coregrade/CoreGradeLearning
1
0
Fork 0
Code Issues Pull Requests Releases Activity

first commit

Browse Source
This commit is contained in:
CHIEFSOFT\ameye
2024-09-30 18:11:26 -04:00
commit e592ca6823
27270 changed files with 5002257 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/classes/check/access/defaultuserrole.php
+115
View File
@@ -0,0 +1,115 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
namespace core\check\access;
use core\check\check;
use core\check\result;
/**
* Verifies sanity of default user role.
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class defaultuserrole extends check {
/**
* Get the short check name
*
* @return string
*/
public function get_name(): string {
return get_string('check_defaultuserrole_name', 'report_security');
}
/**
* A link to a place to action this
*
* @return \action_link|null
*/
public function get_action_link(): ?\action_link {
global $CFG, $DB;
$defaultrole = $DB->get_record('role', ['id' => $CFG->defaultuserroleid]);
return new \action_link(
new \moodle_url('/admin/roles/define.php', ['action' => 'view', 'roleid' => $defaultrole->id]),
get_string('definitionofrolex', 'core_role', role_get_name($defaultrole))
);
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $DB, $CFG;
$details = '';
if (!$defaultrole = $DB->get_record('role', ['id' => $CFG->defaultuserroleid])) {
$status = result::WARNING;
$summary = get_string('check_defaultuserrole_notset', 'report_security');
return new result($status, $summary, $details);
}
// Risky caps - usually very dangerous.
$sql = "SELECT rc.id, rc.contextid, rc.capability
FROM {role_capabilities} rc
JOIN {capabilities} cap ON cap.name = rc.capability
WHERE " . $DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS)) . " <> 0
AND rc.permission = :capallow
AND rc.roleid = :roleid";
$riskyresults = $DB->get_records_sql($sql, [
'capallow' => CAP_ALLOW,
'roleid' => $defaultrole->id,
]);
// If automatic approval is disabled, then the requestdelete capability is not risky.
if (!get_config('tool_dataprivacy', 'automaticdatadeletionapproval')) {
$riskyresults = array_filter($riskyresults, function ($object) {
return $object->capability !== 'tool/dataprivacy:requestdelete';
});
}
// Count the number of unique contexts that have risky caps.
$riskycount = count(array_unique(array_column($riskyresults, 'contextid')));
// It may have either none or 'user' archetype - nothing else, or else it would break during upgrades badly.
if ($defaultrole->archetype === '' or $defaultrole->archetype === 'user') {
$legacyok = true;
} else {
$legacyok = false;
}
if ($riskycount or !$legacyok) {
$status = result::CRITICAL;
$summary = get_string('check_defaultuserrole_error', 'report_security', role_get_name($defaultrole));
} else {
$status = result::OK;
$summary = get_string('check_defaultuserrole_ok', 'report_security');
}
$details = get_string('check_defaultuserrole_details', 'report_security');
return new result($status, $summary, $details);
}
}
lib/classes/check/access/frontpagerole.php
+111
View File
@@ -0,0 +1,111 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies sanity of frontpage role
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies sanity of frontpage role
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class frontpagerole extends check {
/**
* Get the short check name
*
* @return string
*/
public function get_name(): string {
return get_string('check_frontpagerole_name', 'report_security');
}
/**
* A link to a place to action this
*
* @return \action_link|null
*/
public function get_action_link(): ?\action_link {
return new \action_link(
new \moodle_url('/admin/settings.php?section=frontpagesettings#admin-defaultfrontpageroleid'),
get_string('frontpagesettings', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $DB, $CFG;
if (!$frontpagerole = $DB->get_record('role', array('id' => $CFG->defaultfrontpageroleid))) {
$status = result::INFO;
$summary = get_string('check_frontpagerole_notset', 'report_security');
$details = get_string('check_frontpagerole_details', 'report_security');
return new result($status, $summary, $details);
}
// Risky caps - usually very dangerous.
$sql = "SELECT COUNT(DISTINCT rc.contextid)
FROM {role_capabilities} rc
JOIN {capabilities} cap ON cap.name = rc.capability
WHERE " . $DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS)) . " <> 0
AND rc.permission = :capallow
AND rc.roleid = :roleid";
$riskycount = $DB->count_records_sql($sql, [
'capallow' => CAP_ALLOW,
'roleid' => $frontpagerole->id,
]);
// There is no legacy role type for frontpage yet - anyway we can not allow teachers or admins there!
