From 005193442cc457b41777ff1d5765e10f30f4e478 Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Wed, 30 Mar 2022 14:15:20 +0200
Subject: [PATCH] ObjectAuthorization: Bail early if a role denies a permission

fixes #515
---
 .../Icingadb/Authentication/ObjectAuthorization.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/library/Icingadb/Authentication/ObjectAuthorization.php b/library/Icingadb/Authentication/ObjectAuthorization.php
index 5cbbd672..ea72d800 100644
--- a/library/Icingadb/Authentication/ObjectAuthorization.php
+++ b/library/Icingadb/Authentication/ObjectAuthorization.php
@@ -240,16 +240,17 @@ class ObjectAuthorization
             return false;
         }
 
+        $granted = false;
         foreach ($this->getAuth()->getUser()->getRoles() as $role) {
-            if (! $role->grants($permission) || $role->denies($permission)) {
+            if ($role->denies($permission)) {
+                return false;
+            } elseif ($granted || ! $role->grants($permission)) {
                 continue;
             }
 
-            if (in_array($role->getName(), $roles, true)) {
-                return true;
-            }
+            $granted = in_array($role->getName(), $roles, true);
         }
 
-        return false;
+        return $granted;
     }
 }
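Review bot: The precedence rule the new loop establishes — an explicit deny on any of the user's roles wins over a grant from any other role, which is why the loop no longer returns `true` as soon as a match is found — is not stated anywhere, and a later reader may well "optimise" the early `return true` back in; the method's docblock (its signature sits above the hunk) should say so, e.g. `A deny on any role takes precedence over grants, so all roles are inspected before access is granted.` It is also worth noting there that a role which grants `$permission` but is not listed in `$roles` contributes nothing, since `$granted` only becomes true via the `in_array` check. As a style point, the `elseif` after `return false;` can be a plain positive condition, which reads closer to the rule: `if (! $granted && $role->grants($permission)) { $granted = in_array($role->getName(), $roles, true); }`. The enclosing method begins before the hunk.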