Auth: Only ignore redundancy groups, if they're actually fetched

fixes #1294
Johannes Meyer 2026-02-05 17:13:36 +01:00
parent 9cabfd5968
commit 2cd1f96c93


@ -196,6 +196,9 @@ trait Auth
// Hosts and services have a special relation as a service can't exist without its host. // Hosts and services have a special relation as a service can't exist without its host.
// Hence why the hosts restriction is also applied if only services are queried. // Hence why the hosts restriction is also applied if only services are queried.
|| $applyServiceRestriction; || $applyServiceRestriction;
// Redundancy groups have no relation to anything in order to be subject
// for authorization, so they must be exempt from the respective filters.
$skipRedundancyGroups = $relations[0] === 'dependency_node';
$hostStateRelation = array_search('host_state', $relations, true); $hostStateRelation = array_search('host_state', $relations, true);
$serviceStateRelation = array_search('service_state', $relations, true); $serviceStateRelation = array_search('service_state', $relations, true);
@ -229,14 +232,18 @@ trait Auth
} }
if ($customVarRelationName === false || count($relations) > 1) { if ($customVarRelationName === false || count($relations) > 1) {
if ($restriction = $role->getRestrictions('icingadb/filter/objects')) { if (($restriction = $role->getRestrictions('icingadb/filter/objects'))) {
$roleFilter->add(Filter::any( if ($skipRedundancyGroups) {
Filter::all( $roleFilter->add(Filter::any(
Filter::unlike('host.id', '*'), Filter::all(
Filter::unlike('service.id', '*') Filter::unlike('host_id', '*'),
), Filter::unlike('service_id', '*')
$this->parseRestriction($restriction, 'icingadb/filter/objects') ),
)); $this->parseRestriction($restriction, 'icingadb/filter/objects')
));
} else {
$roleFilter->add($this->parseRestriction($restriction, 'icingadb/filter/objects'));
}
} }
if ($applyHostRestriction && ($restriction = $role->getRestrictions('icingadb/filter/hosts'))) { if ($applyHostRestriction && ($restriction = $role->getRestrictions('icingadb/filter/hosts'))) {
@ -245,7 +252,11 @@ trait Auth
$this->forceQueryOptimization($hostFilter, 'hostgroup.name'); $this->forceQueryOptimization($hostFilter, 'hostgroup.name');
} }
$roleFilter->add(Filter::any(Filter::unlike('host.id', '*'), $hostFilter)); if ($skipRedundancyGroups) {
$roleFilter->add(Filter::any(Filter::unlike('host_id', '*'), $hostFilter));
} else {
$roleFilter->add($hostFilter);
}
} }
if ( if (
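Review bot: `$skipRedundancyGroups = $relations[0] === 'dependency_node';` is now the switch that lets rows bypass `icingadb/filter/objects` and `icingadb/filter/hosts`, but it reads only index 0 of `$relations`, and nothing visible in the hunks guarantees that the array is non-empty or that its first entry is always the query's base table. I would write it as `$skipRedundancyGroups = ($relations[0] ?? null) === 'dependency_node';` and state the assumption in the comment above it, e.g. `// $relations[0] is the base table of the query; only a dependency_node query can return redundancy groups.` When the flag is set, the exemption still matches every node without a `host_id` (and, for the objects filter, without a `service_id`), which presumably means a redundancy group; if the model has a column that identifies redundancy groups explicitly, matching on it would keep the bypass as narrow as the new comment promises. A regression test with a restricted role, covering one plain host query and one dependency_node query, would pin both branches. The enclosing method starts and ends outside the visible hunks.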