Issues in SpecialModifyEntity.php (master) - Issues in master - wikimedia/mediawiki-extensions-Wikibase - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1401)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

repo/includes/Specials/SpecialModifyEntity.php (2 issues)

Labels

Bug 2

Severity

Minor 2

Ricordisamoa 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Wikibase\Repo\Specials;

use Html;
use HTMLForm;
use Status;
use Wikibase\DataModel\Entity\EntityDocument;
use Wikibase\DataModel\Entity\EntityId;
use Wikibase\Lib\MessageException;
use Wikibase\Lib\Store\EntityRevision;
use Wikibase\Lib\Store\EntityTitleLookup;
use Wikibase\Lib\Store\RevisionedUnresolvedRedirectException;
use Wikibase\Lib\Store\StorageException;
use Wikibase\Lib\Summary;
use Wikibase\Lib\UserInputException;
use Wikibase\Repo\ChangeOp\ChangeOp;
use Wikibase\Repo\ChangeOp\ChangeOpException;
use Wikibase\Repo\ChangeOp\ChangeOpValidationException;
use Wikibase\Repo\EditEntity\MediawikiEditEntityFactory;
use Wikibase\Repo\SummaryFormatter;

/**
 * Abstract special page for modifying Wikibase entity.
 *
 * @license GPL-2.0-or-later
 * @author Bene* < [email protected] >
 * @author Daniel Kinzler
 */
abstract class SpecialModifyEntity extends SpecialWikibaseRepoPage {

	/**
	 * @var EntityDocument|null
	 */
	private $entityForModification = null;

	/**
	 * @var EntityId|null
	 */
	private $entityId;

	/**
	 * @param string $title The title of the special page
	 * @param SpecialPageCopyrightView $copyrightView
	 * @param SummaryFormatter $summaryFormatter
	 * @param EntityTitleLookup $entityTitleLookup
	 * @param MediawikiEditEntityFactory $editEntityFactory
	 */
	public function __construct(
		$title,
		SpecialPageCopyrightView $copyrightView,
		SummaryFormatter $summaryFormatter,
		EntityTitleLookup $entityTitleLookup,
		MediawikiEditEntityFactory $editEntityFactory
	) {
		parent::__construct(
			$title,
			'edit',
			$copyrightView,
			$summaryFormatter,
			$entityTitleLookup,
			$editEntityFactory
		);
	}

	public function doesWrites() {
		return true;
	}

	/**
	 * Returns the ID of the Entity being modified.
	 * Returns null if no entity ID was specified in the request.
	 *
	 * @note The return value is undefined before prepareArguments() has been called.
	 *
	 * @return null|EntityId
	 */
	protected function getEntityId() {
		return $this->entityId;
	}

	/**
	 * Returns the base revision. If no base revision ID was passed to prepareEditEntity(),
	 * this returns the latest revision.
	 *
	 * @throws UserInputException
	 *
	 * @return EntityRevision
	 */
	protected function getBaseRevision() {
		$id = $this->getEntityId();
		try {
			$baseRev = $this->getEditEntity()->getBaseRevision();

			if ( $baseRev === null ) {
				throw new UserInputException(
					'wikibase-wikibaserepopage-invalid-id',
					[ $id->getSerialization() ],
					'Entity ID "' . $id->getSerialization() . '" is unknown'
				);
			}
		} catch ( RevisionedUnresolvedRedirectException $ex ) {
			throw new UserInputException(
				'wikibase-wikibaserepopage-unresolved-redirect',
				[ $id->getSerialization() ],
				'Entity ID "' . $id->getSerialization() . '"" refers to a redirect'
			);
		} catch ( StorageException $ex ) {
			throw new UserInputException(
				'wikibase-wikibaserepopage-storage-exception',
				[ $id->getSerialization(), $ex->getMessage() ],
				'Entity "' . $id->getSerialization() . '" could not be loaded'
			);
		}

		return $baseRev;
	}

	/**
	 * Returns the current revision.
	 *
	 * @throws UserInputException
	 *
	 * @return null|EntityRevision
	 */
	protected function getLatestRevision() {
		$id = $this->getEntityId();
		try {
			$baseRev = $this->getEditEntity()->getLatestRevision();

