$endpoint) { $resources = services_get_resources($endpoint_name); $requirements['services_views_' . $endpoint_name] = array( 'title' => 'Services Views: ' . $endpoint->name, 'value' => t('Views Endpoint Disabled'), 'description' => t('The views endpoint is disabled, therefore there is no security risk.'), 'severity' => REQUIREMENT_OK, ); // Check to see if we are using the views resource endpoint. if (!empty($resources['views']['endpoint']) && $resources['views']['endpoint']['operations']['retrieve']['enabled']) { $requirements['services_views_' . $endpoint_name]['value'] = t('Views Endpoint Enabled'); $requirements['services_views_' . $endpoint_name]['description'] = t('The views resource is enabled, but there are no displays without access control.'); if (empty($insecure_views[$endpoint_name])) { $insecure_views[$endpoint_name] = array(); } // If we are, run a report of all the views displays that do not have // access control. $prefix = 'services_views_' . $endpoint_name; $whitelist = variable_get($prefix . '_white_list', 0); $listed_views = variable_get($prefix . "_view_displays", array()); foreach (views_get_enabled_views() as $view_name => $view) { foreach ($view->display as $view_display_name => $display) { $listed_view_key = $view_name . '|' . $view_display_name; if ((($whitelist && !empty($listed_views[$listed_view_key])) || (!$whitelist && empty($listed_views[$listed_view_key]))) && !empty($display->display_options) && !empty($display->display_options['access']) && $display->display_options['access']['type'] == 'none') { if (empty($insecure_views[$endpoint_name][$view_name])) { $insecure_views[$endpoint_name][$view_name] = array(); } $insecure_views[$endpoint_name][$view_name][] = $view_display_name; } } } if (!empty($insecure_views[$endpoint_name])) { $requirements['services_views_' . $endpoint_name]['description'] = t( "The views resource is enabled and there @views with insecure displays exposed via this endpoint. Manage the views resource settings or view a list of insecure views. Its preferred that you use single Services type displays to limit the accessibility of information on your site.", array( '@views' => format_plural(count($insecure_views[$endpoint_name]), 'is 1 view', 'are @count views'), '@url' => url('admin/structure/services/list/' . $endpoint_name . '/view_resource'), '@url2' => url('admin/reports/insecure-view-displays'), ) ); $requirements['services_views_' . $endpoint_name]['severity'] = REQUIREMENT_ERROR; } } } } return $requirements; }