From 2cd1f96c93ee4d965683d12e6974792d15878552 Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Thu, 5 Feb 2026 17:13:36 +0100
Subject: [PATCH] Auth: Only ignore redundancy groups, if they're actually
 fetched

fixes #1294
---
 library/Icingadb/Common/Auth.php | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/library/Icingadb/Common/Auth.php b/library/Icingadb/Common/Auth.php
index 7260636a..c1d12906 100644
--- a/library/Icingadb/Common/Auth.php
+++ b/library/Icingadb/Common/Auth.php
@@ -196,6 +196,9 @@ trait Auth
                 // Hosts and services have a special relation as a service can't exist without its host.
                 // Hence why the hosts restriction is also applied if only services are queried.
                 || $applyServiceRestriction;
+            // Redundancy groups have no relation to anything in order to be subject
+            // for authorization, so they must be exempt from the respective filters.
+            $skipRedundancyGroups = $relations[0] === 'dependency_node';
 
             $hostStateRelation = array_search('host_state', $relations, true);
             $serviceStateRelation = array_search('service_state', $relations, true);
@@ -229,14 +232,18 @@ trait Auth
                 }
 
                 if ($customVarRelationName === false || count($relations) > 1) {
-                    if ($restriction = $role->getRestrictions('icingadb/filter/objects')) {
-                        $roleFilter->add(Filter::any(
-                            Filter::all(
-                                Filter::unlike('host.id', '*'),
-                                Filter::unlike('service.id', '*')
-                            ),
-                            $this->parseRestriction($restriction, 'icingadb/filter/objects')
-                        ));
+                    if (($restriction = $role->getRestrictions('icingadb/filter/objects'))) {
+                        if ($skipRedundancyGroups) {
+                            $roleFilter->add(Filter::any(
+                                Filter::all(
+                                    Filter::unlike('host_id', '*'),
+                                    Filter::unlike('service_id', '*')
+                                ),
+                                $this->parseRestriction($restriction, 'icingadb/filter/objects')
+                            ));
+                        } else {
+                            $roleFilter->add($this->parseRestriction($restriction, 'icingadb/filter/objects'));
+                        }
                     }
 
                     if ($applyHostRestriction && ($restriction = $role->getRestrictions('icingadb/filter/hosts'))) {
@@ -245,7 +252,11 @@ trait Auth
                             $this->forceQueryOptimization($hostFilter, 'hostgroup.name');
                         }
 
-                        $roleFilter->add(Filter::any(Filter::unlike('host.id', '*'), $hostFilter));
+                        if ($skipRedundancyGroups) {
+                            $roleFilter->add(Filter::any(Filter::unlike('host_id', '*'), $hostFilter));
+                        } else {
+                            $roleFilter->add($hostFilter);
+                        }
                     }
 
                     if (