Cast 'statamic.users.elevated_session_duration' config value to float/integer

[michaldoda]

Bug description

In several places throughout the codebase, configuration values are explicitly cast to integers using (int) before being used. Since env() values are returned as strings, it may be worth applying the same approach here to ensure the value passed to addMinutes() is always an integer or float in that specific case:

// vendor/statamic/cms/src/Providers/AppServiceProvider.php

return Carbon::createFromTimestamp($lastElevated)
    ->addMinutes((int) config('statamic.users.elevated_session_duration', 15))
    ->timestamp;

How to reproduce

Add the following environment variable to your .env:

STATAMIC_ELEVATED_SESSION_DURATION=5

Update config/statamic/users.php to use the environment variable:

'elevated_session_duration' => env('STATAMIC_ELEVATED_SESSION_DURATION', 15),

Log in to the Control Panel and perform an action that requires an elevated session.

Logs

Environment

# fresh installation
$ php please support:details

Environment
Laravel Version: 13.13.0
PHP Version: 8.5.6
Composer Version: 2.7.2
Environment: local
Debug Mode: ENABLED
Maintenance Mode: OFF
Timezone: UTC
Locale: en

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: file
Database: sqlite
Logs: stack / single
Mail: log
Queue: sync
Session: file

Storage
public/storage: NOT LINKED

Statamic
Addons: 0
License Key: ...
Sites: 1
Stache Watcher: Enabled (auto)
Static Caching: Disabled
Version: 6.20.0 PRO

Installation

Fresh statamic/statamic site via CLI

Additional details

It's a fresh installation

[duncanmcclean]

Is it causing issues for you or just something you noticed?

[jasonvarga]

I'm not sure what you're requesting. Is there an issue? The addMinutes method typehints int|float, so by passing a string it will already automatically cast it to an integer.

[michaldoda]

Thanks for your reply. Yes, after following the repro steps, I get the following error:

Carbon\Carbon::rawAddUnit(): Argument #3 ($value) must be of type int|float, string given, called in /home/user/PhpstormProjects/test_projects/vendor/nesbot/carbon/src/Carbon/Traits/Units.php on line 356

Sorry, the snippet I pasted above was just my proposal, the current code in statamic/cms doesnt have this casting, and it looks like below:

// the current code in AppServiceProvider.php

            return Carbon::createFromTimestamp($lastElevated)
                ->addMinutes(config('statamic.users.elevated_session_duration', 15))
                ->timestamp;

[jasonvarga]

Yeah sorry I only tested that with a fake class.

class Foo {
    function addMinutes(int|float $minutes) {
        return $minutes;
    }
}

new Foo()->addMinutes('4'); // returns (int) 4

But I guess the call stack is different when actually using addMinutes with carbon.

[michaldoda]

Or there is somewhere declare(strict_types=1); within Carbon classes. Anyway thank you both for your very quick replies & actions.