class AdminPermissions in Security Review 8
Checks whether untrusted roles have restricted permissions.
Hierarchy
- class \Drupal\security_review\Check uses DependencySerializationTrait, StringTranslationTrait
- class \Drupal\security_review\Checks\AdminPermissions
Expanded class hierarchy of AdminPermissions
1 file declares its use of AdminPermissions
- security_review.module in ./
security_review.module - Site security review and reporting Drupal module.
File
- src/
Checks/ AdminPermissions.php, line 13
Namespace
Drupal\security_review\ChecksView source
class AdminPermissions extends Check {
/**
* {@inheritdoc}
*/
public function getNamespace() {
return 'Security Review';
}
/**
* {@inheritdoc}
*/
public function getTitle() {
return 'Drupal permissions';
}
/**
* {@inheritdoc}
*/
public function getMachineTitle() {
return 'admin_permissions';
}
/**
* {@inheritdoc}
*/
public function run() {
$result = CheckResult::SUCCESS;
$findings = [];
// Get every permission.
$all_permissions = $this
->security()
->permissions(TRUE);
$all_permission_strings = array_keys($all_permissions);
// Get permissions for untrusted roles.
$untrusted_permissions = $this
->security()
->untrustedPermissions(TRUE);
foreach ($untrusted_permissions as $rid => $permissions) {
$intersect = array_intersect($all_permission_strings, $permissions);
foreach ($intersect as $permission) {
if (isset($all_permissions[$permission]['restrict access'])) {
$findings[$rid][] = $permission;
}
}
}
if (!empty($findings)) {
$result = CheckResult::FAIL;
}
return $this
->createResult($result, $findings);
}
/**
* {@inheritdoc}
*/
public function help() {
$paragraphs = [];
$paragraphs[] = $this
->t("Drupal's permission system is extensive and allows for varying degrees of control. Certain permissions would allow a user total control, or the ability to escalate their control, over your site and should only be granted to trusted users.");
return [
'#theme' => 'check_help',
'#title' => $this
->t('Admin and trusted Drupal permissions'),
'#paragraphs' => $paragraphs,
];
}
/**
* {@inheritdoc}
*/
public function evaluate(CheckResult $result) {
$output = [];
foreach ($result
->findings() as $rid => $permissions) {
$role = Role::load($rid);
/** @var Role $role */
$paragraphs = [];
$paragraphs[] = $this
->t("@role has the following restricted permissions:", [
'@role' => Link::createFromRoute($role
->label(), 'entity.user_role.edit_permissions_form', [
'user_role' => $role
->id(),
])
->toString(),
]);
$output[] = [
'#theme' => 'check_evaluation',
'#paragraphs' => $paragraphs,
'#items' => $permissions,
];
}
return $output;
}
/**
* {@inheritdoc}
*/
public function evaluatePlain(CheckResult $result) {
$output = '';
foreach ($result
->findings() as $rid => $permissions) {
$role = Role::load($rid);
/** @var Role $role */
$output .= $this
->t('@role has @permissions', [
'@role' => $role
->label(),
'@permissions' => implode(', ', $permissions),
]);
$output .= "\n";
}
return $output;
}
/**
* {@inheritdoc}
*/
public function getMessage($result_const) {
switch ($result_const) {
case CheckResult::SUCCESS:
return $this
->t('Untrusted roles do not have administrative or trusted Drupal permissions.');
case CheckResult::FAIL:
return $this
->t('Untrusted roles have been granted administrative or trusted Drupal permissions.');
default:
return $this
->t("Unexpected result.");
}
}
}Members
Name |
Modifiers | Type | Description | Overrides |
|---|---|---|---|---|
|
AdminPermissions:: |
public | function |
Returns the evaluation page of a result. Overrides Check:: |
|
|
AdminPermissions:: |
public | function |
Evaluates a CheckResult and returns a plaintext output. Overrides Check:: |
|
|
AdminPermissions:: |
public | function |
Returns the machine name of the check. Overrides Check:: |
|
|
AdminPermissions:: |
public | function |
Converts a result integer to a human-readable result message. Overrides Check:: |
|
|
AdminPermissions:: |
public | function |
Returns the namespace of the check. Overrides Check:: |
|
|
AdminPermissions:: |
public | function |
Returns the human-readable title of the check. Overrides Check:: |
|
|
AdminPermissions:: |
public | function |
Returns the check-specific help page. Overrides Check:: |
|
|
AdminPermissions:: |
public | function |
The actual procedure of carrying out the check. Overrides Check:: |
|
|
Check:: |
protected | property | The configuration storage for this check. | |
|
Check:: |
protected | property | The service container. | |
|
Check:: |
protected | property | Settings handler for this check. | |
|
Check:: |
protected | property | The State system. | |
|
Check:: |
protected | property | The check's prefix in the State system. | |
|
Check:: |
protected | function | Returns the Security Review Checklist service. | |
|
Check:: |
protected | function | Returns the Config factory. | |
|
Check:: |
protected | function | Returns the service container. | |
|
Check:: |
public | function | Creates a new CheckResult for this Check. | |
|
Check:: |
protected | function | Returns the current Drupal user. | |
|
Check:: |
protected | function | Returns the database connection. | |
|
Check:: |
public | function | Enables the check. Has no effect if the check was not skipped. | |
|
Check:: |
protected | function | Returns the entity type manager. | |
|
Check:: |
public | function | Returns the namespace of the check. | |
|
Check:: |
final public | function | Returns the identifier constructed using the namespace and title values. | |
|
Check:: |
public | function | Returns whether the check is skipped. Checks are not skipped by default. | |
|
Check:: |
protected | function | Returns the Drupal Kernel. | |
|
Check:: |
public | function | Returns the last stored result of the check. | |
|
Check:: |
public | function | Returns the timestamp the check was last run. | |
|
Check:: |
protected | function | Returns the module handler. | |
|
Check:: |
public | function | Same as run(), but used in CLI context such as Drush. | 2 |
|
Check:: |
protected | function | Returns the Security Review Security service. | |
|
Check:: |
protected | function | Returns the Security Review service. | |
|
Check:: |
public | function | Returns the check-specific settings' handler. | |
|
Check:: |
public | function | Marks the check as skipped. | |
|
Check:: |
public | function | Returns the user the check was skipped by. | |
|
Check:: |
public | function | Returns the timestamp the check was last skipped on. | |
|
Check:: |
public | function | Stores a result in the state system. | |
|
Check:: |
public | function | Returns whether the findings should be stored or reproduced when needed. | 2 |
|
Check:: |
public | function | Initializes the configuration storage and the settings handler. | 2 |
|
DependencySerializationTrait:: |
protected | property | An array of entity type IDs keyed by the property name of their storages. | |
|
DependencySerializationTrait:: |
protected | property | An array of service IDs keyed by property name used for serialization. | |
|
DependencySerializationTrait:: |
public | function | 1 | |
|
DependencySerializationTrait:: |
public | function | 2 | |
|
StringTranslationTrait:: |
protected | property | The string translation service. | 1 |
|
StringTranslationTrait:: |
protected | function | Formats a string containing a count of items. | |
|
StringTranslationTrait:: |
protected | function | Returns the number of plurals supported by a given language. | |
|
StringTranslationTrait:: |
protected | function | Gets the string translation service. | |
|
StringTranslationTrait:: |
public | function | Sets the string translation service to use. | 2 |
|
StringTranslationTrait:: |
protected | function | Translates a string to the current language or to a given language. |