			if ( $baseRev === null ) {
				throw new UserInputException(
					'wikibase-wikibaserepopage-invalid-id',
					[ $id->getSerialization() ],
					'Entity ID "' . $id->getSerialization() . '" is unknown'
				);
			}
		} catch ( RevisionedUnresolvedRedirectException $ex ) {
			throw new UserInputException(
				'wikibase-wikibaserepopage-unresolved-redirect',
				[ $id->getSerialization() ],
				'Entity ID "' . $id->getSerialization() . '"" refers to a redirect'
			);
		} catch ( StorageException $ex ) {
			throw new UserInputException(
				'wikibase-wikibaserepopage-storage-exception',
				[ $id->getSerialization(), $ex->getMessage() ],
				'Entity "' . $id->getSerialization() . '" could not be loaded'
			);
		}

		return $baseRev;
	}

	/**
	 * Returns the EntityDocument that is to be modified by code in this class (or subclasses).
	 * The first call to this method calls getBaseRevision().
	 *
	 * @throws MessageException
	 * @throws UserInputException
	 *
	 * @return EntityDocument
	 */
	protected function getEntityForModification() {
		if ( !$this->entityForModification ) {
			$revision = $this->getBaseRevision();
			$this->entityForModification = $revision->getEntity()->copy();
		}

		return $this->entityForModification;
	}

	/**
	 * Returns the EntityDocument that is to be shown by code in this class (or subclasses).
	 * The returns null if no entity ID was specified in the request.
	 *
	 * @throws MessageException
	 * @throws UserInputException
	 *
	 * @return EntityDocument|null
	 */
	protected function getEntityForDisplay() {
		if ( $this->entityId ) {
			$revision = $this->getBaseRevision();
			return $revision->getEntity();
		}

		return null;
	}

	/**
	 * @see SpecialWikibasePage::execute
	 *
	 * @param string|null $subPage
	 */
	public function execute( $subPage ) {
		parent::execute( $subPage );

		$this->checkPermissions();
		$this->checkBlocked();
		$this->checkReadOnly();

		$this->setHeaders();
		$this->outputHeader();

		try {
			$this->processArguments( $subPage );
			$valid = $this->validateInput();

			if ( $valid && $this->isModificationRequested() ) {
				$updatedEntity = $this->getEntityForModification();
				$summary = $this->modifyEntity( $updatedEntity );

				if ( $summary ) {
					$token = $this->getRequest()->getRawVal( 'wpEditToken' );
					$status = $this->saveEntity( $updatedEntity, $summary, $token );

					$this->handleStatus( $status, $updatedEntity );
					return;
				}
			}

			$entity = $this->getEntityForDisplay();
			$this->setForm( $entity );
		} catch ( UserInputException $ex ) {
			$error = $this->msg( $ex->getKey(), $ex->getParams() )->parse();
			$this->showErrorHTML( $error );
		}
	}

	private function handleStatus( Status $status, EntityDocument $entity ) {
		if ( $status->isOK() ) {
			$entityUrl = $this->getEntityTitle( $this->getEntityId() )->getFullURL();
			$this->getOutput()->redirect( $entityUrl );
		} else {
			$errors = $status->getErrorsArray();
			$this->showErrorHTML( $this->msg( $errors[0][0], array_slice( $errors[0], 1 ) )->parse() );
			$this->setForm( $entity );
		}
	}

	/**
	 * Prepares the arguments.
	 *
	 * @param string|null $subPage
	 */
	protected function processArguments( $subPage ) {
		$parts = $subPage === '' ? [] : explode( '/', $subPage, 2 );

		$idString = $this->getRequest()->getVal( 'id', $parts[0] ?? null );
		$baseRevId = $this->getRequest()->getInt( 'revid', 0 );

		if ( !$idString ) {
			return;
		}

		$this->entityId = $this->parseEntityId( $idString );

		$this->prepareEditEntity( $this->entityId, $baseRevId );
	}

	/**
	 * Return the HTML form.
	 *
	 * @param EntityDocument|null $entity
	 *
	 * @return HTMLForm
	 */
	abstract protected function getForm( EntityDocument $entity = null );

