Merge pull request #8140 from ridz1208/PUSH_v23.0.12_INTO_24.0-release

Push v23.0.12 into 24.0 release
aces · Jul 14, 2022 · 926fac1 · 926fac1
2 parents ada12a8 + e3a702f
commit 926fac1
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 39 deletions.
diff --git a/modules/login/php/signup.class.inc b/modules/login/php/signup.class.inc
@@ -111,6 +111,15 @@ class Signup extends \NDB_Page implements ETagCalculator
         ];
 
         // Check if email address is valid.
+        if (preg_match('/(<|>|"|&)/', $from)) {
+            // Although some of these characters are legal in emails, due to the
+            // current HTML escaping method, it is better to reject email
+            // addresses containing them
+            return new \LORIS\Http\Response\JSON\Conflict(
+                'Email address can not contain the following' .
+                ' characters: <,>,& and "'
+            );
+        }
         if (!filter_var($from, FILTER_VALIDATE_EMAIL)) {
             // Invalid email address.
             return new \LORIS\Http\Response\JSON\Conflict(

diff --git a/modules/user_accounts/jsx/userAccountsIndex.js b/modules/user_accounts/jsx/userAccountsIndex.js
@@ -77,6 +77,11 @@ class UserAccountsIndex extends Component {
             .join(', ')}
           </td>
         );
+        if (cell.length === 0) {
+          result = (
+            <td>This user has no site affiliations</td>
+          );
+        }
         break;
       case 'Project':
         // If user has multiple projects, join array of sites into string
@@ -86,6 +91,11 @@ class UserAccountsIndex extends Component {
             ).join(', ')}
           </td>
         );
+        if (cell.length === 0) {
+          result = (
+            <td>This user has no project affiliations</td>
+          );
+        }
         break;
       case 'Username':
         url = loris.BaseURL + '/user_accounts/edit_user/' + row.Username;

diff --git a/modules/user_accounts/php/edit_user.class.inc b/modules/user_accounts/php/edit_user.class.inc
@@ -1308,9 +1308,13 @@ class Edit_User extends \NDB_Form
      */
     private function _getEmailError(\Database $DB, string $email): ?string
     {
-        // remove illegal characters
-        $email = filter_var($email, FILTER_SANITIZE_EMAIL);
-        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
+        if (preg_match('/(<|>|"|&)/', $email)) {
+            // Although some of these characters are legal in emails, due to the
+            // current HTML escaping method, it is better to reject email
+            // addresses containing them
+            return 'Email address can not contain any the following '.
+                'characters: <, >, & and "';
+        } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
             // If email not syntactically valid
             return "Invalid email address";
         }

diff --git a/modules/user_accounts/php/useraccountrowprovisioner.class.inc b/modules/user_accounts/php/useraccountrowprovisioner.class.inc
@@ -44,19 +44,24 @@ class UserAccountRowProvisioner extends \LORIS\Data\Provisioners\DBRowProvisione
      */
     public function getInstance($row) : \LORIS\Data\DataInstance
     {
-        $pids = array_map(
-            function (string $pid) : \ProjectID {
-                return new \ProjectID($pid);
-            },
-            explode(',', $row['projectIds']),
-        );
-
-        $cids = array_map(
-            function (string $cid) : \CenterID {
-                return new \CenterID($cid);
-            },
-            explode(',', $row['centerIds']),
-        );
+        $cids = [];
+        $pids = [];
+        if (isset($row['centerIds'])) {
+            $cids = array_map(
+                function (string $cid) : \CenterID {
+                    return new \CenterID($cid);
+                },
+                explode(',', $row['centerIds'])
+            );
+        }
+        if (isset($row['projectIds'])) {
+            $pids = array_map(
+                function (string $pid) : \ProjectID {
+                    return new \ProjectID($pid);
+                },
+                explode(',', $row['projectIds'])
+            );
+        }
 
         $row['centerIds']  = $cids;
         $row['projectIds'] = $pids;

diff --git a/tools/exporters/data_dictionary_builder.php b/tools/exporters/data_dictionary_builder.php
@@ -98,23 +98,34 @@
 $parameterNames = [];
 
