This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | |||
3 | |||
4 | |||
5 | class PageRaterExtension_Controller extends Extension |
||
6 | { |
||
7 | |||
8 | |||
9 | /** |
||
10 | * add the default rating to each page ... |
||
11 | * @var boolean |
||
12 | */ |
||
13 | private static $items_per_page = 8; |
||
14 | |||
15 | /** |
||
16 | * @var string |
||
17 | */ |
||
18 | private static $field_title = "Click on any star to rate:"; |
||
19 | |||
20 | /** |
||
21 | * @var string |
||
22 | */ |
||
23 | private static $field_right_title = "On a scale from 1 to 5, with 5 being the best"; |
||
24 | |||
25 | /** |
||
26 | * @var boolean |
||
27 | */ |
||
28 | private static $show_average_rating_in_rating_field = false; |
||
29 | |||
30 | /** |
||
31 | * @var boolean |
||
32 | */ |
||
33 | private static $only_show_approved = false; |
||
34 | |||
35 | private static $allowed_actions = array( |
||
36 | "PageRatingForm", |
||
37 | "rateagain", |
||
38 | "dopagerating", |
||
39 | "removedefaultpageratings", |
||
40 | "removeallpageratings" |
||
41 | ); |
||
42 | |||
43 | /** |
||
44 | * action to allow use to rate again... |
||
45 | */ |
||
46 | public function rateagain($request) |
||
47 | { |
||
48 | $id = intval(Session::get('PageRated'.$this->owner->dataRecord->ID))-0; |
||
49 | $pageRating = PageRating::get()->byID($id); |
||
50 | if ($pageRating) { |
||
51 | $pageRating->delete(); |
||
52 | } |
||
53 | Session::set('PageRated'.$this->owner->dataRecord->ID, false); |
||
0 ignored issues
–
show
|
|||
54 | Session::clear('PageRated'.$this->owner->dataRecord->ID); |
||
55 | return $this->owner->redirect($this->owner->Link()); |
||
56 | } |
||
57 | |||
58 | /** |
||
59 | * @return Form |
||
60 | */ |
||
61 | public function PageRatingForm() |
||
62 | { |
||
63 | Requirements::themedCSS('PageRater', "pagerater"); |
||
64 | if ($this->owner->PageHasBeenRatedByUser()) { |
||
65 | $ratingField = LiteralField::create("RatingFor".$this->owner->dataRecord->ID, $this->owner->renderWith("PageRaterAjaxReturn")); |
||
66 | $actions = FieldList::create(); |
||
67 | $requiredFields = null; |
||
68 | } else { |
||
69 | if (Config::inst()->get("PageRaterExtension_Controller", "show_average_rating_in_rating_field")) { |
||
70 | $defaultStart = $this->owner->getStarRating(); |
||
71 | } else { |
||
72 | $defaultStart = 0; |
||
73 | } |
||
74 | $ratingField = PageRaterStarField::create( |
||
75 | 'RatingFor'.$this->owner->dataRecord->ID, |
||
76 | Config::inst()->get("PageRaterExtension_Controller", "field_title"), |
||
77 | $defaultStart, |
||
78 | PageRating::get_number_of_stars() |
||
79 | ); |
||
80 | $ratingField->setRightTitle(Config::inst()->get("PageRaterExtension_Controller", "field_right_title")); |
||
81 | $requiredFields = RequiredFields::create($ratingField->getRequiredFields()); |
||
82 | $actions = FieldList::create(FormAction::create('dopagerating', 'Submit')); |
||
83 | } |
||
84 | $fields = FieldList::create( |
||
85 | $ratingField, |
||
86 | HiddenField::create('ParentID', "ParentID", $this->owner->dataRecord->ID) |