	/**
	 * Building the HTML form for modifying an entity.
	 *
	 * @param EntityDocument|null $entity
	 */
	private function setForm( EntityDocument $entity = null ) {
		$this->getOutput()->addHTML( $this->getCopyrightHTML() );

		if ( $this->getUser()->isAnon() ) {
			$this->getOutput()->addHTML( Html::rawElement(
				'p',
				[ 'class' => 'warning' ],
				$this->msg(
					'wikibase-anonymouseditwarning',
					$this->msg( 'wikibase-entity-item' )->text()
				)->parse()
			) );
		}

		$submitKey = 'wikibase-' . strtolower( $this->getName() ) . '-submit';

		$this->getForm( $entity )
			->setId( 'wb-' . strtolower( $this->getName() ) . '-form1' )

			->setSubmitID( 'wb-' . strtolower( $this->getName() ) . '-submit' )

			->setSubmitName( $submitKey )
			->setSubmitTextMsg( $submitKey )
			->setWrapperLegend( $this->getDescription() )
			->setSubmitCallback( function () {
				// no-op
			} )->show();
	}

	/**
	 * @param EntityDocument|null $entity
	 *
	 * @return array
	 */
	protected function getFormElements( EntityDocument $entity = null ) {
		$id = 'wb-modifyentity-id';

		return [
			'id' => [
				'name' => 'id',
				'label-message' => 'wikibase-modifyentity-id',
				'type' => 'text',
				'id' => $id,
				'default' => $entity === null ? '' : $entity->getId(),
			],
		];
	}

	/**
	 * Validates form input.
	 *
	 * The default implementation does nothing.
	 * Subclasses should override this to detect otherwise incomplete or erroneous input.
	 *
	 * If this method returns false, the entity should not be updated and the user should be
	 * presented with an input form. Only if it returns true, and isModificationRequested() also
	 * returns true, the entity should be updated in the storage backend.
	 *
	 * @throws UserInputException if any of the provided input is invalid. If the input is
	 *         merely incomplete, no exception should be raised.
	 *
	 * @return bool true if all input needed for modification has been supplied.
	 *         false if the input is valid but incomplete, or if the input is invalid and
	 *         showErrorHTML() has already been called to notify the user of the problem.
	 *         The preferred way of indicating invalid input is however to throw a
	 *         UserInputException.
	 */
	protected function validateInput() {
		return $this->getEntityId() !== null;
	}

	/**
	 * Whether the current request is a request for modification (as opposed to a
	 * request for showing the input form).
	 *
	 * If this method returns false, the entity should not be updated and the user should be
	 * presented with an input form. Only if it returns true, and validateInput() also
	 * returns true, the entity should be updated in the storage backend.
	 *
	 * Undefined before processArguments() was called.
	 *
	 * @return bool
	 */
	protected function isModificationRequested() {
		return $this->getRequest()->wasPosted();
	}

	/**
	 * Modifies the entity.
	 *
	 * @param EntityDocument $entity
	 *
	 * @return Summary|bool
	 */
	abstract protected function modifyEntity( EntityDocument $entity );

	/**
	 * Applies the given ChangeOp to the given Entity.
	 * If validation fails, a ChangeOpValidationException is thrown.
	 *
	 * @param ChangeOp $changeOp
	 * @param EntityDocument $entity
	 * @param Summary|null $summary The summary object to update with information about the change.
	 *
	 * @throws ChangeOpException
	 */
	protected function applyChangeOp( ChangeOp $changeOp, EntityDocument $entity, Summary $summary = null ) {
		// NOTE: always validate modification against the current revision!
		// TODO: this should be re-engineered, see T126231
		$currentEntityRevision = $this->getLatestRevision();
		$result = $changeOp->validate( $currentEntityRevision->getEntity() );

		if ( !$result->isValid() ) {
			throw new ChangeOpValidationException( $result );
		}

