5 * Contains \Drupal\security_review\Checks\ViewsAccess.
8 namespace Drupal\security_review\Checks;
11 use Drupal\security_review\Check;
12 use Drupal\security_review\CheckResult;
13 use Drupal\views\Entity\View;
16 * Checks enabled Views for displays whose access plugin is set to 'none' (no access control).
18 class ViewsAccess extends Check {
/**
 * {@inheritdoc}
 *
 * Returns the namespace string this check is grouped under.
 */
public function getNamespace() {
  $namespace = 'Security Review';
  return $namespace;
}
/**
 * {@inheritdoc}
 *
 * Returns the human-readable title of this check.
 */
public function getTitle() {
  $title = 'Views access';
  return $title;
}
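/**
 * {@inheritdoc}
 *
 * Walks every enabled View and records each display whose access plugin is
 * explicitly configured as 'none', i.e. the display performs no access
 * check at all.
 *
 * @return \Drupal\security_review\CheckResult
 *   INFO when the Views module is not installed; SUCCESS when no enabled
 *   display uses the 'none' access plugin; FAIL otherwise, with findings
 *   keyed by view ID, each holding the list of offending display names.
 */
public function run() {
  // Without the Views module there is nothing to inspect; report INFO rather
  // than a misleading SUCCESS.
  if (!$this->moduleHandler()->moduleExists('views')) {
    return $this->createResult(CheckResult::INFO);
  }

  // Initialise explicitly: the previous version left $findings undefined on
  // a clean run, so createResult() received an undefined variable.
  $findings = [];

  /** @var \Drupal\views\Entity\View[] $views */
  $views = View::loadMultiple();

  foreach ($views as $view) {
    // Disabled views are skipped, matching the original status() guard.
    if (!$view->status()) {
      continue;
    }

    foreach ($view->get('display') as $display_name => $display) {
      // Only an explicitly configured 'none' access plugin is flagged.
      // NOTE(review): a display that inherits its access settings from the
      // default display presumably carries no 'access' key of its own and is
      // then covered by the default display's entry — confirm against the
      // Views display config schema.
      // Strict comparison: the original used == here.
      if (isset($display['display_options']['access']['type'])
        && $display['display_options']['access']['type'] === 'none') {
        $findings[$view->id()][] = $display_name;
      }
    }
  }

  $result = empty($findings) ? CheckResult::SUCCESS : CheckResult::FAIL;
  return $this->createResult($result, $findings);
}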
/**
 * {@inheritdoc}
 *
 * Builds the help text shown for this check: a single paragraph recommending
 * that every View apply some access control.
 *
 * @return array
 *   A 'check_help' render array.
 */
public function help() {
  $paragraphs = [
    $this->t("Views can check if the user is allowed access to the content. It is recommended that all Views implement some amount of access control, at a minimum checking for the permission 'access content'."),
  ];

  return [
    '#theme' => 'check_help',
    '#title' => $this->t('Views access'),
    '#paragraphs' => $paragraphs,
  ];
}
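/**
 * {@inheritdoc}
 *
 * Renders the findings as a list of links to the edit form of every flagged
 * display, so the reviewer can correct the access setting directly.
 *
 * @param \Drupal\security_review\CheckResult $result
 *   The result produced by run(); findings are keyed by view ID with a list
 *   of display names each.
 *
 * @return array
 *   A 'check_evaluation' render array, or an empty array when there is
 *   nothing to report.
 */
public function evaluate(CheckResult $result) {
  $findings = $result->findings();
  if (empty($findings)) {
    return [];
  }

  $paragraphs = [];
  $paragraphs[] = $this->t('The following View displays do not check access.');

  $items = [];
  foreach ($findings as $view_id => $displays) {
    /** @var \Drupal\views\Entity\View|null $view */
    $view = View::load($view_id);
    // A result may presumably be evaluated after the view it names has been
    // deleted; fall back to the raw ID rather than calling label() on NULL.
    $label = $view ? $view->label() : $view_id;

    foreach ($displays as $display) {
      // Fully qualified so the block does not depend on a use statement that
      // is outside the visible part of the file.
      $items[] = \Drupal\Core\Link::createFromRoute(
        $label . ': ' . $display,
        'entity.view.edit_display_form',
        [
          'view' => $view_id,
          'display_id' => $display,
        ]
      );
    }
  }

  // NOTE(review): the '#items' key is reconstructed from the surrounding
  // code; confirm against the check_evaluation theme definition.
  return [
    '#theme' => 'check_evaluation',
    '#paragraphs' => $paragraphs,
    '#items' => $items,
  ];
}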
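/**
 * {@inheritdoc}
 *
 * Plain-text rendering of the findings: one tab-indented line per view,
 * listing its display names separated by commas.
 *
 * @param \Drupal\security_review\CheckResult $result
 *   The result produced by run().
 *
 * @return string
 *   The report text, or an empty string when there are no findings.
 */
public function evaluatePlain(CheckResult $result) {
  $findings = $result->findings();
  if (empty($findings)) {
    return '';
  }

  // The translated label already ends with a colon; the previous version
  // appended a second one, producing "...check::".
  $output = $this->t('Views without access check:') . "\n";
  foreach ($findings as $view_id => $displays) {
    $output .= "\t" . $view_id . ': ' . implode(', ', $displays) . "\n";
  }

  return $output;
}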
/**
 * {@inheritdoc}
 *
 * Maps a result constant to its user-facing summary message.
 *
 * @param int $result_const
 *   One of the CheckResult constants.
 *
 * @return \Drupal\Core\StringTranslation\TranslatableMarkup
 *   The message for the given result, or a generic fallback for unknown
 *   values.
 */
public function getMessage($result_const) {
  // Loose comparison on purpose: it mirrors the switch semantics of the
  // original implementation.
  if ($result_const == CheckResult::SUCCESS) {
    return $this->t('Views are access controlled.');
  }
  if ($result_const == CheckResult::FAIL) {
    return $this->t('There are Views that do not provide any access checks.');
  }
  if ($result_const == CheckResult::INFO) {
    return $this->t('Module views is not enabled.');
  }

  return $this->t('Unexpected result.');
}