3 namespace Drupal\security_review\Checks;
6 use Drupal\security_review\Check;
7 use Drupal\security_review\CheckResult;
8 use Drupal\views\Entity\View;
11 * Checks for View displays that do not perform any access check.
13 class ViewsAccess extends Check {
18 public function getNamespace() {
19 return 'Security Review';
25 public function getTitle() {
26 return 'Views access';
32 public function run() {
33 // If views is not enabled return with INFO.
34 if (!$this->moduleHandler()->moduleExists('views')) {
35 return $this->createResult(CheckResult::INFO);
38 $result = CheckResult::SUCCESS;
41 $views = View::loadMultiple();
42 /** @var View[] $views */
44 // Iterate through views and their displays.
45 foreach ($views as $view) {
46 if ($view->status()) {
47 foreach ($view->get('display') as $display_name => $display) {
48 $access = &$display['display_options']['access'];
49 if (isset($access) && $access['type'] == 'none') {
50 // Access is not controlled for this display.
51 $findings[$view->id()][] = $display_name;
57 if (!empty($findings)) {
58 $result = CheckResult::FAIL;
61 return $this->createResult($result, $findings);
67 public function help() {
69 $paragraphs[] = $this->t("Views can check if the user is allowed access to the content. It is recommended that all Views implement some amount of access control, at a minimum checking for the permission 'access content'.");
72 '#theme' => 'check_help',
73 '#title' => $this->t('Views access'),
74 '#paragraphs' => $paragraphs,
81 public function evaluate(CheckResult $result) {
82 $findings = $result->findings();
83 if (empty($findings)) {
88 $paragraphs[] = $this->t('The following View displays do not check access.');
91 foreach ($findings as $view_id => $displays) {
92 $view = View::load($view_id);
93 /** @var View $view */
95 foreach ($displays as $display) {
96 $items[] = Link::createFromRoute(
97 $view->label() . ': ' . $display,
98 'entity.view.edit_display_form',
101 'display_id' => $display,
108 '#theme' => 'check_evaluation',
109 '#paragraphs' => $paragraphs,
117 public function evaluatePlain(CheckResult $result) {
118 $findings = $result->findings();
119 if (empty($findings)) {
123 $output = $this->t('Views without access check:') . ":\n";
124 foreach ($findings as $view_id => $displays) {
125 $output .= "\t" . $view_id . ": " . implode(', ', $displays) . "\n";
134 public function getMessage($result_const) {
135 switch ($result_const) {
136 case CheckResult::SUCCESS:
137 return $this->t('Views are access controlled.');
139 case CheckResult::FAIL:
140 return $this->t('There are Views that do not provide any access checks.');
142 case CheckResult::INFO:
143 return $this->t('Module views is not enabled.');
146 return $this->t('Unexpected result.');