From 5ff07930363bba466c2f51fda57555fcdc335a0c Mon Sep 17 00:00:00 2001
From: Yonas Habteab
Date: Mon, 30 Aug 2021 11:00:26 +0200
Subject: [PATCH] ObjectAuthorization: Check whether the permission isn't within the refusals
---
 library/Icingadb/Authentication/ObjectAuthorization.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/Icingadb/Authentication/ObjectAuthorization.php b/library/Icingadb/Authentication/ObjectAuthorization.php
index b18cb5f9..27f8dd3c 100644
--- a/library/Icingadb/Authentication/ObjectAuthorization.php
+++ b/library/Icingadb/Authentication/ObjectAuthorization.php
@@ -197,7 +197,7 @@ class ObjectAuthorization
 }
 foreach ($this->getAuth()->getUser()->getRoles() as $role) {
- if (! $role->grants($permission)) {
+ if (! $role->grants($permission) || $role->denies($permission)) {
 continue;
 }
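Review bot: The added `$role->denies($permission)` test is evaluated per role inside the `foreach`, so a refusal only skips the role that carries it, and a second role that grants the same permission would presumably still contribute to the result. If refusals are meant to override grants from every role, that has to be decided before the loop rather than inside it; if per-role scope is intended, a comment above the condition should say so, e.g. `// A refusal only cancels this role's own grant; other roles may still grant $permission`. The rest of the method lies outside the hunk, so how the per-role results are combined cannot be confirmed from here. A regression test with one role that both grants and refuses the permission, and another with the refusal in a different role than the grant, would pin the intended behaviour.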