X-Git-Url: http://www.aleph1.co.uk/gitweb/?p=yaffs-website;a=blobdiff_plain;f=web%2Fmodules%2Fcontrib%2Fsecurity_review%2Fsrc%2FChecks%2FAdminPermissions.php;fp=web%2Fmodules%2Fcontrib%2Fsecurity_review%2Fsrc%2FChecks%2FAdminPermissions.php;h=1b663adcb2adf3efab7288800ece8e23f0f32c65;hp=0000000000000000000000000000000000000000;hb=ba1b5c55c66590c41ccc9844d3e62391b0399abb;hpb=93ef30d42f68e55d11d97312531118bbcd4cf318
diff --git a/web/modules/contrib/security_review/src/Checks/AdminPermissions.php b/web/modules/contrib/security_review/src/Checks/AdminPermissions.php
new file mode 100644
index 000000000..1b663adcb
--- /dev/null
+++ b/web/modules/contrib/security_review/src/Checks/AdminPermissions.php
@@ -0,0 +1,155 @@
+security()->permissions(TRUE);
+ $all_permission_strings = array_keys($all_permissions);
+
+ // Get permissions for untrusted roles.
+ $untrusted_permissions = $this->security()->untrustedPermissions(TRUE);
+ foreach ($untrusted_permissions as $rid => $permissions) {
+ $intersect = array_intersect($all_permission_strings, $permissions);
+ foreach ($intersect as $permission) {
+ if (isset($all_permissions[$permission]['restrict access'])) {
+ $findings[$rid][] = $permission;
+ }
+ }
+ }
+
+ if (!empty($findings)) {
+ $result = CheckResult::FAIL;
+ }
+
+ return $this->createResult($result, $findings);
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function help() {
+ $paragraphs = [];
+ $paragraphs[] = $this->t("Drupal's permission system is extensive and allows for varying degrees of control. Certain permissions would allow a user total control, or the ability to escalate their control, over your site and should only be granted to trusted users.");
+ return [
+ '#theme' => 'check_help',
+ '#title' => $this->t('Admin and trusted Drupal permissions'),
+ '#paragraphs' => $paragraphs,
+ ];
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function evaluate(CheckResult $result) {
+ $output = [];
+
+ foreach ($result->findings() as $rid => $permissions) {
+ $role = Role::load($rid);
+ /** @var Role $role */
+ $paragraphs = [];
+ $paragraphs[] = $this->t(
+ "@role has the following restricted permissions:",
+ [
+ '@role' => $this->l(
+ $role->label(),
+ Url::fromRoute(
+ 'entity.user_role.edit_permissions_form',
+ ['user_role' => $role->id()]
+ )
+ ),
+ ]
+ );
+
+ $output[] = [
+ '#theme' => 'check_evaluation',
+ '#paragraphs' => $paragraphs,
+ '#items' => $permissions,
+ ];
+ }
+
+ return $output;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function evaluatePlain(CheckResult $result) {
+ $output = '';
+
+ foreach ($result->findings() as $rid => $permissions) {
+ $role = Role::load($rid);
+ /** @var Role $role */
+
+ $output .= $this->t(
+ '@role has 
@permissions',
+ [
+ '@role' => $role->label(),
+ '@permissions' => implode(', ', $permissions),
+ ]
+ );
+ $output .= "\n";
+ }
+
+ return $output;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getMessage($result_const) {
+ switch ($result_const) {
+ case CheckResult::SUCCESS:
+ return $this->t('Untrusted roles do not have administrative or trusted Drupal permissions.');
+
+ case CheckResult::FAIL:
+ return $this->t('Untrusted roles have been granted administrative or trusted Drupal permissions.');
+
+ default:
+ return $this->t("Unexpected result.");
+ }
+ }
+
+}
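Review bot: The `isset($all_permissions[$permission]['restrict access'])` test in run() flags any permission whose definition merely contains the key, including one that explicitly sets `restrict access` to FALSE, because isset() only rules out NULL; `if (!empty($all_permissions[$permission]['restrict access'])) {` limits the finding to permissions actually marked as restricted, which is what the help text and messages describe. In evaluate() and evaluatePlain() the `Role::load($rid)` result is used unconditionally; if a role recorded in an earlier run's findings has since been deleted, `$role->label()` would presumably fatal while rendering the report rather than degrade to an empty entry, so a `if ($role === NULL) { continue; }` guard after each load (with the `@var` hint moved above it) seems worth the two lines. The beginning of run() and the class header, including the initial values of `$result` and `$findings`, are not visible in this hunk as rendered, so whether `$findings` is initialised before the `!empty($findings)` test could not be confirmed here.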