This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | |||
3 | declare(strict_types=1); |
||
4 | |||
5 | /* |
||
6 | * This file is part of the Sonata Project package. |
||
7 | * |
||
8 | * (c) Thomas Rabaix <[email protected]> |
||
9 | * |
||
10 | * For the full copyright and license information, please view the LICENSE |
||
11 | * file that was distributed with this source code. |
||
12 | */ |
||
13 | |||
14 | namespace Sonata\AdminBundle\Action; |
||
15 | |||
16 | use Sonata\AdminBundle\Admin\Pool; |
||
17 | use Sonata\AdminBundle\Templating\TemplateRegistry; |
||
18 | use Sonata\AdminBundle\Twig\Extension\SonataAdminExtension; |
||
19 | use Symfony\Component\HttpFoundation\JsonResponse; |
||
20 | use Symfony\Component\HttpFoundation\Request; |
||
21 | use Symfony\Component\HttpFoundation\Response; |
||
22 | use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; |
||
23 | use Symfony\Component\PropertyAccess\PropertyPath; |
||
24 | use Symfony\Component\Validator\Validator\ValidatorInterface; |
||
25 | use Twig\Environment; |
||
26 | |||
27 | final class SetObjectFieldValueAction |
||
28 | { |
||
29 | /** |
||
30 | * @var Pool |
||
31 | */ |
||
32 | private $pool; |
||
33 | |||
34 | /** |
||
35 | * @var Environment |
||
36 | */ |
||
37 | private $twig; |
||
38 | |||
39 | /** |
||
40 | * @var ValidatorInterface |
||
41 | */ |
||
42 | private $validator; |
||
43 | |||
44 | public function __construct(Environment $twig, Pool $pool, ValidatorInterface $validator) |
||
45 | { |
||
46 | $this->pool = $pool; |
||
47 | $this->twig = $twig; |
||
48 | $this->validator = $validator; |
||
49 | } |
||
50 | |||
51 | /** |
||
52 | * @throws NotFoundHttpException |
||
53 | */ |
||
54 | public function __invoke(Request $request): JsonResponse |
||
55 | { |
||
56 | $field = $request->get('field'); |
||
57 | $code = $request->get('code'); |
||
58 | $objectId = $request->get('objectId'); |
||
59 | $value = $originalValue = $request->get('value'); |
||
60 | $context = $request->get('context'); |
||
61 | |||
62 | $admin = $this->pool->getInstance($code); |
||
63 | $admin->setRequest($request); |
||
64 | |||
65 | // alter should be done by using a post method |
||
66 | if (!$request->isXmlHttpRequest()) { |
||
67 | return new JsonResponse('Expected an XmlHttpRequest request header', Response::HTTP_METHOD_NOT_ALLOWED); |
||
68 | } |
||
69 | |||
70 | if (Request::METHOD_POST !== $request->getMethod()) { |
||
71 | return new JsonResponse(sprintf( |
||
72 | 'Invalid request method given "%s", %s expected', |
||
73 | $request->getMethod(), |
||
74 | Request::METHOD_POST |
||
75 | ), Response::HTTP_METHOD_NOT_ALLOWED); |
||
76 | } |
||
77 | |||
78 | $rootObject = $object = $admin->getObject($objectId); |
||
79 | |||
80 | if (!$object) { |
||
81 | return new JsonResponse('Object does not exist', Response::HTTP_NOT_FOUND); |
||
82 | } |
||
83 | |||
84 | // check user permission |
||
85 | if (false === $admin->hasAccess('edit', $object)) { |
||
86 | return new JsonResponse('Invalid permissions', Response::HTTP_FORBIDDEN); |
||
87 | } |
||
88 | |||
89 | if ('list' !== $context) { |
||
90 | return new JsonResponse('Invalid context', Response::HTTP_BAD_REQUEST); |
||
91 | } |
||
92 | |||
93 | if (!$admin->hasListFieldDescription($field)) { |
||
94 | return new JsonResponse('The field does not exist', Response::HTTP_BAD_REQUEST); |
||
95 | } |
||
96 | |||
97 | $fieldDescription = $admin->getListFieldDescription($field); |
||
98 | |||
99 | if (!$fieldDescription->getOption('editable')) { |
||
100 | return new JsonResponse('The field cannot be edited, editable option must be set to true', Response::HTTP_BAD_REQUEST); |
