From 56bab8392a5485e9b2817e8e5ed86f2a5abd6c9f Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Wed, 16 Mar 2022 02:27:19 -0700
Subject: [PATCH] (security/core#111) Refine prose/naming

---
 CRM/Utils/Check/Component/Security.php | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/CRM/Utils/Check/Component/Security.php b/CRM/Utils/Check/Component/Security.php
index 8a35354d4a..da8735e78a 100644
--- a/CRM/Utils/Check/Component/Security.php
+++ b/CRM/Utils/Check/Component/Security.php
@@ -293,25 +293,27 @@ class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component {
 }
 
 /**
- * Check to see if anonymous user has edit contributions permission
+ * Check to see if anonymous user has excessive permissions.
 * @return CRM_Utils_Check_Message[]
 */
-public function checkAnonEditContribution() {
+public function checkAnonPermissions() {
 $messages = [];
 $permissions = [];
-if (CRM_Core_Config::singleton()->userPermissionClass->check('edit contributions', 0)) {
-$permissions[] = 'edit contributions';
-}
-if (CRM_Core_Config::singleton()->userPermissionClass->check('access CiviContribute', 0)) {
-$permissions[] = 'access CiviContribute';
+// These specific permissions were referenced in a security submission.
+// This functionality is generally useful -- may be good to expand to a longer list.
+$checkPerms = ['access CiviContribute', 'edit contributions'];
+foreach ($checkPerms as $checkPerm) {
+if (CRM_Core_Config::singleton()->userPermissionClass->check($checkPerm, 0)) {
+$permissions[] = $checkPerm;
+}
 }
 if (!empty($permissions)) {
 $messages[] = new CRM_Utils_Check_Message(
 __FUNCTION__,
-ts('Anonymous users have permissions (%1). This may cause leakage of information in regards to recurring contributions.', [
-1 => implode(', ', $permissions),
+ts('The system configuration grants anonymous users an unusually broad list of permissions. This could compromise security. Please reassess whether these permissions are required: %1', [
+1 => '',
 ]),
-ts('Security Warning'),
+ts('Unusual Permissions for Anonymous Users'),
 \Psr\Log\LogLevel::WARNING,
 'fa-lock'
 );
-- 
2.25.1
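Review bot: The new message text ends with `required: %1` but the substitution on the following added line is `1 => ''`, so the administrator is never told which permissions anonymous users actually hold, whereas the removed line passed `implode(', ', $permissions)`; unless a follow-up commit renders the list elsewhere, keep `1 => implode(', ', $permissions),` so the warning stays actionable (the values come from the hard-coded `$checkPerms` list, not user input, so no escaping is needed). The method is also renamed, and because the message is keyed by `__FUNCTION__`, any status-preference entry that hid this check under the old name `checkAnonEditContribution` will presumably no longer match and the warning will resurface on upgraded sites — worth stating in the commit description if that is intended. As a minor style point, `CRM_Core_Config::singleton()->userPermissionClass` could be hoisted into a local before the `foreach` rather than re-resolved on every iteration. The body of checkAnonPermissions continues past the end of the hunk.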