
   1  <?php
   2  // This file is part of Moodle - http://moodle.org/
   3  //
   4  // Moodle is free software: you can redistribute it and/or modify
   5  // it under the terms of the GNU General Public License as published by
   6  // the Free Software Foundation, either version 3 of the License, or
   7  // (at your option) any later version.
   8  //
   9  // Moodle is distributed in the hope that it will be useful,
  10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  // GNU General Public License for more details.
  13  //
  14  // You should have received a copy of the GNU General Public License
  15  // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16  
  17  /**
  18   * Lists all users with XSS risk
  19   *
  20   * It would be great to combine this with risk trusts in user table,
  21   * unfortunately nobody implemented user trust UI yet :-(
  22   *
  23   * @package    core
  24   * @category   check
  25   * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
  26   * @copyright  2008 petr Skoda
  27   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  28   */
  29  
  30  namespace core\check\access;
  31  
// Abort unless MOODLE_INTERNAL is defined, i.e. unless the file was loaded
// through Moodle rather than requested directly (the constant is expected to be
// set by Moodle's bootstrap; this guard is the project's standard form).
defined('MOODLE_INTERNAL') || die();
  33  
  34  use core\check\result;
  35  
  36  /**
  37   * Lists all users with XSS risk
  38   *
  39   * It would be great to combine this with risk trusts in user table,
  40   * unfortunately nobody implemented user trust UI yet :-(
  41   *
  42   * @copyright  2020 Brendan Heywood <brendan@catalyst-au.net>
  43   * @copyright  2008 petr Skoda
  44   * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  45   */
  46  class riskxss_result extends \core\check\result {
  47  
  48      /**
  49       * Constructor
  50       */
  51      public function __construct() {
  52  
  53          global $DB;
  54          $this->params = array('capallow' => CAP_ALLOW);
  55          $this->sqlfrom = "FROM (SELECT DISTINCT rcx.contextid, rcx.roleid
  56                             FROM {role_capabilities} rcx
  57                             JOIN {capabilities} cap ON (cap.name = rcx.capability AND
  58                                  " . $DB->sql_bitand('cap.riskbitmask', RISK_XSS) . " <> 0)
  59                             WHERE rcx.permission = :capallow) rc,
  60                       {context} c,
  61                       {context} sc,
  62              {role_assignments} ra,
  63                          {user} u
  64                           WHERE c.id = rc.contextid
  65                             AND (sc.path = c.path OR
  66                                  sc.path LIKE " . $DB->sql_concat('c.path', "'/%'") . " OR
  67                                  c.path LIKE " . $DB->sql_concat('sc.path', "'/%'") . ")
  68                             AND u.id = ra.userid AND u.deleted = 0
  69                             AND ra.contextid = sc.id
  70                             AND ra.roleid = rc.roleid";
  71  
  72          $count = $DB->count_records_sql("SELECT COUNT(DISTINCT u.id) $this->sqlfrom", $this->params);
  73  
  74          if ($count == 0) {
  75              $this->status = result::OK;
  76          } else {
  77              $this->status = result::WARNING;
  78          }
  79  
  80          $this->summary = get_string('check_riskxss_warning', 'report_security', $count);
  81  
  82      }
  83  
  84      /**
  85       * Showing the full list of user may be slow so defer it
  86       *
  87       * @return string
  88       */
  89      public function get_details(): string {
  90  
  91          global $CFG, $DB;
  92  
  93          $userfieldsapi = \core_user\fields::for_userpic();
  94          $userfields = $userfieldsapi->get_sql('u', false, '', '', false)->selects;
  95          $users = $DB->get_records_sql("SELECT DISTINCT $userfields $this->sqlfrom", $this->params);
  96          foreach ($users as $uid => $user) {
  97              $url = "$CFG->wwwroot/user/view.php?id=$user->id";
  98              $link = \html_writer::link($url, fullname($user, true) . ' (' . s($user->email) . ')');
  99              $users[$uid] = \html_writer::tag('li' , $link);
 100          }
 101          $users = \html_writer::tag('ul', implode('', $users));
 102  
 103          return get_string('check_riskxss_details', 'report_security', $users);
 104      }
 105  }