5 * Contains \Drupal\security_review\Checks\AdminPermissions.
8 namespace Drupal\security_review\Checks;
11 use Drupal\security_review\Check;
12 use Drupal\security_review\CheckResult;
13 use Drupal\user\Entity\Role;
16 * Checks whether untrusted roles have restricted permissions.
18 class AdminPermissions extends Check {
23 public function getNamespace() {
24 return 'Security Review';
30 public function getTitle() {
31 return 'Drupal permissions';
37 public function getMachineTitle() {
38 return 'admin_permissions';
44 public function run() {
45 $result = CheckResult::SUCCESS;
48 // Get every permission.
49 $all_permissions = $this->security()->permissions(TRUE);
50 $all_permission_strings = array_keys($all_permissions);
52 // Get permissions for untrusted roles.
53 $untrusted_permissions = $this->security()->untrustedPermissions(TRUE);
54 foreach ($untrusted_permissions as $rid => $permissions) {
55 $intersect = array_intersect($all_permission_strings, $permissions);
56 foreach ($intersect as $permission) {
57 if (isset($all_permissions[$permission]['restrict access'])) {
58 $findings[$rid][] = $permission;
63 if (!empty($findings)) {
64 $result = CheckResult::FAIL;
67 return $this->createResult($result, $findings);
73 public function help() {
75 $paragraphs[] = $this->t("Drupal's permission system is extensive and allows for varying degrees of control. Certain permissions would allow a user total control, or the ability to escalate their control, over your site and should only be granted to trusted users.");
77 '#theme' => 'check_help',
78 '#title' => $this->t('Admin and trusted Drupal permissions'),
79 '#paragraphs' => $paragraphs,
86 public function evaluate(CheckResult $result) {
89 foreach ($result->findings() as $rid => $permissions) {
90 $role = Role::load($rid);
91 /** @var Role $role */
93 $paragraphs[] = $this->t(
94 "@role has the following restricted permissions:",
99 'entity.user_role.edit_permissions_form',
100 ['user_role' => $role->id()]
107 '#theme' => 'check_evaluation',
108 '#paragraphs' => $paragraphs,
109 '#items' => $permissions,
119 public function evaluatePlain(CheckResult $result) {
122 foreach ($result->findings() as $rid => $permissions) {
123 $role = Role::load($rid);
124 /** @var Role $role */
127 '@role has @permissions',
129 '@role' => $role->label(),
130 '@permissions' => implode(', ', $permissions),
142 public function getMessage($result_const) {
143 switch ($result_const) {
144 case CheckResult::SUCCESS:
145 return $this->t('Untrusted roles do not have administrative or trusted Drupal permissions.');
147 case CheckResult::FAIL:
148 return $this->t('Untrusted roles have been granted administrative or trusted Drupal permissions.');
151 return $this->t("Unexpected result.");