From 607f7ab5ca89db8965e55ca2414ec880a7c7d815 Mon Sep 17 00:00:00 2001
From: Yonas Habteab
Date: Wed, 5 Oct 2022 17:51:13 +0200
Subject: [PATCH] ObjectQueryHandler: Check user permissions on joined relations

---
 lib/remote/objectqueryhandler.cpp | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/lib/remote/objectqueryhandler.cpp b/lib/remote/objectqueryhandler.cpp
index 3f827037c..c29b61ba4 100644
--- a/lib/remote/objectqueryhandler.cpp
+++ b/lib/remote/objectqueryhandler.cpp
@@ -8,6 +8,7 @@
 #include "base/configtype.hpp"
 #include
 #include
+#include
 
 using namespace icinga;
 
@@ -189,6 +190,8 @@ bool ObjectQueryHandler::HandleRequest(
 joinAttrs.insert(field.Name);
 }
 
+ std::unordered_map> typePermissions;
+
 for (const ConfigObject::Ptr& obj : objs) {
 DictionaryData result1{
 { "name", obj->GetName() },
@@ -257,6 +260,29 @@ bool ObjectQueryHandler::HandleRequest(
 if (!joinedObj)
 continue;
 
+ Type::Ptr reflectionType = joinedObj->GetReflectionType();
+ Expression::Ptr permissionFilter;
+
+ auto it = typePermissions.find(reflectionType.get());
+ bool granted;
+
+ if (it == typePermissions.end()) {
+ String permission = "objects/query/" + reflectionType->GetName();
+
+ Expression *filter = nullptr;
+ granted = FilterUtility::HasPermission(user, permission, &filter);
+ permissionFilter = filter;
+
+ typePermissions.insert({reflectionType.get(), std::make_pair(granted, permissionFilter)});
+ } else {
+ std::tie(granted, permissionFilter) = it->second;
+ }
+
+ if (!granted) {
+ // Not authorized
+ continue;
+ }
+
 String prefix = field.NavigationName;
 
 try {
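Review bot: The filter returned by `FilterUtility::HasPermission` is never applied to `joinedObj` in the last hunk: `permissionFilter` is stored in `typePermissions` and read back, but only `granted` is tested before the join is emitted. A user whose `objects/query/<Type>` permission is restricted by a filter would therefore still receive every joined object of that type, not just the ones the filter allows. After the `if (!granted)` block the filter should be evaluated against the joined object and the join skipped when it does not match or evaluation throws, e.g. `if (permissionFilter && !FilterUtility::EvaluateFilter(frame, permissionFilter.get(), joinedObj)) continue;` with a ScriptFrame prepared for the check. HandleRequest continues past the end of the hunk, so if the filter is enforced further down, a comment at the `typePermissions` declaration saying where would make that visible.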