		$changeOp->apply( $entity, $summary );
	}

}


1			<?php
2
3			namespace Wikibase\Repo\Specials;
4
5			use Html;
6			use HTMLForm;
7			use Status;
8			use Wikibase\DataModel\Entity\EntityDocument;
9			use Wikibase\DataModel\Entity\EntityId;
10			use Wikibase\Lib\MessageException;
11			use Wikibase\Lib\Store\EntityRevision;
12			use Wikibase\Lib\Store\EntityTitleLookup;
13			use Wikibase\Lib\Store\RevisionedUnresolvedRedirectException;
14			use Wikibase\Lib\Store\StorageException;
15			use Wikibase\Lib\Summary;
16			use Wikibase\Lib\UserInputException;
17			use Wikibase\Repo\ChangeOp\ChangeOp;
18			use Wikibase\Repo\ChangeOp\ChangeOpException;
19			use Wikibase\Repo\ChangeOp\ChangeOpValidationException;
20			use Wikibase\Repo\EditEntity\MediawikiEditEntityFactory;
21			use Wikibase\Repo\SummaryFormatter;
22
23			/**
24			* Abstract special page for modifying Wikibase entity.
25			*
26			* @license GPL-2.0-or-later
27			* @author Bene* < [email protected] >
28			* @author Daniel Kinzler
29			*/
30			abstract class SpecialModifyEntity extends SpecialWikibaseRepoPage {
31
32			/**
33			* @var EntityDocument\|null
34			*/
35			private $entityForModification = null;
36
37			/**
38			* @var EntityId\|null
39			*/
40			private $entityId;
41
42			/**
43			* @param string $title The title of the special page
44			* @param SpecialPageCopyrightView $copyrightView
45			* @param SummaryFormatter $summaryFormatter
46			* @param EntityTitleLookup $entityTitleLookup
47			* @param MediawikiEditEntityFactory $editEntityFactory
48			*/
49			public function __construct(
50			$title,
51			SpecialPageCopyrightView $copyrightView,
52			SummaryFormatter $summaryFormatter,
53			EntityTitleLookup $entityTitleLookup,
54			MediawikiEditEntityFactory $editEntityFactory
55			) {
56			parent::__construct(
57			$title,
58			'edit',
59			$copyrightView,
60			$summaryFormatter,
61			$entityTitleLookup,
62			$editEntityFactory
63			);
64			}
65
66			public function doesWrites() {
67			return true;
68			}
69
70			/**
71			* Returns the ID of the Entity being modified.
72			* Returns null if no entity ID was specified in the request.
73			*
74			* @note The return value is undefined before prepareArguments() has been called.
75			*
76			* @return null\|EntityId
77			*/
78			protected function getEntityId() {
79			return $this->entityId;
80			}
81
82			/**
83			* Returns the base revision. If no base revision ID was passed to prepareEditEntity(),
84			* this returns the latest revision.
85			*
86			* @throws UserInputException
87			*
88			* @return EntityRevision
89			*/
90			protected function getBaseRevision() {
91			$id = $this->getEntityId();
92			try {
93			$baseRev = $this->getEditEntity()->getBaseRevision();
94
95			if ( $baseRev === null ) {
96			throw new UserInputException(
97			'wikibase-wikibaserepopage-invalid-id',
98			[ $id->getSerialization() ],
99			'Entity ID "' . $id->getSerialization() . '" is unknown'
100			);
101			}
102			} catch ( RevisionedUnresolvedRedirectException $ex ) {
103			throw new UserInputException(
104			'wikibase-wikibaserepopage-unresolved-redirect',
105			[ $id->getSerialization() ],
106			'Entity ID "' . $id->getSerialization() . '"" refers to a redirect'
107			);
108			} catch ( StorageException $ex ) {
109			throw new UserInputException(
110			'wikibase-wikibaserepopage-storage-exception',
111			[ $id->getSerialization(), $ex->getMessage() ],
112			'Entity "' . $id->getSerialization() . '" could not be loaded'
113			);
114			}
115
116			return $baseRev;
117			}
118
119			/**
120			* Returns the current revision.
121			*
122			* @throws UserInputException
123			*
124			* @return null\|EntityRevision
125			*/
126			protected function getLatestRevision() {
127			$id = $this->getEntityId();
128			try {
129			$baseRev = $this->getEditEntity()->getLatestRevision();
130
131			if ( $baseRev === null ) {
132			throw new UserInputException(
133			'wikibase-wikibaserepopage-invalid-id',
134			[ $id->getSerialization() ],
135			'Entity ID "' . $id->getSerialization() . '" is unknown'
136			);
137			}
138			} catch ( RevisionedUnresolvedRedirectException $ex ) {
139			throw new UserInputException(
140			'wikibase-wikibaserepopage-unresolved-redirect',
141			[ $id->getSerialization() ],
142			'Entity ID "' . $id->getSerialization() . '"" refers to a redirect'
