CRM-15928 - Display warning if `remote_profile_submissions` is enabled
authorTim Otten <totten@civicrm.org>
Tue, 30 Aug 2016 03:32:12 +0000 (20:32 -0700)
committerTim Otten <totten@civicrm.org>
Tue, 30 Aug 2016 04:18:52 +0000 (21:18 -0700)
CRM/Utils/Check/Component/Security.php

index 19e7f66183d65037b768383845e674d14299e029..b1e13148a42c438f0f3e75cfb0f835495190d881 100644 (file)
@@ -256,6 +256,28 @@ class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component {
     return $messages;
   }
 
+  /**
+   * Discourage use of remote profile forms.
+   */
+  public function checkRemoteProfile() {
+    $messages = array();
+
+    if (Civi::settings()->get('remote_profile_submissions')) {
+      $messages[] = new CRM_Utils_Check_Message(
+        __FUNCTION__,
+        ts('Warning: External profile support (aka "HTML Snippet" support) is enabled in <a href="%1">system settings</a>. This setting may be prone to abuse. If you must retain it, consider HTTP throttling or other protections.',
+          array(1 => CRM_Utils_System::url('civicrm/admin/setting/misc', 'reset=1'))
+        ),
+        ts('Remote Profiles Enabled'),
+        \Psr\Log\LogLevel::WARNING,
+        'fa-lock'
+      );
+    }
+
+    return $messages;
+  }
+
+
   /**
    * Check that the sysadmin has not modified the Cxn
    * security setup.
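Review bot: The docblock on `checkRemoteProfile()` says only "Discourage use of remote profile forms", so neither the return contract nor the reason the setting is discouraged is recorded next to the check. I would add a `@return array` line described as `CRM_Utils_Check_Message objects; empty when remote_profile_submissions is off`, plus one sentence naming the exposure. Presumably the exposure is that profile forms then accept posts originating from other sites, which should be confirmed against CRM-15928 before it is written down. The admin-facing string has the same gap: "may be prone to abuse" does not tell the operator what kind of traffic to look for, and its leading "Warning:" repeats what `\Psr\Log\LogLevel::WARNING` already conveys. The two consecutive blank lines after the method's closing brace could be reduced to one.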