
function services_views_insecure_view_displays_report in Services Views 7

Page callback for the Insecure View Displays Report.

1 string reference to 'services_views_insecure_view_displays_report'
services_views_menu in ./services_views.module
Implements hook_menu().

File

./services_views.module, line 473
Provides a generic but powerful API for web services.

Code

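/**
 * Page callback: builds the Insecure View Displays report.
 *
 * Walks every view returned by views_get_enabled_views() and lists the
 * displays whose stored access options have the type 'none', i.e. displays
 * that carry no access restriction of their own.
 *
 * NOTE(review): only the access options stored on each display object are
 * inspected. A display that has no 'access' entry of its own (for example
 * because it presumably inherits the setting from another display) is not
 * listed. Confirm how Views resolves the effective access plugin before
 * treating an empty report as proof that no display is unrestricted.
 *
 * @return array
 *   A render array with two elements: 'header', a warning message, and
 *   'table', a themed table with one row per affected view, keyed and sorted
 *   by view machine name.
 */
function services_views_insecure_view_displays_report() {
  $rows = array();
  foreach (views_get_enabled_views() as $view_name => $view) {
    $displays = array();
    foreach ($view->display as $display) {
      // isset() also covers an 'access' entry that lacks a 'type' key, and the
      // strict comparison keeps non-string values (such as 0 on older PHP
      // versions) from loosely matching 'none'.
      if (isset($display->display_options['access']['type']) && $display->display_options['access']['type'] === 'none') {
        // Display titles are site-editable text that ends up inside table
        // markup, so they are escaped before being joined.
        $displays[] = check_plain($display->display_title);
      }
    }
    if (!empty($displays)) {
      // Fall back to the machine name so the row still has a clickable label
      // when a view has no human-readable name.
      $label = !empty($view->human_name) ? $view->human_name : $view_name;
      $rows[$view_name] = array(
        // l() escapes its link text itself unless the 'html' option is set;
        // wrapping the label in check_plain() first would double-escape it
        // (e.g. "&" rendered as "&amp;amp;").
        'view' => l($label, "admin/structure/views/view/{$view_name}"),
        'displays' => implode(', ', $displays),
      );
    }
  }
  // Present the affected views in a stable order, by machine name.
  ksort($rows);
  return array(
    'header' => array(
      // The message is a t() source string and is kept verbatim so existing
      // translations continue to match.
      '#markup' => "<div class='messages warning'>" . t('This report contains all the views displays that currently have their access property set to "none". This, coupled with the Services Views "views: retrieve" resource can potentially unintentionally leak information because certain view display types (such as block and panel pane displays) do not have a direct route to the display be default. Additionally, other forms of access control on these view types are typically used via a "wrapping" module. Consider adding an access restriction to each of these displays if possible.') . "</div>",
    ),
    'table' => array(
      '#theme' => 'table',
      '#header' => array(
        t('View'),
        t('Displays'),
      ),
      '#rows' => $rows,
      '#empty' => t('There are no insecure view displays.'),
      '#sticky' => TRUE,
    ),
  );
}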