D7 Anon Content Policy

Policy/contentOwnedByUser0.policy.yml

@@ -0,0 +1,19 @@
+title: "Content Owned By Drupal's Anonymous User"
+class: \Drutiny\Plugin\Drupal7\Audit\ContentOwnedByUserID
+name: Drupal-7:ContentOwnedByAnonymous
+tags:
+  - Drupal 7
+description: |
+  Content owned by a user that is not expected can pose a security risk whereby untrusted users might 
+  be able to include malicious code in content. If the unexpected user is "Anonymous", this could 
+  mean any site visitor could present a risk if they entered malicious code into content.
+
+  This policy identifies if there are nodes owned by Drupal's Anonymous User.
+remediation: |
+  Assess whether or not there is a legitimate reason that nodes should be owned by Drupal's Anonymous User on the site.
+  If not, assign the appropriate owner to the content.
+success: No nodes are owned by Drupal's Anonymous User.
+failure: Drupal's Anonymous User owns {{totalnodes}} nodes.
+parameters:
+  uid:
+    default: 0

src/Audit/ContentOwnedByUserID.php

@@ -0,0 +1,42 @@
+<?php
+
+namespace Drutiny\Plugin\Drupal7\Audit;
+
+use Drutiny\Audit;
+use Drutiny\Sandbox\Sandbox;
+use Drutiny\AuditResponse\AuditResponse;
+use Drutiny\Annotation\Param;
+
+/**
+ * Content Owned By Drupal's Anonymous User
+ * @Param(
+ *  name = "uid",
+ *  description = "UID to check content ownership against.",
+ *  type = "integer"
+ * )
+*/
+class ContentOwnedByUserID extends Audit {
+
+  /**
+   * @inheritdoc
+   */
+  public function audit(Sandbox $sandbox) {
+    $uid = $sandbox->getParameter('uid', 0);
+    $sandbox->setParameter('UID', $uid);
+
+    $output = $sandbox->drush()->evaluate(function ($uid) {
+      $query = new EntityFieldQuery();
+      return count($query->entityCondition("entity_type", "node")->propertyCondition("uid", $uid)->execute()["node"]);
+    }, ['uid' => $uid]);
+
+    if (empty($output)) {
+      return TRUE;
+    }
+
+    // Set the value for total nodes
+    $sandbox->setParameter('totalnodes', $output);
+
+    return Audit::FAIL;
+  }
+
+}