class ViewsAccess in Security Review 8
Checks for Views that do not check access.
Hierarchy
- class \Drupal\security_review\Check uses DependencySerializationTrait, StringTranslationTrait
- class \Drupal\security_review\Checks\ViewsAccess
Expanded class hierarchy of ViewsAccess
1 file declares its use of ViewsAccess
- security_review.module in ./
security_review.module - Site security review and reporting Drupal module.
File
- src/
Checks/ ViewsAccess.php, line 13
Namespace
Drupal\security_review\ChecksView source
class ViewsAccess extends Check {
/**
* {@inheritdoc}
*/
public function getNamespace() {
return 'Security Review';
}
/**
* {@inheritdoc}
*/
public function getTitle() {
return 'Views access';
}
/**
* {@inheritdoc}
*/
public function run() {
// If views is not enabled return with INFO.
if (!$this
->moduleHandler()
->moduleExists('views')) {
return $this
->createResult(CheckResult::INFO);
}
$result = CheckResult::SUCCESS;
$findings = [];
$views = View::loadMultiple();
/** @var View[] $views */
// Iterate through views and their displays.
foreach ($views as $view) {
if ($view
->status()) {
foreach ($view
->get('display') as $display_name => $display) {
$access =& $display['display_options']['access'];
if (isset($access) && $access['type'] == 'none') {
// Access is not controlled for this display.
$findings[$view
->id()][] = $display_name;
}
}
}
}
if (!empty($findings)) {
$result = CheckResult::FAIL;
}
return $this
->createResult($result, $findings);
}
/**
* {@inheritdoc}
*/
public function help() {
$paragraphs = [];
$paragraphs[] = $this
->t("Views can check if the user is allowed access to the content. It is recommended that all Views implement some amount of access control, at a minimum checking for the permission 'access content'.");
return [
'#theme' => 'check_help',
'#title' => $this
->t('Views access'),
'#paragraphs' => $paragraphs,
];
}
/**
* {@inheritdoc}
*/
public function evaluate(CheckResult $result) {
$findings = $result
->findings();
if (empty($findings)) {
return [];
}
$paragraphs = [];
$paragraphs[] = $this
->t('The following View displays do not check access.');
$items = [];
foreach ($findings as $view_id => $displays) {
$view = View::load($view_id);
/** @var View $view */
foreach ($displays as $display) {
$items[] = Link::createFromRoute($view
->label() . ': ' . $display, 'entity.view.edit_display_form', [
'view' => $view_id,
'display_id' => $display,
]);
}
}
return [
'#theme' => 'check_evaluation',
'#paragraphs' => $paragraphs,
'#items' => $items,
];
}
/**
* {@inheritdoc}
*/
public function evaluatePlain(CheckResult $result) {
$findings = $result
->findings();
if (empty($findings)) {
return '';
}
$output = $this
->t('Views without access check:') . ":\n";
foreach ($findings as $view_id => $displays) {
$output .= "\t" . $view_id . ": " . implode(', ', $displays) . "\n";
}
return $output;
}
/**
* {@inheritdoc}
*/
public function getMessage($result_const) {
switch ($result_const) {
case CheckResult::SUCCESS:
return $this
->t('Views are access controlled.');
case CheckResult::FAIL:
return $this
->t('There are Views that do not provide any access checks.');
case CheckResult::INFO:
return $this
->t('Module views is not enabled.');
default:
return $this
->t('Unexpected result.');
}
}
}Members
Name |
Modifiers | Type | Description | Overrides |
|---|---|---|---|---|
|
Check:: |
protected | property | The configuration storage for this check. | |
|
Check:: |
protected | property | The service container. | |
|
Check:: |
protected | property | Settings handler for this check. | |
|
Check:: |
protected | property | The State system. | |
|
Check:: |
protected | property | The check's prefix in the State system. | |
|
Check:: |
protected | function | Returns the Security Review Checklist service. | |
|
Check:: |
protected | function | Returns the Config factory. | |
|
Check:: |
protected | function | Returns the service container. | |
|
Check:: |
public | function | Creates a new CheckResult for this Check. | |
|
Check:: |
protected | function | Returns the current Drupal user. | |
|
Check:: |
protected | function | Returns the database connection. | |
|
Check:: |
public | function | Enables the check. Has no effect if the check was not skipped. | |
|
Check:: |
protected | function | Returns the entity type manager. | |
|
Check:: |
public | function | Returns the namespace of the check. | |
|
Check:: |
public | function | Returns the machine name of the check. | 5 |
|
Check:: |
final public | function | Returns the identifier constructed using the namespace and title values. | |
|
Check:: |
public | function | Returns whether the check is skipped. Checks are not skipped by default. | |
|
Check:: |
protected | function | Returns the Drupal Kernel. | |
|
Check:: |
public | function | Returns the last stored result of the check. | |
|
Check:: |
public | function | Returns the timestamp the check was last run. | |
|
Check:: |
protected | function | Returns the module handler. | |
|
Check:: |
public | function | Same as run(), but used in CLI context such as Drush. | 2 |
|
Check:: |
protected | function | Returns the Security Review Security service. | |
|
Check:: |
protected | function | Returns the Security Review service. | |
|
Check:: |
public | function | Returns the check-specific settings' handler. | |
|
Check:: |
public | function | Marks the check as skipped. | |
|
Check:: |
public | function | Returns the user the check was skipped by. | |
|
Check:: |
public | function | Returns the timestamp the check was last skipped on. | |
|
Check:: |
public | function | Stores a result in the state system. | |
|
Check:: |
public | function | Returns whether the findings should be stored or reproduced when needed. | 2 |
|
Check:: |
public | function | Initializes the configuration storage and the settings handler. | 2 |
|
DependencySerializationTrait:: |
protected | property | An array of entity type IDs keyed by the property name of their storages. | |
|
DependencySerializationTrait:: |
protected | property | An array of service IDs keyed by property name used for serialization. | |
|
DependencySerializationTrait:: |
public | function | 1 | |
|
DependencySerializationTrait:: |
public | function | 2 | |
|
StringTranslationTrait:: |
protected | property | The string translation service. | 1 |
|
StringTranslationTrait:: |
protected | function | Formats a string containing a count of items. | |
|
StringTranslationTrait:: |
protected | function | Returns the number of plurals supported by a given language. | |
|
StringTranslationTrait:: |
protected | function | Gets the string translation service. | |
|
StringTranslationTrait:: |
public | function | Sets the string translation service to use. | 2 |
|
StringTranslationTrait:: |
protected | function | Translates a string to the current language or to a given language. | |
|
ViewsAccess:: |
public | function |
Returns the evaluation page of a result. Overrides Check:: |
|
|
ViewsAccess:: |
public | function |
Evaluates a CheckResult and returns a plaintext output. Overrides Check:: |
|
|
ViewsAccess:: |
public | function |
Converts a result integer to a human-readable result message. Overrides Check:: |
|
|
ViewsAccess:: |
public | function |
Returns the namespace of the check. Overrides Check:: |
|
|
ViewsAccess:: |
public | function |
Returns the human-readable title of the check. Overrides Check:: |
|
|
ViewsAccess:: |
public | function |
Returns the check-specific help page. Overrides Check:: |
|
|
ViewsAccess:: |
public | function |
The actual procedure of carrying out the check. Overrides Check:: |