permissions: provide new ones and enforce them

fixes #13039
tonnenpinguin · Nov 3, 2016 · b2c834e · b2c834e
1 parent 7e4479a
commit b2c834e
Show file tree

Hide file tree

Showing 30 changed files with 275 additions and 90 deletions.
diff --git a/application/controllers/ConfigController.php b/application/controllers/ConfigController.php
@@ -15,8 +15,13 @@ class ConfigController extends ActionController
 {
     protected $isApified = true;
 
+    protected function checkDirectorPermissions()
+    {
+    }
+
     public function deploymentsAction()
     {
+        $this->assertPermission('director/deploy');
         $this->setAutorefreshInterval(5);
         try {
             if ($this->db()->hasUncollectedDeployments()) {
@@ -49,6 +54,8 @@ public function deploymentsAction()
 
     public function deployAction()
     {
+        $this->assertPermission('director/deploy');
+
         // TODO: require POST
         $isApiRequest = $this->getRequest()->isApiRequest();
         $checksum = $this->params->get('checksum');
@@ -86,23 +93,29 @@ public function deployAction()
 
     public function activitiesAction()
     {
+        $this->assertPermission('director/audit');
+
         $this->setAutorefreshInterval(10);
         $this->overviewTabs()->activate('activitylog');
         $this->view->title = $this->translate('Activity Log');
         $lastDeployedId = $this->db()->getLastDeploymentActivityLogId();
         $this->prepareTable('activityLog');
         $this->view->table->setLastDeployedId($lastDeployedId);
-        $this->view->form = $this
-            ->loadForm('DeployConfig')
-            ->setDb($this->db())
-            ->setApi($this->api())
-            ->handleRequest();
+        if ($this->hasPermission('director/deploy')) {
+            $this->view->form = $this
+                ->loadForm('DeployConfig')
+                ->setDb($this->db())
+                ->setApi($this->api())
+                ->handleRequest();
+        }
 
         $this->setViewScript('list/table');
     }
 
     public function settingsAction()
     {
+        $this->assertPermission('director/admin');
+
         $this->overviewTabs()->activate('settings');
         $this->view->title = $this->translate('Settings');
         $this->view->form = $this
@@ -116,6 +129,8 @@ public function settingsAction()
     // Show all files for a given config
     public function filesAction()
     {
+        $this->assertPermission('director/showconfig');
+
         $this->setAutorefreshInterval(10);
         $this->view->title = $this->translate('Generated config');
         $tabs = $this->getTabs();
@@ -163,6 +178,8 @@ public function filesAction()
     // Show a single file
     public function fileAction()
     {
+        $this->assertPermission('director/showconfig');
+
         $fileOnly = $this->params->get('fileOnly');
         $this->view->highlight = $this->params->get('highlight');
         $this->view->highlightSeverity = $this->params->get('highlightSeverity');
@@ -196,6 +213,8 @@ public function fileAction()
 
     public function showAction()
     {
+        $this->assertPermission('director/showconfig');
+
         $this->configTabs()->activate('config');
         $this->view->config = IcingaConfig::load(Util::hex2binary($this->params->get('checksum')), $this->db());
     }
@@ -214,6 +233,8 @@ public function storeAction()
 
     public function diffAction()
     {
+        $this->assertPermission('director/showconfig');
+
         $db = $this->db();
         $this->view->title = $this->translate('Config diff');
 
@@ -248,6 +269,8 @@ public function diffAction()
 
     public function filediffAction()
     {
+        $this->assertPermission('director/showconfig');
+
         $db = $this->db();
         $leftSum  = $this->params->get('left');
         $rightSum = $this->params->get('right');
@@ -271,33 +294,44 @@ public function filediffAction()
 
     protected function overviewTabs()
     {
-        $this->view->tabs = $this->getTabs()->add(
-            'activitylog',
-            array(
-                'label' => $this->translate('Activity Log'),
-                'url'   => 'director/config/activities'
-            )
-        )->add(
-            'deploymentlog',
-            array(
-                'label' => $this->translate('Deployments'),
-                'url'   => 'director/config/deployments'
-            )
-        )->add(
-            'settings',
-            array(
-                'label' => $this->translate('Settings'),
-                'url'   => 'director/config/settings'
-            )
-        );
+        $this->view->tabs = $tabs = $this->getTabs();
+
+        if ($this->hasPermission('director/audit')) {
+            $tabs->add(
+                'activitylog',
+                array(
+                    'label' => $this->translate('Activity Log'),
+                    'url'   => 'director/config/activities'
+                )
+            );
+        }
+
+        if ($this->hasPermission('director/deploy')) {
+            $tabs->add(
+                'deploymentlog',
+                array(
+                    'label' => $this->translate('Deployments'),
+                    'url' => 'director/config/deployments'
+                )
+            );
+        }
+        if ($this->hasPermission('director/admin')) {
+            $tabs->add(
+                'settings',
+                array(
+                    'label' => $this->translate('Settings'),
+                    'url' => 'director/config/settings'
+                )
+            );
+        }
         return $this->view->tabs;
     }
 
     protected function configTabs()
     {
         $tabs = $this->getTabs();
 
-        if ($deploymentId = $this->params->get('deployment_id')) {
+        if ($this->hasPermission('director/deploy') && $deploymentId = $this->params->get('deployment_id')) {
             $tabs->add('deployment', array(
                 'label'     => $this->translate('Deployment'),
                 'url'       => 'director/deployment/show',
@@ -307,11 +341,13 @@ protected function configTabs()
             ));
         }
 
