mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-01-18 05:58:34 +01:00
Code Issues Projects Releases Wiki Activity

Merge branch 'MDL-67852_MOODLE_401_NEW' of https://github.com/aydevworks/moodle into MOODLE_401_STABLE

Browse Source
This commit is contained in:
Ilya Tregubov 2023-07-11 11:12:16 +08:00
commit c057bc092d
No known key found for this signature in database
GPG Key ID: 0F58186F748E55C1
2 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/classes/check/access/defaultuserrole.php
View File

@ -76,18 +76,28 @@ class defaultuserrole extends check {
}
// Risky caps - usually very dangerous.
$sql = "SELECT COUNT(DISTINCT rc.contextid)
$sql = "SELECT rc.contextid, rc.capability
FROM {role_capabilities} rc
JOIN {capabilities} cap ON cap.name = rc.capability
WHERE " . $DB->sql_bitand('cap.riskbitmask', (RISK_XSS | RISK_CONFIG | RISK_DATALOSS)) . " <> 0
AND rc.permission = :capallow
AND rc.roleid = :roleid";
$riskycount = $DB->count_records_sql($sql, [
$riskyresults = $DB->get_records_sql($sql, [
'capallow' => CAP_ALLOW,
'roleid' => $defaultrole->id,
]);
// If automatic approval is disabled, then the requestdelete capability is not risky.
if (!get_config('tool_dataprivacy', 'automaticdatadeletionapproval')) {
$riskyresults = array_filter($riskyresults, function ($object) {
return $object->capability !== 'tool/dataprivacy:requestdelete';
});
}
// Count the number of unique contexts that have risky caps.
$riskycount = count(array_unique(array_column($riskyresults, 'contextid')));
// It may have either none or 'user' archetype - nothing else, or else it would break during upgrades badly.
if ($defaultrole->archetype === '' or $defaultrole->archetype === 'user') {
$legacyok = true;

3
report/security/lang/en/report_security.php
View File

@ -36,7 +36,8 @@ $string['check_cookiesecure_http'] = 'You must turn on https in order to use sec
$string['check_cookiesecure_name'] = 'Secure cookies';
$string['check_cookiesecure_ok'] = 'Secure cookies enabled.';
$string['check_defaultuserrole_details'] = '<p>All logged in users are given capabilities of the default user role. Please make sure no risky capabilities are allowed in this role.</p>
<p>The only supported legacy type for the default user role is <em>Authenticated user</em>. The course view capability must not be enabled.</p>';
<p>The only supported legacy type for the default user role is <em>Authenticated user</em>. The course view capability must not be enabled.</p>
<p>Please check if the automatic data deletion request approval(tool_dataprivacy | automaticdatadeletionapproval) option is enabled. Users can request deletions that could delete large amounts of data.</p>';
$string['check_defaultuserrole_error'] = 'The default user role "{$a}" is incorrectly defined!';
$string['check_defaultuserrole_name'] = 'Default role for all users';
$string['check_defaultuserrole_notset'] = 'Default role is not set.';