PHP response or session functions should not be used (11 issues)

More information: https://insight.symfony.com/what-we-analyse/symfony.use_php_response_function

  protected function doDestroy(string $sessionId)
  {
      // expire the cookie
      if ('cli' !== PHP_SAPI) {
          setcookie(session_name(), '', 0, ini_get('session.cookie_path'));

    Using native PHP session or response functions (like setcookie() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead.

    Time to fix: about 4 hours
    Last edited by Craig Heydenburg

      }
      $this->userSessionRepository->clearUnsavedData();
      $this->userSessionRepository->removeAndFlush($sessionId);
      return true;
  protected function doDestroy(string $sessionId)
  {
      // expire the cookie
      if ('cli' !== PHP_SAPI) {
          setcookie(session_name(), '', 0, ini_get('session.cookie_path'));

    Using native PHP session or response functions (like session_name() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead.

    Time to fix: about 4 hours
    Last edited by Craig Heydenburg

      }
      $this->userSessionRepository->clearUnsavedData();
      $this->userSessionRepository->removeAndFlush($sessionId);
      return true;
          }
      }
      // remove again when https://github.com/symfony/symfony/issues/35460 is solved
      if (null !== $this->emulateSameSite) {
          $originalCookie = SessionUtils::popSessionCookie(session_name(), session_id());

    Using native PHP session or response functions (like session_name() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead.

    Time to fix: about 4 hours
    Last edited by Guite

          if (null !== $originalCookie) {
              header(sprintf('%s; SameSite=%s', $originalCookie, $this->emulateSameSite), false);
          }
      }
          }
      }
      // remove again when https://github.com/symfony/symfony/issues/35460 is solved
      if (null !== $this->emulateSameSite) {
          $originalCookie = SessionUtils::popSessionCookie(session_name(), session_id());

    Using native PHP session or response functions (like session_id() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead.

    Time to fix: about 4 hours
    Last edited by Guite

          if (null !== $originalCookie) {
              header(sprintf('%s; SameSite=%s', $originalCookie, $this->emulateSameSite), false);
          }
      }
      // remove again when https://github.com/symfony/symfony/issues/35460 is solved
      if (null !== $this->emulateSameSite) {
          $originalCookie = SessionUtils::popSessionCookie(session_name(), session_id());
          if (null !== $originalCookie) {
              header(sprintf('%s; SameSite=%s', $originalCookie, $this->emulateSameSite), false);

    Using native PHP session or response functions (like header() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead.

    Time to fix: about 4 hours
    Last edited by Guite

          }
      }
      return $result;
  }
  }
  public function regenerate($destroy = false, $lifetime = null)
  {
      // Cannot regenerate the session ID for non-active sessions.
      if (\PHP_SESSION_ACTIVE !== session_status()) {

    Using native PHP session or response functions (like session_status() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead.

    Time to fix: about 4 hours
    Last edited by Guite

          return false;
      }
      if (headers_sent()) {
          return false;
      // Cannot regenerate the session ID for non-active sessions.
      if (\PHP_SESSION_ACTIVE !== session_status()) {
          return false;
      }
      if (headers_sent()) {

    Using native PHP session or response functions (like headers_sent() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead.

    Time to fix: about 4 hours
    Last edited by Guite

          return false;
      }
      if (null !== $lifetime) {
          // added due to https://github.com/symfony/symfony/issues/28577
      if ($destroy) {
          $this->metadataBag->stampNew();
      }
      $isRegenerated = session_regenerate_id($destroy);

    Using native PHP session or response functions (like session_regenerate_id() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead.

    Time to fix: about 4 hours
    Last edited by Guite

      // The reference to $_SESSION in session bags is lost in PHP7 and we need to re-create it.
      // @see https://bugs.php.net/70013
      $this->loadSession();
      // The reference to $_SESSION in session bags is lost in PHP7 and we need to re-create it.
      // @see https://bugs.php.net/70013
      $this->loadSession();
      if (null !== $this->emulateSameSite) {
          $originalCookie = SessionUtils::popSessionCookie(session_name(), session_id());

    Using native PHP session or response functions (like session_id() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead.

    Time to fix: about 4 hours
    Last edited by Guite

          if (null !== $originalCookie) {
              header(sprintf('%s; SameSite=%s', $originalCookie, $this->emulateSameSite), false);
          }
      }
      // The reference to $_SESSION in session bags is lost in PHP7 and we need to re-create it.
      // @see https://bugs.php.net/70013
      $this->loadSession();
      if (null !== $this->emulateSameSite) {
          $originalCookie = SessionUtils::popSessionCookie(session_name(), session_id());

    Using native PHP session or response functions (like session_name() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead.

    Time to fix: about 4 hours
    Last edited by Guite

          if (null !== $originalCookie) {
              header(sprintf('%s; SameSite=%s', $originalCookie, $this->emulateSameSite), false);
          }
      }
      $this->loadSession();
      if (null !== $this->emulateSameSite) {
          $originalCookie = SessionUtils::popSessionCookie(session_name(), session_id());
          if (null !== $originalCookie) {
              header(sprintf('%s; SameSite=%s', $originalCookie, $this->emulateSameSite), false);

    Using native PHP session or response functions (like header() here) is discouraged, as it bypasses the Symfony event system. Use the HttpFoundationResponse class instead.

    Time to fix: about 4 hours
    Last edited by Guite

          }
      }
      return $isRegenerated;
  }

PHP super globals should never be used (3 issues)

More information: https://insight.symfony.com/what-we-analyse/symfony.use_super_globals

  }
  private function getConnection(): Connection
  {
      $connectionParams = [
          'url' => $_ENV['DATABASE_URL'] ?? ''

    $_ENV super global should not be used.

    Time to fix: about 2 hours
    Last edited by Axel Guckelsberger

      ];
      return DriverManager::getConnection($connectionParams, new Configuration());
  }
  }
  public function isNecessary(): bool
  {
      $params = $this->yamlManager->getParameters();
      $databaseUrl = $_ENV['DATABASE_URL'] ?? '';

    $_ENV super global should not be used.

    Time to fix: about 2 hours
    Last edited by Axel Guckelsberger

      if (empty($databaseUrl) || 'nothing' === $databaseUrl) {
          // check if credentials are temporarily stored as parameter during installation
          $databaseUrl = $params['database_url'] ?? '';
      }
      if (!empty($databaseUrl) && 'nothing' !== $databaseUrl) {
   * requirement checks. Die on failure.
   */
  public static function verify(): void
  {
      // on install or upgrade, check if system requirements are met.
      if (version_compare($_ENV['ZIKULA_INSTALLED'], ZikulaKernel::VERSION, '<')) {

    $_ENV super global should not be used.

    Time to fix: about 2 hours
    Last edited by Craig Heydenburg

          self::loadParametersFromFile();
          $versionChecker = new ZikulaRequirements();
          $versionChecker->runSymfonyChecks(self::$parameters);
          if (empty($versionChecker->requirementsErrors)) {
              return;

The EntityManager should not be flushed within a loop

More information: https://insight.symfony.com/what-we-analyse/doctrine.use_flush_in_loop

  $count = 0;
  foreach ($users as $user) {
      $user->setAttribute(ZAuthConstant::REQUIRE_PASSWORD_CHANGE_KEY, true);
      $count++;
      if (0 === $count % 20) {
          $this->getDoctrine()->getManager()->flush(); // flush manager every 20 reps

    Calling flush is a resource intensive operation, especially when a lot of entities are managed by Doctrine. You should avoid flushing inside a loop.

    Time to fix: about 1 hour
    Last edited by Craig Heydenburg

      }
  }
  $this->getDoctrine()->getManager()->flush(); // flush remaining
  /** @Desc("{count, plural,\n one {# user was processed!}\n other {# users were processed!}\n}") */
  $this->addFlash('info', $this->trans('plural_n.users.processed.', ['%count%' => $count]));

Files should not be executable

More information: https://insight.symfony.com/what-we-analyse/php.too_permissive_file_permissions

Your project contains files with permissive permissions. In order to avoid opening a security breach, you should restrict execution rights on the following files:

  • config/packages/twig.yaml

Time to fix: about 15 minutes
Collective

  chmod a-x 'config/packages/twig.yaml'

Code should not be duplicated (7 issues)

More information: https://insight.symfony.com/what-we-analyse/php.duplicated_code

   *
   * For the full copyright and license information, please view the LICENSE
   * file that was distributed with this source code.
   */
  namespace Zikula\BlocksModule\Menu;

    The next 41 lines appear both in src/system/BlocksModule/Menu/ExtensionMenu.php:14 and src/system/PermissionsModule/Menu/ExtensionMenu.php:14.

    Time to fix: about 4 hours
    Last edited by Craig Heydenburg

  use Knp\Menu\FactoryInterface;
  use Knp\Menu\ItemInterface;
  use Zikula\MenuModule\ExtensionMenu\ExtensionMenuInterface;
  use Zikula\PermissionsModule\Api\ApiInterface\PermissionApiInterface;
   *
   * For the full copyright and license information, please view the LICENSE
   * file that was distributed with this source code.
   */
  namespace Zikula\BlocksModule\Menu;

    The next 39 lines appear both in src/system/BlocksModule/Menu/ExtensionMenu.php:14 and src/system/CategoriesModule/Menu/ExtensionMenu.php:14.

    Time to fix: about 4 hours
    Last edited by Craig Heydenburg

  use Knp\Menu\FactoryInterface;
  use Knp\Menu\ItemInterface;
  use Zikula\MenuModule\ExtensionMenu\ExtensionMenuInterface;
  use Zikula\PermissionsModule\Api\ApiInterface\PermissionApiInterface;
   *
   * For the full copyright and license information, please view the LICENSE
   * file that was distributed with this source code.
   */
  namespace Zikula\BlocksModule\Menu;

    The next 40 lines appear both in src/system/BlocksModule/Menu/ExtensionMenu.php:14 and src/system/MenuModule/Menu/ExtensionMenu.php:14.

    Time to fix: about 4 hours
    Last edited by Craig Heydenburg

  use Knp\Menu\FactoryInterface;
  use Knp\Menu\ItemInterface;
  use Zikula\MenuModule\ExtensionMenu\ExtensionMenuInterface;
  use Zikula\PermissionsModule\Api\ApiInterface\PermissionApiInterface;
   *
   * For the full copyright and license information, please view the LICENSE
   * file that was distributed with this source code.
   */
  namespace Zikula\GroupsModule\Form\Type;

    The next 27 lines appear both in src/system/GroupsModule/Form/Type/ConfigType.php:14 and src/system/SearchModule/Form/Type/ConfigType.php:14.

    Time to fix: about 4 hours
    Last edited by Axel Guckelsberger

  use Symfony\Component\Form\AbstractType;
  use Symfony\Component\Form\Extension\Core\Type\CheckboxType;
  use Symfony\Component\Form\Extension\Core\Type\ChoiceType;
  use Symfony\Component\Form\Extension\Core\Type\IntegerType;
   *
   * For the full copyright and license information, please view the LICENSE
   * file that was distributed with this source code.
   */
  namespace Zikula\MailerModule\Menu;

    The next 42 lines appear both in src/system/MailerModule/Menu/ExtensionMenu.php:14 and src/system/ThemeModule/Menu/ExtensionMenu.php:14.

    Time to fix: about 4 hours
    Last edited by Craig Heydenburg

  use Knp\Menu\FactoryInterface;
  use Knp\Menu\ItemInterface;
  use Zikula\MenuModule\ExtensionMenu\ExtensionMenuInterface;
  use Zikula\PermissionsModule\Api\ApiInterface\PermissionApiInterface;
      $query = $qb->getQuery();
      return (int)$query->getSingleScalarResult();
  }
  public function getResults(array $filters = [], array $sorting = [], int $limit = 0, int $offset = 0): array

    The next 33 lines appear both in src/system/SearchModule/Entity/Repository/SearchResultRepository.php:48 and src/system/SearchModule/Entity/Repository/SearchStatRepository.php:43.

    Time to fix: about 4 hours
    Last edited by Guite

  {
      $qb = $this->createQueryBuilder('tbl')
          ->select('tbl');
      // add clauses for where
          'mapped' => false,
          'label' => 'Set password now',
          'label_attr' => ['class' => 'switch-custom'],
          'alert' => ['If unchecked, the user\'s e-mail address will be verified. The user will create a password at that time.' => 'info']
      ])
      ->add('pass', RepeatedType::class, [

    The next 28 lines appear both in src/system/ZAuthModule/Form/Type/AdminCreatedUserType.php:82 and src/system/ZAuthModule/Form/Type/AdminModifyUserType.php:73.

    Time to fix: about 4 hours
    Last edited by Axel Guckelsberger

          'type' => PasswordType::class,
          'first_options' => [
              'attr' => [
                  'class' => 'pwstrength',
                  'data-uname-id' => $builder->getName() . '_' . $builder->get('uname')->getName(),

The Doctrine Entity Manager should not be passed as an argument

More information: https://insight.symfony.com/what-we-analyse/symfony.dependency_injection.no_entity_manager_as_parameter

  public function getEntityManager(): ?EntityManagerInterface
  {
      return $this->entityManager;
  }
  public function setEntityManager(EntityManagerInterface $entityManager = null): void

    A Doctrine entity manager has been found as an argument.

    Time to fix: about 4 hours
    Last edited by Guite

  {
      if ($this->entityManager !== $entityManager) {
          $this->entityManager = $entityManager;
      }
  }

Version of dependencies should be fixed (4 issues)

More information: https://insight.symfony.com/what-we-analyse/composer.unfixed_dependency_version

Package zikula/oauth-module#dev-master is not fixed.

Time to fix: about 1 hour
Collective

Package zikula/pagelock-module#dev-master is not fixed.

Time to fix: about 1 hour
Collective

Package zikula/profile-module#dev-master is not fixed.

Time to fix: about 1 hour
Collective

Package zikula/legal-module#dev-master is not fixed.

Time to fix: about 1 hour
Collective

Form types should be in Form folders

More information: https://insight.symfony.com/what-we-analyse/symfony.form.form_type_not_in_type_form_folder

A form type has been found outside Form folder

Time to fix: about 2 hours
Collective

  • src/system/ExtensionsModule/ModuleInterface/Content
    • AbstractContentFormType.php (flagged: a form type has been found outside Form folder)
    • AbstractContentType.php
    • ContentTypeInterface.php

Commented code should not be committed (18 issues)

More information: https://insight.symfony.com/what-we-analyse/php.commented_out_code

in src/Kernel.php, line 15

   * For the full copyright and license information, please view the LICENSE
   * file that was distributed with this source code.
   */
  use Symfony\Bundle\FrameworkBundle\Kernel\MicroKernelTrait;
  //use Symfony\Bundle\FrameworkBundle\Routing\Loader\Configurator\RoutingConfigurator;

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Guite

  use Symfony\Component\Config\Loader\LoaderInterface;
  use Symfony\Component\Config\Resource\FileResource;
  use Symfony\Component\DependencyInjection\ContainerBuilder;
  //use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
  use Symfony\Component\Routing\RouteCollectionBuilder;
in src/Kernel.php, line 19

  use Symfony\Bundle\FrameworkBundle\Kernel\MicroKernelTrait;
  //use Symfony\Bundle\FrameworkBundle\Routing\Loader\Configurator\RoutingConfigurator;
  use Symfony\Component\Config\Loader\LoaderInterface;
  use Symfony\Component\Config\Resource\FileResource;
  use Symfony\Component\DependencyInjection\ContainerBuilder;
  //use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Axel Guckelsberger

  use Symfony\Component\Routing\RouteCollectionBuilder;
  use Zikula\Bundle\CoreBundle\DynamicConfigDumper;
  use Zikula\Bundle\CoreBundle\Helper\PersistedBundleHelper;
  use Zikula\Bundle\CoreBundle\HttpKernel\ZikulaKernel;
  }
  try {
      $blockInstance = $this->blockApi->createInstanceFromBKey($block->getBkey());
  } catch (RuntimeException $exception) {
      //return 'Error during block creation: ' . $exception->getMessage();

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Guite

      return '';
  }
  $blockProperties = $block->getProperties();
  $blockProperties['bid'] = $block->getBid();
  $blockProperties['title'] = $block->getTitle();
  /** @var AbstractCategoryAssignment $categoryAssignmentEntity */
  foreach ($value as $categoryAssignmentEntity) {
      $registryKey = 'registry_' . $categoryAssignmentEntity->getCategoryRegistryId();
      $category = $categoryAssignmentEntity->getCategory();
      if (false !== mb_strpos(get_class($category), 'DoctrineProxy')) {
          //$this->entityManager->detach($category);

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Guite

          $category = $this->entityManager->find(CategoryEntity::class, $category->getId());
          //$this->entityManager->persist($category);
      }
      if ($this->multiple) {
      $registryKey = 'registry_' . $categoryAssignmentEntity->getCategoryRegistryId();
      $category = $categoryAssignmentEntity->getCategory();
      if (false !== mb_strpos(get_class($category), 'DoctrineProxy')) {
          //$this->entityManager->detach($category);
          $category = $this->entityManager->find(CategoryEntity::class, $category->getId());
          //$this->entityManager->persist($category);

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Guite

      }
      if ($this->multiple) {
          $data[$registryKey][] = $category;
      } else {
  $themeVarsPath = $this->getConfigPath() . '/variables.yaml';
  if (!file_exists($themeVarsPath)) {
      return $defaultVars;
  }
  /*if (!$this->getContainer()) {

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Craig Heydenburg

      return $defaultVars;
  }*/
  $yamlVars = Yaml::parse(file_get_contents($themeVarsPath));
  if (!is_array($yamlVars)) {
  public function process()
  {
      // Construct the require.js and stick it in the destination.
      $json = $this->requireJson($this->packages);
      $requireConfig = $this->requireJs($json);
      // $vendorPath = str_replace('build/Composer', 'vendor/robloach/component-installer/src/ComponentInstaller', dirname(__DIR__));

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Craig Heydenburg

      $vendorPath = $this->config->get('vendor-dir') . '/robloach/component-installer/src/ComponentInstaller';
      // Attempt to write the require.config.js file.
      $destination = $this->componentDir . '/require.config.js';
      $this->fs->ensureDirectoryExists(dirname($destination));
      }
  }
  public function isValid(): bool
  {
      //return 1 < count($this->getErrors());

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Craig Heydenburg

      return empty($this->getErrors());
  }
  public function getErrors(): array
  {
          $logger->addError("Could not send message to: ${emailList} :: " . $this->message->toString());
      }
      $this->eventDispatcher->dispatch($event, MailerEvents::SEND_MESSAGE_FAILURE);
      //throw new RuntimeException($this->trans('Error! A problem occurred while sending the e-mail message.'));

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Craig Heydenburg

      return false;
  }
  if ($this->dataValues['enableLogging']) {
   * MenuItemEntity constructor.
   */
  public function __construct()
  {
      $this->title = '';
      $this->options = []; /*new ArrayCollection();

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Guite

      $this->options = [
          'routeParameters' => [],
          'attributes' => [],
          'linkAttributes' => [],
          'childrenAttributes' => [],
  if ($this->has($bundleName)) {
      try {
          $menu = $this->extensionMenus[$bundleName]->get($type);
      } catch (\Exception $exception) {
          // do nothing
          //throw $exception;

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Axel Guckelsberger

          return null;
      }
      // fire event here to add more menu items like hooks, moduleServices, etc
      $event = new ExtensionMenuEvent($bundleName, $type, $menu);
      $record['instance'] = ':(ZikulaRssTheme|ZikulaPrinterTheme|ZikulaAtomTheme):';
      $record['level'] = ACCESS_COMMENT; // 300
      $this->entityManager->persist($record);
      $lastPerm->setSequence($record->getSequence() + 1);
      $this->entityManager->flush();
      //$this->addFlash('success', 'A permission rule was added to allow users access to "utility" themes. Please check the sequence.');

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Axel Guckelsberger

  case '1.1.2':
  case '1.2.0':
  case '1.2.1':
      $this->delVar('rowview');
  if ($request->server->has('USER_AGENT')) {
      $requestArgs['USER_AGENT'] = $request->server->get('USER_AGENT');
  }
  // while i think that REQUEST_URI is unnecessary,
  // the REFERER would be important, but results in way too many false positives
  /*

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Axel Guckelsberger

  if ($request->server->has('REQUEST_URI')) {
      $requestArgs['REQUEST_URI'] = $request->server->get('REQUEST_URI');
  }
  if ($request->server->has('HTTP_REFERER')) {
      $requestArgs['REFERER'] = $request->server->get('HTTP_REFERER');
  $config['General']['filter_type'] = $this->getSystemVar('idsfilter', 'xml');
  if (empty($config['General']['filter_type'])) {
      $config['General']['filter_type'] = 'xml';
  }
  $config['General']['base_path'] = ''; //PHPIDS_PATH_PREFIX;

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Craig Heydenburg

  // we don't use the base path because the tmp directory is in zkTemp (see below)
  $config['General']['use_base_path'] = false;
  // path to the filters used
  $defaultPath = 'Resources/config/phpids_zikula_default.xml';
      $transConfigNew['configs'][mb_strtolower($bundle->getName())] = $bundleConfig;
  }
  foreach ($this->kernel->getThemes() as $bundle) {
      // lets include core themes as they need translation as all other themes, too
      // (/system is included in "zikula" config while /themes is not)
      /*if (in_array($bundle->getName(), ['ZikulaBootstrapTheme', 'ZikulaAtomTheme', 'ZikulaPrinterTheme', 'ZikulaRssTheme'], true)) {

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Axel Guckelsberger

          continue;
      }*/
      $bundleConfig = $configTemplate;
      $translationDirectory = $bundle->getPath() . '/Resources/translations';
      $bundleConfig['output_dir'] = $translationDirectory;
  private function addFosJsRouting(string $locale): void
  {
      // reenable after https://github.com/FriendsOfSymfony/FOSJsRoutingBundle/issues/221 OR https://github.com/zikula/core/issues/4027 is solved
      //if ('dev' !== $this->kernel->getEnvironment() && file_exists($this->kernel->getProjectDir() . '/public/js/fos_js_routes.' . $locale . '.js')) {
      //    $routeScript = $this->assetHelper->resolve('js/fos_js_routes.' . $locale . '.js');

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Guite

      //} else {
      $routeScript = $this->router->generate('fos_js_routing_js', ['callback' => 'fos.Router.setData']);
      //}
      $this->jsAssetBag->add([
          $this->assetHelper->resolve('bundles/fosjsrouting/js/router.js') => AssetBag::WEIGHT_ROUTER_JS,
          }
          $response = $event->getResponse();
          $response->headers->set('X-Frame-Options', $this->xFrameOptions);
          //$response->headers->set('X-Content-Security-Policy', "frame-ancestors 'self'");

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Guite

          $response->headers->set('X-XSS-Protection', '1');
      }
  }
  }
  private function protectFile(string $filePath): void
  {
      return; // see #4099
      //@chmod($filePath, 0400);

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Axel Guckelsberger

      //if (!is_readable($filePath)) {
      @chmod($filePath, 0440);
      if (!is_readable($filePath)) {
          @chmod($filePath, 0444);
      }

PHP code should not contain unreachable code

More information: https://insight.symfony.com/what-we-analyse/php.unreachable_code

  private function protectFile(string $filePath): void
  {
      return; // see #4099
      //@chmod($filePath, 0400);
      //if (!is_readable($filePath)) {
      @chmod($filePath, 0440);
      if (!is_readable($filePath)) {
          @chmod($filePath, 0444);
      }
      //}
  }

    This code is unreachable.

    Time to fix: about 1 hour
    Last edited by Axel Guckelsberger

  /**
   * Remove base64 encoding for admin parameters.
   */
  public function decodeParameters(array $params = []): array

Unused method, property, variable or parameter (12 issues)

More information: https://insight.symfony.com/what-we-analyse/php.unused_local_variable_or_private_member

  ) {
      $this->factory = $factory;
      $this->permissionApi = $permissionApi;
  }
  public function createAdminMenu(array $options = []): ItemInterface

    This options argument is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Guite

  {
      $menu = $this->factory->createItem('bootstrapThemeAdminMenu');
      $menu->setChildrenAttribute('class', 'navbar-nav');
      $menu->addChild('Home', ['route' => 'home']);
      if ($this->permissionApi->hasPermission('ZikulaSettingsModule::', '::', ACCESS_ADMIN)) {
  1. $this->setTranslator($translator);
  2. $this->factory = $factory;
  3. $this->capabilityApi = $capabilityApi;
  4. }
  5. public function createAdminMenu(array $options): ItemInterface

    This options argument is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Guite
  6. {
  7. // @see https://gist.github.com/nateevans/9958390
  8. $menu = $this->factory->createItem('menuModuleAdminMenu');
  9. $menu->setChildrenAttribute('class', 'nav navbar-nav');
  1. }
  2. /**
  3. * Returns an array of additional template variables for view quick navigation forms.
  4. */
  5. protected function getViewQuickNavParametersForRoute(string $context = '', array $args = []): array

    This args argument is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Guite
  6. {
  7. $parameters = [];
  8. $request = $this->requestStack->getCurrentRequest();
  9. if (null === $request) {
  10. return $parameters;
  1. }
  2. /**
  3. * Returns an array of additional template variables for view quick navigation forms.
  4. */
  5. protected function getViewQuickNavParametersForRoute(string $context = '', array $args = []): array

    This context argument is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Guite
  6. {
  7. $parameters = [];
  8. $request = $this->requestStack->getCurrentRequest();
  9. if (null === $request) {
  10. return $parameters;
  1. /**
  2. * Returns an array of all allowed object types in ZikulaRoutesModule.
  3. *
  4. * @return string[] List of allowed object types
  5. */
  6. public function getObjectTypes(string $context = '', array $args = []): array

    This args argument is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Guite
  7. {
  8. $allowedContexts = ['controllerAction', 'api', 'helper', 'actionHandler', 'block', 'contentType', 'mailz'];
  9. if (!in_array($context, $allowedContexts, true)) {
  10. $context = 'controllerAction';
  11. }
  1. }
  2. /**
  3. * Returns the default object type in ZikulaRoutesModule.
  4. */
  5. public function getDefaultObjectType(string $context = '', array $args = []): string

    This args argument is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Guite
  6. {
  7. $allowedContexts = ['controllerAction', 'api', 'helper', 'actionHandler', 'block', 'contentType', 'mailz'];
  8. if (!in_array($context, $allowedContexts, true)) {
  9. $context = 'controllerAction';
  10. }
  1. /**
  2. * Filters a given collection of entities based on different permission checks.
  3. *
  4. * @param array|ArrayCollection $entities The given list of entities
  5. */
  6. public function filterCollection($objectType, $entities, int $permissionLevel, int $userId = null): array

    This objectType argument is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Guite
  7. {
  8. $filteredEntities = [];
  9. foreach ($entities as $routes) {
  10. if (!$this->hasEntityPermission($routes, $permissionLevel, $userId)) {
  11. continue;
  1. }
  2. /**
  3. * Returns a translatable title for a certain action.
  4. */
  5. protected function getTitleForAction(string $currentState, string $actionId): string

    This currentState argument is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Guite
  6. {
  7. $title = '';
  8. switch ($actionId) {
  9. case 'submit':
  10. $title = $this->translator->trans('Submit');
  1. $entity = $event->getSubject();
  2. if (!$this->isEntityManagedByThisBundle($entity) || !method_exists($entity, 'get_objectType')) {
  3. return;
  4. }
  5. $objectType = $entity->get_objectType();

    This objectType local variable is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Axel Guckelsberger
  6. $permissionLevel = ACCESS_READ;
  7. $transitionName = $event->getTransition()->getName();
  8. $hasApproval = false;
  1. 'combined_assets',
  2. $this->lifetime,
  3. $this->kernel->getCacheDir() . '/assets/' . $type
  4. );
  5. $key = md5(serialize($assets)) . (int)$this->minify . (int)$this->compress . $this->lifetime . '.combined.' . $type;
  6. $data = $cacheService->get($key, function() use ($cachedFiles, $type) {

    This data local variable is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Guite
  7. $data = [];
  8. foreach ($cachedFiles as $k => $file) {
  9. $this->readFile($data, $file, $type);
  10. // avoid exposure of absolute server path
  11. $pathParts = explode($this->rootDir, $file);
  1. /**
  2. * A list of characters not suited to 'human readable' strings
  3. * @var array
  4. */
  5. private $passwordIncompatibleCharacters = ['0', 'o', 'O', 'l', '1', 'i', 'I', 'j', '!', '|'];

    This passwordIncompatibleCharacters attribute is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Craig Heydenburg
  6. /**
  7. * A string of characters to use in random string generation
  8. * @var string
  9. */
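As an added example of how such an exclusion list is meant to be used (not the project's code; the base alphabet, the class and the method names are assumptions, while the exclusion list is the one from the snippet above): a generator that strips the confusable characters from its alphabet and draws each character with random_int(), which PHP backs with a CSPRNG, rather than rand(), mt_rand() or str_shuffle(), which use a non-cryptographic generator and must not be used for passwords or tokens.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code: how a "password-incompatible
// characters" list is meant to be used. The base alphabet, class and method
// names are assumptions; the exclusion list is the one from the snippet above.

final class ReadableRandomString
{
    /** Characters easily confused with each other in print or when read aloud. */
    private const INCOMPATIBLE = ['0', 'o', 'O', 'l', '1', 'i', 'I', 'j', '!', '|'];

    /** Base alphabet before filtering (assumed for this example). */
    private const ALPHABET =
        'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%&*';

    /** The alphabet with every confusable character removed. */
    public static function alphabet(): string
    {
        return str_replace(self::INCOMPATIBLE, '', self::ALPHABET);
    }

    /**
     * Draw each character with random_int(), which PHP backs with a CSPRNG.
     * rand(), mt_rand() and str_shuffle() use the Mersenne Twister (or an
     * older libc generator) and are predictable; never use them for secrets.
     */
    public static function generate(int $length = 16): string
    {
        if ($length < 1) {
            throw new \InvalidArgumentException('length must be at least 1');
        }
        $chars = self::alphabet();
        $last = strlen($chars) - 1;
        $out = '';
        for ($i = 0; $i < $length; ++$i) {
            $out .= $chars[random_int(0, $last)];
        }

        return $out;
    }

    /** Entropy in bits for a string of $length characters from this alphabet. */
    public static function entropyBits(int $length): float
    {
        return $length * log(strlen(self::alphabet()), 2);
    }
}

$secret = ReadableRandomString::generate(16);

// Every character must come from the filtered alphabet, so none of the
// confusable ones can appear in the output.
if (strspn($secret, ReadableRandomString::alphabet()) !== strlen($secret)) {
    throw new \RuntimeException('generator produced a character outside its alphabet');
}
foreach (['0', 'o', 'O', 'l', '1', 'i', 'I', 'j', '!', '|'] as $bad) {
    if (strpos($secret, $bad) !== false) {
        throw new \RuntimeException("confusable character $bad present");
    }
}

printf("%s (%.1f bits of entropy)\n", $secret, ReadableRandomString::entropyBits(16));
```

Removing characters shrinks the alphabet (here from 69 to 60 symbols, about 5.9 bits per character instead of 6.1), so choose the length from the entropy target rather than from habit: sixteen characters from the filtered alphabet give roughly 94 bits, which is more than enough for a generated password or reset token.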
  1. private $installed;
  2. /**
  3. * @var ParameterBagInterface
  4. */
  5. private $params;

    This params attribute is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by craigh
  6. /**
  7. * @var ControllerHelper
  8. */
  9. private $controllerHelper;

PHP code should follow PSR-1 basic coding standard 2

More information: https://insight.symfony.com/what-we-analyse/php.psr1

  1. */
  2. public function __construct()
  3. {
  4. }
  5. public function get_objectType(): string

    Method names should be declared in camelCase.
    You should rename this method to comply with PSR-1.

    Time to fix: about 15 minutes
    Last edited by Guite
  6. {
  7. return $this->_objectType;
  8. }
  9. public function set_objectType(string $_objectType): void
  1. public function get_objectType(): string
  2. {
  3. return $this->_objectType;
  4. }
  5. public function set_objectType(string $_objectType): void

    Method names should be declared in camelCase.
    You should rename this method to comply with PSR-1.

    Time to fix: about 15 minutes
    Last edited by Guite
  6. {
  7. if ($this->_objectType !== $_objectType) {
  8. $this->_objectType = $_objectType ?? '';
  9. }
  10. }