diff --git a/admin/report/security/lib.php b/admin/report/security/lib.php
index 2909fe4319c..19bcd4b7376 100644
--- a/admin/report/security/lib.php
+++ b/admin/report/security/lib.php
@@ -992,7 +992,7 @@ function report_security_check_courserole($detailed=false) {
 * @return object result
 */
 function report_security_check_riskadmin($detailed=false) {
- global $DB;
+ global $DB, $CFG;
 $result = new object();
 $result->issue = 'report_security_check_riskadmin';
@@ -1004,7 +1004,7 @@ function report_security_check_riskadmin($detailed=false) {
 $params = array('doanything'=>'moodle/site:doanything', 'syscontextid'=>SYSCONTEXTID, 'capallow'=>CAP_ALLOW);
- $sql = "SELECT DISTINCT u.id, u.firstname, u.lastname, u.picture, u.imagealt
+ $sql = "SELECT DISTINCT u.id, u.firstname, u.lastname, u.picture, u.imagealt, u.email FROM {role_capabilities} rc JOIN {role_assignments} ra ON (ra.contextid = rc.contextid AND ra.roleid = rc.roleid) JOIN {user} u ON u.id = ra.userid
@@ -1014,8 +1014,10 @@ function report_security_check_riskadmin($detailed=false) {
 AND rc.contextid = :syscontextid";
 $admins = $DB->get_records_sql($sql, $params);
+ $admincount = count($admins);
- $sqlfrom = "FROM (SELECT rcx.*
+ $sqlunsup = "SELECT u.id, u.firstname, u.lastname, u.picture, u.imagealt, u.email, ra.contextid, ra.roleid
+ FROM (SELECT rcx.*
 FROM {role_capabilities} rcx WHERE rcx.capability = :doanything AND rcx.permission = :capallow) rc, {context} c,
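Review bot: The new `$sqlunsup` query in the third hunk is introduced without a comment saying what an "unsupported" assignment is, and the condition that defines it (`ra.contextid <> :syscontextid`) only appears in the following hunk; a one-liner above it such as `// Users granted moodle/site:doanything through a role assigned in any context other than the system context.` would let a reader understand the count without tracing the whole query. The accompanying `$admincount = count($admins);` assumes `$DB->get_records_sql()` returns an array; if it can ever return `false` for an empty result, `count()` reports 1 rather than 0 (and throws a TypeError on PHP 8), so `$admincount = $admins ? count($admins) : 0;` is the safer form. Both queries now also select `u.email`, presumably for the detailed listing; that is fine for an admin-only report, but it is worth a line in the function docblock noting that the detailed output includes addresses. report_security_check_riskadmin continues outside this hunk.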
@@ -1025,37 +1027,42 @@ function report_security_check_riskadmin($detailed=false) {
 WHERE c.id = rc.contextid AND (sc.path = c.path OR sc.path LIKE ".$DB->sql_concat('c.path', "'/%'")." OR c.path LIKE ".$DB->sql_concat('sc.path', "'/%'").") AND u.id = ra.userid AND u.deleted = 0
- AND ra.contextid = sc.id AND ra.roleid = rc.roleid AND ra.contextid <> :syscontextid";
+ AND ra.contextid = sc.id AND ra.roleid = rc.roleid AND ra.contextid <> :syscontextid
+ GROUP BY u.id, u.firstname, u.lastname, u.picture, u.imagealt, u.email, ra.contextid, ra.roleid
+ ORDER BY u.lastname, u.firstname";
- $count = $DB->count_records_sql("SELECT COUNT(DISTINCT u.id) $sqlfrom", $params);
+ $unsupcount = $DB->count_records_sql("SELECT COUNT('x') FROM ($sqlunsup) unsup", $params);
- if (!$count) {
+ if ($detailed) {
+ foreach ($admins as $uid=>$user) {
+ $url = "$CFG->wwwroot/user/view.php?id=$user->id";
+ $admins[$uid] = '
Please verify the following list of administrators:
$a
';
-$string['check_riskadmin_detailswarning'] = 'Please verify the following list of administrators:
$a->admins
-It is recommended to assign administrator role in system context only. Following users have unsupported admin role assignments:
$a->unsupported
';
+$string['check_riskadmin_detailsok'] = 'Please verify the following list of system administrators:
$a';
+$string['check_riskadmin_detailswarning'] = 'Please verify the following list of system administrators:
$a->admins
+It is recommended to assign administrator role in system context only. Following users have unsupported admin role assignments:
$a->unsupported'; $string['check_riskadmin_name'] = 'Administrators'; $string['check_riskadmin_ok'] = 'Found $a server administrator(s).'; $string['check_riskadmin_warning'] = 'Found $a->admincount server administrators and $a->unsupcount unsupported admin role assignments.';