This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | |||
3 | namespace SilverStripe\ContentReview\Extensions; |
||
4 | |||
5 | use SilverStripe\Admin\LeftAndMain; |
||
6 | use SilverStripe\Admin\LeftAndMainExtension; |
||
7 | use SilverStripe\CMS\Model\SiteTree; |
||
8 | use SilverStripe\ContentReview\Forms\ReviewContentHandler; |
||
9 | use SilverStripe\Control\HTTPRequest; |
||
10 | use SilverStripe\Control\HTTPResponse; |
||
11 | use SilverStripe\Control\HTTPResponse_Exception; |
||
12 | use SilverStripe\Core\Convert; |
||
13 | use SilverStripe\Forms\Form; |
||
14 | use SilverStripe\ORM\ValidationResult; |
||
15 | use SilverStripe\Security\Security; |
||
16 | |||
17 | /** |
||
18 | * CMSPageEditController extension to receive the additional action button from |
||
19 | * SiteTreeContentReview::updateCMSActions() |
||
20 | */ |
||
21 | class ContentReviewCMSExtension extends LeftAndMainExtension |
||
22 | { |
||
23 | private static $allowed_actions = [ |
||
0 ignored issues
–
show
Comprehensibility
introduced
by
Loading history...
|
|||
24 | 'ReviewContentForm', |
||
25 | 'savereview', |
||
26 | ]; |
||
27 | |||
28 | /** |
||
29 | * URL handler for the "content due for review" form |
||
30 | * |
||
31 | * @param HTTPRequest $request |
||
32 | * @return Form|null |
||
33 | */ |
||
34 | public function ReviewContentForm(HTTPRequest $request) |
||
35 | { |
||
36 | // Get ID either from posted back value, or url parameter |
||
37 | $id = $request->param('ID') ?: $request->postVar('ID'); |
||
38 | return $this->getReviewContentForm($id); |
||
39 | } |
||
40 | |||
41 | /** |
||
42 | * Return a handler for "content due for review" forms, according to the given object ID |
||
43 | * |
||
44 | * @param int $id |
||
45 | * @return Form|null |
||
46 | */ |
||
47 | public function getReviewContentForm($id) |
||
48 | { |
||
49 | $page = $this->findRecord(['ID' => $id]); |
||
50 | $user = Security::getCurrentUser(); |
||
51 | if (!$page->canEdit() || ($page->hasMethod('canBeReviewedBy') && !$page->canBeReviewedBy($user))) { |
||
52 | $this->owner->httpError(403, _t( |
||
53 | __CLASS__.'.ErrorItemPermissionDenied', |
||
54 | 'It seems you don\'t have the necessary permissions to review this content' |
||
55 | )); |
||
56 | return null; |
||
57 | } |
||
58 | |||
59 | $form = $this->getReviewContentHandler()->Form($page); |
||
60 | $form->setValidationResponseCallback(function (ValidationResult $errors) use ($form, $id) { |
||
61 | $schemaId = $this->owner->join_links($this->owner->Link('schema/ReviewContentForm'), $id); |
||
62 | return $this->getSchemaResponse($schemaId, $form, $errors); |
||
63 | }); |
||
64 | |||
65 | return $form; |
||
66 | } |
||
67 | |||
68 | /** |
||
69 | * Action handler for processing the submitted content review |
||
70 | * |
||
71 | * @param array $data |
||
72 | * @param Form $form |
||
73 | * @return DBHTMLText|HTTPResponse|null |
||
74 | */ |
||
75 | public function savereview($data, Form $form) |
||
76 | { |
||
77 | $page = $this->findRecord($data); |
||
78 | |||
79 | $results = $this->getReviewContentHandler()->submitReview($page, $data); |
||
80 | if (is_null($results)) { |
||
81 | return null; |
||
82 | } |
||
83 | if ($this->getSchemaRequested()) { |
||
84 | // Send extra "message" data with schema response |
||
85 | $extraData = ['message' => $results]; |
||
