
22		* @author Petr Bugyík
23		*
24		* @property \Nette\Forms\IControl $editableControl
25		* @property callback $editableCallback
26		* @property callback $editableValueCallback
27	1	* @property callback $editableRowCallback
28		* @property bool $editable
29		* @property bool $editableDisabled
30		*/
31		abstract class Editable extends Column
32	1	{
33		/** @var bool */
34		protected $editable = FALSE;
35
36		/** @var bool */
37		protected $editableDisabled = FALSE;
38
39		/** @var \Nette\Forms\IControl Custom control for inline editing */
40		protected $editableControl;
41
42		/** @var callback for custom handling with edited data; function($id, $newValue, $oldValue, Editable $column) {} */
43		protected $editableCallback;
44
45		/** @var callback for custom value; function($row, Columns\Editable $column) {} */
46		protected $editableValueCallback;
47
48		/** @var callback for getting row; function($row, Columns\Editable $column) {} */
49		protected $editableRowCallback;
50
51		/**
52		* Sets column as editable.
53		* @param callback $callback function($id, $newValue, $oldValue, Columns\Editable $column) {}
54		* @param \Nette\Forms\IControl $control
55		* @return Editable
56		*/
57		public function setEditable($callback = NULL, \Nette\Forms\IControl $control = NULL)
58		{
59	1	$this->editable = TRUE;
60	1	$this->setClientSideOptions();
61
62	1	$callback && $this->setEditableCallback($callback);
63	1	$control && $this->setEditableControl($control);
64
65	1	return $this;
66		}
67
68		/**
69		* Sets control for inline editation.
70		* @param \Nette\Forms\IControl $control
71		* @return Editable
72		*/
73		public function setEditableControl(\Nette\Forms\IControl $control)
74		{
75	1	$this->isEditable() ?: $this->setEditable();
76	1	$this->editableControl = $control;
77
78	1	return $this;
79		}
80
81		/**
82		* Sets editable callback.
83		* @param callback $callback function($id, $newValue, $oldValue, Columns\Editable $column) {}
84		* @return Editable
85		*/
86		public function setEditableCallback($callback)
87		{
88	1	$this->isEditable() ?: $this->setEditable();
89	1	$this->editableCallback = $callback;
90
91	1	return $this;
92		}
93
94		/**
95		* Sets editable value callback.
96		* @param callback $callback for custom value; function($row, Columns\Editable $column) {}
97		* @return Editable
98		*/
99		public function setEditableValueCallback($callback)
100		{
101	1	$this->isEditable() ?: $this->setEditable();
102	1	$this->editableValueCallback = $callback;
103
104	1	return $this;
105		}
106
107		/**
108		* Sets editable row callback - it's required when used editable collumn with customRenderCallback
109		* @param callback $callback for getting row; function($id, Columns\Editable $column) {}
110		* @return Editable
111		*/
112		public function setEditableRowCallback($callback)
113		{
114	1	$this->isEditable() ?: $this->setEditable();
115	1	$this->editableRowCallback = $callback;
116
117	1	return $this;
118		}
119
120		/**
121		* @return Editable
122		*/
123		public function disableEditable()
124		{
125	1	$this->editable = FALSE;
126	1	$this->editableDisabled = TRUE;
127
128	1	return $this;
129		}
130
131		/**
132		* @throws Exception
133		*/
134		protected function setClientSideOptions()
135		{
136	1	$options = $this->grid->getClientSideOptions();
137	1	if (!isset($options['editable'])) { //only once
138	1	$this->grid->setClientSideOptions(['editable' => TRUE]);
139	1	$this->grid->onRender[] = function(\Grido\Grid $grid)
140		{
141	1	foreach ($grid->getComponent(Column::ID)->getComponents() as $column) {
142	1	if (!$column instanceof Editable \|\| !$column->isEditable()) {
143	1	continue;
144		}
145
146	1	$colDb = $column->getColumn();
147	1	$colName = $column->getName();
148	1	$isMissing = function ($method) use ($grid) {
149	1	return $grid->model instanceof \Grido\DataSources\Model
150	1	? !method_exists($grid->model->dataSource, $method)
151	1	: TRUE;
152	1	};
153
154	1	if (($column->editableCallback === NULL && (!is_string($colDb) \|\| strpos($colDb, '.'))) \|\|
155	1	($column->editableCallback === NULL && $isMissing('update'))
156	1	) {
157	1	$msg = "Column '$colName' has error: You must define callback via setEditableCallback().";
158	1	throw new Exception($msg);
159		}
160
161	1	if ($column->editableRowCallback === NULL && $column->customRender && $isMissing('getRow')) {
162	1	$msg = "Column '$colName' has error: You must define callback via setEditableRowCallback().";
163	1	throw new Exception($msg);
164		}
165	1	}
166	1	};
167	1	}
168	1	}
169
170		/**********************************************************************************************/