if ($frontpagerole->archetype === 'teacher' or $frontpagerole->archetype === 'editingteacher'
or $frontpagerole->archetype === 'coursecreator' or $frontpagerole->archetype === 'manager') {
$legacyok = false;
} else {
$legacyok = true;
}
if ($riskycount or !$legacyok) {
$status = result::CRITICAL;
$summary = get_string('check_frontpagerole_error', 'report_security', role_get_name($frontpagerole));
} else {
$status = result::OK;
$summary = get_string('check_frontpagerole_ok', 'report_security');
}
$details = get_string('check_frontpagerole_details', 'report_security');
return new result($status, $summary, $details);
}
}
lib/classes/check/access/guestrole.php
+109
View File
@@ -0,0 +1,109 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Verifies sanity of guest role
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Verifies sanity of guest role
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class guestrole extends check {
/**
* Get the short check name
*
* @return string
*/
public function get_name(): string {
return get_string('check_guestrole_name', 'report_security');
}
/**
* A link to a place to action this
*
* @return \action_link|null
*/
public function get_action_link(): ?\action_link {
return new \action_link(
new \moodle_url('/admin/settings.php?section=userpolicies'),
get_string('userpolicies', 'admin'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $DB, $CFG;
if (!$guestrole = $DB->get_record('role', ['id' => $CFG->guestroleid])) {
$status = result::WARNING;
$summary = get_string('check_guestrole_notset', 'report_security');
return new result($status, $summary);
}
// Risky caps - usually very dangerous.
$sql = "SELECT COUNT(DISTINCT rc.contextid)
FROM {role_capabilities} rc
JOIN {capabilities} cap ON cap.name = rc.capability
WHERE " . $DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS)) . " <> 0
AND rc.permission = :capallow
AND rc.roleid = :roleid";
$riskycount = $DB->count_records_sql($sql, [
'capallow' => CAP_ALLOW,
'roleid' => $guestrole->id,
]);
// It may have either no or 'guest' archetype - nothing else, or else it would break during upgrades badly.
if ($guestrole->archetype === '' or $guestrole->archetype === 'guest') {
$legacyok = true;
} else {
$legacyok = false;
}
if ($riskycount or !$legacyok) {
$status = result::CRITICAL;
$summary = get_string('check_guestrole_error', 'report_security', format_string($guestrole->name));
} else {
$status = result::OK;
$summary = get_string('check_guestrole_ok', 'report_security');
}
$details = get_string('check_guestrole_details', 'report_security');
return new result($status, $summary, $details);
}
}
lib/classes/check/access/riskadmin.php
+91
View File
@@ -0,0 +1,91 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lists all admins.
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Lists all admins.
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class riskadmin extends check {
/**
* Get the short check name
*
* @return string
*/
public function get_name(): string {
return get_string('check_riskadmin_name', 'report_security');
}
/**
* A link to a place to action this
*
* @return \action_link|null
*/
public function get_action_link(): ?\action_link {
return new \action_link(
new \moodle_url('/admin/roles/admins.php'),
get_string('siteadministrators', 'role'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
global $DB, $CFG;
$userfieldsapi = \core_user\fields::for_userpic();
$userfields = $userfieldsapi->get_sql('u', false, '', '', false)->selects;
$sql = "SELECT $userfields
FROM {user} u
WHERE u.id IN ($CFG->siteadmins)";
$admins = $DB->get_records_sql($sql);
$admincount = count($admins);
foreach ($admins as $uid => $user) {
$url = "$CFG->wwwroot/user/view.php?id=$user->id";
$link = \html_writer::link($url, fullname($user, true) . ' (' . s($user->email) . ')');
$admins[$uid] = \html_writer::tag('li' , $link);
}
$admins = \html_writer::tag('ul', implode('', $admins));
$status = result::INFO;
$summary = get_string('check_riskadmin_ok', 'report_security', $admincount);
$details = get_string('check_riskadmin_detailsok', 'report_security', $admins);
return new result($status, $summary, $details);
}
}
lib/classes/check/access/riskbackup.php
+69
View File
@@ -0,0 +1,69 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lists all roles that have the ability to backup user data, as well as users
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\check;
use core\check\result;
/**
* Lists all roles that have the ability to backup user data, as well as users
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class riskbackup extends check {
/**
* Get the short check name
*
* @return string
*/
public function get_name(): string {
return get_string('check_riskbackup_name', 'report_security');
}
/**
* A link to a place to action this
*
* @return \action_link|null
*/
public function get_action_link(): ?\action_link {
return new \action_link(
new \moodle_url('/admin/roles/manage.php'),
get_string('manageroles', 'role'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
return new riskbackup_result();
}
}
lib/classes/check/access/riskbackup_result.php
+201
View File
@@ -0,0 +1,201 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lists all roles that have the ability to backup user data, as well as users
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
use context;
use stdClass;
use core\check\result;
/**
* Lists all roles that have the ability to backup user data, as well as users
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class riskbackup_result extends \core\check\result {
/** @var stdClass[] $systemroles */
private $systemroles;
/** @var stdClass[] $overriddenroles */
private $overriddenroles;
/** @var string $sqluserinfo */
private $sqluserinfo;
/**
* Constructor
*/
public function __construct() {
global $DB;
$syscontext = \context_system::instance();
$params = array('capability' => 'moodle/backup:userinfo', 'permission' => CAP_ALLOW, 'contextid' => $syscontext->id);
$sql = "SELECT DISTINCT r.id, r.name, r.shortname, r.sortorder, r.archetype
FROM {role} r
JOIN {role_capabilities} rc ON rc.roleid = r.id
WHERE rc.capability = :capability
AND rc.contextid = :contextid
AND rc.permission = :permission";
$this->systemroles = $DB->get_records_sql($sql, $params);
// Ensure first field is unique (role.id + role_capabilities.contextid).
