From 084e5a086f831eefd383879ea0145872761b6831 Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Thu, 2 Apr 2020 13:21:28 +0200
Subject: [PATCH] CompatObject: Respect security config when fetching
 customvars

---
 library/Icingadb/Compat/CompatObject.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/library/Icingadb/Compat/CompatObject.php b/library/Icingadb/Compat/CompatObject.php
index 1bd52fb5..989dcfe0 100644
--- a/library/Icingadb/Compat/CompatObject.php
+++ b/library/Icingadb/Compat/CompatObject.php
@@ -4,7 +4,9 @@
 
 namespace Icinga\Module\Icingadb\Compat;
 
+use Icinga\Application\Config;
 use Icinga\Exception\NotImplementedError;
+use Icinga\Module\Icingadb\Common\Auth;
 use Icinga\Module\Icingadb\Common\Database;
 use Icinga\Module\Icingadb\Model\Customvar;
 use Icinga\Module\Icingadb\Model\Host;
@@ -17,6 +19,7 @@ use function ipl\Stdlib\get_php_type;
 
 trait CompatObject
 {
+    use Auth;
     use Database;
 
     private $defaultLegacyColumns = [
@@ -91,8 +94,15 @@ trait CompatObject
             ->with($this->type);
         $query->getSelectBase()->where(['customvar_' . $this->type . '.id = ?' => $this->object->id]);
 
+        $vars = new CustomvarFilter(
+            $query->execute(),
+            $this->type,
+            $this->getAuth()->getRestrictions('monitoring/blacklist/properties'),
+            Config::module('monitoring')->get('security', 'protected_customvars', '')
+        );
+
         $customvars = [];
-        foreach ($query as $row) {
+        foreach ($vars as $row) {
             $customvars[$row->name] = $row->value;
         }