From 59bc3b48fdffb76ee65a4b630be3ffa1f6c20c80 Mon Sep 17 00:00:00 2001 From: Gerrit Uitslag Date: Mon, 29 Sep 2014 21:45:27 +0200 Subject: more scrutinizer issue improvements --- lib/plugins/usermanager/admin.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'lib/plugins/usermanager/admin.php') diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php index b67d91b36..c568469a7 100644 --- a/lib/plugins/usermanager/admin.php +++ b/lib/plugins/usermanager/admin.php @@ -738,6 +738,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { global $auth; global $INPUT; + $user = array(); $user[0] = ($clean) ? $auth->cleanUser($INPUT->str('userid')) : $INPUT->str('userid'); $user[1] = $INPUT->str('userpass'); $user[2] = $INPUT->str('username'); @@ -764,7 +765,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { $this->_filter = array(); if ($op == 'new') { - list($user,$pass,$name,$mail,$grps) = $this->_retrieveUser(false); + list($user,/* $pass */,$name,$mail,$grps) = $this->_retrieveUser(false); if (!empty($user)) $this->_filter['user'] = $user; if (!empty($name)) $this->_filter['name'] = $name; @@ -816,6 +817,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { $disabled = 'disabled="disabled"'; + $buttons = array(); $buttons['start'] = $buttons['prev'] = ($this->_start == 0) ? $disabled : ''; if ($this->_user_total == -1) { @@ -951,7 +953,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { $INPUT->set('usergroups', $candidate[4]); $cleaned = $this->_retrieveUser(); - list($user,$pass,$name,$mail,$grps) = $cleaned; + list($user,/* $pass */,$name,$mail,/* $grps */) = $cleaned; if (empty($user)) { $error = $this->lang['import_error_baduserid']; return false; -- cgit v1.2.3 From 253d4b48ec708eb42033862dc15c8576f44a48ed Mon Sep 17 00:00:00 2001 
From: Gerrit Uitslag Date: Wed, 1 Oct 2014 15:32:05 +0200 Subject: more PHPDocs, unused var, small bit code reformatting --- lib/plugins/usermanager/admin.php | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) (limited to 'lib/plugins/usermanager/admin.php') diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php index c568469a7..86562f1dd 100644 --- a/lib/plugins/usermanager/admin.php +++ b/lib/plugins/usermanager/admin.php @@ -58,9 +58,12 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { } } - /** - * Return prompt for admin menu - */ + /** + * Return prompt for admin menu + * + * @param string $language + * @return string + */ public function getMenuText($language) { if (!is_null($this->_auth)) @@ -71,6 +74,8 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { /** * return sort order for position in admin menu + * + * @return int */ public function getMenuSort() { return 2; @@ -78,6 +83,8 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { /** * Handle user request + * + * @return bool */ public function handle() { global $INPUT; @@ -128,6 +135,8 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { /** * Output appropriate html + * + * @return bool */ public function html() { global $ID; @@ -939,8 +948,8 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { * Returns cleaned user data * * @param array $candidate raw values of line from input file - * @param $error - * @return array|bool cleaned data or false + * @param string $error + * @return array|false cleaned data or false */ protected function _cleanImportUser($candidate, & $error){ global $INPUT; 
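Review bot: The new `@param string $error` on `_cleanImportUser` documents a by-reference out-parameter as if it were an input; the signature's `& $error` means the caller reads it only after a `false` return, as the `import_error_baduserid` branch in the earlier commit shows (`$error = $this->lang['import_error_baduserid']; return false;`). Suggest `@param string &$error receives the error message when false is returned`, so a maintainer does not pass a literal or drop the reference. The body of `_cleanImportUser` continues outside the hunk, so whether `$error` is also cleared on success cannot be confirmed from here; if it is not, the docblock should say the value is only set on failure.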
@@ -1023,6 +1032,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { /** * wrapper for is_uploaded_file to facilitate overriding by test suite + * + * @param string $file filename + * @return bool */ protected function _isUploadedFile($file) { return is_uploaded_file($file); @@ -1033,6 +1045,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { * * @deprecated remove when dokuwiki php requirement increases to 5.3+ * also associated unit test & mock access method + * + * @param string $csv string to parse + * @return array */ protected function _getcsv($csv) { return function_exists('str_getcsv') ? str_getcsv($csv) : $this->str_getcsv($csv); @@ -1043,6 +1058,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { * loosely based on www.php.net/str_getcsv#88311 * * @deprecated remove when dokuwiki php requirement increases to 5.3+ + * + * @param string $str string to parse + * @return array */ protected function str_getcsv($str) { $fp = fopen("php://temp/maxmemory:1048576", 'r+'); // 1MiB -- cgit v1.2.3 From 67a31a83dd6c8a3ff9e87da0c2070a2783aec44e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= Date: Thu, 12 Mar 2015 13:09:08 +0100 Subject: Create and use ad search for user, name and email --- lib/plugins/usermanager/admin.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'lib/plugins/usermanager/admin.php') diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php index 86562f1dd..b1f5c4023 100644 --- a/lib/plugins/usermanager/admin.php +++ b/lib/plugins/usermanager/admin.php @@ -81,6 +81,20 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { return 2; } + /** + * @return int current start value for pageination + */ + public function getStart() { + return $this->_start; + } + + /** + * @return int number of users per page + */ + public function getPagesize() { + return $this->_pagesize; + } + /** * Handle user request * -- cgit v1.2.3 
From 462e9e37f38d6de9ec19ad1476b64bac3b851fc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= Date: Thu, 12 Mar 2015 15:06:26 +0100 Subject: Disable the ``last`` button when filtering groups Since we cannot effectively filter for groups and have to work with incremental prefetching, the ``last`` button is mostly broken/buggy. Hence it is disabled in this usecase. --- lib/plugins/usermanager/admin.php | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'lib/plugins/usermanager/admin.php') diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php index b1f5c4023..cc4c4ae47 100644 --- a/lib/plugins/usermanager/admin.php +++ b/lib/plugins/usermanager/admin.php @@ -31,6 +31,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { protected $_edit_userdata = array(); protected $_disabled = ''; // if disabled set to explanatory string protected $_import_failures = array(); + protected $_lastdisabled = false; // set to true if last user is unknown and last button is hence buggy /** * Constructor @@ -95,6 +96,13 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { return $this->_pagesize; } + /** + * @param boolean $lastdisabled + */ + public function setLastdisabled($lastdisabled) { + $this->_lastdisabled = $lastdisabled; + } + /** * Handle user request * @@ -850,6 +858,10 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { $buttons['last'] = $buttons['next'] = (($this->_start + $this->_pagesize) >= $this->_user_total) ? $disabled : ''; } + if ($this->_lastdisabled) { + $buttons['last'] = $disabled; + } + return $buttons; } -- cgit v1.2.3 From f23f95941a400702f525923973f3612df6da82cb Mon Sep 17 00:00:00 2001 
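Review bot: `setLastdisabled()` stores its argument unchanged into `$_lastdisabled`, which the `-850` hunk then tests with a bare `if ($this->_lastdisabled)`; the docblock promises `boolean`, so normalise at the boundary with `$this->_lastdisabled = (bool) $lastdisabled;` to keep a string such as `'0'` or `'false'` from silently enabling the button. The setter's docblock carries only `@param boolean $lastdisabled` while the reason lives in the property comment; a one-line description on the method, `Disable the 'last' pagination button, used when the total user count is unknown (incremental group filtering)`, would make the public API self-explanatory. The `-850` override runs after the `$buttons['last']` computation in that hunk, which is the right order, but the branch that computes it starts outside the hunk.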
From: Andreas Gohr Date: Wed, 18 Mar 2015 22:16:34 +0100 Subject: SECURITY escape user properties in user manager #1081 The user properties (login, real name, etc) where not properly escaped in the user manager's edit form. This allowed a XSS attack on the superuser by registered users. Thanks to Filippo Cavallarin from www.segment.technology for discovering this bug. --- lib/plugins/usermanager/admin.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'lib/plugins/usermanager/admin.php') diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php index cc4c4ae47..9cb9b0c40 100644 --- a/lib/plugins/usermanager/admin.php +++ b/lib/plugins/usermanager/admin.php @@ -222,9 +222,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { */ $groups = join(', ',$grps); ptln(" "); - ptln(" "); + ptln(" "); if ($editable) { - ptln(" 1, + ptln(" 1, 'do' => 'admin', 'page' => 'usermanager', 'sectok' => getSecurityToken())). @@ -356,7 +356,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { // save current $user, we need this to access details if the name is changed if ($user) - ptln(" ",$indent); + ptln(" ",$indent); $this->_htmlFilterSettings($indent+10); @@ -401,6 +401,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { $fieldtype = 'text'; $autocomp = ''; } + $value = hsc($value); echo ""; echo ""; -- cgit v1.2.3 From 26e22ab837dcabe137a0912fcd2f96d0c35f48c8 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Fri, 15 May 2015 19:03:34 +0200 Subject: Changes for PHP 7 Compatibility - replace PHP4 style class constructor function names (based on class name) with php 5 __construct() Also remove some '&' reference operators used with objects And add some object type hints --- lib/plugins/usermanager/admin.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/plugins/usermanager/admin.php') 
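Review bot: In the `-401` hunk `$value = hsc($value);` overwrites the variable instead of escaping at the output site; the enclosing function continues past the hunk, so any later use of `$value` (a comparison, a second field, a log line) now sees the HTML-escaped form. Escaping inline in the two `echo` statements, `hsc($value)`, keeps the raw value intact and makes each sink's escaping visible on review. The markup of those `echo` lines, and of the `ptln` lines in the `-222` and `-356` hunks, is not preserved in this listing, so verify that every other interpolated attribute value there (`$groups`, `$fieldtype`, `$autocomp`, `$user`) is likewise passed through `hsc()` or is a constant. A regression test for #1081 that renders the edit form for a user whose name contains `<` and asserts the output contains `&lt;` would keep this from reappearing.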
diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php index 9cb9b0c40..0d92e5cc1 100644 --- a/lib/plugins/usermanager/admin.php +++ b/lib/plugins/usermanager/admin.php @@ -36,7 +36,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { /** * Constructor */ - public function admin_plugin_usermanager(){ + public function __construct(){ /** @var DokuWiki_Auth_Plugin $auth */ global $auth; -- cgit v1.2.3 From ae614416a5d7f5cab6c5b82a0c45f587d7fa9c01 Mon Sep 17 00:00:00 2001 From: Anika Henke Date: Sun, 12 Jul 2015 19:05:43 +0100 Subject: changed all input type=submit buttons to button type=submit button for better stylability --- lib/plugins/usermanager/admin.php | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'lib/plugins/usermanager/admin.php') diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php index 0d92e5cc1..86823ee2f 100644 --- a/lib/plugins/usermanager/admin.php +++ b/lib/plugins/usermanager/admin.php @@ -241,18 +241,18 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { ptln(" "); ptln(" "); ptln(" "); - ptln(" lang['delete_selected']."\" id=\"usrmgr__del\" />"); - ptln(" "); + ptln(" "); + ptln(" "); ptln(" "); - ptln(" lang['start']."\" />"); - ptln(" lang['prev']."\" />"); - ptln(" lang['next']."\" />"); - ptln(" lang['last']."\" />"); + ptln(" "); + ptln(" "); + ptln(" "); + ptln(" "); ptln(" "); if (!empty($this->_filter)) { - ptln(" lang['clear']."\" />"); + ptln(" "); } - ptln(" "); + ptln(" "); ptln(" "); ptln(" "); @@ -360,7 +360,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { $this->_htmlFilterSettings($indent+10); - ptln(" lang[$cmd]."\" />",$indent); + ptln(" ",$indent); ptln(" ",$indent); ptln(" ",$indent); ptln(" ",$indent); @@ -369,7 +369,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { if ($notes) { ptln("
    "); foreach ($notes as $note) { - ptln("
  • ".$note."
  • ",$indent); + ptln("
  • ".$note."
  • ",$indent); } ptln("
"); } @@ -456,7 +456,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { ptln('
',$indent); formSecurityToken(); ptln(' ',$indent); - ptln(' ',$indent); + ptln(' ',$indent); ptln(' ',$indent); ptln(' ',$indent); -- cgit v1.2.3