Differences Between: [Versions 310 and 400] [Versions 39 and 400] [Versions 400 and 402] [Versions 400 and 403]
1 <?php 2 // This file is part of Moodle - http://moodle.org/ 3 // 4 // Moodle is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // Moodle is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License 15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>. 16 17 /** 18 * Lists all users with XSS risk 19 * 20 * It would be great to combine this with risk trusts in user table, 21 * unfortunately nobody implemented user trust UI yet :-( 22 * 23 * @package core 24 * @category check 25 * @copyright 2020 Brendan Heywood <brendan@catalyst-au.net> 26 * @copyright 2008 petr Skoda 27 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 28 */ 29 30 namespace core\check\access; 31 32 defined('MOODLE_INTERNAL') || die(); 33 34 use core\check\result; 35 36 /** 37 * Lists all users with XSS risk 38 * 39 * It would be great to combine this with risk trusts in user table, 40 * unfortunately nobody implemented user trust UI yet :-( 41 * 42 * @copyright 2020 Brendan Heywood <brendan@catalyst-au.net> 43 * @copyright 2008 petr Skoda 44 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 45 */ 46 class riskxss_result extends \core\check\result { 47 48 /** 49 * Constructor 50 */ 51 public function __construct() { 52 53 global $DB; 54 $this->params = array('capallow' => CAP_ALLOW); 55 $this->sqlfrom = "FROM (SELECT DISTINCT rcx.contextid, rcx.roleid 56 FROM {role_capabilities} rcx 57 JOIN {capabilities} cap ON (cap.name = rcx.capability AND 58 " . $DB->sql_bitand('cap.riskbitmask', RISK_XSS) . " <> 0) 59 WHERE rcx.permission = :capallow) rc, 60 {context} c, 61 {context} sc, 62 {role_assignments} ra, 63 {user} u 64 WHERE c.id = rc.contextid 65 AND (sc.path = c.path OR 66 sc.path LIKE " . $DB->sql_concat('c.path', "'/%'") . " OR 67 c.path LIKE " . $DB->sql_concat('sc.path', "'/%'") . ") 68 AND u.id = ra.userid AND u.deleted = 0 69 AND ra.contextid = sc.id 70 AND ra.roleid = rc.roleid"; 71 72 $count = $DB->count_records_sql("SELECT COUNT(DISTINCT u.id) $this->sqlfrom", $this->params); 73 74 if ($count == 0) { 75 $this->status = result::OK; 76 } else { 77 $this->status = result::WARNING; 78 } 79 80 $this->summary = get_string('check_riskxss_warning', 'report_security', $count); 81 82 } 83 84 /** 85 * Showing the full list of user may be slow so defer it 86 * 87 * @return string 88 */ 89 public function get_details(): string { 90 91 global $CFG, $DB; 92 93 $userfieldsapi = \core_user\fields::for_userpic(); 94 $userfields = $userfieldsapi->get_sql('u', false, '', '', false)->selects; 95 $users = $DB->get_records_sql("SELECT DISTINCT $userfields $this->sqlfrom", $this->params); 96 foreach ($users as $uid => $user) { 97 $url = "$CFG->wwwroot/user/view.php?id=$user->id"; 98 $link = \html_writer::link($url, fullname($user, true) . ' (' . s($user->email) . ')'); 99 $users[$uid] = \html_writer::tag('li' , $link); 100 } 101 $users = \html_writer::tag('ul', implode('', $users)); 102 103 return get_string('check_riskxss_details', 'report_security', $users); 104 } 105 } 106
title
Description
Body
title
Description
Body
title
Description
Body
title
Body