X-Git-Url: http://www.aleph1.co.uk/gitweb/?p=yaffs-website;a=blobdiff_plain;f=web%2Fmodules%2Fcontrib%2Fsecurity_review%2Fsrc%2FChecks%2FViewsAccess.php;fp=web%2Fmodules%2Fcontrib%2Fsecurity_review%2Fsrc%2FChecks%2FViewsAccess.php;h=3d7cf0150939504e21abc2d1fa5dcb9d82e83c3c;hp=0000000000000000000000000000000000000000;hb=ba1b5c55c66590c41ccc9844d3e62391b0399abb;hpb=93ef30d42f68e55d11d97312531118bbcd4cf318
diff --git a/web/modules/contrib/security_review/src/Checks/ViewsAccess.php b/web/modules/contrib/security_review/src/Checks/ViewsAccess.php
new file mode 100644
index 000000000..3d7cf0150
--- /dev/null
+++ b/web/modules/contrib/security_review/src/Checks/ViewsAccess.php
@@ -0,0 +1,157 @@
+moduleHandler()->moduleExists('views')) {
+ return $this->createResult(CheckResult::INFO);
+ }
+
+ $result = CheckResult::SUCCESS;
+ $findings = [];
+
+ $views = View::loadMultiple();
+ /** @var View[] $views */
+
+ // Iterate through views and their displays.
+ foreach ($views as $view) {
+ if ($view->status()) {
+ foreach ($view->get('display') as $display_name => $display) {
+ $access = &$display['display_options']['access'];
+ if (isset($access) && $access['type'] == 'none') {
+ // Access is not controlled for this display.
+ $findings[$view->id()][] = $display_name;
+ }
+ }
+ }
+ }
+
+ if (!empty($findings)) {
+ $result = CheckResult::FAIL;
+ }
+
+ return $this->createResult($result, $findings);
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function help() {
+ $paragraphs = [];
+ $paragraphs[] = $this->t("Views can check if the user is allowed access to the content. It is recommended that all Views implement some amount of access control, at a minimum checking for the permission 'access content'.");
+
+ return [
+ '#theme' => 'check_help',
+ '#title' => $this->t('Views access'),
+ '#paragraphs' => $paragraphs,
+ ];
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function evaluate(CheckResult $result) {
+ $findings = $result->findings();
+ if (empty($findings)) {
+ return [];
+ }
+
+ $paragraphs = [];
+ $paragraphs[] = $this->t('The following View displays do not check access.');
+
+ $items = [];
+ foreach ($findings as $view_id => $displays) {
+ $view = View::load($view_id);
+ /** @var View $view */
+
+ foreach ($displays as $display) {
+ $items[] = $this->l(
+ $view->label() . ': ' . $display,
+ Url::fromRoute(
+ 'entity.view.edit_display_form',
+ [
+ 'view' => $view_id,
+ 'display_id' => $display,
+ ]
+ )
+ );
+ }
+ }
+
+ return [
+ '#theme' => 'check_evaluation',
+ '#paragraphs' => $paragraphs,
+ '#items' => $items,
+ ];
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function evaluatePlain(CheckResult $result) {
+ $findings = $result->findings();
+ if (empty($findings)) {
+ return '';
+ }
+
+ $output = $this->t('Views without access check:') . ":\n";
+ foreach ($findings as $view_id => $displays) {
+ $output .= "\t" . $view_id . ": " . implode(', ', $displays) . "\n";
+ }
+
+ return $output;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function getMessage($result_const) {
+ switch ($result_const) {
+ case CheckResult::SUCCESS:
+ return $this->t('Views are access controlled.');
+
+ case CheckResult::FAIL:
+ return $this->t('There are Views that do not provide any access checks.');
+
+ case CheckResult::INFO:
+ return $this->t('Module views is not enabled.');
+
+ default:
+ return $this->t('Unexpected result.');
+ }
+ }
+
+}
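Review bot: In evaluate(), `View::load($view_id)` can return NULL when a view named in the stored findings has since been deleted or renamed, and the unguarded `$view->label()` call on the next lines would then throw instead of the report degrading gracefully; a guard such as `if (!$view) { continue; }` right after the load (or using `$view_id` as a fallback label) keeps the evaluation page rendering. In evaluatePlain(), `$this->t('Views without access check:') . ":\n"` prints a doubled colon because both the translated string and the appended literal end with `:` — drop one of them. In the display loop near the top of the hunk, `$access = &$display['display_options']['access'];` takes a reference only to test `isset()` and `$access['type'] == 'none'` is a loose comparison; `if (isset($display['display_options']['access']['type']) && $display['display_options']['access']['type'] === 'none') {` says the same thing strictly without the reference. The leading lines of this new file (file header, class declaration and the start of the method containing the `moduleExists('views')` check) are missing from this rendering, so that method begins outside what is visible here.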