upstream/icingadb-web
1
0
Fork 0
mirror of https://github.com/Icinga/icingadb-web.git synced 2026-05-28 04:36:06 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

ObjectAuthorization: Bail early if a role denies a permission

Browse source 
fixes #515
This commit is contained in:
Johannes Meyer 2022-03-30 14:15:20 +02:00
parent 45f2f2aa2f
commit 005193442c
1 changed files with 6 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
library/Icingadb/Authentication/ObjectAuthorization.php
View file

@ -240,16 +240,17 @@ class ObjectAuthorization
return false;
}
$granted = false;
foreach ($this->getAuth()->getUser()->getRoles() as $role) {
if (! $role->grants($permission) || $role->denies($permission)) {
if ($role->denies($permission)) {
return false;
} elseif ($granted || ! $role->grants($permission)) {
continue;
}
if (in_array($role->getName(), $roles, true)) {
return true;
}
$granted = in_array($role->getName(), $roles, true);
}
return false;
return $granted;
}
}