From c545fc757c054217fce9df78b0992121495b112f Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Wed, 11 Feb 2026 14:47:26 +0100
Subject: [PATCH 1/3] Service: Do not restrict property `customvars` at all

---
 library/Icingadb/Model/Service.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/library/Icingadb/Model/Service.php b/library/Icingadb/Model/Service.php
index 240f772f..b6d849d6 100644
--- a/library/Icingadb/Model/Service.php
+++ b/library/Icingadb/Model/Service.php
@@ -228,9 +228,9 @@ class Service extends Model
         });
 
         $defaults->add('customvars', function (self $subject) {
-            if (! $subject->customvar instanceof ResultSet) {
-                $this->applyRestrictions($subject->customvar);
-            }
+            // In contrast to customvar_flat, we cannot apply restrictions here as denylists and protections
+            // require the flattened values to work. To retrieve only customvars the user has access to, the
+            // `vars` property should be used instead.
 
             $vars = [];
             foreach ($subject->customvar as $customVar) {

From a52719bff52600be0e296fe85717347ea86e67c6 Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Wed, 11 Feb 2026 14:48:15 +0100
Subject: [PATCH 2/3] Host: Do not restrict property `customvars` at all

---
 library/Icingadb/Model/Host.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/library/Icingadb/Model/Host.php b/library/Icingadb/Model/Host.php
index b18896a8..9f568dab 100644
--- a/library/Icingadb/Model/Host.php
+++ b/library/Icingadb/Model/Host.php
@@ -236,9 +236,9 @@ class Host extends Model
         });
 
         $defaults->add('customvars', function (self $subject) {
-            if (! $subject->customvar instanceof ResultSet) {
-                $this->applyRestrictions($subject->customvar);
-            }
+            // In contrast to customvar_flat, we cannot apply restrictions here as denylists and protections
+            // require the flattened values to work. To retrieve only customvars the user has access to, the
+            // `vars` property should be used instead.
 
             $vars = [];
             foreach ($subject->customvar as $customVar) {

From 1ed561231917b13eb882433274ac90215b8e5012 Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Wed, 11 Feb 2026 15:26:39 +0100
Subject: [PATCH 3/3] doc: Mention how `$object->customvars` now behaves
 differently

---
 doc/05-Upgrading.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/doc/05-Upgrading.md b/doc/05-Upgrading.md
index f1e82c59..7aef5e77 100644
--- a/doc/05-Upgrading.md
+++ b/doc/05-Upgrading.md
@@ -3,6 +3,31 @@
 Specific version upgrades are described below. Please note that version upgrades are incremental.
 If you are upgrading across multiple versions, make sure to follow the steps for each of them.
 
+## Upgrading to Icinga DB Web v1.4
+
+**Behavior Changes**
+
+Modules that provide integrations for a host's or service's detail view now have unrestricted access to all custom
+variables of said object. This is the case by accessing custom variables via the object's `customvars` property.
+This was always meant to be the case, but due to an implementation oversight, the restrictions configured via
+`icingadb/filter/objects`, `icingadb/filter/hosts` and `icingadb/filter/services` were applied and caused
+unexpected or erroneous behavior. Though, in some cases this may not have been noticed or seen as a problem,
+so when upgrading we recommend to review modules that provide such integrations and check if they rely on the
+previous behavior. If so, accessing the `vars` property of an object should have the desired effect.
+
+The following modules made by Icinga are safe and do not need an update to still work:
+
+* Icinga Business Process Modeling
+* Icinga Web Graphite Integration
+
+Cases where this may not have been noticed are as follows:
+
+* Restrictions only reference `host.*` columns and integrations only require access to host variables.
+* Restrictions only reference `service.*` columns and integrations only require access to service variables.
+
+Since these are very specific cases, we don't expect broad expectation of the previous behavior, but please review
+your setup nonetheless if you use third party or custom modules that access custom variables this way.
+
 ## Upgrading to Icinga DB Web v1.3
 
 **Requirements**