DirectorObjectForm: do not allow to store...

...IcingaHost objects you wouldn't be allowed to see afterwards

fixes #1451
Thomas Gelf 2018-03-28 18:30:53 +02:00
parent 3e46602802
commit 8c7897ee46
2 changed files with 13 additions and 0 deletions


@ -13,6 +13,7 @@ before switching to a new version.
### Permissions and Restrictions
* FEATURE: Showing the executed SQL query now requires the `showsql` permission
* FEATURE: Grant access to Service Set in a controlled way
* FIX: do not allow a user to create hosts he wouldn't be allowed to see #1451
### User Interface
* FEATURE: Admins have now access to JSON download links in many places


@ -4,14 +4,17 @@ namespace Icinga\Module\Director\Web\Form;
use Exception;
use Icinga\Authentication\Auth;
use Icinga\Exception\AuthenticationException;
use Icinga\Module\Director\Db;
use Icinga\Module\Director\Data\Db\DbObject;
use Icinga\Module\Director\Data\Db\DbObjectWithSettings;
use Icinga\Module\Director\Exception\NestingError;
use Icinga\Module\Director\IcingaConfig\StateFilterSet;
use Icinga\Module\Director\IcingaConfig\TypeFilterSet;
use Icinga\Module\Director\Objects\IcingaHost;
use Icinga\Module\Director\Objects\IcingaTemplateChoice;
use Icinga\Module\Director\Objects\IcingaObject;
use Icinga\Module\Director\Restriction\HostgroupRestriction;
use Icinga\Module\Director\Util;
use Icinga\Module\Director\Web\Form\Validate\NamePattern;
use Zend_Form_Element as ZfElement;
@ -630,6 +633,15 @@ abstract class DirectorObjectForm extends DirectorForm
{
$object = $this->object();
if ($object->hasBeenModified()) {
if ($object instanceof IcingaHost && $this->hasHostGroupRestriction()) {
$restriction = new HostgroupRestriction($this->db, $this->auth);
if (! $restriction->allowsHost($object)) {
throw new AuthenticationException($this->translate(
'Unable to store a host with the given properties because of insufficient permissions'
));
}
}
if (! $object->hasBeenLoadedFromDb()) {
$this->setHttpResponseCode(201);
}