Search moodle.org's
Developer Documentation
Developer Documentation
- Bug fixes for general core bugs in 4.3.x will end 7 October 2024 (12 months).
- Bug fixes for security issues in 4.3.x will end 21 April 2025 (18 months).
- PHP version: minimum PHP 8.0.0 Note: minimum PHP version has increased since Moodle 4.1. PHP 8.2.x is supported too.
/lib/classes/check/access/ -> riskxss_result.php (source)
Differences Between: [Versions 310 and 403] [Versions 311 and 403] [Versions 39 and 403] [Versions 400 and 403] [Versions 401 and 403]
1 <?php 2 // This file is part of Moodle - http://moodle.org/ 3 // 4 // Moodle is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // Moodle is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License 15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>. 16 17 /** 18 * Lists all users with XSS risk 19 * 20 * It would be great to combine this with risk trusts in user table, 21 * unfortunately nobody implemented user trust UI yet :-( 22 * 23 * @package core 24 * @category check 25 * @copyright 2020 Brendan Heywood <brendan@catalyst-au.net> 26 * @copyright 2008 petr Skoda 27 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 28 */ 29 30 namespace core\check\access; 31 32 defined('MOODLE_INTERNAL') || die(); 33 34 use core\check\result; 35 36 /** 37 * Lists all users with XSS risk 38 * 39 * It would be great to combine this with risk trusts in user table, 40 * unfortunately nobody implemented user trust UI yet :-( 41 * 42 * @copyright 2020 Brendan Heywood <brendan@catalyst-au.net> 43 * @copyright 2008 petr Skoda 44 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 45 */ 46 class riskxss_result extends \core\check\result { 47 48 /** @var array SQL parameters. */ 49 protected $params = []; 50 51 /** @var string SQL statement. */ 52 protected $sqlfrom; 53 54 /** 55 * Constructor 56 */ 57 public function __construct() { 58 59 global $DB; 60 $this->params = array('capallow' => CAP_ALLOW); 61 $this->sqlfrom = "FROM (SELECT DISTINCT rcx.contextid, rcx.roleid 62 FROM {role_capabilities} rcx 63 JOIN {capabilities} cap ON (cap.name = rcx.capability AND 64 " . $DB->sql_bitand('cap.riskbitmask', RISK_XSS) . " <> 0) 65 WHERE rcx.permission = :capallow) rc, 66 {context} c, 67 {context} sc, 68 {role_assignments} ra, 69 {user} u 70 WHERE c.id = rc.contextid 71 AND (sc.path = c.path OR 72 sc.path LIKE " . $DB->sql_concat('c.path', "'/%'") . " OR 73 c.path LIKE " . $DB->sql_concat('sc.path', "'/%'") . ") 74 AND u.id = ra.userid AND u.deleted = 0 75 AND ra.contextid = sc.id 76 AND ra.roleid = rc.roleid"; 77 78 $count = $DB->count_records_sql("SELECT COUNT(DISTINCT u.id) $this->sqlfrom", $this->params); 79 80 if ($count == 0) { 81 $this->status = result::OK; 82 } else { 83 $this->status = result::WARNING; 84 } 85 86 $this->summary = get_string('check_riskxss_warning', 'report_security', $count); 87 88 } 89 90 /** 91 * Showing the full list of user may be slow so defer it 92 * 93 * @return string 94 */ 95 public function get_details(): string { 96 97 global $CFG, $DB; 98 99 $userfieldsapi = \core_user\fields::for_userpic(); 100 $userfields = $userfieldsapi->get_sql('u', false, '', '', false)->selects; 101 $users = $DB->get_records_sql("SELECT DISTINCT $userfields $this->sqlfrom", $this->params); 102 foreach ($users as $uid => $user) { 103 $url = "$CFG->wwwroot/user/view.php?id=$user->id"; 104 $link = \html_writer::link($url, fullname($user, true) . ' (' . s($user->email) . ')'); 105 $users[$uid] = \html_writer::tag('li' , $link); 106 } 107 $users = \html_writer::tag('ul', implode('', $users)); 108 109 return get_string('check_riskxss_details', 'report_security', $users); 110 } 111 } 112
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
