Search moodle.org's
Developer Documentation
Developer Documentation
- Bug fixes for general core bugs in 3.10.x will end 8 November 2021 (12 months).
- Bug fixes for security issues in 3.10.x will end 9 May 2022 (18 months).
- PHP version: minimum PHP 7.2.0 Note: minimum PHP version has increased since Moodle 3.8. PHP 7.3.x and 7.4.x are supported too.
/lib/classes/check/access/ -> riskxss_result.php (source)
Differences Between: [Versions 310 and 311] [Versions 310 and 400] [Versions 310 and 401] [Versions 310 and 402] [Versions 310 and 403]
1 <?php 2 // This file is part of Moodle - http://moodle.org/ 3 // 4 // Moodle is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // Moodle is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License 15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>. 16 17 /** 18 * Lists all users with XSS risk 19 * 20 * It would be great to combine this with risk trusts in user table, 21 * unfortunately nobody implemented user trust UI yet :-( 22 * 23 * @package core 24 * @category check 25 * @copyright 2020 Brendan Heywood <brendan@catalyst-au.net> 26 * @copyright 2008 petr Skoda 27 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 28 */ 29 30 namespace core\check\access; 31 32 defined('MOODLE_INTERNAL') || die(); 33 34 use core\check\result; 35 36 /** 37 * Lists all users with XSS risk 38 * 39 * It would be great to combine this with risk trusts in user table, 40 * unfortunately nobody implemented user trust UI yet :-( 41 * 42 * @copyright 2020 Brendan Heywood <brendan@catalyst-au.net> 43 * @copyright 2008 petr Skoda 44 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 45 */ 46 class riskxss_result extends \core\check\result { 47 48 /** 49 * Constructor 50 */ 51 public function __construct() { 52 53 global $DB; 54 $this->params = array('capallow' => CAP_ALLOW); 55 $this->sqlfrom = "FROM (SELECT DISTINCT rcx.contextid, rcx.roleid 56 FROM {role_capabilities} rcx 57 JOIN {capabilities} cap ON (cap.name = rcx.capability AND 58 " . $DB->sql_bitand('cap.riskbitmask', RISK_XSS) . " <> 0) 59 WHERE rcx.permission = :capallow) rc, 60 {context} c, 61 {context} sc, 62 {role_assignments} ra, 63 {user} u 64 WHERE c.id = rc.contextid 65 AND (sc.path = c.path OR 66 sc.path LIKE " . $DB->sql_concat('c.path', "'/%'") . " OR 67 c.path LIKE " . $DB->sql_concat('sc.path', "'/%'") . ") 68 AND u.id = ra.userid AND u.deleted = 0 69 AND ra.contextid = sc.id 70 AND ra.roleid = rc.roleid"; 71 72 $count = $DB->count_records_sql("SELECT COUNT(DISTINCT u.id) $this->sqlfrom", $this->params); 73 74 if ($count == 0) { 75 $this->status = result::OK; 76 } else { 77 $this->status = result::WARNING; 78 } 79 80 $this->summary = get_string('check_riskxss_warning', 'report_security', $count); 81 82 } 83 84 /** 85 * Showing the full list of user may be slow so defer it 86 * 87 * @return string 88 */ 89 public function get_details(): string { 90 91 global $CFG, $DB; 92 93 $userfields = \user_picture::fields('u'); 94 $users = $DB->get_records_sql("SELECT DISTINCT $userfields $this->sqlfrom", $this->params); 95 foreach ($users as $uid => $user) { 96 $url = "$CFG->wwwroot/user/view.php?id=$user->id"; 97 $link = \html_writer::link($url, fullname($user, true) . ' (' . s($user->email) . ')'); 98 $users[$uid] = \html_writer::tag('li' , $link); 99 } 100 $users = \html_writer::tag('ul', implode('', $users)); 101 102 return get_string('check_riskxss_details', 'report_security', $users); 103 } 104 } 105
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
