Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

  • Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
  • Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
  • PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.

Differences Between: [Versions 401 and 402] [Versions 401 and 403]

   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * Verifies sanity of guest role
  19   *
  20   * @package    core
  21   * @category   check
  22   * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
  23   * @copyright  2008 petr Skoda
  24   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  25   */
  26  
  27  namespace core\check\access;
  28  
  29  defined('MOODLE_INTERNAL') || die();
  30  
  31  use core\check\check;
  32  use core\check\result;
  33  
  34  /**
  35   * Verifies sanity of guest role
  36   *
  37   * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
  38   * @copyright  2008 petr Skoda
  39   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  40   */
  41  class guestrole extends check {
  42  
  43      /**
  44       * Get the short check name
  45       *
  46       * @return string
  47       */
  48      public function get_name(): string {
  49          return get_string('check_guestrole_name', 'report_security');
  50      }
  51  
  52      /**
  53       * A link to a place to action this
  54       *
  55       * @return action_link|null
  56       */
  57      public function get_action_link(): ?\action_link {
  58          return new \action_link(
  59              new \moodle_url('/admin/settings.php?section=userpolicies'),
  60              get_string('userpolicies', 'admin'));
  61      }
  62  
  63      /**
  64       * Return result
  65       * @return result
  66       */
  67      public function get_result(): result {
  68          global $DB, $CFG;
  69  
  70          if (!$guestrole = $DB->get_record('role', ['id' => $CFG->guestroleid])) {
  71              $status  = result::WARNING;
  72              $summary = get_string('check_guestrole_notset', 'report_security');
  73              return new result($status, $summary);
  74          }
  75  
  76          // Risky caps - usually very dangerous.
  77          $sql = "SELECT COUNT(DISTINCT rc.contextid)
  78                    FROM {role_capabilities} rc
  79                    JOIN {capabilities} cap ON cap.name = rc.capability
  80                   WHERE " . $DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS)) . " <> 0
  81                     AND rc.permission = :capallow
  82                     AND rc.roleid = :roleid";
  83  
  84          $riskycount = $DB->count_records_sql($sql, [
  85              'capallow' => CAP_ALLOW,
  86              'roleid' => $guestrole->id,
  87          ]);
  88  
  89          // It may have either no or 'guest' archetype - nothing else, or else it would break during upgrades badly.
  90          if ($guestrole->archetype === '' or $guestrole->archetype === 'guest') {
  91              $legacyok = true;
  92          } else {
  93              $legacyok = false;
  94          }
  95  
  96          if ($riskycount or !$legacyok) {
  97              $status  = result::CRITICAL;
  98              $summary = get_string('check_guestrole_error', 'report_security', format_string($guestrole->name));
  99  
 100          } else {
 101              $status  = result::OK;
 102              $summary = get_string('check_guestrole_ok', 'report_security');
 103          }
 104  
 105          $details = get_string('check_guestrole_details', 'report_security');
 106          return new result($status, $summary, $details);
 107      }
 108  }
 109