
function security_review_settings in Security Review 7

Same name and namespace in other branches
  1. 6 security_review.module \security_review_settings()

Form builder for the module settings page (untrusted roles, logging, checks to skip, and check-specific options).

1 string reference to 'security_review_settings'
security_review_menu in ./security_review.module
Implements hook_menu().

File

./security_review.pages.inc, line 125
security_review.pages.inc

Code

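/**
 * Form builder for the Security Review module settings page.
 *
 * Builds the untrusted-roles selector, a warning about stored results whose
 * checks are no longer active, the logging toggle, the list of checks to
 * skip and the check-specific settings, then hands the form to
 * system_settings_form() so the submitted values are persisted as variables.
 *
 * @return array
 *   A Form API array, as returned by system_settings_form().
 */
function security_review_settings() {
  module_load_include('inc', 'security_review');
  $checklist = security_review_get_checklist();
  $form = array();

  // Role names are administrator-defined text; escape them before they are
  // used as checkbox labels.
  $options = array();
  foreach (user_roles() as $rid => $role_name) {
    $options[$rid] = check_plain($role_name);
  }

  // The authenticated role only defaults to untrusted when the site lets
  // anonymous visitors register without administrator approval.
  $defaults = _security_review_default_untrusted_roles();
  $message = '';
  if (array_key_exists(DRUPAL_AUTHENTICATED_RID, $defaults)) {
    $message = t('You have allowed anonymous users to create accounts without approval so the authenticated role defaults to untrusted.');
  }
  $form['security_review_untrusted_roles'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Untrusted roles'),
    // @message is escaped by t(); !url is a fixed, trusted external link.
    '#description' => t('Mark which roles are not trusted. The anonymous role defaults to untrusted. @message Read more about the idea behind trusted and untrusted roles on <a href="!url">DrupalScout.com</a>. Most Security Review checks look for resources usable by untrusted roles.', array(
      '@message' => $message,
      '!url' => url('http://drupalscout.com/knowledge-base/importance-user-roles-and-permissions-site-security'),
    )),
    '#options' => $options,
    '#default_value' => variable_get('security_review_untrusted_roles', array_keys($defaults)),
  );

  // Report stored results whose check is no longer part of the active
  // checklist (typically because the providing module was disabled).
  // Several stored results can share a namespace, so collect each
  // namespace only once; keys preserve first-seen order for the message.
  $inactive_namespaces = array();
  foreach (security_review_get_stored_results() as $stored) {
    if (!isset($checklist[$stored['namespace']][$stored['reviewcheck']])) {
      $inactive_namespaces[$stored['namespace']] = $stored['namespace'];
    }
  }
  if (!empty($inactive_namespaces)) {
    $form['inactive_checks'] = array(
      '#prefix' => '<div class="messages warning">',
      '#suffix' => '</div>',
      // %modules is escaped and emphasised by t().
      '#markup' => t('Inactive checks are being stored under namespaces: %modules. Enabling associated modules may allow these checks to be run again. Inactive checks must be manually removed or uninstall and reinstall Security Review to clear all stored checks.', array(
        '%modules' => implode(', ', $inactive_namespaces),
      )),
    );
  }

  $form['security_review_adv'] = array(
    '#type' => 'fieldset',
    '#title' => t('Advanced'),
    '#collapsible' => TRUE,
    '#collapsed' => FALSE,
  );
  $form['security_review_adv']['security_review_log'] = array(
    '#type' => 'checkbox',
    '#title' => t('Log checklist results and skips'),
    '#description' => t('The result of each check and skip can be logged to watchdog for tracking.'),
    '#default_value' => variable_get('security_review_log', TRUE),
  );

  // Build the "checks to skip" options; checks already skipped are
  // pre-selected and their label records who skipped them and when.
  $options = array();
  $values = array();
  $skipped = security_review_skipped_checks();
  foreach ($checklist as $module => $checks) {
    foreach ($checks as $check_name => $check) {
      $is_skipped = isset($skipped[$module]) && array_key_exists($check_name, $skipped[$module]);
      if ($is_skipped) {
        $values[] = $check_name;
        // NOTE(review): !name, !uid and !date are inserted unescaped. The
        // title comes from the check definition and skipuid/skiptime are
        // written by this module when a check is skipped; confirm none of
        // them can carry user-supplied markup before relying on this.
        $options[$check_name] = t('!name <em>skipped by UID !uid on !date</em>', array(
          '!name' => $check['title'],
          '!uid' => $skipped[$module][$check_name]['skipuid'],
          '!date' => format_date($skipped[$module][$check_name]['skiptime']),
        ));
      }
      else {
        $options[$check_name] = $check['title'];
      }
    }
  }
  $form['security_review_adv']['security_review_skip'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Checks to skip'),
    '#description' => t('Skip running certain checks. This can also be set on the <em>Run & review</em> page. It is recommended that you do not skip any checks unless you know the result is wrong or the process times out while running.'),
    '#options' => $options,
    '#default_value' => $values,
  );

  // NOTE(review): with #tree set, the submitted value arrives nested under
  // 'check_settings' while the default below is read from the flat variable
  // 'security_review_base_url_method'. _security_review_settings_submit()
  // (not shown here) presumably flattens it before system_settings_form()
  // saves the values; confirm that, or the saved choice will not round-trip.
  $form['security_review_adv']['check_settings'] = array(
    '#type' => 'fieldset',
    '#title' => t('Check-specific settings'),
    '#collapsible' => TRUE,
    '#collapsed' => TRUE,
    '#tree' => TRUE,
  );
  // The 'include' method executes settings.php, including any custom PHP in
  // it, with the web server's privileges; 'token' only parses the file.
  $form['security_review_adv']['check_settings']['security_review_base_url_method'] = array(
    '#type' => 'radios',
    '#title' => t('Base URL check method'),
    '#description' => t('Detecting the $base_url in settings.php can be done via PHP tokenization (recommend) or including the file. Note that if you have custom functionality in your settings.php it will be executed if the file is included. Including the file can result in a more accurate $base_url check if you wrap the setting in conditional statements.'),
    '#options' => array(
      'token' => t('Tokenize settings.php (recommended)'),
      'include' => t('Include settings.php'),
    ),
    '#default_value' => variable_get('security_review_base_url_method', 'token'),
  );

  // Custom handler runs before system_settings_form_submit() so the skipped
  // checks can be recorded from the submitted values.
  $form['#submit'][] = '_security_review_settings_submit';
  return system_settings_form($form);
}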