From: Seamus Lee
Date: Wed, 16 Mar 2022 08:33:54 +0000 (-0700)
Subject: security/core#111 Add in Status check for if Anonymous Users have edit contributions...
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=7b3dcbb099351891872744e8f75ea74ad21f031c;p=civicrm-core.git
security/core#111 Add in Status check for if Anonymous Users have edit contributions and or access CiviContribute Permissions
---
diff --git a/CRM/Utils/Check/Component/Security.php b/CRM/Utils/Check/Component/Security.php
index e6ce5a0709..8a35354d4a 100644
--- a/CRM/Utils/Check/Component/Security.php
+++ b/CRM/Utils/Check/Component/Security.php
@@ -292,6 +292,33 @@ class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component {
 return $messages;
 }
+ /**
+ * Check to see if anonymous user has edit contributions permission
+ * @return CRM_Utils_Check_Message[]
+ */
+ public function checkAnonEditContribution() {
+ $messages = [];
+ $permissions = [];
+ if (CRM_Core_Config::singleton()->userPermissionClass->check('edit contributions', 0)) {
+ $permissions[] = 'edit contributions';
+ }
+ if (CRM_Core_Config::singleton()->userPermissionClass->check('access CiviContribute', 0)) {
+ $permissions[] = 'access CiviContribute';
+ }
+ if (!empty($permissions)) {
+ $messages[] = new CRM_Utils_Check_Message(
+ __FUNCTION__,
+ ts('Anonymous users have permissions (%1). This may cause leakage of information in regards to recurring contributions.', [
+ 1 => implode(', ', $permissions),
+ ]),
+ ts('Security Warning'),
+ \Psr\Log\LogLevel::WARNING,
+ 'fa-lock'
+ );
+ }
+ return $messages;
+ }
+
 /**
 * Determine whether $url is a public, browsable listing for $dir
 *
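Review bot: The docblock on the new checkAnonEditContribution() describes only 'edit contributions', while the body also flags 'access CiviContribute'; suggest `* Check whether the anonymous user (user id 0) holds 'edit contributions' or 'access CiviContribute'.` so the summary matches what is reported. The two lookups repeat `CRM_Core_Config::singleton()->userPermissionClass`; resolving it once and filtering a list of permission names (below) removes the duplication and makes adding a further permission a one-element change. The warning text speaks only of information leakage, but 'edit contributions' is a write permission, so the message could state that anonymous users can modify contribution records as well, and WARNING may be a low level for that case — presumably a deliberate choice, worth confirming. Whether passing `0` as the user id denotes the anonymous user for every CMS permission class cannot be seen from this hunk.
```php
  public function checkAnonEditContribution() {
    $messages = [];
    $permissionClass = CRM_Core_Config::singleton()->userPermissionClass;
    // Permissions the anonymous user (id 0) should never hold; keep only those actually granted.
    $permissions = array_filter(['edit contributions', 'access CiviContribute'], function ($permission) use ($permissionClass) {
      return $permissionClass->check($permission, 0);
    });
    // … unchanged: CRM_Utils_Check_Message construction and return …
```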