171
172		/**
173		* Returns header cell prototype (<th> html tag).
174		* @return \Nette\Utils\Html
175		*/
176		public function getHeaderPrototype()
177		{
178	1	$th = parent::getHeaderPrototype();
179
180	1	if ($this->isEditable()) {
181	1	$th->setAttribute('data-grido-editable-handler', $this->link('editable!'));
182	1	$th->setAttribute('data-grido-editableControl-handler', $this->link('editableControl!'));
183	1	}
184
185	1	return $th;
186		}
187
188		/**
189		* Returns cell prototype (<td> html tag).
190		* @param mixed $row
191		* @return \Nette\Utils\Html
192		*/
193		public function getCellPrototype($row = NULL)
194		{
195	1	$td = parent::getCellPrototype($row);
196
197	1	if ($this->isEditable() && $row !== NULL) {
198	1	if (!in_array('editable', $td->class)) {
199	1	$td->class[] = 'editable';
200	1	}
201
202	1	$value = $this->editableValueCallback === NULL
203	1	? $this->getValue($row)
204	1	: call_user_func_array($this->editableValueCallback, [$row, $this]);
205
206	1	$td->setAttribute('data-grido-editable-value', $value);
207	1	}
208
209	1	return $td;
210		}
211
212		/**
213		* Returns control for editation.
214		* @returns \Nette\Forms\Controls\TextInput
215		*/
216		public function getEditableControl()
217		{
218	1	if ($this->editableControl === NULL) {
219	1	$this->editableControl = new \Nette\Forms\Controls\TextInput;
		0 ignored issues – show Documentation Bug introduced 2018-03-21 16:57 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `new \Nette\Forms\Controls\TextInput()` of type `object<Nette\Forms\Controls\TextInput>` is incompatible with the declared type `object<Nette\Forms\IControl>` of property `$editableControl`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
220	1	$this->editableControl->controlPrototype->class[] = 'form-control';
221	1	}
222
223	1	return $this->editableControl;
224		}
225
226		/**
227		* @return callback
228		* @internal
229		*/
230		public function getEditableCallback()
231		{
232	1	return $this->editableCallback;
233		}
234
235		/**
236		* @return callback
237		* @internal
238		*/
239		public function getEditableValueCallback()
240		{
241	1	return $this->editableValueCallback;
242		}
243
244		/**
245		* @return callback
246		* @internal
247		*/
248		public function getEditableRowCallback()
249		{
250	1	return $this->editableRowCallback;
251		}
252
253		/**
254		* @return bool
255		* @internal
256		*/
257		public function isEditable()
258		{
259	1	return $this->editable;
260		}
261
262		/**
263		* @return bool
264		* @internal
265		*/
266		public function isEditableDisabled()
267		{
268	1	return $this->editableDisabled;
269		}
270
271		/**********************************************************************************************/
272
273		/**
274		* @internal
275		*/
276		public function handleEditable($id, $newValue, $oldValue)
277		{
278	1	$this->grid->onRender($this->grid);
279
280	1	if (!$this->presenter->isAjax() \|\| !$this->isEditable()) {
281		$this->presenter->terminate();
282		}
283
284	1	$success = $this->editableCallback
285	1	? call_user_func_array($this->editableCallback, [$id, $newValue, $oldValue, $this])
286	1	: $this->grid->model->update($id, [$this->getColumn() => $newValue], $this->grid->primaryKey);
287
288	1	if (is_callable($this->customRender)) {
289	1	$row = $this->editableRowCallback
290	1	? call_user_func_array($this->editableRowCallback, [$id, $this])
291	1	: $this->grid->model->getRow($id, $this->grid->primaryKey);
292	1	$html = call_user_func_array($this->customRender, [$row]);
293	1	} else {
294	1	$html = $this->formatValue($newValue);
295		}
296
297	1	$payload = ['updated' => (bool) $success, 'html' => (string) $html];
298	1	$response = new \Nette\Application\Responses\JsonResponse($payload);
299	1	$this->presenter->sendResponse($response);
300	1	}
301
302		/**
303		* @internal
304		*/
305		public function handleEditableControl($value)
306		{
307	1	$this->grid->onRender($this->grid);
308
309	1	if (!$this->presenter->isAjax() \|\| !$this->isEditable()) {
310		$this->presenter->terminate();
311		}
312
313	1	$control = $this->getEditableControl();
314	1	$control->setValue($value);
315
316	1	$this->getForm()->addComponent($control, 'edit' . $this->getName());
317
318	1	$response = new \Nette\Application\Responses\TextResponse($control->getControl()->render());
319	1	$this->presenter->sendResponse($response);
320	1	}
321		}
322

o5 / grido

Issues (11)

Security Analysis no request data

src/Components/Columns/Editable.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like