From b2c834e7a4913bf2666bb1ab04c145b93979c998 Mon Sep 17 00:00:00 2001 From: Thomas Gelf Date: Thu, 3 Nov 2016 16:06:18 +0100 Subject: [PATCH] permissions: provide new ones and enforce them fixes #13039 --- application/controllers/ConfigController.php | 96 +++++++++++++------ .../controllers/DashboardController.php | 4 + .../controllers/DeploymentController.php | 5 + application/controllers/HostController.php | 5 + application/controllers/HostsController.php | 5 + application/controllers/InspectController.php | 3 +- .../controllers/NotificationController.php | 5 + .../controllers/NotificationsController.php | 4 + application/controllers/ServiceController.php | 5 + application/controllers/ShowController.php | 5 + application/controllers/UserController.php | 4 + application/controllers/UsersController.php | 4 + application/tables/ActivityLogTable.php | 20 +++- .../views/scripts/object/deploymentLink.phtml | 4 + configuration.php | 42 +++++--- .../Dashboard/Dashlet/ActivityLogDashlet.php | 2 +- .../Dashlet/ApiUserObjectDashlet.php | 2 +- .../Dashlet/CommandObjectDashlet.php | 2 +- .../Dashboard/Dashlet/DatafieldDashlet.php | 2 +- .../Dashboard/Dashlet/DatalistDashlet.php | 2 +- .../Dashlet/EndpointObjectDashlet.php | 5 + .../Dashboard/Dashlet/ImportSourceDashlet.php | 2 +- .../Director/Dashboard/Dashlet/JobDashlet.php | 5 + .../Dashlet/ServiceObjectDashlet.php | 5 + .../Dashboard/Dashlet/SyncDashlet.php | 2 +- .../Dashlet/TimeperiodObjectDashlet.php | 5 + .../Dashboard/Dashlet/ZoneObjectDashlet.php | 5 + .../Web/Controller/ActionController.php | 31 +++++- .../Web/Controller/ObjectController.php | 30 ++++-- .../Web/Controller/ObjectsController.php | 54 ++++++----- 30 files changed, 275 insertions(+), 90 deletions(-) diff --git a/application/controllers/ConfigController.php b/application/controllers/ConfigController.php index 2f3c01763..92afb9951 100644 --- a/application/controllers/ConfigController.php +++ b/application/controllers/ConfigController.php 
@@ -15,8 +15,13 @@ class ConfigController extends ActionController { protected $isApified = true; + protected function checkDirectorPermissions() + { + } + public function deploymentsAction() { + $this->assertPermission('director/deploy'); $this->setAutorefreshInterval(5); try { if ($this->db()->hasUncollectedDeployments()) { @@ -49,6 +54,8 @@ public function deploymentsAction() public function deployAction() { + $this->assertPermission('director/deploy'); + // TODO: require POST $isApiRequest = $this->getRequest()->isApiRequest(); $checksum = $this->params->get('checksum'); @@ -86,23 +93,29 @@ public function deployAction() public function activitiesAction() { + $this->assertPermission('director/audit'); + $this->setAutorefreshInterval(10); $this->overviewTabs()->activate('activitylog'); $this->view->title = $this->translate('Activity Log'); $lastDeployedId = $this->db()->getLastDeploymentActivityLogId(); $this->prepareTable('activityLog'); $this->view->table->setLastDeployedId($lastDeployedId); - $this->view->form = $this - ->loadForm('DeployConfig') - ->setDb($this->db()) - ->setApi($this->api()) - ->handleRequest(); + if ($this->hasPermission('director/deploy')) { + $this->view->form = $this + ->loadForm('DeployConfig') + ->setDb($this->db()) + ->setApi($this->api()) + ->handleRequest(); + } $this->setViewScript('list/table'); } public function settingsAction() { + $this->assertPermission('director/admin'); + $this->overviewTabs()->activate('settings'); $this->view->title = $this->translate('Settings'); $this->view->form = $this @@ -116,6 +129,8 @@ public function settingsAction() // Show all files for a given config public function filesAction() { + $this->assertPermission('director/showconfig'); + $this->setAutorefreshInterval(10); $this->view->title = $this->translate('Generated config'); $tabs = $this->getTabs(); 
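Review bot: The empty `checkDirectorPermissions()` override turns ConfigController from deny-by-default into allow-by-default: every action that lacks its own `assertPermission()` becomes reachable by any authenticated user, so each action must now be audited individually. The patch adds asserts to the actions visible here, but `storeAction()`, which appears only in a later hunk header, does not seem to receive one; please confirm it is covered or intentionally public. A comment on the override, `// Intentionally empty: every action in this controller asserts its own permission`, would make that contract explicit for the next maintainer. `deployAction()` still performs a state change on GET (the new `// TODO: require POST` acknowledges it); a `$this->getRequest()->isPost()` guard would close that gap in the same commit.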
@@ -163,6 +178,8 @@ public function filesAction() // Show a single file public function fileAction() { + $this->assertPermission('director/showconfig'); + $fileOnly = $this->params->get('fileOnly'); $this->view->highlight = $this->params->get('highlight'); $this->view->highlightSeverity = $this->params->get('highlightSeverity'); @@ -196,6 +213,8 @@ public function fileAction() public function showAction() { + $this->assertPermission('director/showconfig'); + $this->configTabs()->activate('config'); $this->view->config = IcingaConfig::load(Util::hex2binary($this->params->get('checksum')), $this->db()); } @@ -214,6 +233,8 @@ public function storeAction() public function diffAction() { + $this->assertPermission('director/showconfig'); + $db = $this->db(); $this->view->title = $this->translate('Config diff'); @@ -248,6 +269,8 @@ public function diffAction() public function filediffAction() { + $this->assertPermission('director/showconfig'); + $db = $this->db(); $leftSum = $this->params->get('left'); $rightSum = $this->params->get('right'); 
@@ -271,25 +294,36 @@ public function filediffAction() protected function overviewTabs() { - $this->view->tabs = $this->getTabs()->add( - 'activitylog', - array( - 'label' => $this->translate('Activity Log'), - 'url' => 'director/config/activities' - ) - )->add( - 'deploymentlog', - array( - 'label' => $this->translate('Deployments'), - 'url' => 'director/config/deployments' - ) - )->add( - 'settings', - array( - 'label' => $this->translate('Settings'), - 'url' => 'director/config/settings' - ) - ); + $this->view->tabs = $tabs = $this->getTabs(); + + if ($this->hasPermission('director/audit')) { + $tabs->add( + 'activitylog', + array( + 'label' => $this->translate('Activity Log'), + 'url' => 'director/config/activities' + ) + ); + } + + if ($this->hasPermission('director/deploy')) { + $tabs->add( + 'deploymentlog', + array( + 'label' => $this->translate('Deployments'), + 'url' => 'director/config/deployments' + ) + ); + } + if ($this->hasPermission('director/admin')) { + $tabs->add( + 'settings', + array( + 'label' => $this->translate('Settings'), + 'url' => 'director/config/settings' + ) + ); + } return $this->view->tabs; } @@ -297,7 +331,7 @@ protected function configTabs() { $tabs = $this->getTabs(); - if ($deploymentId = $this->params->get('deployment_id')) { + if ($this->hasPermission('director/deploy') && $deploymentId = $this->params->get('deployment_id')) { $tabs->add('deployment', array( 'label' => $this->translate('Deployment'), 'url' => 'director/deployment/show', @@ -307,11 +341,13 @@ protected function configTabs() )); } - $tabs->add('config', array( - 'label' => $this->translate('Config'), - 'url' => 'director/config/files', - 'urlParams' => $this->getConfigTabParams() - )); + if ($this->hasPermission('director/showconfig')) { + $tabs->add('config', array( + 'label' => $this->translate('Config'), + 'url' => 'director/config/files', + 'urlParams' => $this->getConfigTabParams() + )); + } return $tabs; } 
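Review bot: In `configTabs()` the condition `$this->hasPermission('director/deploy') && $deploymentId = $this->params->get('deployment_id')` relies on PHP special-casing an assignment on the right-hand side of `&&`; it works, but parenthesising the assignment, `if ($this->hasPermission('director/deploy') && ($deploymentId = $this->params->get('deployment_id'))) {`, states the intent and keeps static analysers quiet. Hiding tabs in `overviewTabs()` and `configTabs()` is presentation only; enforcement rests on the per-action asserts, which is worth saying in a one-line comment above each `hasPermission()` block.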
diff --git a/application/controllers/DashboardController.php b/application/controllers/DashboardController.php index 57763c772..f84a894c1 100644 --- a/application/controllers/DashboardController.php +++ b/application/controllers/DashboardController.php @@ -9,6 +9,10 @@ class DashboardController extends ActionController { + protected function checkDirectorPermissions() + { + } + public function indexAction() { if ($this->getRequest()->isGet()) { diff --git a/application/controllers/DeploymentController.php b/application/controllers/DeploymentController.php index b814cb838..100c72104 100644 --- a/application/controllers/DeploymentController.php +++ b/application/controllers/DeploymentController.php @@ -9,6 +9,11 @@ class DeploymentController extends ActionController { + protected function checkDirectorPermissions() + { + $this->assertPermission('director/deploy'); + } + public function indexAction() { $this->view->title = $this->translate('Deployment details'); diff --git a/application/controllers/HostController.php b/application/controllers/HostController.php index 383edeac5..ce6fc0d5b 100644 --- a/application/controllers/HostController.php +++ b/application/controllers/HostController.php @@ -41,6 +41,11 @@ public function init() } } + protected function checkDirectorPermissions() + { + $this->assertPermission('director/hosts'); + } + public function editAction() { parent::editAction(); diff --git a/application/controllers/HostsController.php b/application/controllers/HostsController.php index 8fe23a09b..bc59f5dfa 100644 --- a/application/controllers/HostsController.php +++ b/application/controllers/HostsController.php @@ -10,4 +10,9 @@ class HostsController extends ObjectsController 'imports', 'groups' ); + + protected function checkDirectorPermissions() + { + $this->assertPermission('director/hosts'); + } } diff --git a/application/controllers/InspectController.php b/application/controllers/InspectController.php index 65525dec0..99f695616 100644 
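Review bot: DashboardController's empty `checkDirectorPermissions()` override disables the class-level check inherited from ActionController without saying why. Presumably the dashboard is meant to be visible to every authenticated user and each dashlet filters itself through `listRequiredPermissions()`, but that is not visible here; a comment such as `// Intentionally empty: the dashboard is open to all users, dashlets filter themselves` would record the decision and stop a later reader from "fixing" it by adding an assert.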
--- a/application/controllers/InspectController.php +++ b/application/controllers/InspectController.php @@ -6,10 +6,9 @@ class InspectController extends ActionController { - public function init() + protected function checkDirectorPermissions() { $this->assertPermission('director/inspect'); - parent::init(); } public function typesAction() diff --git a/application/controllers/NotificationController.php b/application/controllers/NotificationController.php index c4097dcf1..72f52bbea 100644 --- a/application/controllers/NotificationController.php +++ b/application/controllers/NotificationController.php @@ -9,6 +9,11 @@ class NotificationController extends ObjectController { + protected function checkDirectorPermissions() + { + $this->assertPermission('director/notifications'); + } + public function init() { parent::init(); diff --git a/application/controllers/NotificationsController.php b/application/controllers/NotificationsController.php index ae5c021dc..6762af15b 100644 --- a/application/controllers/NotificationsController.php +++ b/application/controllers/NotificationsController.php @@ -6,4 +6,8 @@ class NotificationsController extends ObjectsController { + protected function checkDirectorPermissions() + { + $this->assertPermission('director/notifications'); + } } diff --git a/application/controllers/ServiceController.php b/application/controllers/ServiceController.php index 855b67d7a..304786ad3 100644 --- a/application/controllers/ServiceController.php +++ b/application/controllers/ServiceController.php @@ -27,6 +27,11 @@ protected function beforeTabs() } } + protected function checkDirectorPermissions() + { + $this->assertPermission('director/hosts'); + } + public function init() { if ($host = $this->params->get('host')) { diff --git a/application/controllers/ShowController.php b/application/controllers/ShowController.php index 90b66e519..30ced66a3 100644 --- a/application/controllers/ShowController.php +++ b/application/controllers/ShowController.php 
@@ -15,6 +15,11 @@ class ShowController extends ActionController protected $oldObject; + protected function checkDirectorPermissions() + { + $this->assertPermission('director/showconfig'); + } + protected function objectKey($entry) { if ($entry->object_type === 'icinga_service' || $entry->object_type === 'icinga_service_set') { diff --git a/application/controllers/UserController.php b/application/controllers/UserController.php index 86c7d9f13..12f1bd907 100644 --- a/application/controllers/UserController.php +++ b/application/controllers/UserController.php @@ -6,4 +6,8 @@ class UserController extends ObjectController { + protected function checkDirectorPermissions() + { + $this->assertPermission('director/users'); + } } diff --git a/application/controllers/UsersController.php b/application/controllers/UsersController.php index dab1da019..ee6d93d19 100644 --- a/application/controllers/UsersController.php +++ b/application/controllers/UsersController.php @@ -6,4 +6,8 @@ class UsersController extends ObjectsController { + protected function checkDirectorPermissions() + { + $this->assertPermission('director/users'); + } } diff --git a/application/tables/ActivityLogTable.php b/application/tables/ActivityLogTable.php index 7c54bd9a7..91f5b9263 100644 --- a/application/tables/ActivityLogTable.php +++ b/application/tables/ActivityLogTable.php @@ -2,6 +2,7 @@ namespace Icinga\Module\Director\Tables; +use Icinga\Module\Director\Util; use Icinga\Module\Director\Web\Table\QuickTable; class ActivityLogTable extends QuickTable @@ -41,7 +42,11 @@ public function setLastDeployedId($id) protected function listTableClasses() { - return array_merge(array('activity-log'), parent::listTableClasses()); + if (Util::hasPermission('director/showconfig')) { + return array_merge(array('activity-log'), parent::listTableClasses()); + } else { + return array('simple', 'common-table', 'activity-log'); + } } public function render() 
@@ -75,10 +80,15 @@ protected function getRowClasses($row) protected function getActionUrl($row) { - return $this->url( - 'director/show/activitylog', - array_merge(array('id' => $row->id), $this->extraParams) - ); + if (Util::hasPermission('director/showconfig')) { + return $this->url( + 'director/show/activitylog', + array_merge(array('id' => $row->id), $this->extraParams) + ); + + } else { + return false; + } } public function getTitles() diff --git a/application/views/scripts/object/deploymentLink.phtml b/application/views/scripts/object/deploymentLink.phtml index 417e5ade8..aa7ac58f2 100644 --- a/application/views/scripts/object/deploymentLink.phtml +++ b/application/views/scripts/object/deploymentLink.phtml @@ -4,6 +4,10 @@ if (! $this->undeployedChanges && ! $this->totalUndeployedChanges) { return; } +if (! $this->hasPermission('director/deploy')) { + return; +} + if ($this->undeployedChanges === 0) { if ($this->totalUndeployedChanges) { $msg = $this->translate('The is a single pending change'); diff --git a/configuration.php b/configuration.php index 57af23d1e..4242c127f 100644 --- a/configuration.php +++ b/configuration.php 
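Review bot: `getActionUrl()` now returns either a URL or `false`, and the meaning of `false` (presumably "render the row without a link") is not documented; add `@return string|false` to the docblock so callers and static analysis see the mixed return. The stray blank line before `} else {` should also go.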
@@ -1,11 +1,13 @@ providePermission('director/api', $this->translate('Allow to access the director API')); -$this->providePermission('director/hosts/read', $this->translate('Allow to configure hosts')); -$this->providePermission('director/hosts/write', $this->translate('Allow to configure hosts')); -$this->providePermission('director/inspect', $this->translate('Allow to inspect objects through the Icinga 2 API')); -$this->providePermission('director/templates/read', $this->translate('Allow to see template details')); -$this->providePermission('director/templates/write', $this->translate('Allow to configure templates')); +$this->providePermission('director/audit', $this->translate('Allow to access the full audit log')); +$this->providePermission('director/showconfig', $this->translate('Allow to show configuration (could contain sensitive information)')); +$this->providePermission('director/deploy', $this->translate('Allow to deploy configuration')); +$this->providePermission('director/hosts', $this->translate('Allow to configure hosts')); +$this->providePermission('director/users', $this->translate('Allow to configure users')); +$this->providePermission('director/notifications', $this->translate('Allow to configure notifications')); +$this->providePermission('director/inspect', $this->translate('Allow to inspect objects through the Icinga 2 API (could contain sensitive information)')); $this->provideSearchUrl($this->translate('Host configs'), 'director/hosts?limit=10', 60); 
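Review bot: `director/admin` is never registered here, although `ActionController::checkDirectorPermissions()` asserts it by default and the menu entries below gate on it; add `$this->providePermission('director/admin', $this->translate('Allow unrestricted access to Icinga Director'));` so it can be granted through the role editor. The removed `director/hosts/read`, `director/hosts/write`, `director/templates/read` and `director/templates/write` names disappear without a migration note: existing role definitions that grant them will silently stop matching once this ships, so the commit message or a changelog entry should list the renames and their replacements.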
@@ -33,14 +35,32 @@ 'state' => 'critical' )); -$section->add($this->translate('Hosts'))->setUrl('director/hosts')->setPriority(30); -$section->add($this->translate('Services'))->setUrl('director/services/templates')->setPriority(40); -$section->add($this->translate('Commands'))->setUrl('director/commands')->setPriority(50); -$section->add($this->translate('Users'))->setUrl('director/users')->setPriority(70); -$section->add($this->translate('Automation')) +$section->add(N_('Hosts')) + ->setUrl('director/hosts') + ->setPermission('director/hosts') + ->setPriority(30); +$section->add(N_('Services')) + ->setUrl('director/services/templates') + ->setPermission('director/admin') + ->setPriority(40); +$section->add(N_('Commands')) + ->setUrl('director/commands') + ->setPermission('director/admin') + ->setPriority(50); +$section->add(N_('Users')) + ->setUrl('director/users') + ->setPermission('director/users') + ->setPriority(70); +$section->add(N_('Automation')) ->setUrl('director/list/importsource') + ->setPermission('director/admin') ->setPriority(901); -$section->add($this->translate('Config history')) +$section->add(N_('Activity log')) ->setUrl('director/config/activities') ->setPriority(902) + ->setPermission('director/audit') ->setRenderer('ConfigHealthItemRenderer'); +$section->add(N_('Deployments')) + ->setUrl('director/config/deployments') + ->setPriority(902) + ->setPermission('director/deployments'); diff --git a/library/Director/Dashboard/Dashlet/ActivityLogDashlet.php b/library/Director/Dashboard/Dashlet/ActivityLogDashlet.php index 052651166..f21db2a28 100644 --- a/library/Director/Dashboard/Dashlet/ActivityLogDashlet.php +++ b/library/Director/Dashboard/Dashlet/ActivityLogDashlet.php @@ -30,6 +30,6 @@ public function getUrl() public function listRequiredPermissions() { - return array('director/activitylog'); + return array('director/audit'); } } 
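Review bot: The Deployments menu entry uses `->setPermission('director/deployments')`, but the permission provided and asserted everywhere else in this patch is `director/deploy`, so the entry would only render for users holding a name that cannot be granted; change it to `->setPermission('director/deploy')`. The Activity log and Deployments entries also share priority 902; if the menu sorts on priority alone their relative order is undefined, so give Deployments 903.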
diff --git a/library/Director/Dashboard/Dashlet/ApiUserObjectDashlet.php b/library/Director/Dashboard/Dashlet/ApiUserObjectDashlet.php index 8fe78a685..d2b1a61c6 100644 --- a/library/Director/Dashboard/Dashlet/ApiUserObjectDashlet.php +++ b/library/Director/Dashboard/Dashlet/ApiUserObjectDashlet.php @@ -15,6 +15,6 @@ public function getTitle() public function getUrl() { - return 'director/apiusers'; + return 'director/admin'; } } diff --git a/library/Director/Dashboard/Dashlet/CommandObjectDashlet.php b/library/Director/Dashboard/Dashlet/CommandObjectDashlet.php index 1243424a6..7b8d0c589 100644 --- a/library/Director/Dashboard/Dashlet/CommandObjectDashlet.php +++ b/library/Director/Dashboard/Dashlet/CommandObjectDashlet.php @@ -15,6 +15,6 @@ public function getTitle() public function getUrl() { - return 'director/commands'; + return 'director/admin'; } } diff --git a/library/Director/Dashboard/Dashlet/DatafieldDashlet.php b/library/Director/Dashboard/Dashlet/DatafieldDashlet.php index 48d082557..1c6d4a849 100644 --- a/library/Director/Dashboard/Dashlet/DatafieldDashlet.php +++ b/library/Director/Dashboard/Dashlet/DatafieldDashlet.php @@ -25,6 +25,6 @@ public function getUrl() public function listRequiredPermissions() { - return array('director/data'); + return array('director/admin'); } } diff --git a/library/Director/Dashboard/Dashlet/DatalistDashlet.php b/library/Director/Dashboard/Dashlet/DatalistDashlet.php index 8170851d6..372e60d75 100644 --- a/library/Director/Dashboard/Dashlet/DatalistDashlet.php +++ b/library/Director/Dashboard/Dashlet/DatalistDashlet.php @@ -25,6 +25,6 @@ public function getUrl() public function listRequiredPermissions() { - return array('director/data'); + return array('director/admin'); } } diff --git a/library/Director/Dashboard/Dashlet/EndpointObjectDashlet.php b/library/Director/Dashboard/Dashlet/EndpointObjectDashlet.php index 149c71c98..9dd94674f 100644 --- a/library/Director/Dashboard/Dashlet/EndpointObjectDashlet.php 
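Review bot: `ApiUserObjectDashlet::getUrl()` and `CommandObjectDashlet::getUrl()` now return `'director/admin'`, which in this patch is a permission name rather than a route, and no `director/admin` controller or action appears anywhere in the diff, so these dashlets would link to a page that does not exist. The sibling dashlets in this commit change `listRequiredPermissions()` instead; most likely that was the intent here too: keep `return 'director/apiusers';` and `return 'director/commands';` and add `public function listRequiredPermissions() { return array('director/admin'); }` to each class.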
+++ b/library/Director/Dashboard/Dashlet/EndpointObjectDashlet.php @@ -22,6 +22,11 @@ public function getUrl() return 'director/endpoints'; } + public function listRequiredPermissions() + { + return array('director/admin'); + } + protected function hasDeploymentEndpoint() { if ($this->hasDeploymentEndpoint === null) { diff --git a/library/Director/Dashboard/Dashlet/ImportSourceDashlet.php b/library/Director/Dashboard/Dashlet/ImportSourceDashlet.php index 4901a8886..752f1a8a0 100644 --- a/library/Director/Dashboard/Dashlet/ImportSourceDashlet.php +++ b/library/Director/Dashboard/Dashlet/ImportSourceDashlet.php @@ -60,6 +60,6 @@ public function getUrl() public function listRequiredPermissions() { - return array('director/sync'); + return array('director/admin'); } } diff --git a/library/Director/Dashboard/Dashlet/JobDashlet.php b/library/Director/Dashboard/Dashlet/JobDashlet.php index bed6b38c9..d7452e0c2 100644 --- a/library/Director/Dashboard/Dashlet/JobDashlet.php +++ b/library/Director/Dashboard/Dashlet/JobDashlet.php @@ -57,4 +57,9 @@ public function getUrl() { return 'director/jobs'; } + + public function listRequiredPermissions() + { + return array('director/admin'); + } } diff --git a/library/Director/Dashboard/Dashlet/ServiceObjectDashlet.php b/library/Director/Dashboard/Dashlet/ServiceObjectDashlet.php index bf2572e48..aa7d41a7e 100644 --- a/library/Director/Dashboard/Dashlet/ServiceObjectDashlet.php +++ b/library/Director/Dashboard/Dashlet/ServiceObjectDashlet.php @@ -17,4 +17,9 @@ public function getUrl() { return 'director/services'; } + + public function listRequiredPermissions() + { + return array('director/admin'); + } } diff --git a/library/Director/Dashboard/Dashlet/SyncDashlet.php b/library/Director/Dashboard/Dashlet/SyncDashlet.php index 5288a928e..02b975876 100644 --- a/library/Director/Dashboard/Dashlet/SyncDashlet.php +++ b/library/Director/Dashboard/Dashlet/SyncDashlet.php 
@@ -60,6 +60,6 @@ public function getUrl() public function listRequiredPermissions() { - return array('director/sync'); + return array('director/admin'); } } diff --git a/library/Director/Dashboard/Dashlet/TimeperiodObjectDashlet.php b/library/Director/Dashboard/Dashlet/TimeperiodObjectDashlet.php index 441912966..ba4c1dbac 100644 --- a/library/Director/Dashboard/Dashlet/TimeperiodObjectDashlet.php +++ b/library/Director/Dashboard/Dashlet/TimeperiodObjectDashlet.php @@ -20,4 +20,9 @@ public function getUrl() { return 'director/timeperiods'; } + + public function listRequiredPermissions() + { + return array('director/admin'); + } } diff --git a/library/Director/Dashboard/Dashlet/ZoneObjectDashlet.php b/library/Director/Dashboard/Dashlet/ZoneObjectDashlet.php index f3cfe2247..ee789f2eb 100644 --- a/library/Director/Dashboard/Dashlet/ZoneObjectDashlet.php +++ b/library/Director/Dashboard/Dashlet/ZoneObjectDashlet.php @@ -17,4 +17,9 @@ public function getUrl() { return 'director/zones'; } + + public function listRequiredPermissions() + { + return array('director/admin'); + } } diff --git a/library/Director/Web/Controller/ActionController.php b/library/Director/Web/Controller/ActionController.php index 6d0334365..f1d7b4c59 100644 --- a/library/Director/Web/Controller/ActionController.php +++ b/library/Director/Web/Controller/ActionController.php @@ -13,9 +13,9 @@ use Icinga\Module\Director\Objects\IcingaEndpoint; use Icinga\Module\Director\Web\Form\FormLoader; use Icinga\Module\Director\Web\Form\QuickBaseForm; -use Icinga\Module\Director\Web\Form\QuickForm; use Icinga\Module\Director\Web\Table\QuickTable; use Icinga\Module\Director\Web\Table\TableLoader; +use Icinga\Security\SecurityException; use Icinga\Web\Controller; use Icinga\Web\Widget; 
@@ -45,6 +45,35 @@ public function init() throw new NotFoundError('No such API endpoint found'); } } + + $this->checkDirectorPermissions(); + } + + protected function checkDirectorPermissions() + { + $this->assertPermission('director/admin'); + } + + /** + * Assert that the current user has one of the given permission + * + * @param array $permissions Permission name list + * + * @throws SecurityException If the current user lacks the given permission + */ + protected function assertOneOfPermissions($permissions) + { + $auth = $this->Auth(); + + foreach ($permissions as $permission) + if ($auth->hasPermission($permission)) { + return; + } + + throw new SecurityException( + 'Got none of the following permissions: %s', + implode(', ', $permissions) + ); } protected function isApified() diff --git a/library/Director/Web/Controller/ObjectController.php b/library/Director/Web/Controller/ObjectController.php index ff157a324..b43be5370 100644 --- a/library/Director/Web/Controller/ObjectController.php +++ b/library/Director/Web/Controller/ObjectController.php 
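Review bot: `assertOneOfPermissions()` leaves the `foreach` body unbraced, so only the `if` is looped; that is legal but easy to misread and inconsistent with the rest of the file — write it as `foreach ($permissions as $permission) { if ($auth->hasPermission($permission)) { return; } }`. The exception is constructed with a `%s` template plus an extra argument, which only works if `SecurityException` follows IcingaException's sprintf-style constructor; please confirm, otherwise the placeholder is emitted literally. Enforcement now hinges on `init()` (which starts outside this hunk) reaching `$this->checkDirectorPermissions()`, so any subclass that overrides `init()` without calling `parent::init()` skips the check silently; document that contract on the method, e.g. `/** Called from init(). Override to narrow the required permission. Subclasses overriding init() must call parent::init(), otherwise no permission is enforced. */`. No caller of `assertOneOfPermissions()` is visible in this patch, and its docblock should read "one of the given permissions".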
@@ -44,17 +44,24 @@ public function init() )); } - $tabs->add('render', array( - 'url' => sprintf('director/%s/render', $type), - 'urlParams' => $params, - 'label' => $this->translate('Preview'), - ))->add('history', array( - 'url' => sprintf('director/%s/history', $type), - 'urlParams' => $params, - 'label' => $this->translate('History') - )); + if ($this->hasPermission('director/showconfig')) { + $tabs->add('render', array( + 'url' => sprintf('director/%s/render', $type), + 'urlParams' => $params, + 'label' => $this->translate('Preview'), + )); + } + + if ($this->hasPermission('director/audit')) { + $tabs->add('history', array( + 'url' => sprintf('director/%s/history', $type), + 'urlParams' => $params, + 'label' => $this->translate('History') + )); + } + - if ($this->hasFields()) { + if ($this->hasPermission('director/admin') && $this->hasFields()) { $tabs->add('fields', array( 'url' => sprintf('director/%s/fields', $type), 'urlParams' => $params, @@ -99,6 +106,7 @@ public function indexAction() public function renderAction() { + $this->assertPermission('director/showconfig'); $type = $this->getType(); $this->getTabs()->activate('render'); $object = $this->object; @@ -237,6 +245,7 @@ public function cloneAction() public function fieldsAction() { + $this->hasPermission('director/admin'); $object = $this->object; $type = $this->getType(); @@ -278,6 +287,7 @@ public function fieldsAction() public function historyAction() { + $this->hasPermission('director/audit'); $this->setAutorefreshInterval(10); $db = $this->db(); $type = $this->getType(); diff --git a/library/Director/Web/Controller/ObjectsController.php b/library/Director/Web/Controller/ObjectsController.php index 6f82afe35..d2fe40ecf 100644 --- a/library/Director/Web/Controller/ObjectsController.php +++ b/library/Director/Web/Controller/ObjectsController.php 
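Review bot: `fieldsAction()` and `historyAction()` call `$this->hasPermission(...)` and discard the boolean, so neither action is actually protected — only the corresponding tabs are hidden; matching `renderAction()` in the same file, these should be `$this->assertPermission('director/admin');` and `$this->assertPermission('director/audit');`. Hiding a tab is not authorisation: the `director/<type>/fields` and `director/<type>/history` URLs stay reachable for anyone who passes the controller-level check. The `init()` hunk (whose function starts outside the hunk) also leaves a double blank line after the history block.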
@@ -54,32 +54,36 @@ public function init() 'url' => sprintf('director/%ss', strtolower($type)), 'label' => $this->translate(ucfirst($type) . 's'), )); - if ($object->supportsImports()) { - $tabs->add('templates', array( - 'url' => sprintf('director/%ss/templates', strtolower($type)), - 'label' => $this->translate('Templates'), - )); - } - if ($object->supportsGroups() || $object->isGroup()) { - $tabs->add('objectgroups', array( - 'url' => sprintf('director/%sgroups', $type), - 'label' => $this->translate('Groups') - )); - } - if ($object->supportsSets() || $object->isGroup() /** Bullshit, need base object, wrong on users */) { - /** forced to master, disabled for now - $tabs->add('sets', array( - 'url' => sprintf('director/%ss/sets', $type), - 'label' => $this->translate('Sets') + if ($this->hasPermission('director/admin')) { + if ($object->supportsImports()) { + $tabs->add('templates', array( + 'url' => sprintf('director/%ss/templates', strtolower($type)), + 'label' => $this->translate('Templates'), + )); + } + + if ($object->supportsGroups() || $object->isGroup()) { + $tabs->add('objectgroups', array( + 'url' => sprintf('director/%sgroups', $type), + 'label' => $this->translate('Groups') + )); + } + + if ($object->supportsSets() || $object->isGroup() /** Bullshit, need base object, wrong on users */) { + /** forced to master, disabled for now + $tabs->add('sets', array( + 'url' => sprintf('director/%ss/sets', $type), + 'label' => $this->translate('Sets') + )); + */ + } + + $tabs->add('tree', array( + 'url' => sprintf('director/%ss/templatetree', $type), + 'label' => $this->translate('Tree'), )); - */ } - - $tabs->add('tree', array( - 'url' => sprintf('director/%ss/templatetree', $type), - 'label' => $this->translate('Tree'), - )); } public function indexAction() 
@@ -90,7 +94,6 @@ public function indexAction() $type = $this->getType(); $ltype = strtolower($type); - $this->assertPermission('director/' . $type . 's/read'); /** @var IcingaObject $dummy */ $dummy = $this->dummyObject(); @@ -243,11 +246,13 @@ public function editAction() public function templatesAction() { + $this->assertPermission('director/admin'); $this->indexAction(); } public function templatetreeAction() { + $this->assertPermission('director/admin'); $this->setAutorefreshInterval(10); $this->getTabs()->activate('tree'); $this->view->tree = $this->db()->fetchTemplateTree(strtolower($this->getType())); @@ -257,6 +262,7 @@ public function templatetreeAction() public function setsAction() { + $this->assertPermission('director/admin'); $this->view->title = $this->translate('Service sets'); $this->view->table = $this ->loadTable('IcingaServiceSet')