From b975fdea1f2746e5f13a3d42c49b3d853522665f Mon Sep 17 00:00:00 2001
From: Dan Ashcom
Date: Fri, 20 Apr 2018 13:32:19 -0700
Subject: [PATCH] D7 Anon Content Policy
---
Policy/contentOwnedByUser0.policy.yml | 19 ++++++++++++
src/Audit/ContentOwnedByUserID.php | 42 +++++++++++++++++++++++++++
2 files changed, 61 insertions(+)
create mode 100644 Policy/contentOwnedByUser0.policy.yml
create mode 100644 src/Audit/ContentOwnedByUserID.php
diff --git a/Policy/contentOwnedByUser0.policy.yml b/Policy/contentOwnedByUser0.policy.yml
new file mode 100644
index 0000000..198ca3d
--- /dev/null
+++ b/Policy/contentOwnedByUser0.policy.yml
@@ -0,0 +1,19 @@
+title: "Content Owned By Drupal's Anonymous User"
+class: \Drutiny\Plugin\Drupal7\Audit\ContentOwnedByUserID
+name: Drupal-7:ContentOwnedByAnonymous
+tags:
+ - Drupal 7
+description: |
+ Content owned by a user that is not expected can pose a security risk whereby untrusted users might
+ be able to include malicious code in content. If the unexpected user is "Anonymous", this could
+ mean any site visitor could present a risk if they entered malicious code into content.
+
+ This policy identifies if there are nodes owned by Drupal's Anonymous User.
+remediation: |
+ Assess whether or not there is a legitimate reason that nodes should be owned by Drupal's Anonymous User on the site.
+ If not, assign the appropriate owner to the content.
+success: No nodes are owned by Drupal's Anonymous User.
+failure: Drupal's Anonymous User owns {{totalnodes}} nodes.
+parameters:
+ uid:
+ default: 0
diff --git a/src/Audit/ContentOwnedByUserID.php b/src/Audit/ContentOwnedByUserID.php
new file mode 100644
index 0000000..0a1a043
--- /dev/null
+++ b/src/Audit/ContentOwnedByUserID.php
@@ -0,0 +1,42 @@
+getParameter('uid', 0);
+ $sandbox->setParameter('UID', $uid);
+
+ $output = $sandbox->drush()->evaluate(function ($uid) {
+ $query = new EntityFieldQuery();
+ return count($query->entityCondition("entity_type", "node")->propertyCondition("uid", $uid)->execute()["node"]);
+ }, ['uid' => $uid]);
+
+ if (empty($output)) {
+ return TRUE;
+ }
+
+ // Set the value for total nodes
+ $sandbox->setParameter('totalnodes', $output);
+
+ return Audit::FAIL;
+ }
+
+}
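Review bot: The closure passed to `evaluate()` indexes `execute()["node"]` directly, but EntityFieldQuery returns an empty array when nothing matches, so on the passing path this reads an undefined index and calls `count()` on NULL, which raises a notice and a warning on PHP 7.2+ and a TypeError on PHP 8. Let the query do the counting instead: `return (int) $query->entityCondition("entity_type", "node")->propertyCondition("uid", $uid)->count()->execute();`, which also avoids pulling every matching node ID back just to count them. Separately, `if (empty($output)) { return TRUE; }` cannot tell a zero count from a missing or failed drush result, so the audit appears to pass when the remote evaluation did not produce a number; check `is_numeric($output)` first and return a non-success outcome otherwise. The opening of the file and of this method is not visible on this page, so the surrounding declarations could not be reviewed.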