Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

  • Bug fixes for general core bugs in 3.9.x will end* 10 May 2021 (12 months).
  • Bug fixes for security issues in 3.9.x will end* 8 May 2023 (36 months).
  • PHP version: minimum PHP 7.2.0 Note: minimum PHP version has increased since Moodle 3.8. PHP 7.3.x and 7.4.x are supported too.

Differences Between: [Versions 39 and 401] [Versions 39 and 402] [Versions 39 and 403]

   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * Verifies sanity of default user role.
  19   *
  20   * @package    core
  21   * @category   check
  22   * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
  23   * @copyright  2008 petr Skoda
  24   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  25   */
  26  
  27  namespace core\check\access;
  28  
  29  defined('MOODLE_INTERNAL') || die();
  30  
  31  use core\check\check;
  32  use core\check\result;
  33  
  34  /**
  35   * Verifies sanity of default user role.
  36   *
  37   * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
  38   * @copyright  2008 petr Skoda
  39   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  40   */
  41  class defaultuserrole extends check {
  42  
  43      /**
  44       * Get the short check name
  45       *
  46       * @return string
  47       */
  48      public function get_name(): string {
  49          return get_string('check_defaultuserrole_name', 'report_security');
  50      }
  51  
  52      /**
  53       * A link to a place to action this
  54       *
  55       * @return action_link|null
  56       */
  57      public function get_action_link(): ?\action_link {
  58          global $CFG;
  59          return new \action_link(
  60              new \moodle_url('/admin/roles/define.php?action=view&roleid=' . $CFG->defaultuserroleid),
  61              get_string('userpolicies', 'admin'));
  62      }
  63  
  64      /**
  65       * Return result
  66       * @return result
  67       */
  68      public function get_result(): result {
  69          global $DB, $CFG;
  70          $details = '';
  71  
  72          if (!$defaultrole = $DB->get_record('role', ['id' => $CFG->defaultuserroleid])) {
  73              $status  = result::WARNING;
  74              $summary = get_string('check_defaultuserrole_notset', 'report_security');
  75              return new result($status, $summary, $details);
  76          }
  77  
  78          // Risky caps - usually very dangerous.
  79          $sql = "SELECT COUNT(DISTINCT rc.contextid)
  80                    FROM {role_capabilities} rc
  81                    JOIN {capabilities} cap ON cap.name = rc.capability
  82                   WHERE " . $DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS)) . " <> 0
  83                     AND rc.permission = :capallow
  84                     AND rc.roleid = :roleid";
  85  
  86          $riskycount = $DB->count_records_sql($sql, [
  87              'capallow' => CAP_ALLOW,
  88              'roleid' => $defaultrole->id,
  89          ]);
  90  
  91          // It may have either none or 'user' archetype - nothing else, or else it would break during upgrades badly.
  92          if ($defaultrole->archetype === '' or $defaultrole->archetype === 'user') {
  93              $legacyok = true;
  94          } else {
  95              $legacyok = false;
  96          }
  97  
  98          if ($riskycount or !$legacyok) {
  99              $status = result::CRITICAL;
 100              $summary = get_string('check_defaultuserrole_error', 'report_security', role_get_name($defaultrole));
 101  
 102          } else {
 103              $status = result::OK;
 104              $summary = get_string('check_defaultuserrole_ok', 'report_security');
 105          }
 106  
 107          $details = get_string('check_defaultuserrole_details', 'report_security');
 108          return new result($status, $summary, $details);
 109      }
 110  }
 111