||
87 | ); |
||
88 | |||
89 | return Form::create($this->owner, 'PageRatingForm', $fields, $actions, $requiredFields); |
||
90 | } |
||
91 | |||
92 | /** |
||
93 | * action Page Rating Form |
||
94 | */ |
||
95 | public function dopagerating($data, $form) |
||
96 | { |
||
97 | $id = $this->owner->dataRecord->ID; |
||
98 | $fieldName = "RatingFor".$id; |
||
99 | $data = Convert::raw2sql($data); |
||
100 | $pageRating = PageRating::create(); |
||
101 | $form->saveInto($pageRating); |
||
102 | $pageRating->ParentID = $this->owner->dataRecord->ID; |
||
103 | if (isset($data[$fieldName])) { |
||
104 | $pageRating->Rating = floatval($data[$fieldName]); |
||
105 | } |
||
106 | if (isset($data[$fieldName."_Comment"])) { |
||
107 | $pageRating->Comment = Convert::raw2sql($data[$fieldName."_Comment"]); |
||
108 | } |
||
109 | if (isset($data[$fieldName."_Name"])) { |
||
110 | $pageRating->Name = Convert::raw2sql($data[$fieldName."_Name"]); |
||
111 | } |
||
112 | if (isset($data[$fieldName."_Title"])) { |
||
113 | $pageRating->Title = Convert::raw2sql($data[$fieldName."_Title"]); |
||
114 | } |
||
115 | $pageRating->write(); |
||
116 | Session::set('PageRated'.$this->owner->dataRecord->ID, $pageRating->ID); |
||
117 | if (Director::is_ajax()) { |
||
118 | return $this->owner->renderWith("PageRaterAjaxReturn"); |
||
119 | } else { |
||
120 | $this->owner->redirectBack(); |
||
121 | } |
||
122 | } |
||
123 | |||
124 | |||
125 | public function removedefaultpageratings() |
||
126 | { |
||
127 | if (Permission::check("ADMIN")) { |
||
128 | DB::query("DELETE FROM PageRating WHERE IsDefault = 1;"); |
||
129 | debug::show("removed all default ratings for all pages"); |
||
130 | } else { |
||
131 | Security::permissionFailure($this->owner, _t('Security.PERMFAILURE', ' This page is secured and you need administrator rights to access it. Enter your credentials below and we will send you right along.')); |
||
0 ignored issues
–
show
$this->owner is of type object<SS_Object> , but the function expects a object<Controller>|null .
It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { }
$x = '123'; // string "123"
// Instead of
acceptsInteger($x);
// we recommend to use
acceptsInteger((integer) $x);
Loading history...
|
|||
132 | } |
||
133 | } |
||
134 | |||
135 | public function removeallpageratings() |
||
136 | { |
||
137 | if (Permission::check("ADMIN")) { |
||
138 | DB::query("DELETE FROM PageRating;"); |
||
139 | debug::show("removed all ratings for all pages"); |
||
140 | } else { |
||
141 | Security::permissionFailure($this->owner, _t('Security.PERMFAILURE', ' This page is secured and you need administrator rights to access it. Enter your credentials below and we will send you right along.')); |
||
0 ignored issues
–
show
$this->owner is of type object<SS_Object> , but the function expects a object<Controller>|null .
It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { }
$x = '123'; // string "123"
// Instead of
acceptsInteger($x);
// we recommend to use
acceptsInteger((integer) $x);
Loading history...
|
|||
142 | } |
||
143 | } |
||
144 | |||
145 | |||
146 | |||
147 | |||
148 | |||
149 | /** |
||
150 | * rating for this page ... |
||
151 | * @return ArrayList |
||
152 | */ |
||
153 | View Code Duplication | public function PageRatingResults() |
|
154 | { |
||
155 | $sqlQuery = new SQLQuery(); |
||
156 | $sqlQuery->setSelect("AVG(\"PageRating\".\"Rating\") RatingAverage, ParentID"); |
||
157 | $sqlQuery->setFrom("\"PageRating\" "); |
||
158 | if ($this->onlyShowApprovedPageRatings()) { |
||
159 | $sqlQuery->setWhere("\"ParentID\" = ".$this->owner->ID." AND \"PageRating\".\"IsApproved\" = 1"); |
||
160 | } else { |
||
161 | $sqlQuery->setWhere("\"ParentID\" = ".$this->owner->ID.""); |
||
162 | } |
||
163 | $sqlQuery->setOrderBy("RatingAverage DESC"); |
||
164 | $sqlQuery->setGroupby("\"ParentID\""); |
||
165 | $sqlQuery->setLimit(1); |
||
166 | return $this->turnPageRaterSQLIntoArrayList($sqlQuery, "PageRatingResults"); |
||
167 | } |
||
168 | |||
169 | /** |
||
170 | * rating of this page by this user ... |
||
171 | * @return ArrayList |
||
172 | */ |
||
173 | View Code Duplication | public function CurrentUserRating() |
|
174 | { |
||
175 | $sqlQuery = new SQLQuery(); |
||
176 | $sqlQuery->setSelect("AVG(\"PageRating\".\"Rating\") RatingAverage, ParentID"); |
||
177 | $sqlQuery->setFrom("\"PageRating\" "); |
||
178 | if ($this->onlyShowApprovedPageRatings()) { |
||
179 | $sqlQuery->setWhere("\"ParentID\" = ".$this->owner->ID." AND \"PageRating\".\"ID\" = '".Session::get('PageRated'.$this->owner->ID)."' AND \"PageRating\".\"IsApproved\" = 1"); |
||
180 | } else { |
||
181 | $sqlQuery->setWhere("\"ParentID\" = ".$this->owner->ID." AND \"PageRating\".\"ID\" = '".Session::get('PageRated'.$this->owner->ID)."'"); |
||
182 | } |
||
183 | |||
184 | $sqlQuery->setOrderBy("RatingAverage DESC"); |
||
185 | $sqlQuery->setGroupby("\"ParentID\""); |
||
186 | $sqlQuery->setLimit(1); |
||
187 | return $this->turnPageRaterSQLIntoArrayList($sqlQuery, "CurrentUserRating"); |
||
188 | } |
||
189 | |||
190 | /** |
||
191 | * list of all rated pages ... |
||
192 | * @return ArrayList |
||
193 | */ |
||
194 | public function PageRaterListOfAllForPage($paginated = false) |
||
195 | { |
||
196 | if ($this->owner->onlyShowApprovedPageRatings()) { |
||
197 | $list = $this->owner->turnPageRaterSQLIntoArrayList( |
||
198 | $this->owner->PageRatings()->filter(array("IsApproved" => 1)), |
||
199 | "PageRaterListOfAllForPage" |
||
200 | ); |
||
201 | } else { |
||
202 | $list = $this->owner->turnPageRaterSQLIntoArrayList( |
||
203 | $this->owner->PageRatings(), |
||
204 | "PageRaterListOfAllForPage" |
||
205 | ); |
||
206 | } |
||
207 | if ($paginated) { |
||
208 | $limit = Config::inst()->get('PageRaterExtension_Controller', 'items_per_page'); |
||
209 | if ($limit) { |
||
210 | $list = PaginatedList::create($list, $this->owner->getRequest()); |
||
211 | $list->setPageLength($limit); |
||
212 | } |
||
213 | } |
||
214 | return $list; |
||
215 | } |
||
216 | |||
217 | |||
218 | public function PageRaterListAll() |
||
219 | { |
||
220 | $sqlQuery = new SQLQuery(); |
||
221 | $sqlQuery->setSelect("\"PageRating\".\"Rating\" AS RatingAverage, \"PageRating\".\"ParentID\""); |
||
222 | if ($this->owner->onlyShowApprovedPageRatings()) { |
||
223 | $sqlQuery->setWhere("\"PageRating\".\"IsApproved\" = 1"); |
||
224 | } |
||
225 | $sqlQuery->setFrom(" \"PageRating\""); |
||
226 | $sqlQuery->addInnerJoin("SiteTree", " \"PageRating\".\"ParentID\" = \"SiteTree\".\"ID\""); |
||
227 | $sqlQuery->setOrderBy("RatingAverage DESC"); |
||
228 | $sqlQuery->setGroupby("\"SiteTree\".\"ParentID\""); |
||
229 | return $this->turnPageRaterSQLIntoArrayList($sqlQuery, "PageRaterList"); |
||
230 | } |
||
231 | |||
232 | /** |
||
233 | * @param $data $sqlQuery | DataList |
||
234 | * @param string $method |
||
235 | * |
||
236 | * @return ArrayList |
||
237 | */ |
||
238 | View Code Duplication | protected function turnPageRaterSQLIntoArrayList($data, $method = "unknown") |
|
239 | { |
||
240 | if ($data instanceof SQLQuery) { |
||
241 | $data = $data->execute(); |
||
242 | } |
||
243 | $al = new ArrayList(); |
||
244 | if ($data) { |
||
245 | foreach ($data as $record) { |
||
246 | if ($record instanceof PageRating) { |
||
247 | $record->Method = $method; |
||
248 | } else { |
||
249 | $score = $record["RatingAverage"]; |
||
250 | $parentID = $record["ParentID"]; |
||
251 | $record = PageRating::get_star_details_as_array_data($score, $parentID, $method); |
||
252 | } |
||
253 | $al->push($record); |
||
254 | } |
||
255 | } |
||
256 | return $al; |
||
257 | } |
||
258 | |||
259 | /** |
||
260 | * @return boolean |
||
261 | */ |
||
262 | public function PageHasBeenRatedByUser() |
||
263 | { |
||
264 | return Session::get('PageRated'.$this->owner->ID) ? true : false; |
||
265 | } |
||
266 | |||
267 | /** |
||
268 | * |
||
269 | * @return int |
||
270 | */ |
||
271 | View Code Duplication | public function NumberOfPageRatings() |
|
272 | { |
||
273 | $doSet = new ArrayList(); |
||
274 | $sqlQuery = new SQLQuery(); |
||
275 | $sqlQuery->setSelect("COUNT(\"PageRating\".\"Rating\") RatingCount"); |
||
276 | $sqlQuery->setFrom("\"PageRating\" "); |
||
277 | if ($this->onlyShowApprovedPageRatings()) { |
||
278 | $sqlQuery->setWhere("\"ParentID\" = ".$this->owner->ID." AND \"PageRating\".\"IsApproved\" = 1"); |
||
279 | } else { |
||
280 | $sqlQuery->setWhere("\"ParentID\" = ".$this->owner->ID.""); |
||
281 | } |
||
282 | $sqlQuery->setOrderBy("RatingCount ASC"); |
||
283 | $sqlQuery->setGroupBy("\"ParentID\""); |
||
284 | $sqlQuery->setLimit(1); |
||
285 | $data = $sqlQuery->execute(); |
||
286 | if ($data) { |
||
287 | foreach ($data as $record) { |
||
288 | return $record["RatingCount"]; |
||
289 | } |
||
290 | } |
||
291 | return 0; |
||
292 | } |
||
293 | |||
294 | protected function onlyShowApprovedPageRatings() |
||
295 | { |
||
296 | return Config::inst()->get("PageRaterExtension_Controller", "only_show_approved"); |
||
297 | } |
||
298 | |||
299 | |||
300 | /** |
||
301 | * return the average rating... |
||
302 | * @return Double |
||
303 | */ |
||
304 | public function getStarRating() |
||
305 | { |
||
306 | $ratings = $this->owner->PageRatingResults(); |
||
307 | $rating = 0; |
||
308 | if ($ratings->Count() == 1) { |
||
309 | foreach ($ratings as $ratingItem) { |
||
310 | $rating = $ratingItem->Stars; |
||
311 | } |
||
312 | } |
||
313 | return $rating; |
||
314 | } |
||
315 | } |
||
316 |
It seems like the type of the argument is not accepted by the function/method which you are calling.
In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.
We suggest to add an explicit type cast like in the following example: