function paranoia_form_user_admin_permissions_alter in Paranoia 8
Same name and namespace in other branches
- 7 paranoia.module \paranoia_form_user_admin_permissions_alter()
Implements hook_form_FORM_ID_alter().
Hides permissions considered risky by hook_paranoia_hide_permissions().
File
- ./
paranoia.module, line 120 - Disables PHP block visibility permission and gives status error if a role has this permission. Disables the PHP module. Hides the PHP and paranoia modules from the modules page. Prevents user/1 editing which could give access to abitrary contrib…
Code
function paranoia_form_user_admin_permissions_alter(&$form, FormStateInterface $form_state) {
$banned_permissions = \Drupal::moduleHandler()
->invokeAll('paranoia_hide_permissions');
$permissions = \Drupal::service('user.permissions')
->getPermissions();
$permissions_by_provider = [];
foreach ($permissions as $permission_name => $permission) {
$permissions_by_provider[$permission['provider']][$permission_name] = $permission;
}
$has_hidden = FALSE;
foreach ($permissions_by_provider as $provider => $provider_permissions) {
$hidden_count = 0;
foreach ($provider_permissions as $permission_name => $permission) {
// If the permission is banned, remove it.
if (in_array($permission_name, $banned_permissions)) {
unset($form['permissions'][$permission_name]);
$hidden_count++;
$has_hidden = TRUE;
}
elseif (!empty($permission['restrict access'])) {
foreach ([
RoleInterface::ANONYMOUS_ID,
RoleInterface::AUTHENTICATED_ID,
] as $rid) {
$form['permissions'][$permission_name][$rid]['#disabled'] = TRUE;
$form['permissions'][$permission_name][$rid]['#default_value'] = FALSE;
}
}
}
// If all permissions for a provider were hidden, remove the provider name.
if ($hidden_count == count($provider_permissions)) {
unset($form['permissions'][$provider]);
}
}
if ($has_hidden) {
\Drupal::messenger()
->addMessage(t('To make this site more secure, some permissions have been removed from this form.'));
}
$form['#submit'][] = 'paranoia_permissions_submit';
}