 foreach ($instruments AS $instrument) {
-    $catId = "";
-    $table = "";
-    $items = explode("\n", trim($instrument));
+    $catId    = "";
+    $table    = "";
+    $testname = "";
+    $items    = explode("\n", trim($instrument));
     foreach ($items AS $item) {
         $paramId = "";
         $bits    = explode("{@}", trim($item));
         switch ($bits[0]) {
         case "testname":
+            $testname = $bits[1];
+            print "Instrument: $testname\n";
             break;
         case "table":
             $table = $bits[1];
-            print "Instrument: $table\n";
+            //`testname` was only recently added to the lorisform parser, for
+            //backwards compatibility, instruments with no testname parameter
+            //should assume the testname from the `table` name (to maintain
+            //status quo) although it might be incorrect since instrument names
+            //and table names could be different by design.
+            if (empty($testname)) {
+                $testname = $table;
+                print "Instrument: $testname\n";
+            }
             break;
 
         case "title":
             $title = $bits[1];
-            // Check if there's already an entry with the same name and reuse same ID
+            // Check if there's already an entry with the same name
             // insertIgnore does not work here since name
             // is not a Unique key in the database
             $catId = $DB->pselectOne(
@@ -156,7 +167,7 @@
                 // the name from the examiner id
                 $bits[0] = "varchar(255)";
             } else if ($bits[0]=="select") {
-                $bits[0] = enumizeOptions($bits[3], $table, $bits[1]);
+                $bits[0] = enumizeOptions($bits[3], $testname, $bits[1]);
             } else if ($bits[0]=="textarea") {
                 $bits[0] ="text";
             } else if ($bits[0]=="text") {
@@ -175,10 +186,10 @@
                 continue 2;
             }
 
-            print "\tInserting $table $bits[1]\n";
+            print "\tInserting $testname $bits[1]\n";
             $bits[2] = htmlspecialchars($bits[2]);
             //find values to insert
-            $Name = $table . "_" . $bits[1];
+            $Name = $testname . "_" . $bits[1];
             if (in_array($Name, $parameterNames, true)) {
                 // this specific table_field combination
                 // was already inserted, skip.
@@ -190,7 +201,7 @@
                 "Type"        => $bits[0],
                 "Description" => $bits[2],
                 "SourceField" => $bits[1],
-                "SourceFrom"  => $table,
+                "SourceFrom"  => $testname,
                 "Queryable"   => "1",
             ];
 
@@ -230,13 +241,13 @@
         }
     }
 
-    if (empty($table)) {
+    if (empty($testname)) {
         continue;
     }
 
     // INSTRUMENT VALIDITY
-    print "\tInserting validity for $table\n";
-    $Name = $table . "_Validity";
+    print "\tInserting validity for $testname\n";
+    $Name = $testname . "_Validity";
 
     if (in_array($Name, $parameterNames, true)) {
         // this specific table_validity combination was already inserted, skip.
@@ -248,9 +259,9 @@
     $query_params = [
         "Name"        => $Name,
         "Type"        => $_type_enum,
-        "Description" => "Validity of $table",
+        "Description" => "Validity of $testname",
         "SourceField" => "Validity",
-        "SourceFrom"  => $table,
+        "SourceFrom"  => $testname,
         "Queryable"   => "1",
     ];
 
@@ -280,8 +291,8 @@
     );
 
     // INSTRUMENT ADMINISTRATION
-    print "\tInserting administration for $table\n";
-    $Name = $table . "_Administration";
+    print "\tInserting administration for $testname\n";
+    $Name = $testname . "_Administration";
     if (in_array($Name, $parameterNames, true)) {
         // this specific table__Administration combination
         // was already inserted, skip.
@@ -292,9 +303,9 @@
     $query_params = [
         "Name"        => $Name,
         "Type"        => $_type_enum,
-        "Description" => "Administration for $table",
+        "Description" => "Administration for $testname",
         "SourceField" => "Administration",
-        "SourceFrom"  => $table,
+        "SourceFrom"  => $testname,
         "Queryable"   => "1",
     ];
 
@@ -351,13 +362,13 @@
  * Convert ip_output.txt format enums to MySQL format
  * enums
  *
- * @param string $options The line of the ip_output.txt to enumize
- * @param string $table   The table containing this line
- * @param string $name    The name of the field being enumized
+ * @param string $options  The line of the ip_output.txt to enumize
+ * @param string $testname The table containing this line
+ * @param string $name     The name of the field being enumized
  *
  * @return string A valid MySQL format enum field string
  */
-function enumizeOptions($options, $table, $name)
+function enumizeOptions($options, $testname, $name)
 {
     $options =explode("{-}", $options);
     foreach ($options as $option) {
@@ -367,7 +378,7 @@ function enumizeOptions($options, $table, $name)
         }
     }
     if (!is_array($enum)) {
-        echo "$table $name $options\n";
+        echo "$testname $name $options\n";
     }
     $enum =implode(",", $enum);
     return "enum($enum)";