143			);
144			} catch ( StorageException $ex ) {
145			throw new UserInputException(
146			'wikibase-wikibaserepopage-storage-exception',
147			[ $id->getSerialization(), $ex->getMessage() ],
148			'Entity "' . $id->getSerialization() . '" could not be loaded'
149			);
150			}
151
152			return $baseRev;
153			}
154
155			/**
156			* Returns the EntityDocument that is to be modified by code in this class (or subclasses).
157			* The first call to this method calls getBaseRevision().
158			*
159			* @throws MessageException
160			* @throws UserInputException
161			*
162			* @return EntityDocument
163			*/
164			protected function getEntityForModification() {
165			if ( !$this->entityForModification ) {
166			$revision = $this->getBaseRevision();
167			$this->entityForModification = $revision->getEntity()->copy();
168			}
169
170			return $this->entityForModification;
171			}
172
173			/**
174			* Returns the EntityDocument that is to be shown by code in this class (or subclasses).
175			* The returns null if no entity ID was specified in the request.
176			*
177			* @throws MessageException
178			* @throws UserInputException
179			*
180			* @return EntityDocument\|null
181			*/
182			protected function getEntityForDisplay() {
183			if ( $this->entityId ) {
184			$revision = $this->getBaseRevision();
185			return $revision->getEntity();
186			}
187
188			return null;
189			}
190
191			/**
192			* @see SpecialWikibasePage::execute
193			*
194			* @param string\|null $subPage
195			*/
196			public function execute( $subPage ) {
197			parent::execute( $subPage );
198
199			$this->checkPermissions();
200			$this->checkBlocked();
201			$this->checkReadOnly();
202
203			$this->setHeaders();
204			$this->outputHeader();
205
206			try {
207			$this->processArguments( $subPage );
208			$valid = $this->validateInput();
209
210			if ( $valid && $this->isModificationRequested() ) {
211			$updatedEntity = $this->getEntityForModification();
212			$summary = $this->modifyEntity( $updatedEntity );
213
214			if ( $summary ) {
215			$token = $this->getRequest()->getRawVal( 'wpEditToken' );
216			$status = $this->saveEntity( $updatedEntity, $summary, $token );
217
218			$this->handleStatus( $status, $updatedEntity );
219			return;
220			}
221			}
222
223			$entity = $this->getEntityForDisplay();
224			$this->setForm( $entity );
225			} catch ( UserInputException $ex ) {
226			$error = $this->msg( $ex->getKey(), $ex->getParams() )->parse();
227			$this->showErrorHTML( $error );
228			}
229			}
230
231			private function handleStatus( Status $status, EntityDocument $entity ) {
232			if ( $status->isOK() ) {
233			$entityUrl = $this->getEntityTitle( $this->getEntityId() )->getFullURL();
234			$this->getOutput()->redirect( $entityUrl );
235			} else {
236			$errors = $status->getErrorsArray();
237			$this->showErrorHTML( $this->msg( $errors[0][0], array_slice( $errors[0], 1 ) )->parse() );
238			$this->setForm( $entity );
239			}
240			}
241
242			/**
243			* Prepares the arguments.
244			*
245			* @param string\|null $subPage
246			*/
247			protected function processArguments( $subPage ) {
248			$parts = $subPage === '' ? [] : explode( '/', $subPage, 2 );
249
250			$idString = $this->getRequest()->getVal( 'id', $parts[0] ?? null );
251			$baseRevId = $this->getRequest()->getInt( 'revid', 0 );
252
253			if ( !$idString ) {
254			return;
255			}
256
257			$this->entityId = $this->parseEntityId( $idString );
258
259			$this->prepareEditEntity( $this->entityId, $baseRevId );
260			}
261
262			/**
263			* Return the HTML form.
264			*
265			* @param EntityDocument\|null $entity
266			*
267			* @return HTMLForm
268			*/
269			abstract protected function getForm( EntityDocument $entity = null );
270
271			/**
272			* Building the HTML form for modifying an entity.
273			*
274			* @param EntityDocument\|null $entity
275			*/
276			private function setForm( EntityDocument $entity = null ) {
277			$this->getOutput()->addHTML( $this->getCopyrightHTML() );
278
279			if ( $this->getUser()->isAnon() ) {
280			$this->getOutput()->addHTML( Html::rawElement(
281			'p',
282			[ 'class' => 'warning' ],
283			$this->msg(
284			'wikibase-anonymouseditwarning',
285			$this->msg( 'wikibase-entity-item' )->text()
286			)->parse()
287			) );
288			}
289
290			$submitKey = 'wikibase-' . strtolower( $this->getName() ) . '-submit';