86 | $schemaId = $this->owner->join_links($this->owner->Link('schema/ReviewContentForm'), $page->ID); |
||
87 | return $this->getSchemaResponse($schemaId, $form, null, $extraData); |
||
88 | } |
||
89 | |||
90 | return $results; |
||
91 | } |
||
92 | |||
93 | /** |
||
94 | * Return a handler or reviewing content |
||
95 | * |
||
96 | * @return ReviewContentHandler |
||
97 | */ |
||
98 | protected function getReviewContentHandler() |
||
99 | { |
||
100 | return ReviewContentHandler::create($this->owner); |
||
101 | } |
||
102 | |||
103 | /** |
||
104 | * Find the page this form is updating |
||
105 | * |
||
106 | * @param array $data Form data |
||
107 | * @return SiteTree Record |
||
108 | * @throws HTTPResponse_Exception |
||
109 | */ |
||
110 | protected function findRecord($data) |
||
111 | { |
||
112 | if (empty($data["ID"])) { |
||
113 | throw new HTTPResponse_Exception("No record ID", 404); |
||
114 | } |
||
115 | $page = null; |
||
116 | $id = $data["ID"]; |
||
117 | if (is_numeric($id)) { |
||
118 | $page = SiteTree::get()->byID($id); |
||
119 | } |
||
120 | if (!$page || !$page->ID) { |
||
121 | throw new HTTPResponse_Exception("Bad record ID #{$id}", 404); |
||
122 | } |
||
123 | return $page; |
||
124 | } |
||
125 | |||
126 | /** |
||
127 | * Check if the current request has a X-Formschema-Request header set. |
||
128 | * Used by conditional logic that responds to validation results |
||
129 | * |
||
130 | * @todo Remove duplication. See https://github.com/silverstripe/silverstripe-admin/issues/240 |
||
131 | * |
||
132 | * @return bool |
||
133 | */ |
||
134 | protected function getSchemaRequested() |
||
135 | { |
||
136 | $parts = $this->owner->getRequest()->getHeader(LeftAndMain::SCHEMA_HEADER); |
||
137 | return !empty($parts); |
||
138 | } |
||
139 | |||
140 | /** |
||
141 | * Generate schema for the given form based on the X-Formschema-Request header value |
||
142 | * |
||
143 | * @todo Remove duplication. See https://github.com/silverstripe/silverstripe-admin/issues/240 |
||
144 | * |
||
145 | * @param string $schemaID ID for this schema. Required. |
||
146 | * @param Form $form Required for 'state' or 'schema' response |
||
147 | * @param ValidationResult $errors Required for 'error' response |
||
148 | * @param array $extraData Any extra data to be merged with the schema response |
||
149 | * @return HTTPResponse |
||
150 | */ |
||
151 | protected function getSchemaResponse($schemaID, $form = null, ValidationResult $errors = null, $extraData = []) |
||
152 | { |
||
153 | $parts = $this->owner->getRequest()->getHeader(LeftAndMain::SCHEMA_HEADER); |
||
154 | $data = $this->owner |
||
155 | ->getFormSchema() |
||
156 | ->getMultipartSchema($parts, $schemaID, $form, $errors); |
||
157 | |||
158 | if ($extraData) { |
||
0 ignored issues
–
show
The expression
$extraData of type array is implicitly converted to a boolean; are you sure this is intended? If so, consider using ! empty($expr) instead to make it clear that you intend to check for an array without elements.
This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using
Loading history...
|
|||
159 | $data = array_merge($data, $extraData); |
||
160 | } |
||
161 | |||
162 | $response = HTTPResponse::create(Convert::raw2json($data)); |
||
163 | $response->addHeader('Content-Type', 'application/json'); |
||
164 | |||
165 | return $response; |
||
166 | } |
||
167 | } |
||
168 |