diff --git a/modules/login/php/signup.class.inc b/modules/login/php/signup.class.inc
index bf2cbb63314..6c694e60881 100644
--- a/modules/login/php/signup.class.inc
+++ b/modules/login/php/signup.class.inc
@@ -111,6 +111,15 @@ class Signup extends \NDB_Page implements ETagCalculator
];
// Check if email address is valid.
+ if (preg_match('/(<|>|"|&)/', $from)) {
+ // Although some of these characters are legal in emails, due to the
+ // current HTML escaping method, it is better to reject email
+ // addresses containing them
+ return new \LORIS\Http\Response\JSON\Conflict(
+ 'Email address can not contain the following' .
+ ' characters: <,>,& and "'
+ );
+ }
if (!filter_var($from, FILTER_VALIDATE_EMAIL)) {
// Invalid email address.
return new \LORIS\Http\Response\JSON\Conflict(
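Review bot: The new preg_match rejection block duplicates, almost verbatim, the check added to `_getEmailError` in edit_user.class.inc (same regex, same comment, a differently worded user message), so the two will drift the next time the escaping strategy changes; a single shared helper that returns the error string, called from both places, would keep them aligned. The comment explains the check as a workaround for the current HTML escaping, so it helps to state the exit condition explicitly, e.g. `// TODO: drop this check once addresses are escaped per output context (attribute vs. text)`. If the escaping concern is attribute injection, a single quote may deserve the same treatment as `"` — worth confirming against the escaping code before relying on this list. The enclosing method starts and ends outside the hunk.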
diff --git a/modules/user_accounts/jsx/userAccountsIndex.js b/modules/user_accounts/jsx/userAccountsIndex.js
index 7f2543d8594..979a6201f16 100644
--- a/modules/user_accounts/jsx/userAccountsIndex.js
+++ b/modules/user_accounts/jsx/userAccountsIndex.js
@@ -77,6 +77,11 @@ class UserAccountsIndex extends Component {
.join(', ')}
);
+ if (cell.length === 0) {
+ result = (
+
This user has no site affiliations |
+ );
+ }
break;
case 'Project':
// If user has multiple projects, join array of sites into string
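Review bot: The `cell.length === 0` guard is evaluated only after `result` has already been assigned from the map/join just above it, so the joined element is built and then discarded; testing for the empty array first and falling through to the join otherwise reads more directly, and the same ordering applies to the matching block in the second hunk of this file. The inserted element's markup appears to have lost its tags in this copy of the diff, so the JSX itself cannot be reviewed here. The switch statement continues beyond both hunks.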
@@ -86,6 +91,11 @@ class UserAccountsIndex extends Component {
).join(', ')}
);
+ if (cell.length === 0) {
+ result = (
+ This user has no project affiliations |
+ );
+ }
break;
case 'Username':
url = loris.BaseURL + '/user_accounts/edit_user/' + row.Username;
diff --git a/modules/user_accounts/php/edit_user.class.inc b/modules/user_accounts/php/edit_user.class.inc
index 4b5e379ff01..a3938c68513 100644
--- a/modules/user_accounts/php/edit_user.class.inc
+++ b/modules/user_accounts/php/edit_user.class.inc
@@ -1308,9 +1308,13 @@ class Edit_User extends \NDB_Form
*/
private function _getEmailError(\Database $DB, string $email): ?string
{
- // remove illegal characters
- $email = filter_var($email, FILTER_SANITIZE_EMAIL);
- if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
+ if (preg_match('/(<|>|"|&)/', $email)) {
+ // Although some of these characters are legal in emails, due to the
+ // current HTML escaping method, it is better to reject email
+ // addresses containing them
+ return 'Email address can not contain any the following '.
+ 'characters: <, >, & and "';
+ } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
// If email not syntactically valid
return "Invalid email address";
}
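Review bot: The returned message reads "can not contain any the following" — the word "of" is missing — and it differs in wording and punctuation from the equivalent message added in signup.class.inc ("the following characters: <,>,& and \""); `return 'Email address can not contain any of the following ' . 'characters: <, >, & and "';` fixes the typo, and sharing one string between the two modules keeps the UI consistent. Since that branch returns, the following `elseif` can be a plain `if`. The docblock above the method ends just before the hunk; if it describes the return value, it should now also mention that addresses containing `<`, `>`, `&` or `"` are rejected. The method body continues past the hunk.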
diff --git a/modules/user_accounts/php/useraccountrowprovisioner.class.inc b/modules/user_accounts/php/useraccountrowprovisioner.class.inc
index a399213956a..382a70b8673 100644
--- a/modules/user_accounts/php/useraccountrowprovisioner.class.inc
+++ b/modules/user_accounts/php/useraccountrowprovisioner.class.inc
@@ -44,19 +44,24 @@ class UserAccountRowProvisioner extends \LORIS\Data\Provisioners\DBRowProvisione
*/
public function getInstance($row) : \LORIS\Data\DataInstance
{
- $pids = array_map(
- function (string $pid) : \ProjectID {
- return new \ProjectID($pid);
- },
- explode(',', $row['projectIds']),
- );
-
- $cids = array_map(
- function (string $cid) : \CenterID {
- return new \CenterID($cid);
- },
- explode(',', $row['centerIds']),
- );
+ $cids = [];
+ $pids = [];
+ if (isset($row['centerIds'])) {
+ $cids = array_map(
+ function (string $cid) : \CenterID {
+ return new \CenterID($cid);
+ },
+ explode(',', $row['centerIds'])
+ );
+ }
+ if (isset($row['projectIds'])) {
+ $pids = array_map(
+ function (string $pid) : \ProjectID {
+ return new \ProjectID($pid);
+ },
+ explode(',', $row['projectIds'])
+ );
+ }
$row['centerIds'] = $cids;
$row['projectIds'] = $pids;
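Review bot: `isset($row['centerIds'])` (and likewise for `projectIds`) excludes only null; an empty string still passes, `explode(',', '')` then yields `['']`, and `new \CenterID('')` is constructed from an empty id. If the underlying query can produce an empty string for a user with no affiliations — the empty-affiliation rendering added in userAccountsIndex.js suggests such rows occur — a stricter guard such as `if (($row['centerIds'] ?? '') !== '') {` avoids creating a bogus identifier. getInstance continues past the end of the hunk.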
diff --git a/tools/exporters/data_dictionary_builder.php b/tools/exporters/data_dictionary_builder.php
index f40a7366a7c..8ffaab279f2 100755
--- a/tools/exporters/data_dictionary_builder.php
+++ b/tools/exporters/data_dictionary_builder.php
@@ -98,23 +98,34 @@
$parameterNames = [];
foreach ($instruments AS $instrument) {
- $catId = "";
- $table = "";
- $items = explode("\n", trim($instrument));
+ $catId = "";
+ $table = "";
+ $testname = "";
+ $items = explode("\n", trim($instrument));
foreach ($items AS $item) {
$paramId = "";
$bits = explode("{@}", trim($item));
switch ($bits[0]) {
case "testname":
+ $testname = $bits[1];
+ print "Instrument: $testname\n";
break;
case "table":
$table = $bits[1];
- print "Instrument: $table\n";
+ //`testname` was only recently added to the lorisform parser, for
+ //backwards compatibility, instruments with no testname parameter
+ //should assume the testname from the `table` name (to maintain
+ //status quo) although it might be incorrect since instrument names
+ //and table names could be different by design.
+ if (empty($testname)) {
+ $testname = $table;
+ print "Instrument: $testname\n";
+ }
break;
case "title":
$title = $bits[1];
- // Check if there's already an entry with the same name and reuse same ID
+ // Check if there's already an entry with the same name
// insertIgnore does not work here since name
// is not a Unique key in the database
$catId = $DB->pselectOne(
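Review bot: The fallback in the `table` case only fires when `$testname` is still empty, so the outcome depends on the order in which the parser emits `testname` and `table`: if `table` precedes `testname`, "Instrument:" is printed twice and the later `testname` value silently replaces the one already used. That assumption deserves one sentence in the new comment, e.g. `// assumes the testname line, when present, precedes the table line and all field lines`. `empty($testname)` also treats an instrument named "0" as absent (the same applies to the `empty($testname)` continue further down); `$testname === ''` is the safer test. The surrounding foreach begins in the hunk but ends well beyond it.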
@@ -156,7 +167,7 @@
// the name from the examiner id
$bits[0] = "varchar(255)";
} else if ($bits[0]=="select") {
- $bits[0] = enumizeOptions($bits[3], $table, $bits[1]);
+ $bits[0] = enumizeOptions($bits[3], $testname, $bits[1]);
} else if ($bits[0]=="textarea") {
$bits[0] ="text";
} else if ($bits[0]=="text") {
@@ -175,10 +186,10 @@
continue 2;
}
- print "\tInserting $table $bits[1]\n";
+ print "\tInserting $testname $bits[1]\n";
$bits[2] = htmlspecialchars($bits[2]);
//find values to insert
- $Name = $table . "_" . $bits[1];
+ $Name = $testname . "_" . $bits[1];
if (in_array($Name, $parameterNames, true)) {
// this specific table_field combination
// was already inserted, skip.
@@ -190,7 +201,7 @@
"Type" => $bits[0],
"Description" => $bits[2],
"SourceField" => $bits[1],
- "SourceFrom" => $table,
+ "SourceFrom" => $testname,
"Queryable" => "1",
];
@@ -230,13 +241,13 @@
}
}
- if (empty($table)) {
+ if (empty($testname)) {
continue;
}
// INSTRUMENT VALIDITY
- print "\tInserting validity for $table\n";
- $Name = $table . "_Validity";
+ print "\tInserting validity for $testname\n";
+ $Name = $testname . "_Validity";
if (in_array($Name, $parameterNames, true)) {
// this specific table_validity combination was already inserted, skip.
@@ -248,9 +259,9 @@
$query_params = [
"Name" => $Name,
"Type" => $_type_enum,
- "Description" => "Validity of $table",
+ "Description" => "Validity of $testname",
"SourceField" => "Validity",
- "SourceFrom" => $table,
+ "SourceFrom" => $testname,
"Queryable" => "1",
];
@@ -280,8 +291,8 @@
);
// INSTRUMENT ADMINISTRATION
- print "\tInserting administration for $table\n";
- $Name = $table . "_Administration";
+ print "\tInserting administration for $testname\n";
+ $Name = $testname . "_Administration";
if (in_array($Name, $parameterNames, true)) {
// this specific table__Administration combination
// was already inserted, skip.
@@ -292,9 +303,9 @@
$query_params = [
"Name" => $Name,
"Type" => $_type_enum,
- "Description" => "Administration for $table",
+ "Description" => "Administration for $testname",
"SourceField" => "Administration",
- "SourceFrom" => $table,
+ "SourceFrom" => $testname,
"Queryable" => "1",
];
@@ -351,13 +362,13 @@
* Convert ip_output.txt format enums to MySQL format
* enums
*
- * @param string $options The line of the ip_output.txt to enumize
- * @param string $table The table containing this line
- * @param string $name The name of the field being enumized
+ * @param string $options The line of the ip_output.txt to enumize
+ * @param string $testname The table containing this line
+ * @param string $name The name of the field being enumized
*
* @return string A valid MySQL format enum field string
*/
-function enumizeOptions($options, $table, $name)
+function enumizeOptions($options, $testname, $name)
{
$options =explode("{-}", $options);
foreach ($options as $option) {
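Review bot: The `@param` line for `$testname` was realigned but its description still says "The table containing this line", which no longer matches the renamed parameter; `* @param string $testname The instrument (test) name containing this line` keeps the docblock truthful. The signature remains untyped; `function enumizeOptions(string $options, string $testname, string $name): string` would match what the docblock already promises. The function body continues past the hunk.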
@@ -367,7 +378,7 @@ function enumizeOptions($options, $table, $name)
}
}
if (!is_array($enum)) {
- echo "$table $name $options\n";
+ echo "$testname $name $options\n";
}
$enum =implode(",", $enum);
return "enum($enum)";
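Review bot: The rewritten diagnostic `echo "$testname $name $options\n";` interpolates `$options`, but by then `$options` holds the array produced by `explode("{-}", $options)` at the top of the function, so the message prints "Array" (with an array-to-string conversion warning) instead of the offending line. Keep the raw line in a separate variable before exploding, e.g. `$rawOptions = $options;` and `echo "$testname $name $rawOptions\n";`, or use `implode('{-}', $options)` in the message. The function's closing brace lies outside the hunk.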