Moodle 4.1 XRef and Diffs

Search moodle.org's
Developer Documentation

See Release Notes
Long Term Support Release

Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.

Moodle 4.1 Database Schema (by Marcus Green)

/lib/classes/check/access/ -> riskxss_result.php (source)

Differences Between: [Versions 310 and 401] [Versions 39 and 401] [Versions 401 and 402] [Versions 401 and 403]

   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * Lists all users with XSS risk
  19   *
  20   * It would be great to combine this with risk trusts in user table,
  21   * unfortunately nobody implemented user trust UI yet :-(
  22   *
  23   * @package    core
  24   * @category   check
  25   * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
  26   * @copyright  2008 petr Skoda
  27   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  28   */
  29  
  30  namespace core\check\access;
  31  
  32  defined('MOODLE_INTERNAL') || die();
  33  
  34  use core\check\result;
  35  
  36  /**
  37   * Lists all users with XSS risk
  38   *
  39   * It would be great to combine this with risk trusts in user table,
  40   * unfortunately nobody implemented user trust UI yet :-(
  41   *
  42   * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
  43   * @copyright  2008 petr Skoda
  44   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  45   */
  46  class riskxss_result extends \core\check\result {
  47  
  48      /**
  49       * Constructor
  50       */
  51      public function __construct() {
  52  
  53          global $DB;
  54          $this->params = array('capallow' => CAP_ALLOW);
  55          $this->sqlfrom = "FROM (SELECT DISTINCT rcx.contextid, rcx.roleid
  56                             FROM {role_capabilities} rcx
  57                             JOIN {capabilities} cap ON (cap.name = rcx.capability AND
  58                                  " . $DB->sql_bitand('cap.riskbitmask', RISK_XSS) . " <> 0)
  59                             WHERE rcx.permission = :capallow) rc,
  60                       {context} c,
  61                       {context} sc,
  62              {role_assignments} ra,
  63                          {user} u
  64                           WHERE c.id = rc.contextid
  65                             AND (sc.path = c.path OR
  66                                  sc.path LIKE " . $DB->sql_concat('c.path', "'/%'") . " OR
  67                                  c.path LIKE " . $DB->sql_concat('sc.path', "'/%'") . ")
  68                             AND u.id = ra.userid AND u.deleted = 0
  69                             AND ra.contextid = sc.id
  70                             AND ra.roleid = rc.roleid";
  71  
  72          $count = $DB->count_records_sql("SELECT COUNT(DISTINCT u.id) $this->sqlfrom", $this->params);
  73  
  74          if ($count == 0) {
  75              $this->status = result::OK;
  76          } else {
  77              $this->status = result::WARNING;
  78          }
  79  
  80          $this->summary = get_string('check_riskxss_warning', 'report_security', $count);
  81  
  82      }
  83  
  84      /**
  85       * Showing the full list of user may be slow so defer it
  86       *
  87       * @return string
  88       */
  89      public function get_details(): string {
  90  
  91          global $CFG, $DB;
  92  
  93          $userfieldsapi = \core_user\fields::for_userpic();
  94          $userfields = $userfieldsapi->get_sql('u', false, '', '', false)->selects;
  95          $users = $DB->get_records_sql("SELECT DISTINCT $userfields $this->sqlfrom", $this->params);
  96          foreach ($users as $uid => $user) {
  97              $url = "$CFG->wwwroot/user/view.php?id=$user->id";
  98              $link = \html_writer::link($url, fullname($user, true) . ' (' . s($user->email) . ')');
  99              $users[$uid] = \html_writer::tag('li' , $link);
 100          }
 101          $users = \html_writer::tag('ul', implode('', $users));
 102  
 103          return get_string('check_riskxss_details', 'report_security', $users);
 104      }
 105  }
 106