--- /dev/null
+<?php
+
+namespace Drupal\security_review\Checks;
+
+use Drupal\Core\Link;
+use Drupal\security_review\Check;
+use Drupal\security_review\CheckResult;
+use Drupal\user\Entity\Role;
+
+/**
+ * Checks whether untrusted roles have restricted permissions.
+ */
+class AdminPermissions extends Check {
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getNamespace() {
+ return 'Security Review';
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getTitle() {
+ return 'Drupal permissions';
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getMachineTitle() {
+ return 'admin_permissions';
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function run() {
+ $result = CheckResult::SUCCESS;
+ $findings = [];
+
+ // Get every permission.
+ $all_permissions = $this->security()->permissions(TRUE);
+ $all_permission_strings = array_keys($all_permissions);
+
+ // Get permissions for untrusted roles.
+ $untrusted_permissions = $this->security()->untrustedPermissions(TRUE);
+ foreach ($untrusted_permissions as $rid => $permissions) {
+ $intersect = array_intersect($all_permission_strings, $permissions);
+ foreach ($intersect as $permission) {
+ if (isset($all_permissions[$permission]['restrict access'])) {
+ $findings[$rid][] = $permission;
+ }
+ }
+ }
+
+ if (!empty($findings)) {
+ $result = CheckResult::FAIL;
+ }
+
+ return $this->createResult($result, $findings);
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function help() {
+ $paragraphs = [];
+ $paragraphs[] = $this->t("Drupal's permission system is extensive and allows for varying degrees of control. Certain permissions would allow a user total control, or the ability to escalate their control, over your site and should only be granted to trusted users.");
+ return [
+ '#theme' => 'check_help',
+ '#title' => $this->t('Admin and trusted Drupal permissions'),
+ '#paragraphs' => $paragraphs,
+ ];
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function evaluate(CheckResult $result) {
+ $output = [];
+
+ foreach ($result->findings() as $rid => $permissions) {
+ $role = Role::load($rid);
+ /** @var Role $role */
+ $paragraphs = [];
+ $paragraphs[] = $this->t(
+ "@role has the following restricted permissions:",
+ [
+ '@role' => Link::createFromRoute(
+ $role->label(),
+ 'entity.user_role.edit_permissions_form',
+ ['user_role' => $role->id()]
+ )->toString(),
+ ]
+ );
+
+ $output[] = [
+ '#theme' => 'check_evaluation',
+ '#paragraphs' => $paragraphs,
+ '#items' => $permissions,
+ ];
+ }
+
+ return $output;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function evaluatePlain(CheckResult $result) {
+ $output = '';
+
+ foreach ($result->findings() as $rid => $permissions) {
+ $role = Role::load($rid);
+ /** @var Role $role */
+
+ $output .= $this->t(
+ '@role has @permissions',
+ [
+ '@role' => $role->label(),
+ '@permissions' => implode(', ', $permissions),
+ ]
+ );
+ $output .= "\n";
+ }
+
+ return $output;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getMessage($result_const) {
+ switch ($result_const) {
+ case CheckResult::SUCCESS:
+ return $this->t('Untrusted roles do not have administrative or trusted Drupal permissions.');
+
+ case CheckResult::FAIL:
+ return $this->t('Untrusted roles have been granted administrative or trusted Drupal permissions.');
+
+ default:
+ return $this->t("Unexpected result.");
+ }
+ }
+
+}