Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

  • Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
  • Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
  • PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.

Differences Between: [Versions 401 and 402] [Versions 401 and 403]

   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * Verifies sanity of frontpage role
  19   *
  20   * @package    core
  21   * @category   check
  22   * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
  23   * @copyright  2008 petr Skoda
  24   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  25   */
  26  
  27  namespace core\check\access;
  28  
  29  defined('MOODLE_INTERNAL') || die();
  30  
  31  use core\check\check;
  32  use core\check\result;
  33  
  34  /**
  35   * Verifies sanity of frontpage role
  36   *
  37   * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
  38   * @copyright  2008 petr Skoda
  39   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  40   */
  41  class frontpagerole extends check {
  42  
  43      /**
  44       * Get the short check name
  45       *
  46       * @return string
  47       */
  48      public function get_name(): string {
  49          return get_string('check_frontpagerole_name', 'report_security');
  50      }
  51  
  52      /**
  53       * A link to a place to action this
  54       *
  55       * @return action_link|null
  56       */
  57      public function get_action_link(): ?\action_link {
  58          return new \action_link(
  59              new \moodle_url('/admin/settings.php?section=frontpagesettings#admin-defaultfrontpageroleid'),
  60              get_string('frontpagesettings', 'admin'));
  61      }
  62  
  63      /**
  64       * Return result
  65       * @return result
  66       */
  67      public function get_result(): result {
  68          global $DB, $CFG;
  69  
  70          if (!$frontpagerole = $DB->get_record('role', array('id' => $CFG->defaultfrontpageroleid))) {
  71              $status  = result::INFO;
  72              $summary = get_string('check_frontpagerole_notset', 'report_security');
  73              $details = get_string('check_frontpagerole_details', 'report_security');
  74              return new result($status, $summary, $details);
  75          }
  76  
  77          // Risky caps - usually very dangerous.
  78          $sql = "SELECT COUNT(DISTINCT rc.contextid)
  79                    FROM {role_capabilities} rc
  80                    JOIN {capabilities} cap ON cap.name = rc.capability
  81                   WHERE " . $DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS)) . " <> 0
  82                     AND rc.permission = :capallow
  83                     AND rc.roleid = :roleid";
  84  
  85          $riskycount = $DB->count_records_sql($sql, [
  86              'capallow' => CAP_ALLOW,
  87              'roleid' => $frontpagerole->id,
  88          ]);
  89  
  90          // There is no legacy role type for frontpage yet - anyway we can not allow teachers or admins there!
  91          if ($frontpagerole->archetype === 'teacher' or $frontpagerole->archetype === 'editingteacher'
  92            or $frontpagerole->archetype === 'coursecreator' or $frontpagerole->archetype === 'manager') {
  93              $legacyok = false;
  94          } else {
  95              $legacyok = true;
  96          }
  97  
  98          if ($riskycount or !$legacyok) {
  99              $status  = result::CRITICAL;
 100              $summary = get_string('check_frontpagerole_error', 'report_security', role_get_name($frontpagerole));
 101  
 102          } else {
 103              $status  = result::OK;
 104              $summary = get_string('check_frontpagerole_ok', 'report_security');
 105          }
 106  
 107          $details = get_string('check_frontpagerole_details', 'report_security');
 108          return new result($status, $summary, $details);
 109      }
 110  }
 111