-        $tabs->add('config', array(
-            'label'     => $this->translate('Config'),
-            'url'       => 'director/config/files',
-            'urlParams' => $this->getConfigTabParams()
-        ));
+        if ($this->hasPermission('director/showconfig')) {
+            $tabs->add('config', array(
+                'label'     => $this->translate('Config'),
+                'url'       => 'director/config/files',
+                'urlParams' => $this->getConfigTabParams()
+            ));
+        }
 
         return $tabs;
     }

diff --git a/application/controllers/DashboardController.php b/application/controllers/DashboardController.php
@@ -9,6 +9,10 @@
 
 class DashboardController extends ActionController
 {
+    protected function checkDirectorPermissions()
+    {
+    }
+
     public function indexAction()
     {
         if ($this->getRequest()->isGet()) {

diff --git a/application/controllers/DeploymentController.php b/application/controllers/DeploymentController.php
@@ -9,6 +9,11 @@
 
 class DeploymentController extends ActionController
 {
+    protected function checkDirectorPermissions()
+    {
+        $this->assertPermission('director/deploy');
+    }
+
     public function indexAction()
     {
         $this->view->title = $this->translate('Deployment details');

diff --git a/application/controllers/HostController.php b/application/controllers/HostController.php
@@ -41,6 +41,11 @@ public function init()
         }
     }
 
+    protected function checkDirectorPermissions()
+    {
+        $this->assertPermission('director/hosts');
+    }
+
     public function editAction()
     {
         parent::editAction();

diff --git a/application/controllers/HostsController.php b/application/controllers/HostsController.php
@@ -10,4 +10,9 @@ class HostsController extends ObjectsController
         'imports',
         'groups'
     );
+
+    protected function checkDirectorPermissions()
+    {
+        $this->assertPermission('director/hosts');
+    }
 }
diff --git a/application/controllers/InspectController.php b/application/controllers/InspectController.php
@@ -6,10 +6,9 @@
 
 class InspectController extends ActionController
 {
-    public function init()
+    protected function checkDirectorPermissions()
     {
         $this->assertPermission('director/inspect');
-        parent::init();
     }
 
     public function typesAction()

diff --git a/application/controllers/NotificationController.php b/application/controllers/NotificationController.php
@@ -9,6 +9,11 @@
 
 class NotificationController extends ObjectController
 {
+    protected function checkDirectorPermissions()
+    {
+        $this->assertPermission('director/notifications');
+    }
+
     public function init()
     {
         parent::init();

diff --git a/application/controllers/NotificationsController.php b/application/controllers/NotificationsController.php
@@ -6,4 +6,8 @@
 
 class NotificationsController extends ObjectsController
 {
+    protected function checkDirectorPermissions()
+    {
+        $this->assertPermission('director/notifications');
+    }
 }
diff --git a/application/controllers/ServiceController.php b/application/controllers/ServiceController.php
@@ -27,6 +27,11 @@ protected function beforeTabs()
         }
     }
 
+    protected function checkDirectorPermissions()
+    {
+        $this->assertPermission('director/hosts');
+    }
+
     public function init()
     {
         if ($host = $this->params->get('host')) {

diff --git a/application/controllers/ShowController.php b/application/controllers/ShowController.php
@@ -15,6 +15,11 @@ class ShowController extends ActionController
 
     protected $oldObject;
 
+    protected function checkDirectorPermissions()
+    {
+        $this->assertPermission('director/showconfig');
+    }
+
     protected function objectKey($entry)
     {
         if ($entry->object_type === 'icinga_service' || $entry->object_type === 'icinga_service_set') {

diff --git a/application/controllers/UserController.php b/application/controllers/UserController.php
@@ -6,4 +6,8 @@
 
 class UserController extends ObjectController
 {
+    protected function checkDirectorPermissions()
+    {
+        $this->assertPermission('director/users');
+    }
 }
diff --git a/application/controllers/UsersController.php b/application/controllers/UsersController.php
@@ -6,4 +6,8 @@
 
 class UsersController extends ObjectsController
 {
+    protected function checkDirectorPermissions()
+    {
+        $this->assertPermission('director/users');
+    }
 }
diff --git a/application/tables/ActivityLogTable.php b/application/tables/ActivityLogTable.php
@@ -2,6 +2,7 @@
 
 namespace Icinga\Module\Director\Tables;
 
+use Icinga\Module\Director\Util;
 use Icinga\Module\Director\Web\Table\QuickTable;
 
 class ActivityLogTable extends QuickTable
@@ -41,7 +42,11 @@ public function setLastDeployedId($id)
 
     protected function listTableClasses()
     {
-        return array_merge(array('activity-log'), parent::listTableClasses());
+        if (Util::hasPermission('director/showconfig')) {
+            return array_merge(array('activity-log'), parent::listTableClasses());
+        } else {
+            return array('simple', 'common-table', 'activity-log');
+        }
     }
 
     public function render()
@@ -75,10 +80,15 @@ protected function getRowClasses($row)
 
     protected function getActionUrl($row)
     {
-        return $this->url(
-            'director/show/activitylog',
-            array_merge(array('id' => $row->id), $this->extraParams)
-        );
+        if (Util::hasPermission('director/showconfig')) {
+            return $this->url(
+                'director/show/activitylog',
+                array_merge(array('id' => $row->id), $this->extraParams)
+            );
+
+        } else {
+            return false;
+        }
     }
 
     public function getTitles()

diff --git a/application/views/scripts/object/deploymentLink.phtml b/application/views/scripts/object/deploymentLink.phtml
@@ -4,6 +4,10 @@ if (! $this->undeployedChanges && ! $this->totalUndeployedChanges) {
     return; 
 }
 
+if (! $this->hasPermission('director/deploy')) {
+    return;
+}
+
 if ($this->undeployedChanges === 0) {
     if ($this->totalUndeployedChanges) {
         $msg = $this->translate('The is a single pending change');