tyler.durden
/
icinga2
mirror of https://github.com/Icinga/icinga2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Evaluate permission filters also on all joined relations

This commit is contained in:
Yonas Habteab 2022-10-05 17:52:29 +02:00
parent 607f7ab5ca
commit 72e6894bbb
1 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
lib/remote/objectqueryhandler.cpp
View File

@ -191,6 +191,7 @@ bool ObjectQueryHandler::HandleRequest(
}
std::unordered_map<Type*, std::pair<bool, Expression::Ptr>> typePermissions;
std::unordered_map<Object*, bool> objectAccessAllowed;
for (const ConfigObject::Ptr& obj : objs) {
DictionaryData result1{
@ -283,6 +284,28 @@ bool ObjectQueryHandler::HandleRequest(
continue;
}
auto relation = objectAccessAllowed.find(joinedObj.get());
bool accessAllowed;
if (relation == objectAccessAllowed.end()) {
ScriptFrame permissionFrame(false, new Namespace());
try {
accessAllowed = FilterUtility::EvaluateFilter(permissionFrame, permissionFilter.get(), joinedObj);
} catch (const ScriptError& err) {
accessAllowed = false;
}
objectAccessAllowed.insert({joinedObj.get(), accessAllowed});
} else {
accessAllowed = relation->second;
}
if (!accessAllowed) {
// Access denied
continue;
}
String prefix = field.NavigationName;
try {