$roleidcontextfield = $DB->sql_concat_join("','", ['r.id', 'rc.contextid']);
$params = array('capability' => 'moodle/backup:userinfo', 'permission' => CAP_ALLOW, 'contextid' => $syscontext->id);
$sql = "SELECT DISTINCT {$roleidcontextfield} AS rolecontext, r.id, r.name, r.shortname, r.sortorder, r.archetype,
rc.contextid
FROM {role} r
JOIN {role_capabilities} rc ON rc.roleid = r.id
WHERE rc.capability = :capability
AND rc.contextid <> :contextid
AND rc.permission = :permission";
$this->overriddenroles = $DB->get_records_sql($sql, $params);
// List of users that are able to backup personal info
// note:
// "sc" is context where is role assigned,
// "c" is context where is role overridden or system context if in role definition.
$params = [
'capability' => 'moodle/backup:userinfo',
'permission' => CAP_ALLOW,
'context1' => CONTEXT_COURSE,
'context2' => CONTEXT_COURSE,
];
$this->sqluserinfo = "
FROM (SELECT DISTINCT rcx.contextid,
rcx.roleid
FROM {role_capabilities} rcx
WHERE rcx.permission = :permission
AND rcx.capability = :capability) rc
JOIN {context} c ON c.id = rc.contextid
JOIN {context} sc ON sc.contextlevel <= :context1
JOIN {role_assignments} ra ON ra.contextid = sc.id AND ra.roleid = rc.roleid
JOIN {user} u ON u.id = ra.userid AND u.deleted = 0
WHERE (sc.path = c.path OR
sc.path LIKE " . $DB->sql_concat('c.path', "'/%'") . " OR
c.path LIKE " . $DB->sql_concat('sc.path', "'/%'") . ")
AND c.contextlevel <= :context2";
$usercount = $DB->count_records_sql("SELECT COUNT('x') FROM (SELECT DISTINCT u.id $this->sqluserinfo) userinfo", $params);
$systemrolecount = empty($this->systemroles) ? 0 : count($this->systemroles);
$overriddenrolecount = empty($this->overriddenroles) ? 0 : count($this->overriddenroles);
if (max($usercount, $systemrolecount, $overriddenrolecount) > 0) {
$this->status = result::WARNING;
} else {
$this->status = result::OK;
}
$a = (object)array(
'rolecount' => $systemrolecount,
'overridecount' => $overriddenrolecount,
'usercount' => $usercount,
);
$this->summary = get_string('check_riskbackup_warning', 'report_security', $a);
}
/**
* Showing the full list of roles may be slow so defer it
*
* @return string
*/
public function get_details(): string {
global $CFG, $DB;
$details = '';
// Make a list of roles.
if ($this->systemroles) {
$links = array();
foreach ($this->systemroles as $role) {
$role->name = role_get_name($role);
$role->url = (new \moodle_url('/admin/roles/manage.php', ['action' => 'edit', 'roleid' => $role->id]))->out();
$links[] = \html_writer::tag('li', get_string('check_riskbackup_editrole', 'report_security', $role));
}
$links = \html_writer::tag('ul', implode('', $links));
$details .= get_string('check_riskbackup_details_systemroles', 'report_security', $links);
}
// Make a list of overrides to roles.
if ($this->overriddenroles) {
$links = array();
foreach ($this->overriddenroles as $role) {
$context = context::instance_by_id($role->contextid);
$role->name = role_get_name($role, $context, ROLENAME_BOTH);
$role->contextname = $context->get_context_name();
$role->url = (new \moodle_url('/admin/roles/override.php',
['contextid' => $role->contextid, 'roleid' => $role->id]))->out();
$links[] = \html_writer::tag('li', get_string('check_riskbackup_editoverride', 'report_security', $role));
}
$links = \html_writer::tag('ul', implode('', $links));
$details .= get_string('check_riskbackup_details_overriddenroles', 'report_security', $links);
}
// Get a list of affected users as well.
$users = array();
list($sort, $sortparams) = users_order_by_sql('u');
$params = [
'capability' => 'moodle/backup:userinfo',
'permission' => CAP_ALLOW,
'context1' => CONTEXT_COURSE,
'context2' => CONTEXT_COURSE,
];
$userfieldsapi = \core_user\fields::for_userpic();
$userfields = $userfieldsapi->get_sql('u', false, '', '', false)->selects;
$rs = $DB->get_recordset_sql("
SELECT DISTINCT $userfields,
ra.contextid,
ra.roleid
$this->sqluserinfo
ORDER BY $sort", array_merge($params, $sortparams));
foreach ($rs as $user) {
$context = \context::instance_by_id($user->contextid);
$url = new \moodle_url('/admin/roles/assign.php', ['contextid' => $user->contextid, 'roleid' => $user->roleid]);
$a = (object)array(
'fullname' => fullname($user),
'url' => $url->out(),
'email' => s($user->email),
'contextname' => $context->get_context_name(),
);
$users[] = \html_writer::tag('li', get_string('check_riskbackup_unassign', 'report_security', $a));
}
$rs->close();
if (!empty($users)) {
$users = \html_writer::tag('ul', implode('', $users));
$details .= get_string('check_riskbackup_details_users', 'report_security', $users);
}
return $details;
}
}
lib/classes/check/access/riskxss.php
+76
View File
@@ -0,0 +1,76 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lists all users with XSS risk
*
* It would be great to combine this with risk trusts in user table,
* unfortunately nobody implemented user trust UI yet :-(
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\result;
/**
* Lists all users with XSS risk
*
* It would be great to combine this with risk trusts in user table,
* unfortunately nobody implemented user trust UI yet :-(
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class riskxss extends \core\check\check {
/**
* Get the short check name
*
* @return string
*/
public function get_name(): string {
return get_string('check_riskxss_name', 'report_security');
}
/**
* A link to a place to action this
*
* @return \action_link|null
*/
public function get_action_link(): ?\action_link {
return new \action_link(
new \moodle_url('/admin/roles/manage.php'),
get_string('manageroles', 'role'));
}
/**
* Return result
* @return result
*/
public function get_result(): result {
return new riskxss_result();
}
}
lib/classes/check/access/riskxss_result.php
+112
View File
@@ -0,0 +1,112 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Lists all users with XSS risk
*
* It would be great to combine this with risk trusts in user table,
* unfortunately nobody implemented user trust UI yet :-(
*
* @package core
* @category check
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\check\access;
defined('MOODLE_INTERNAL') || die();
use core\check\result;
/**
* Lists all users with XSS risk
*
* It would be great to combine this with risk trusts in user table,
* unfortunately nobody implemented user trust UI yet :-(
*
* @copyright 2020 Brendan Heywood <brendan@catalyst-au.net>
* @copyright 2008 petr Skoda
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class riskxss_result extends \core\check\result {
/** @var array SQL parameters. */
protected $params = [];
/** @var string SQL statement. */
protected $sqlfrom;
/**
* Constructor
*/
public function __construct() {
global $DB;
$this->params = array('capallow' => CAP_ALLOW);
$this->sqlfrom = "FROM (SELECT DISTINCT rcx.contextid, rcx.roleid
FROM {role_capabilities} rcx
JOIN {capabilities} cap ON (cap.name = rcx.capability AND
" . $DB->sql_bitand('cap.riskbitmask', RISK_XSS) . " <> 0)
WHERE rcx.permission = :capallow) rc,
{context} c,
{context} sc,
{role_assignments} ra,
{user} u
WHERE c.id = rc.contextid
AND (sc.path = c.path OR
sc.path LIKE " . $DB->sql_concat('c.path', "'/%'") . " OR
c.path LIKE " . $DB->sql_concat('sc.path', "'/%'") . ")
AND u.id = ra.userid AND u.deleted = 0
AND ra.contextid = sc.id
AND ra.roleid = rc.roleid";
$count = $DB->count_records_sql("SELECT COUNT(DISTINCT u.id) $this->sqlfrom", $this->params);
if ($count == 0) {
$this->status = result::OK;
} else {
$this->status = result::WARNING;
}
$this->summary = get_string('check_riskxss_warning', 'report_security', $count);
}
/**
* Showing the full list of user may be slow so defer it
*
* @return string
*/
public function get_details(): string {
global $CFG, $DB;
$userfieldsapi = \core_user\fields::for_userpic();
$userfields = $userfieldsapi->get_sql('u', false, '', '', false)->selects;
$users = $DB->get_records_sql("SELECT DISTINCT $userfields $this->sqlfrom", $this->params);
foreach ($users as $uid => $user) {
$url = "$CFG->wwwroot/user/view.php?id=$user->id";
$link = \html_writer::link($url, fullname($user, true) . ' (' . s($user->email) . ')');
$users[$uid] = \html_writer::tag('li' , $link);
}
$users = \html_writer::tag('ul', implode('', $users));
return get_string('check_riskxss_details', 'report_security', $users);
}
}