}
/**
- * Check to see if anonymous user has edit contributions permission
+ * Check to see if anonymous user has excessive permissions.
* @return CRM_Utils_Check_Message[]
*/
- public function checkAnonEditContribution() {
+ public function checkAnonPermissions() {
$messages = [];
$permissions = [];
- if (CRM_Core_Config::singleton()->userPermissionClass->check('edit contributions', 0)) {
- $permissions[] = 'edit contributions';
- }
- if (CRM_Core_Config::singleton()->userPermissionClass->check('access CiviContribute', 0)) {
- $permissions[] = 'access CiviContribute';
+ // These specific permissions were referenced in a security submission.
+ // This functionality is generally useful -- may be good to expand to a longer list.
+ $checkPerms = ['access CiviContribute', 'edit contributions'];
+ foreach ($checkPerms as $checkPerm) {
+ if (CRM_Core_Config::singleton()->userPermissionClass->check($checkPerm, 0)) {
+ $permissions[] = $checkPerm;
+ }
}
if (!empty($permissions)) {
$messages[] = new CRM_Utils_Check_Message(
__FUNCTION__,
- ts('Anonymous users have permissions (%1). This may cause leakage of information in regards to recurring contributions.', [
- 1 => implode(', ', $permissions),
+ ts('The system configuration grants anonymous users an <em>unusually broad</em> list of permissions. This could compromise security. Please reassess whether these permissions are required: %1', [
+ 1 => '<ul><li><tt>' . implode('</tt></li><li><tt>', $permissions) . '</tt></li></ul>',
]),
- ts('Security Warning'),
+ ts('Unusual Permissions for Anonymous Users'),
\Psr\Log\LogLevel::WARNING,
'fa-lock'
);
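Review bot: The permission names are concatenated into `<li><tt>` markup on the `1 =>` line without HTML-escaping, and the message is evidently rendered as HTML, since the `ts()` text itself carries `<em>`. That is safe only while `$checkPerms` stays the literal two-item list. The comment above it anticipates a longer list, so escaping at the point of output would keep this check safe if names ever come from extensions or configuration: `1 => '<ul><li><tt>' . implode('</tt></li><li><tt>', array_map('htmlspecialchars', $permissions)) . '</tt></li></ul>',`. Separately, renaming the method changes the `__FUNCTION__` value passed as the first constructor argument, so if that value serves as the message's identifier, anything stored against `checkAnonEditContribution` would stop matching; this is worth confirming. The function body continues past the end of the hunk.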