Moodle 4.1 XRef and Diffs

Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.

Moodle 4.1 Database Schema (by Marcus Green)

/lib/classes/check/access/ -> defaultuserrole.php (source)

Differences Between: [Versions 310 and 401] [Versions 311 and 401] [Versions 39 and 401] [Versions 400 and 401] [Versions 401 and 402] [Versions 401 and 403]

   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  namespace core\check\access;
  18  
  19  use core\check\check;
  20  use core\check\result;
  21  
  22  /**
  23   * Verifies sanity of default user role.
  24   *
  25   * @package    core
  26   * @category   check
  27   * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
  28   * @copyright  2008 petr Skoda
  29   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  30   */
  31  class defaultuserrole extends check {
  32  
  33      /**
  34       * Get the short check name
  35       *
  36       * @return string
  37       */
  38      public function get_name(): string {
  39          return get_string('check_defaultuserrole_name', 'report_security');
  40      }
  41  
  42      /**
  43       * A link to a place to action this
  44       *
  45       * @return action_link|null
  46       */
  47      public function get_action_link(): ?\action_link {
  48          global $CFG, $DB;
  49  
  50          $defaultrole = $DB->get_record('role', ['id' => $CFG->defaultuserroleid]);
  51  
  52          return new \action_link(
  53              new \moodle_url('/admin/roles/define.php', ['action' => 'view', 'roleid' => $defaultrole->id]),
  54              get_string('definitionofrolex', 'core_role', role_get_name($defaultrole))
  55          );
  56      }
  57  
  58      /**
  59       * Return result
  60       * @return result
  61       */
  62      public function get_result(): result {
  63          global $DB, $CFG;
  64          $details = '';
  65  
  66          if (!$defaultrole = $DB->get_record('role', ['id' => $CFG->defaultuserroleid])) {
  67              $status  = result::WARNING;
  68              $summary = get_string('check_defaultuserrole_notset', 'report_security');
  69              return new result($status, $summary, $details);
  70          }
  71  
  72          // Risky caps - usually very dangerous.
  73          $sql = "SELECT rc.id, rc.contextid, rc.capability
  74                    FROM {role_capabilities} rc
  75                    JOIN {capabilities} cap ON cap.name = rc.capability
  76                   WHERE " . $DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS)) . " <> 0
  77                     AND rc.permission = :capallow
  78                     AND rc.roleid = :roleid";
  79  
  80          $riskyresults = $DB->get_records_sql($sql, [
  81              'capallow' => CAP_ALLOW,
  82              'roleid' => $defaultrole->id,
  83          ]);
  84  
  85          // If automatic approval is disabled, then the requestdelete capability is not risky.
  86          if (!get_config('tool_dataprivacy', 'automaticdatadeletionapproval')) {
  87              $riskyresults = array_filter($riskyresults, function ($object) {
  88                  return $object->capability !== 'tool/dataprivacy:requestdelete';
  89              });
  90          }
  91  
  92          // Count the number of unique contexts that have risky caps.
  93          $riskycount = count(array_unique(array_column($riskyresults, 'contextid')));
  94  
  95          // It may have either none or 'user' archetype - nothing else, or else it would break during upgrades badly.
  96          if ($defaultrole->archetype === '' or $defaultrole->archetype === 'user') {
  97              $legacyok = true;
  98          } else {
  99              $legacyok = false;
 100          }
 101  
 102          if ($riskycount or !$legacyok) {
 103              $status = result::CRITICAL;
 104              $summary = get_string('check_defaultuserrole_error', 'report_security', role_get_name($defaultrole));
 105  
 106          } else {
 107              $status = result::OK;
 108              $summary = get_string('check_defaultuserrole_ok', 'report_security');
 109          }
 110  
 111          $details = get_string('check_defaultuserrole_details', 'report_security');
 112          return new result($status, $summary, $details);
 113      }
 114  }
 115