||
101 | } |
||
102 | |||
103 | $propertyPath = new PropertyPath($field); |
||
104 | |||
105 | // If property path has more than 1 element, take the last object in order to validate it |
||
106 | if ($propertyPath->getLength() > 1) { |
||
107 | $object = $this->pool->getPropertyAccessor()->getValue($object, $propertyPath->getParent()); |
||
0 ignored issues
–
show
|
|||
108 | |||
109 | $elements = $propertyPath->getElements(); |
||
110 | $field = end($elements); |
||
111 | $propertyPath = new PropertyPath($field); |
||
112 | } |
||
113 | |||
114 | // Handle date type has setter expect a DateTime object |
||
115 | if ('' !== $value && TemplateRegistry::TYPE_DATE === $fieldDescription->getType()) { |
||
116 | $inputTimezone = new \DateTimeZone(date_default_timezone_get()); |
||
117 | $outputTimezone = $fieldDescription->getOption('timezone'); |
||
118 | |||
119 | if ($outputTimezone && !$outputTimezone instanceof \DateTimeZone) { |
||
120 | $outputTimezone = new \DateTimeZone($outputTimezone); |
||
121 | } |
||
122 | |||
123 | $value = new \DateTime($value, $outputTimezone ?: $inputTimezone); |
||
124 | $value->setTimezone($inputTimezone); |
||
125 | } |
||
126 | |||
127 | // Handle boolean type transforming the value into a boolean |
||
128 | if ('' !== $value && TemplateRegistry::TYPE_BOOLEAN === $fieldDescription->getType()) { |
||
129 | $value = filter_var($value, FILTER_VALIDATE_BOOLEAN); |
||
130 | } |
||
131 | |||
132 | // Handle entity choice association type, transforming the value into entity |
||
133 | if ('' !== $value |
||
134 | && TemplateRegistry::TYPE_CHOICE === $fieldDescription->getType() |
||
135 | && null !== $fieldDescription->getOption('class') |
||
136 | && $fieldDescription->getOption('class') === $fieldDescription->getTargetModel() |
||
137 | ) { |
||
138 | $value = $admin->getModelManager()->find($fieldDescription->getOption('class'), $value); |
||
139 | |||
140 | if (!$value) { |
||
141 | return new JsonResponse(sprintf( |
||
142 | 'Edit failed, object with id: %s not found in association: %s.', |
||
143 | $originalValue, |
||
144 | $field |
||
145 | ), Response::HTTP_NOT_FOUND); |
||
146 | } |
||
147 | } |
||
148 | |||
149 | $this->pool->getPropertyAccessor()->setValue($object, $propertyPath, '' !== $value ? $value : null); |
||
150 | |||
151 | $violations = $this->validator->validate($object); |
||
152 | |||
153 | if (\count($violations)) { |
||
154 | $messages = []; |
||
155 | |||
156 | foreach ($violations as $violation) { |
||
157 | $messages[] = $violation->getMessage(); |
||
158 | } |
||
159 | |||
160 | return new JsonResponse(implode("\n", $messages), Response::HTTP_BAD_REQUEST); |
||
161 | } |
||
162 | |||
163 | $admin->update($object); |
||
0 ignored issues
–
show
$object is of type object|array , but the function expects a object<Sonata\AdminBundle\Admin\object> .
It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { }
$x = '123'; // string "123"
// Instead of
acceptsInteger($x);
// we recommend to use
acceptsInteger((integer) $x);
Loading history...
|
|||
164 | |||
165 | // render the widget |
||
166 | // todo : fix this, the twig environment variable is not set inside the extension ... |
||
167 | $extension = $this->twig->getExtension(SonataAdminExtension::class); |
||
168 | \assert($extension instanceof SonataAdminExtension); |
||
169 | |||
170 | $content = $extension->renderListElement($this->twig, $rootObject, $fieldDescription); |
||
171 | |||
172 | return new JsonResponse($content, Response::HTTP_OK); |
||
173 | } |
||
174 | } |
||
175 |
Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: