Issues in FrontEndCMS.php (master) - Issues in master - sunnysideup/silverstripe-wiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (34)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

code/FrontEndCMS.php (3 issues)

Labels

Severity

Minor 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * @author nicolaas [at] sunnysideup.co.nz
 *
 */

class FrontEndCMS extends SiteTreeDecorator {
namespace YourVendor;

class YourClass { }

	protected static $member_email_fieldname_array = array("Email", "AlternativeEmail");
		static function set_member_email_fieldname_array (array $var) {self::$member_email_fieldname_array = $var;}

	protected static $group_title = 'Business Members';
		static function set_group_title ($var) { self::$group_title = $var;}

	protected static $group_code = 'business-members';
		static function set_group_code ($var) { self::$group_code = $var;}

	protected static $access_code = 'ACCESS_BUSINESS';
		static function set_access_code ($var) { self::$access_code = $var;}

	protected static $other_groups_to_which_members_should_be_added = array("forum-members");
		static function set_other_groups_to_which_members_should_be_added (array $var) {self::$other_groups_to_which_members_should_be_added = $var;}

	protected static $filter_many_many_table_in_CMS = true;
		static function set_filter_many_many_table_in_CMS ($var) { self::$filter_many_many_table_in_CMS = $var;}

	protected static $editable_child_combination = array("BusinessPage" => "ProductPage");
		static function set_editable_child_combination (array $var) {self::$editable_child_combination = $var;}

	protected static $editor_details_tab_name = "Editors";
		static function set_editor_details_tab_name ($var) { self::$editor_details_tab_name = $var;}
		static function get_editor_details_tab_name ($var) { return $editor_details_tab_name;}

	private static $is_editor = array();

	/**
	 * Fields and CMS
	 */

	public function extraStatics() {
		$emailArray = array();
		if(is_array(self::$member_email_fieldname_array) && count(self::$member_email_fieldname_array)) {
			foreach(self::$member_email_fieldname_array as $email) {
				$emailArray[$email] = "Varchar(255)";
			}
			return array(
				'db' => $emailArray,
				'many_many' => array(
					'Members' => 'Member'
				)
			);
		}
		else {
			user_error('You need to specify at least one  email field in static $member_email_fieldname_array', E_USER_NOTICE);
		}
	}

	public function updateCMSFields(FieldSet &$fields) {
		// TO DO: this should not be added if the fields are front-end.
		if($this->isEditablePage()) {
			foreach(self::$member_email_fieldname_array as $field) {
				$fields->addFieldToTab("Root.Content.".self::$editor_details_tab_name, new TextField($field, $field));
			}
			if(self::$filter_many_many_table_in_CMS) {
				$list = $this->owner->Members();
				$memberIdArray = array();
				foreach($list as $item) {
					if($item instanceOf Member) {
						$memberIdArray[$item->ID] = $item->MemberID;
					}
				}
				if(count($memberIdArray)) {
					$filterString = implode(",", $memberIdArray);
					$sourceFilter = "`MemberID` IN (".$filterString.')';
				}
				else {
					$sourceFilter = "`MemberID` < 0";
				}
			}
			else {
				$sourceFilter = "";
			}
			$membersField = new ManyManyComplexTableField(
				$controller = $this->owner,
				$name = 'Members',
				$sourceClass = 'Member', //Classname
				$fieldList = array(
					'Email'=>'Email',
					'FirstName'=>'First Name',
					'Surname'=>'Surname'
				),
				'getCMSFields',
				$sourceFilter
			);
			$membersField->setPermissions(array());
			$membersField->pageSize = 500;
			$membersField->setParentClass($this->owner->class);
			$fields->addFieldToTab("Root.Content.".self::$editor_details_tab_name, new HeaderField('Please note: These members will be able to edit this page',4));
			$fields->addFieldToTab("Root.Content.".self::$editor_details_tab_name, $membersField);
		}
		return $fields; //needed??
	}

	//checks if we need to add them to CMS (i.e. do we want this page to be edited at all?
	public function isEditablePage() {
		if($this->canEdit()) {
			if(is_array(self::$editable_child_combination) && count(self::$editable_child_combination)) {
				foreach(self::$editable_child_combination as $key => $value) {
					if($key == $this->owner->class || $this->owner->class == $value) {
						return true;
					}
				}
			}
		}
		return false;
	}

	/**
	 * Can functions
	 */

	//we add this here to do all the checking for canEdit in the DOD.
	public function getCanEditType() {
		return "OnlyTheseUsers";
	}

	public function canEdit($member = null) {
	/* this code maybe useful
		if(Permission::checkMember($member, "ADMIN")) return true;
		// decorated access checks
		$results = $this->extend('canEdit', $member);
		if($results && is_array($results)) if(!min($results)) return false;
		// if page can't be viewed, don't grant edit permissions
		if(!$this->canView()) return false;
		// check for empty spec
		if(!$this->CanEditType || $this->CanEditType == 'Anyone') return true;
		// check for inherit
		if($this->CanEditType == 'Inherit') {
			if($this->ParentID) return $this->Parent()->canEdit($member);
			else return Permission::checkMember($member, 'CMS_ACCESS_CMSMain');
		}
		// check for any logged-in users
		if($this->CanEditType == 'LoggedInUsers' && Permission::checkMember($member, 'CMS_ACCESS_CMSMain')) return true;
		// check for specific groups
		if($this->CanEditType == 'OnlyTheseUsers' && $member && $member->inGroups($this->EditorGroups())) return true;
		if($this->Members('MemberID = '.$member->ID)) return true;
		//Debug::message('About to fail');
		return false;
	*/

		// hack to make sure that there is no denial because some other page is called.
		/*
		if(Director::currentPage()->ID != $this->owner->ID) {
			return true;
		}
		*/
		if(isset(self::$is_editor[$this->owner->ID])) {
			return self::$is_editor[$this->owner->ID];
		}
		self::$is_editor[$this->owner->ID] = false;
		if(!$member) {$member = Member::currentUser();}
		if(!$member) {return false;}
		if($member->isAdmin()) {return true;}
		else {
			// Check for business member
			$pageMembers = $this->owner->Members();
			if($pageMembers->count()) {
				foreach($pageMembers as $pageMember) {
					if($pageMember->ID == $member->ID) {
						self::$is_editor[$this->owner->ID] = true;
					}
				}
			}
		}
		return self::$is_editor[$this->owner->ID];
	}

	public function canDelete($member = null) {
		if ($this->dependableChild()) return true;
		return false;
	}

	public function canCreate($member = null) {
		if ($this->dependableChild()) return true;
		return false;
	}

	/**
	 * Links
	 */

	public function Link($action = null) {/* this was required at some stage */
		return $this->owner->Link($action);
	}

	public function AddDependableChildLink() {
	  if($this->addibleChildClass()) {
			return $this->Link('adddependablechild');
		}
	}

	public function EditLink() {
	  if($this->canEdit()) {
			Requirements::javascript("frontendcms/javascript/greybox.js");
			Requirements::css("frontendcms/css/greybox.css");
			Requirements::javascript("frontendcms/javascript/frontendcms.js");
			return this->Link('edit');
		}
	}

	public function DeleteLink() {
	  if($this->canDelete()) {
			return this->Link('deletefromfrontend');
		}
	}

	public function BackLink() {
		return urlencode(Director::absoluteURL($this->Link(), true));
	}

	/**
	 * Status functions
	 */

	public function dependableChild() {
		$member = Member::currentUser();
		if($member) {
			if($member->isAdmin()) {
				return true;
			}
		}
		if(is_array(self::$editable_child_combination) && count(self::$editable_child_combination)) {
			foreach(self::$editable_child_combination as $parentClass => $childClass) {
				if($this->owner->class == $childClass) {
					if($this->owner->Parent()->class == $parentClass) {
						if($this->owner->Parent()->canEdit()) {
							return true;
						}
					}
				}
			}
		}
		return false;
	}

	public function addibleChildClass() {
		if(is_array(self::$editable_child_combination) && count(self::$editable_child_combination)) {
			foreach(self::$editable_child_combination as $parentClass => $childClass) {
				if($this->owner->class == $parentClass) {
					return $childClass;
				}
			}
		}
		return false;
	}

	/**
	*	delete section
	**/

	//nothing here at present - see controller

	/**
	*	add members to pages
	**/

	function onAfterWrite() {
		$fieldArrayValues = array();
		foreach(self::$member_email_fieldname_array as $field) {
			$fieldArrayValues[] = $this->owner->$field;
		}
		//add new members
		foreach ($fieldArrayValues as $email) {
			if ($email) {
				$member = DataObject::get_one('Member', "Email = '$email'");

				if (!$member) {
					$member = new Member();
					$member->Email = $email;
					$member->FirstName = $this->owner->Title;
					$member->Surname = $this->owner->Title;
					$member->Nickname = $this->owner->Title;
					$pwd = Member::create_new_password();
					$member->Password = $pwd;
					$member->write();
				}
				// Add user as BusinessMember
				$this->owner->Members()->add($member);
				foreach(self::$other_groups_to_which_members_should_be_added as $group) {
					Group::addToGroupByName($member, $group);
				}
				Group::addToGroupByName($member, self::$group_code);
			}
		}
		// Delete old members
		$whereString = '';
		foreach(self::$member_email_fieldname_array as $key=>$field) {
			if($key) {
				$whereString .= ' AND ';
			}
			$whereString .= '`Email` != "'.$this->owner->$field.'" ';
		}
		$members = $this->owner->Members($whereString);
		foreach ($members as $member) {
			$member->delete();
		}
		if($editGroup = DataObject::get_one("Group", 'Code = "'.self::$group_code.'"')) {
			$this->owner->EditorGroups()->add($editGroup->ID);
		}
		if($AdminGroup = DataObject::get_one("Group", 'Code = "administrators"')) {
			$this->owner->EditorGroups()->add($AdminGroup->ID);
		}
		parent::onAfterWrite();
	}

	/**
	*	add editor group
	**/

	function requireDefaultRecords() {
		parent::requireDefaultRecords();
		if(!$editorGroup = DataObject::get_one("Group", 'Code = "'.self::$group_code.'"')) {
			$editorGroup = new Group();
			$editorGroup->Code = self::$group_code;
			$editorGroup->Title = self::$group_title;
			$editorGroup->write();
			Permission::grant( $editorGroup->ID, self::$access_code );
			Database::alteration_message(self::$group_title.' - created with access group '.self::$access_code ,"created");
		}
		else if(DB::query('SELECT * FROM Permission WHERE `GroupID` = '.$editorGroup->ID.' AND `Code` LIKE "'.self::$access_code.'"')->numRecords() == 0 ) {
			Permission::grant($editorGroup->ID, self::$access_code);
		}
	}
}

class FrontEndCMS_Controller extends Extension {
namespace YourVendor;

class YourClass { }

	static $allowed_actions = array(
		'edit',
		'frontendcms',
		'dosave',
		'deletefromfrontend',
		'DeleteForm',
		'adddependablechild',
	);

	protected static $requirements_to_block = array();
		static function set_requirements_to_block(array $requirementFileArray) {self::$requirements_to_block = $requirementFileArray;}
		static function add_requirement_to_block($requirementFile) {self::$requirements_to_block[] = $requirementFile;}

	protected static $field_names_to_remove = array();
		function set_field_names_to_remove (array $var) {self::$field_names_to_remove = $var;}

	static function add_field_name_to_remove($field) {
		self::$field_names_to_remove[] = $field;
	}

	protected static $field_names_to_replace = array();
		function set_field_names_to_replace ($var) {self::$field_names_to_replace = $var;}

	static function add_field_names_to_replace($oldFieldName, $newFieldTypeOrObject) {
		self::$field_names_to_replace[$oldFieldName] = $newFieldTypeOrObject;
	}

	protected static $use_cms_fields = false;
		static function set_use_cms_fields($var) {self::$use_cms_fields = $var;}

	protected $frontEndFieldSet = null;

	private $ownerRecord = null;

	/**
	 * Render actions
	 */

	public function edit() {
	  if(!$this->ownerRecord()->canEdit()) return Security::permissionFailure();
		return $this->owner->renderWith(array("EditPagePopup"));
	}

	/**
	 * assisting functions
	 */

	protected function fieldReplacer($fieldSet) {
		if(!$this->frontEndFieldSet) {
			$this->frontEndFieldSet = new FieldSet();
		}
		$i = 0;
		foreach($fieldSet as $field) {
			$i++;
			if("TabSet" == $field->class) {
				$this->frontEndFieldSet->push(new HeaderField("section".$i, "header".$field->rightTitle.$field->leftTitle.$field->title.$field->name ));
				if($field->children) {
					$this->fieldReplacer($field->children);
				}
			}
			else {
				$this->frontEndFieldSet->push($field);
			}
		}
		return $this->frontEndFieldSet;
	}

	private function ownerRecord() {
		if($this->ownerRecord) {
			return $this->ownerRecord;
		}
		else {
			$this->ownerRecord = $this->owner->data();
			return $this->ownerRecord;
		}
	}

	/**
	 * forms
	 **/

	public function frontendcms() {
		$record = $this->ownerRecord();
		if (self::$use_cms_fields) $fieldset = $record->getCMSFields();
		else $fieldset = $record->getFrontEndFields();
		// the next three lines can be removed once the editor fields are no longer added
		if(is_array(FrontEndCMS::$member_email_fieldname_array) && count(FrontEndCMS::$member_email_fieldname_array)) {
			self::add_field_names_to_remove(array(FrontEndCMS::get_editor_details_tab_name()));
		}
		foreach(self::$field_names_to_remove as $fieldName) {
			if($fieldset->dataFieldByName($fieldName)) {
				$fieldset->removeByName($fieldName, $dataFieldOnly = true);
			}
			else {
				$fieldset->removeByName($fieldName, $dataFieldOnly = false);
			}
		}
		foreach(self::$field_names_to_replace as $fieldName => $replacement) {
			if (is_string($replacement)) $newField = new $replacement($fieldName, $fieldName);
			else $newField = $replacement;
			$fieldset->replaceField($fieldName, $newField);
		}
		if (self::$use_cms_fields) {
			Requirements::css('frontendcms/css/FrontEndCMS.css');
			Requirements::css('cms/css/cms_right.css');
			Requirements::css('cms/css/typography.css');
			Requirements::css('cms/css/TinyMCEImageEnhancement.css');
		}
		if(is_array(self::$requirements_to_block) && count(self::$requirements_to_block) ) {
			foreach(self::$requirements_to_block as $file) {
				Requirements::block($file);
			}
		}
		Requirements::block("jsparty/jquery/plugins/greybox/greybox.js");
		Requirements::block("jsparty/jquery/plugins/greybox/greybox.css");
		Requirements::block("frontendcms/javascript/frontendcms.js");
		//Requirements::themedCSS('FrontEndCMS');
		$form = new Form(
			$controller = $this->owner,
			$name = "frontendcms",
			$fields = $fieldset,
			$actions = new fieldSet(new FormAction("dosave", "Save"))
		);
		$form->loadDataFrom($record);
		Requirements::css("cms/css/cms_right.css");
		return $form;
	}

	public function dosave($data, $form) {
		$record = $this->ownerRecord();
		if(!$record->canEdit()) return Security::permissionFailure();

		$form->saveInto($record);
		//$record->write();
		$record->writeToStage('Stage');$record->publish('Stage', 'Live');$record->flushCache();
		//Director::redirect($record->Link());
		return $this->owner->renderWith(
			array("EditPagePopup"),
			array('SavedSuccess'=>true)
		);
	}

	public function LostPasswordForm($number = 1) {
		$number = intval($number);
		if(is_int($number)) {
			$number--;
			if(isset( FrontEndCMS::$member_email_fieldname_array[$number])) {
				$emailFieldName = FrontEndCMS::$member_email_fieldname_array[$number];
				$email = $this->owner->$emailFieldName;
			}
			else {
				user_error('LostPasswordForm number is incorrect.', E_USER_NOTICE);
			}
		}
		else {
			$email = $number["Email"];
		}
		if($email) {
			$form = new ResetFrontEndCMSUserPasswordForm(
				$this,
				'LostPasswordForm',
				new FieldSet(
					new HiddenField('Email', _t('Member.EMAIL', 'Email'), $email),
					new HiddenField('Number', "Number", $number)
				),
				new FieldSet(
					new FormAction(
						'forgotPassword',
						'Send the password reset link to '.$email
					)
				),
				false
			);
			return $form;
		}
	}

	/**
	*	add section
	**/

	public function adddependablechild() {
		$record = $this->ownerRecord();
		if(!$record->canEdit()) {echo "can not edit parent"; return Security::permissionFailure();}
		$classToAddName = $record->addibleChildClass();
		echo $classToAddName;
		if(class_exists($classToAddName) ) {
			$childPage = new $classToAddName();
			$childPage->Title = 'New '.$classToAddName;
			$childPage->ParentID = $record->ID;
			$array = FrontEndCMS::$member_email_fieldname_array;
			if(is_array($array) && count($array)) {
				foreach($array as $field) {
					$childPage->$field = $record->$field;
				}
			}
			if (!$childPage->canCreate()) {echo "can not create child"; return Security::permissionFailure();}
			$childPage->writeToStage('Stage');
			$childPage->publish('Stage', 'Live');
			$childPage->flushCache();
			Director::redirect($childPage->Link('edit'));
		}
	}

	/**
	 * delete section
	 **/

	public function deletefromfrontend() {
		if($this->ownerRecord()->dependableChild()) {
			return array('ShowDeleteForm'=>true);
		}
		else {
			return array();
		}
	}

	public function DeleteForm () {
		$record = $this->ownerRecord();
		if($record->dependableChild()) {
			$title = $this->ownerRecord()->Title;
			$form = new Form(
				$controller = $this->owner,
				$name = "DeleteForm",
				$fields = new FieldSet(new HeaderField("Are you sure you want to delete $title?")),
				$actions = new fieldSet(new FormAction("doDelete", "Yes, Delete It"), new FormAction("cancelDelete", "No, Go back"))
			);
			return $form;
		}
		else {
			return array();
		}
	}

	public function cancelDelete() {
		$record = $this->ownerRecord();
		Director::redirect($record->Link());
	}

	public function doDelete() {
		$record = $this->ownerRecord();
		if (!$record->canDelete()) return Security::permissionFailure();

		$parent = $record->Parent();
		$id = $record->ID;

		$stageRecord = Versioned::get_one_by_stage('SiteTree', 'Stage', "SiteTree.ID = $id");
		if ($stageRecord) $stageRecord->delete();
		$liveRecord = Versioned::get_one_by_stage('SiteTree', 'Live', "SiteTree_Live.ID = $id");
		if ($liveRecord) $liveRecord->delete();
		$record->delete();

		Director::redirect($parent->Link());
	}

	public function Link() {
		$record = $this->ownerRecord();
		return $record->Link();
	}

}



1			<?php
2
3			/**
4			* @author nicolaas [at] sunnysideup.co.nz
5			*
6			*/
7
8			class FrontEndCMS extends SiteTreeDecorator {
			0 ignored issues – show Coding Style Compatibility introduced 2017-01-10 01:07 UTC by Report Bug Copy Issue Report Show Similar Issues like this PSR1 recommends that each class must be in a namespace of at least one level to avoid collisions. You can fix this by adding a namespace to your class: namespace YourVendor; class YourClass { } When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries. Loading history...
9
10			protected static $member_email_fieldname_array = array("Email", "AlternativeEmail");
11			static function set_member_email_fieldname_array (array $var) {self::$member_email_fieldname_array = $var;}
12
13			protected static $group_title = 'Business Members';
14			static function set_group_title ($var) { self::$group_title = $var;}
15
16			protected static $group_code = 'business-members';
17			static function set_group_code ($var) { self::$group_code = $var;}
18
19			protected static $access_code = 'ACCESS_BUSINESS';
20			static function set_access_code ($var) { self::$access_code = $var;}
21
22			protected static $other_groups_to_which_members_should_be_added = array("forum-members");
23			static function set_other_groups_to_which_members_should_be_added (array $var) {self::$other_groups_to_which_members_should_be_added = $var;}
24
25			protected static $filter_many_many_table_in_CMS = true;
26			static function set_filter_many_many_table_in_CMS ($var) { self::$filter_many_many_table_in_CMS = $var;}
27
28			protected static $editable_child_combination = array("BusinessPage" => "ProductPage");
29			static function set_editable_child_combination (array $var) {self::$editable_child_combination = $var;}
30
31			protected static $editor_details_tab_name = "Editors";
32			static function set_editor_details_tab_name ($var) { self::$editor_details_tab_name = $var;}
33			static function get_editor_details_tab_name ($var) { return $editor_details_tab_name;}
34
35			private static $is_editor = array();
36
37			/**
38			* Fields and CMS
39			*/
40
41			public function extraStatics() {
42			$emailArray = array();
43			if(is_array(self::$member_email_fieldname_array) && count(self::$member_email_fieldname_array)) {
44			foreach(self::$member_email_fieldname_array as $email) {
45			$emailArray[$email] = "Varchar(255)";
46			}
47			return array(
48			'db' => $emailArray,
49			'many_many' => array(
50			'Members' => 'Member'
51			)
52			);
53			}
54			else {
55			user_error('You need to specify at least one email field in static $member_email_fieldname_array', E_USER_NOTICE);
56			}
57			}
58
59			public function updateCMSFields(FieldSet &$fields) {
60			// TO DO: this should not be added if the fields are front-end.
61			if($this->isEditablePage()) {
62			foreach(self::$member_email_fieldname_array as $field) {
63			$fields->addFieldToTab("Root.Content.".self::$editor_details_tab_name, new TextField($field, $field));
64			}
65			if(self::$filter_many_many_table_in_CMS) {
66			$list = $this->owner->Members();
67			$memberIdArray = array();
68			foreach($list as $item) {
69			if($item instanceOf Member) {
70			$memberIdArray[$item->ID] = $item->MemberID;
71			}
72			}
73			if(count($memberIdArray)) {
74			$filterString = implode(",", $memberIdArray);
75			$sourceFilter = "`MemberID` IN (".$filterString.')';
76			}
77			else {
78			$sourceFilter = "`MemberID` < 0";
79			}
80			}
81			else {
82			$sourceFilter = "";
83			}
84			$membersField = new ManyManyComplexTableField(
85			$controller = $this->owner,
86			$name = 'Members',
87			$sourceClass = 'Member', //Classname
88			$fieldList = array(
89			'Email'=>'Email',
90			'FirstName'=>'First Name',
91			'Surname'=>'Surname'
92			),
93			'getCMSFields',
94			$sourceFilter
95			);
96			$membersField->setPermissions(array());
97			$membersField->pageSize = 500;
98			$membersField->setParentClass($this->owner->class);
99			$fields->addFieldToTab("Root.Content.".self::$editor_details_tab_name, new HeaderField('Please note: These members will be able to edit this page',4));
100			$fields->addFieldToTab("Root.Content.".self::$editor_details_tab_name, $membersField);
101			}
102			return $fields; //needed??
103			}
104
105			//checks if we need to add them to CMS (i.e. do we want this page to be edited at all?
106			public function isEditablePage() {
107			if($this->canEdit()) {
108			if(is_array(self::$editable_child_combination) && count(self::$editable_child_combination)) {
109			foreach(self::$editable_child_combination as $key => $value) {
110			if($key == $this->owner->class \|\| $this->owner->class == $value) {
111			return true;
112			}
113			}
114			}
115			}
116			return false;
117			}
118
119			/**
120			* Can functions
121			*/
122
123			//we add this here to do all the checking for canEdit in the DOD.
124			public function getCanEditType() {
125			return "OnlyTheseUsers";
126			}
127
128			public function canEdit($member = null) {
129			/* this code maybe useful
130			if(Permission::checkMember($member, "ADMIN")) return true;
131			// decorated access checks
132			$results = $this->extend('canEdit', $member);
133			if($results && is_array($results)) if(!min($results)) return false;
134			// if page can't be viewed, don't grant edit permissions
135			if(!$this->canView()) return false;
136			// check for empty spec
137			if(!$this->CanEditType \|\| $this->CanEditType == 'Anyone') return true;
138			// check for inherit
139			if($this->CanEditType == 'Inherit') {
140			if($this->ParentID) return $this->Parent()->canEdit($member);
141			else return Permission::checkMember($member, 'CMS_ACCESS_CMSMain');
142			}
143			// check for any logged-in users
144			if($this->CanEditType == 'LoggedInUsers' && Permission::checkMember($member, 'CMS_ACCESS_CMSMain')) return true;
145			// check for specific groups
146			if($this->CanEditType == 'OnlyTheseUsers' && $member && $member->inGroups($this->EditorGroups())) return true;
147			if($this->Members('MemberID = '.$member->ID)) return true;
148			//Debug::message('About to fail');
149			return false;
150			*/
151
152			// hack to make sure that there is no denial because some other page is called.
153			/*
154			if(Director::currentPage()->ID != $this->owner->ID) {
155			return true;
156			}
157			*/
158			if(isset(self::$is_editor[$this->owner->ID])) {
159			return self::$is_editor[$this->owner->ID];
160			}
161			self::$is_editor[$this->owner->ID] = false;
162			if(!$member) {$member = Member::currentUser();}
163			if(!$member) {return false;}
164			if($member->isAdmin()) {return true;}
165			else {
166			// Check for business member
167			$pageMembers = $this->owner->Members();
168			if($pageMembers->count()) {
169			foreach($pageMembers as $pageMember) {
170			if($pageMember->ID == $member->ID) {
171			self::$is_editor[$this->owner->ID] = true;
172			}
173			}
174			}
175			}
176			return self::$is_editor[$this->owner->ID];
177			}
178
179			public function canDelete($member = null) {
180			if ($this->dependableChild()) return true;
181			return false;
182			}
183
184			public function canCreate($member = null) {
185			if ($this->dependableChild()) return true;
186			return false;
187			}
188
189			/**
190			* Links
191			*/
192
193			public function Link($action = null) {/* this was required at some stage */
194			return $this->owner->Link($action);
195			}
196
197			public function AddDependableChildLink() {
198			if($this->addibleChildClass()) {
199			return $this->Link('adddependablechild');
200			}
201			}
202
203			public function EditLink() {
204			if($this->canEdit()) {
205			Requirements::javascript("frontendcms/javascript/greybox.js");
206			Requirements::css("frontendcms/css/greybox.css");
207			Requirements::javascript("frontendcms/javascript/frontendcms.js");
208			return this->Link('edit');
209			}
210			}
211
212			public function DeleteLink() {
213			if($this->canDelete()) {
214			return this->Link('deletefromfrontend');
215			}
216			}
217
218			public function BackLink() {
219			return urlencode(Director::absoluteURL($this->Link(), true));
220			}
221
222			/**
223			* Status functions
224			*/
225
226			public function dependableChild() {
227			$member = Member::currentUser();
228			if($member) {
229			if($member->isAdmin()) {
230			return true;
231			}
232			}
233			if(is_array(self::$editable_child_combination) && count(self::$editable_child_combination)) {
234			foreach(self::$editable_child_combination as $parentClass => $childClass) {
235			if($this->owner->class == $childClass) {
236			if($this->owner->Parent()->class == $parentClass) {
237			if($this->owner->Parent()->canEdit()) {
238			return true;
239			}
240			}
241			}
242			}
243			}
244			return false;
245			}
246
247			public function addibleChildClass() {
248			if(is_array(self::$editable_child_combination) && count(self::$editable_child_combination)) {
249			foreach(self::$editable_child_combination as $parentClass => $childClass) {
250			if($this->owner->class == $parentClass) {
251			return $childClass;
252			}
253			}
254			}
255			return false;
256			}
257
258			/**
259			* delete section
260			**/
261
262			//nothing here at present - see controller
263
264			/**
265			* add members to pages
266			**/
267
268			function onAfterWrite() {
269			$fieldArrayValues = array();
270			foreach(self::$member_email_fieldname_array as $field) {
271			$fieldArrayValues[] = $this->owner->$field;
272			}
273			//add new members
274			foreach ($fieldArrayValues as $email) {
275			if ($email) {
276			$member = DataObject::get_one('Member', "Email = '$email'");
277
278			if (!$member) {
279			$member = new Member();
280			$member->Email = $email;
281			$member->FirstName = $this->owner->Title;
282			$member->Surname = $this->owner->Title;
283			$member->Nickname = $this->owner->Title;
284			$pwd = Member::create_new_password();
285			$member->Password = $pwd;
286			$member->write();
287			}
288			// Add user as BusinessMember
289			$this->owner->Members()->add($member);
290			foreach(self::$other_groups_to_which_members_should_be_added as $group) {
291			Group::addToGroupByName($member, $group);
292			}
293			Group::addToGroupByName($member, self::$group_code);
294			}
295			}
296			// Delete old members
297			$whereString = '';
298			foreach(self::$member_email_fieldname_array as $key=>$field) {
299			if($key) {
300			$whereString .= ' AND ';
301			}
302			$whereString .= '`Email` != "'.$this->owner->$field.'" ';
303			}
304			$members = $this->owner->Members($whereString);
305			foreach ($members as $member) {
306			$member->delete();
307			}
308			if($editGroup = DataObject::get_one("Group", 'Code = "'.self::$group_code.'"')) {
309			$this->owner->EditorGroups()->add($editGroup->ID);
310			}
311			if($AdminGroup = DataObject::get_one("Group", 'Code = "administrators"')) {
312			$this->owner->EditorGroups()->add($AdminGroup->ID);
313			}
314			parent::onAfterWrite();
315			}
316
317			/**
318			* add editor group
319			**/
320
321			function requireDefaultRecords() {
322			parent::requireDefaultRecords();
323			if(!$editorGroup = DataObject::get_one("Group", 'Code = "'.self::$group_code.'"')) {
324			$editorGroup = new Group();
325			$editorGroup->Code = self::$group_code;
326			$editorGroup->Title = self::$group_title;
327			$editorGroup->write();
328			Permission::grant( $editorGroup->ID, self::$access_code );
329			Database::alteration_message(self::$group_title.' - created with access group '.self::$access_code ,"created");
330			}
331			else if(DB::query('SELECT * FROM Permission WHERE `GroupID` = '.$editorGroup->ID.' AND `Code` LIKE "'.self::$access_code.'"')->numRecords() == 0 ) {
332			Permission::grant($editorGroup->ID, self::$access_code);
333			}
334			}
335			}
336
337			class FrontEndCMS_Controller extends Extension {
			0 ignored issues – show Coding Style Compatibility introduced 2017-01-10 01:07 UTC by Report Bug Copy Issue Report Show Similar Issues like this PSR1 recommends that each class should be in its own file to aid autoloaders. Having each class in a dedicated file usually plays nice with PSR autoloaders and is therefore a well established practice. If you use other autoloaders, you might not want to follow this rule. Loading history... Coding Style Compatibility introduced 2017-01-10 01:07 UTC by Report Bug Copy Issue Report Show Similar Issues like this PSR1 recommends that each class must be in a namespace of at least one level to avoid collisions. You can fix this by adding a namespace to your class: namespace YourVendor; class YourClass { } When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries. Loading history...
338
339			static $allowed_actions = array(
340			'edit',
341			'frontendcms',
342			'dosave',
343			'deletefromfrontend',
344			'DeleteForm',
345			'adddependablechild',
346			);
347
348			protected static $requirements_to_block = array();
349			static function set_requirements_to_block(array $requirementFileArray) {self::$requirements_to_block = $requirementFileArray;}
350			static function add_requirement_to_block($requirementFile) {self::$requirements_to_block[] = $requirementFile;}
351
352			protected static $field_names_to_remove = array();
353			function set_field_names_to_remove (array $var) {self::$field_names_to_remove = $var;}
354
355			static function add_field_name_to_remove($field) {
356			self::$field_names_to_remove[] = $field;
357			}
358
359			protected static $field_names_to_replace = array();
360			function set_field_names_to_replace ($var) {self::$field_names_to_replace = $var;}
361
362			static function add_field_names_to_replace($oldFieldName, $newFieldTypeOrObject) {
363			self::$field_names_to_replace[$oldFieldName] = $newFieldTypeOrObject;
364			}
365
366			protected static $use_cms_fields = false;
367			static function set_use_cms_fields($var) {self::$use_cms_fields = $var;}
368
369			protected $frontEndFieldSet = null;
370
371			private $ownerRecord = null;
372
373			/**
374			* Render actions
375			*/
376
377			public function edit() {
378			if(!$this->ownerRecord()->canEdit()) return Security::permissionFailure();
379			return $this->owner->renderWith(array("EditPagePopup"));
380			}
381
382			/**
383			* assisting functions
384			*/
385
386			protected function fieldReplacer($fieldSet) {
387			if(!$this->frontEndFieldSet) {
388			$this->frontEndFieldSet = new FieldSet();
389			}
390			$i = 0;
391			foreach($fieldSet as $field) {
392			$i++;
393			if("TabSet" == $field->class) {
394			$this->frontEndFieldSet->push(new HeaderField("section".$i, "header".$field->rightTitle.$field->leftTitle.$field->title.$field->name ));
395			if($field->children) {
396			$this->fieldReplacer($field->children);
397			}
398			}
399			else {
400			$this->frontEndFieldSet->push($field);
401			}
402			}
403			return $this->frontEndFieldSet;
404			}
405
406			private function ownerRecord() {
407			if($this->ownerRecord) {
408			return $this->ownerRecord;
409			}
410			else {
411			$this->ownerRecord = $this->owner->data();
412			return $this->ownerRecord;
413			}
414			}
415
416			/**
417			* forms
418			**/
419
420			public function frontendcms() {
421			$record = $this->ownerRecord();
422			if (self::$use_cms_fields) $fieldset = $record->getCMSFields();
423			else $fieldset = $record->getFrontEndFields();
424			// the next three lines can be removed once the editor fields are no longer added
425			if(is_array(FrontEndCMS::$member_email_fieldname_array) && count(FrontEndCMS::$member_email_fieldname_array)) {
426			self::add_field_names_to_remove(array(FrontEndCMS::get_editor_details_tab_name()));
427			}
428			foreach(self::$field_names_to_remove as $fieldName) {
429			if($fieldset->dataFieldByName($fieldName)) {
430			$fieldset->removeByName($fieldName, $dataFieldOnly = true);
431			}
432			else {
433			$fieldset->removeByName($fieldName, $dataFieldOnly = false);
434			}
435			}
436			foreach(self::$field_names_to_replace as $fieldName => $replacement) {
437			if (is_string($replacement)) $newField = new $replacement($fieldName, $fieldName);
