security/core#111 Add in Status check for if Anonymous Users have edit contributions...

diff --git a/CRM/Utils/Check/Component/Security.php b/CRM/Utils/Check/Component/Security.php
index 2036e1b01526df32c86235f65445f484726116a4..16d64596684335cc8016ad83a41580af99b34999 100644 (file)
--- a/CRM/Utils/Check/Component/Security.php
+++ b/CRM/Utils/Check/Component/Security.php
@@ -292,6 +292,33 @@ class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component {
     return $messages;
   }
 
+  /**
+   * Check to see if anonymous user has edit contributions permission
+   * @return CRM_Utils_Check_Message[]
+   */
+  public function checkAnonEditContribution() {
+    $messages = [];
+    $permissions = [];
+    if (CRM_Core_Config::singleton()->userPermissionClass->check('edit contributions', 0)) {
+      $permissions[] = 'edit contributions';
+    }
+    if (CRM_Core_Config::singleton()->userPermissionClass->check('access CiviContribute', 0)) {
+      $permissions[] = 'access CiviContribute';
+    }
+    if (!empty($permissions)) {
+      $messages[] = new CRM_Utils_Check_Message(
+        __FUNCTION__,
+        ts('Anonymous users have permissions (%1). This may cause leakage of information in regards to recurring contributions.', [
+          1 => implode(', ', $permissions),
+        ]),
+        ts('Security Warning'),
+        \Psr\Log\LogLevel::WARNING,
+        'fa-lock'
+      );
+    }
+    return $messages;
+  }
+
   /**
    * Determine whether $url is a public, browsable listing for $dir
    *