291
292			$this->getForm( $entity )
293			->setId( 'wb-' . strtolower( $this->getName() ) . '-form1' )
			0 ignored issues – show Bug introduced 2017-04-18 09:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider using `$this->name`. There is an issue with `getName()` and APC-enabled PHP versions. Loading history...
294			->setSubmitID( 'wb-' . strtolower( $this->getName() ) . '-submit' )
			0 ignored issues – show Bug introduced 2017-02-24 11:01 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider using `$this->name`. There is an issue with `getName()` and APC-enabled PHP versions. Loading history...
295			->setSubmitName( $submitKey )
296			->setSubmitTextMsg( $submitKey )
297			->setWrapperLegend( $this->getDescription() )
298			->setSubmitCallback( function () {
299			// no-op
300			} )->show();
301			}
302
303			/**
304			* @param EntityDocument\|null $entity
305			*
306			* @return array
307			*/
308			protected function getFormElements( EntityDocument $entity = null ) {
309			$id = 'wb-modifyentity-id';
310
311			return [
312			'id' => [
313			'name' => 'id',
314			'label-message' => 'wikibase-modifyentity-id',
315			'type' => 'text',
316			'id' => $id,
317			'default' => $entity === null ? '' : $entity->getId(),
318			],
319			];
320			}
321
322			/**
323			* Validates form input.
324			*
325			* The default implementation does nothing.
326			* Subclasses should override this to detect otherwise incomplete or erroneous input.
327			*
328			* If this method returns false, the entity should not be updated and the user should be
329			* presented with an input form. Only if it returns true, and isModificationRequested() also
330			* returns true, the entity should be updated in the storage backend.
331			*
332			* @throws UserInputException if any of the provided input is invalid. If the input is
333			* merely incomplete, no exception should be raised.
334			*
335			* @return bool true if all input needed for modification has been supplied.
336			* false if the input is valid but incomplete, or if the input is invalid and
337			* showErrorHTML() has already been called to notify the user of the problem.
338			* The preferred way of indicating invalid input is however to throw a
339			* UserInputException.
340			*/
341			protected function validateInput() {
342			return $this->getEntityId() !== null;
343			}
344
345			/**
346			* Whether the current request is a request for modification (as opposed to a
347			* request for showing the input form).
348			*
349			* If this method returns false, the entity should not be updated and the user should be
350			* presented with an input form. Only if it returns true, and validateInput() also
351			* returns true, the entity should be updated in the storage backend.
352			*
353			* Undefined before processArguments() was called.
354			*
355			* @return bool
356			*/
357			protected function isModificationRequested() {
358			return $this->getRequest()->wasPosted();
359			}
360
361			/**
362			* Modifies the entity.
363			*
364			* @param EntityDocument $entity
365			*
366			* @return Summary\|bool
367			*/
368			abstract protected function modifyEntity( EntityDocument $entity );
369
370			/**
371			* Applies the given ChangeOp to the given Entity.
372			* If validation fails, a ChangeOpValidationException is thrown.
373			*
374			* @param ChangeOp $changeOp
375			* @param EntityDocument $entity
376			* @param Summary\|null $summary The summary object to update with information about the change.
377			*
378			* @throws ChangeOpException
379			*/
380			protected function applyChangeOp( ChangeOp $changeOp, EntityDocument $entity, Summary $summary = null ) {
381			// NOTE: always validate modification against the current revision!
382			// TODO: this should be re-engineered, see T126231
383			$currentEntityRevision = $this->getLatestRevision();
384			$result = $changeOp->validate( $currentEntityRevision->getEntity() );
385
386			if ( !$result->isValid() ) {
387			throw new ChangeOpValidationException( $result );
388			}
389
390			$changeOp->apply( $entity, $summary );
391			}
392
393			}
394

wikimedia / mediawiki-extensions-Wikibase

Issues (1401)

Security Analysis no request data

repo/includes/Specials/SpecialModifyEntity.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like