438			else $newField = $replacement;
439			$fieldset->replaceField($fieldName, $newField);
440			}
441			if (self::$use_cms_fields) {
442			Requirements::css('frontendcms/css/FrontEndCMS.css');
443			Requirements::css('cms/css/cms_right.css');
444			Requirements::css('cms/css/typography.css');
445			Requirements::css('cms/css/TinyMCEImageEnhancement.css');
446			}
447			if(is_array(self::$requirements_to_block) && count(self::$requirements_to_block) ) {
448			foreach(self::$requirements_to_block as $file) {
449			Requirements::block($file);
450			}
451			}
452			Requirements::block("jsparty/jquery/plugins/greybox/greybox.js");
453			Requirements::block("jsparty/jquery/plugins/greybox/greybox.css");
454			Requirements::block("frontendcms/javascript/frontendcms.js");
455			//Requirements::themedCSS('FrontEndCMS');
456			$form = new Form(
457			$controller = $this->owner,
458			$name = "frontendcms",
459			$fields = $fieldset,
460			$actions = new fieldSet(new FormAction("dosave", "Save"))
461			);
462			$form->loadDataFrom($record);
463			Requirements::css("cms/css/cms_right.css");
464			return $form;
465			}
466
467			public function dosave($data, $form) {
468			$record = $this->ownerRecord();
469			if(!$record->canEdit()) return Security::permissionFailure();
470
471			$form->saveInto($record);
472			//$record->write();
473			$record->writeToStage('Stage');$record->publish('Stage', 'Live');$record->flushCache();
474			//Director::redirect($record->Link());
475			return $this->owner->renderWith(
476			array("EditPagePopup"),
477			array('SavedSuccess'=>true)
478			);
479			}
480
481			public function LostPasswordForm($number = 1) {
482			$number = intval($number);
483			if(is_int($number)) {
484			$number--;
485			if(isset( FrontEndCMS::$member_email_fieldname_array[$number])) {
486			$emailFieldName = FrontEndCMS::$member_email_fieldname_array[$number];
487			$email = $this->owner->$emailFieldName;
488			}
489			else {
490			user_error('LostPasswordForm number is incorrect.', E_USER_NOTICE);
491			}
492			}
493			else {
494			$email = $number["Email"];
495			}
496			if($email) {
497			$form = new ResetFrontEndCMSUserPasswordForm(
498			$this,
499			'LostPasswordForm',
500			new FieldSet(
501			new HiddenField('Email', _t('Member.EMAIL', 'Email'), $email),
502			new HiddenField('Number', "Number", $number)
503			),
504			new FieldSet(
505			new FormAction(
506			'forgotPassword',
507			'Send the password reset link to '.$email
508			)
509			),
510			false
511			);
512			return $form;
513			}
514			}
515
516			/**
517			* add section
518			**/
519
520			public function adddependablechild() {
521			$record = $this->ownerRecord();
522			if(!$record->canEdit()) {echo "can not edit parent"; return Security::permissionFailure();}
523			$classToAddName = $record->addibleChildClass();
524			echo $classToAddName;
525			if(class_exists($classToAddName) ) {
526			$childPage = new $classToAddName();
527			$childPage->Title = 'New '.$classToAddName;
528			$childPage->ParentID = $record->ID;
529			$array = FrontEndCMS::$member_email_fieldname_array;
530			if(is_array($array) && count($array)) {
531			foreach($array as $field) {
532			$childPage->$field = $record->$field;
533			}
534			}
535			if (!$childPage->canCreate()) {echo "can not create child"; return Security::permissionFailure();}
536			$childPage->writeToStage('Stage');
537			$childPage->publish('Stage', 'Live');
538			$childPage->flushCache();
539			Director::redirect($childPage->Link('edit'));
540			}
541			}
542
543			/**
544			* delete section
545			**/
546
547			public function deletefromfrontend() {
548			if($this->ownerRecord()->dependableChild()) {
549			return array('ShowDeleteForm'=>true);
550			}
551			else {
552			return array();
553			}
554			}
555
556			public function DeleteForm () {
557			$record = $this->ownerRecord();
558			if($record->dependableChild()) {
559			$title = $this->ownerRecord()->Title;
560			$form = new Form(
561			$controller = $this->owner,
562			$name = "DeleteForm",
563			$fields = new FieldSet(new HeaderField("Are you sure you want to delete $title?")),
564			$actions = new fieldSet(new FormAction("doDelete", "Yes, Delete It"), new FormAction("cancelDelete", "No, Go back"))
565			);
566			return $form;
567			}
568			else {
569			return array();
570			}
571			}
572
573			public function cancelDelete() {
574			$record = $this->ownerRecord();
575			Director::redirect($record->Link());
576			}
577
578			public function doDelete() {
579			$record = $this->ownerRecord();
580			if (!$record->canDelete()) return Security::permissionFailure();
581
582			$parent = $record->Parent();
583			$id = $record->ID;
584
585			$stageRecord = Versioned::get_one_by_stage('SiteTree', 'Stage', "SiteTree.ID = $id");
586			if ($stageRecord) $stageRecord->delete();
587			$liveRecord = Versioned::get_one_by_stage('SiteTree', 'Live', "SiteTree_Live.ID = $id");
588			if ($liveRecord) $liveRecord->delete();
589			$record->delete();
590
591			Director::redirect($parent->Link());
592			}
593
594			public function Link() {
595			$record = $this->ownerRecord();
596			return $record->Link();
597			}
598
599			}
600
601

sunnysideup / silverstripe-wiki

Issues (34)

Security Analysis no request data

code/FrontEndCMS.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like