
class ViewsAccess in Security Review 8

Checks for Views that do not check access.

Hierarchy

class Check (uses DependencySerializationTrait, StringTranslationTrait)
  class ViewsAccess extends Check

1 file declares its use of ViewsAccess
security_review.module in ./security_review.module
Site security review and reporting Drupal module.

File

src/Checks/ViewsAccess.php, line 13

Namespace

Drupal\security_review\Checks
use Drupal\Core\Link;
use Drupal\security_review\Check;
use Drupal\security_review\CheckResult;
use Drupal\views\Entity\View;

/**
 * Checks for Views that do not check access.
 */
class ViewsAccess extends Check {

  /**
   * {@inheritdoc}
   */
  public function getNamespace() {
    return 'Security Review';
  }

  /**
   * {@inheritdoc}
   */
  public function getTitle() {
    return 'Views access';
  }

  /**
   * {@inheritdoc}
   */
  public function run() {
    // If views is not enabled return with INFO.
    if (!$this->moduleHandler()->moduleExists('views')) {
      return $this->createResult(CheckResult::INFO);
    }

    $result = CheckResult::SUCCESS;
    $findings = [];
    /** @var \Drupal\views\Entity\View[] $views */
    $views = View::loadMultiple();

    // Iterate through enabled views and their displays. Disabled views are
    // not reachable, so they are skipped.
    foreach ($views as $view) {
      if ($view->status()) {
        foreach ($view->get('display') as $display_name => $display) {
          $access = $display['display_options']['access'] ?? NULL;
          if (isset($access) && $access['type'] === 'none') {
            // Access is not controlled for this display.
            $findings[$view->id()][] = $display_name;
          }
        }
      }
    }

    if (!empty($findings)) {
      $result = CheckResult::FAIL;
    }
    return $this->createResult($result, $findings);
  }

  /**
   * {@inheritdoc}
   */
  public function help() {
    $paragraphs = [];
    $paragraphs[] = $this->t("Views can check if the user is allowed access to the content. It is recommended that all Views implement some amount of access control, at a minimum checking for the permission 'access content'.");
    return [
      '#theme' => 'check_help',
      '#title' => $this->t('Views access'),
      '#paragraphs' => $paragraphs,
    ];
  }

  /**
   * {@inheritdoc}
   */
  public function evaluate(CheckResult $result) {
    $findings = $result->findings();
    if (empty($findings)) {
      return [];
    }

    $paragraphs = [];
    $paragraphs[] = $this->t('The following View displays do not check access.');

    // One link per offending display, pointing at its edit form.
    $items = [];
    foreach ($findings as $view_id => $displays) {
      /** @var \Drupal\views\Entity\View $view */
      $view = View::load($view_id);
      foreach ($displays as $display) {
        $items[] = Link::createFromRoute($view->label() . ': ' . $display, 'entity.view.edit_display_form', [
          'view' => $view_id,
          'display_id' => $display,
        ]);
      }
    }

    return [
      '#theme' => 'check_evaluation',
      '#paragraphs' => $paragraphs,
      '#items' => $items,
    ];
  }

  /**
   * {@inheritdoc}
   */
  public function evaluatePlain(CheckResult $result) {
    $findings = $result->findings();
    if (empty($findings)) {
      return '';
    }

    // The translated heading already ends with a colon.
    $output = $this->t('Views without access check:') . "\n";
    foreach ($findings as $view_id => $displays) {
      $output .= "\t" . $view_id . ": " . implode(', ', $displays) . "\n";
    }
    return $output;
  }

  /**
   * {@inheritdoc}
   */
  public function getMessage($result_const) {
    switch ($result_const) {
      case CheckResult::SUCCESS:
        return $this->t('Views are access controlled.');

      case CheckResult::FAIL:
        return $this->t('There are Views that do not provide any access checks.');

      case CheckResult::INFO:
        return $this->t('Module views is not enabled.');

      default:
        return $this->t('Unexpected result.');
    }
  }

}
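The check above only runs inside a bootstrapped site. As an added example (not code from the Security Review module), the script below applies the same rule to exported view configuration, so the audit can run in CI against the config sync directory before a deployment. The sample view definitions are constructed and mirror the dict shape that yaml.safe_load() returns for a views.view.*.yml file; the load_exported_views helper assumes PyYAML is installed and that the directory holds exports written by drush config:export. It goes one step beyond ViewsAccess::run(): with resolve_inheritance=True a display that sets no access option of its own is evaluated against the view's default display, which is how Views resolves non-overridden options, so page or feed displays that are effectively unprotected are reported as well.

```python
"""Offline audit of exported Drupal Views config for displays without access control.

Added example, not part of the Security Review module. It mirrors the logic of
ViewsAccess::run() (enabled views only; a display fails when its access type is
'none') but reads exported config instead of loaded View entities.
"""
from pathlib import Path

# Constructed sample data: the shape yaml.safe_load() returns for views.view.*.yml,
# reduced to the keys the check needs.
SAMPLE_VIEWS = [
    {
        "id": "content",
        "status": True,
        "display": {
            "default": {"display_options": {"access": {"type": "perm", "options": {"perm": "access content"}}}},
            # No 'access' key: this display inherits the default display's setting.
            "page_1": {"display_options": {"path": "admin/content"}},
        },
    },
    {
        "id": "public_feed",
        "status": True,
        "display": {
            "default": {"display_options": {"access": {"type": "none"}}},
            # Overrides the default with a permission check.
            "feed_1": {"display_options": {"access": {"type": "perm", "options": {"perm": "access content"}}}},
            # Inherits 'none' from default: unprotected, but carries no setting itself.
            "page_1": {"display_options": {}},
        },
    },
    {
        # Disabled view: skipped, exactly as the module's check skips it.
        "id": "old_report",
        "status": False,
        "display": {"default": {"display_options": {"access": {"type": "none"}}}},
    },
]


def unprotected_displays(views, resolve_inheritance=False):
    """Return {view_id: [display_id, ...]} for enabled views whose displays have access type 'none'.

    resolve_inheritance=False reports exactly what ViewsAccess::run() reports: displays
    that themselves carry access.type == 'none'. resolve_inheritance=True also resolves
    displays without an 'access' option against the view's 'default' display.
    """
    findings = {}
    for view in views:
        if not view.get("status"):
            continue
        displays = view.get("display", {})
        default_access = displays.get("default", {}).get("display_options", {}).get("access")
        for display_id, display in displays.items():
            access = display.get("display_options", {}).get("access")
            if access is None and resolve_inheritance:
                access = default_access
            if access is not None and access.get("type") == "none":
                findings.setdefault(view["id"], []).append(display_id)
    return findings


def load_exported_views(config_dir):
    """Load every views.view.*.yml from a config sync directory (requires PyYAML)."""
    import yaml  # imported here so the in-memory check works without PyYAML installed
    return [yaml.safe_load(p.read_text()) for p in sorted(Path(config_dir).glob("views.view.*.yml"))]


if __name__ == "__main__":
    # Swap SAMPLE_VIEWS for load_exported_views("config/sync") to audit a real export.
    for view_id, display_ids in unprotected_displays(SAMPLE_VIEWS, resolve_inheritance=True).items():
        print(f"{view_id}: {', '.join(display_ids)}")
```

On the constructed sample, the module-equivalent mode reports only public_feed's default display; with inheritance resolved it also reports public_feed's page_1, which is the display a visitor actually reaches. Fixing the finding means giving the default display (or each overriding display) an access type other than 'none', at minimum a 'perm' check for 'access content', as the check's help text recommends.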

Members

| Name | Modifiers | Type | Description | Overrides |
| --- | --- | --- | --- | --- |
| Check::$config | protected | property | The configuration storage for this check. | |
| Check::$container | protected | property | The service container. | |
| Check::$settings | protected | property | Settings handler for this check. | |
| Check::$state | protected | property | The State system. | |
| Check::$statePrefix | protected | property | The check's prefix in the State system. | |
| Check::checklist | protected | function | Returns the Security Review Checklist service. | |
| Check::configFactory | protected | function | Returns the Config factory. | |
| Check::container | protected | function | Returns the service container. | |
| Check::createResult | public | function | Creates a new CheckResult for this Check. | |
| Check::currentUser | protected | function | Returns the current Drupal user. | |
| Check::database | protected | function | Returns the database connection. | |
| Check::enable | public | function | Enables the check. Has no effect if the check was not skipped. | |
| Check::entityTypeManager | protected | function | Returns the entity type manager. | |
| Check::getMachineNamespace | public | function | Returns the namespace of the check. | |
| Check::getMachineTitle | public | function | Returns the machine name of the check. | 5 |
| Check::id | final public | function | Returns the identifier constructed using the namespace and title values. | |
| Check::isSkipped | public | function | Returns whether the check is skipped. Checks are not skipped by default. | |
| Check::kernel | protected | function | Returns the Drupal Kernel. | |
| Check::lastResult | public | function | Returns the last stored result of the check. | |
| Check::lastRun | public | function | Returns the timestamp the check was last run. | |
| Check::moduleHandler | protected | function | Returns the module handler. | |
| Check::runCli | public | function | Same as run(), but used in CLI context such as Drush. | 2 |
| Check::security | protected | function | Returns the Security Review Security service. | |
| Check::securityReview | protected | function | Returns the Security Review service. | |
| Check::settings | public | function | Returns the check-specific settings' handler. | |
| Check::skip | public | function | Marks the check as skipped. | |
| Check::skippedBy | public | function | Returns the user the check was skipped by. | |
| Check::skippedOn | public | function | Returns the timestamp the check was last skipped on. | |
| Check::storeResult | public | function | Stores a result in the state system. | |
| Check::storesFindings | public | function | Returns whether the findings should be stored or reproduced when needed. | 2 |
| Check::__construct | public | function | Initializes the configuration storage and the settings handler. | 2 |
| DependencySerializationTrait::$_entityStorages | protected | property | An array of entity type IDs keyed by the property name of their storages. | |
| DependencySerializationTrait::$_serviceIds | protected | property | An array of service IDs keyed by property name used for serialization. | |
| DependencySerializationTrait::__sleep | public | function | | 1 |
| DependencySerializationTrait::__wakeup | public | function | | 2 |
| StringTranslationTrait::$stringTranslation | protected | property | The string translation service. | 1 |
| StringTranslationTrait::formatPlural | protected | function | Formats a string containing a count of items. | |
| StringTranslationTrait::getNumberOfPlurals | protected | function | Returns the number of plurals supported by a given language. | |
| StringTranslationTrait::getStringTranslation | protected | function | Gets the string translation service. | |
| StringTranslationTrait::setStringTranslation | public | function | Sets the string translation service to use. | 2 |
| StringTranslationTrait::t | protected | function | Translates a string to the current language or to a given language. | |
| ViewsAccess::evaluate | public | function | Returns the evaluation page of a result. | Overrides Check::evaluate |
| ViewsAccess::evaluatePlain | public | function | Evaluates a CheckResult and returns a plaintext output. | Overrides Check::evaluatePlain |
| ViewsAccess::getMessage | public | function | Converts a result integer to a human-readable result message. | Overrides Check::getMessage |
| ViewsAccess::getNamespace | public | function | Returns the namespace of the check. | Overrides Check::getNamespace |
| ViewsAccess::getTitle | public | function | Returns the human-readable title of the check. | Overrides Check::getTitle |
| ViewsAccess::help | public | function | Returns the check-specific help page. | Overrides Check::help |
| ViewsAccess::run | public | function | The actual procedure of carrying out the check. | Overrides Check::run |