3 namespace Drupal\security_review\Checks;
6 use Drupal\security_review\Check;
7 use Drupal\security_review\CheckResult;
8 use Drupal\user\Entity\Role;
11 * Checks whether untrusted roles have restricted permissions.
13 class AdminPermissions extends Check {
18 public function getNamespace() {
19 return 'Security Review';
25 public function getTitle() {
26 return 'Drupal permissions';
32 public function getMachineTitle() {
33 return 'admin_permissions';
39 public function run() {
40 $result = CheckResult::SUCCESS;
43 // Get every permission.
44 $all_permissions = $this->security()->permissions(TRUE);
45 $all_permission_strings = array_keys($all_permissions);
47 // Get permissions for untrusted roles.
48 $untrusted_permissions = $this->security()->untrustedPermissions(TRUE);
49 foreach ($untrusted_permissions as $rid => $permissions) {
50 $intersect = array_intersect($all_permission_strings, $permissions);
51 foreach ($intersect as $permission) {
52 if (isset($all_permissions[$permission]['restrict access'])) {
53 $findings[$rid][] = $permission;
58 if (!empty($findings)) {
59 $result = CheckResult::FAIL;
62 return $this->createResult($result, $findings);
68 public function help() {
70 $paragraphs[] = $this->t("Drupal's permission system is extensive and allows for varying degrees of control. Certain permissions would allow a user total control, or the ability to escalate their control, over your site and should only be granted to trusted users.");
72 '#theme' => 'check_help',
73 '#title' => $this->t('Admin and trusted Drupal permissions'),
74 '#paragraphs' => $paragraphs,
81 public function evaluate(CheckResult $result) {
84 foreach ($result->findings() as $rid => $permissions) {
85 $role = Role::load($rid);
86 /** @var Role $role */
88 $paragraphs[] = $this->t(
89 "@role has the following restricted permissions:",
91 '@role' => Link::createFromRoute(
93 'entity.user_role.edit_permissions_form',
94 ['user_role' => $role->id()]
100 '#theme' => 'check_evaluation',
101 '#paragraphs' => $paragraphs,
102 '#items' => $permissions,
112 public function evaluatePlain(CheckResult $result) {
115 foreach ($result->findings() as $rid => $permissions) {
116 $role = Role::load($rid);
117 /** @var Role $role */
120 '@role has @permissions',
122 '@role' => $role->label(),
123 '@permissions' => implode(', ', $permissions),
135 public function getMessage($result_const) {
136 switch ($result_const) {
137 case CheckResult::SUCCESS:
138 return $this->t('Untrusted roles do not have administrative or trusted Drupal permissions.');
140 case CheckResult::FAIL:
141 return $this->t('Untrusted roles have been granted administrative or trusted Drupal permissions.');
144 return $this->t("Unexpected result.");