ScheduledDowntime: introduce a new permission...

...and a related name-based restriction fixes #2086
2021-04-23 12:33:42 +02:00 · 2021-04-23 12:33:42 +02:00 · c5e25cdcc7
parent ebe1af13ea
commit c5e25cdcc7
9 changed files with 52 additions and 4 deletions
--- a/application/controllers/ScheduledDowntimeController.php
+++ b/application/controllers/ScheduledDowntimeController.php
@ -11,6 +11,11 @@ class ScheduledDowntimeController extends ObjectController
 {
    protected $objectBaseUrl = 'director/scheduled-downtime';

+    protected function checkDirectorPermissions()
+    {
+        $this->assertPermission('director/scheduled-downtimes');
+    }
+
    public function rangesAction()
    {
        /** @var IcingaScheduledDowntime $object */
--- a/application/controllers/ScheduledDowntimesController.php
+++ b/application/controllers/ScheduledDowntimesController.php
@ -34,4 +34,14 @@ class ScheduledDowntimesController extends ObjectsController
    {
        return 'scheduled-downtime';
    }
+
+    protected function assertApplyRulePermission()
+    {
+        return $this->assertPermission('director/scheduled-downtimes');
+    }
+
+    protected function checkDirectorPermissions()
+    {
+        $this->assertPermission('director/scheduled-downtimes');
+    }
 }
--- a/application/forms/IcingaScheduledDowntimeForm.php
+++ b/application/forms/IcingaScheduledDowntimeForm.php
@ -22,6 +22,10 @@ class IcingaScheduledDowntimeForm extends DirectorObjectForm
                'required' => true,
            ]);
        }
+
+        if ($this->object()->isApplyRule()) {
+            $this->eventuallyAddNameRestriction('director/scheduled-downtime/apply/filter-by-name');
+        }
        $this->addImportsElement();
        $this->addElement('text', 'author', [
            'label'       => $this->translate('Author'),
--- a/configuration.php
+++ b/configuration.php
@ -22,7 +22,11 @@ $this->providePermission('director/services', $this->translate('Allow to configu
 $this->providePermission('director/servicesets', $this->translate('Allow to configure service sets'));
 $this->providePermission('director/service_set/apply', $this->translate('Allow to define Service Set Apply Rules'));
 $this->providePermission('director/users', $this->translate('Allow to configure users'));
-$this->providePermission('director/notifications', $this->translate('Allow to configure notifications'));
+$this->providePermission('director/notifications', $this->translate('Allow to configure notifications (unrestricted)'));
+$this->providePermission(
+    'director/scheduled-downtimes',
+    $this->translate('Allow to configure notifications (unrestricted)')
+);
 $this->providePermission(
    'director/inspect',
    $this->translate(
@ -76,6 +80,13 @@ $this->provideRestriction(
    )
 );

+$this->provideRestriction(
+    'director/scheduled-downtime/apply/filter-by-name',
+    $this->translate(
+        'Filter available scheduled downtime rules'
+    )
+);
+
 $this->provideRestriction(
    'director/service_set/filter-by-name',
    $this->translate(
--- a/doc/82-Changelog.md
+++ b/doc/82-Changelog.md
@ -19,6 +19,7 @@ next (will be 1.9.0)

 ### Permissions and Restrictions
 * FEATURE: allow using monitoring module permissions (#2304)
+* FEATURE: it's now possible to grant (global) access to scheduled downtimes (#2086)

 ### User Interface
 * FIX: allow switching DB config while connection is failing (#2300)
--- a/library/Director/Dashboard/Dashlet/ScheduledDowntimeApplyDashlet.php
+++ b/library/Director/Dashboard/Dashlet/ScheduledDowntimeApplyDashlet.php
@ -13,6 +13,11 @@ class ScheduledDowntimeApplyDashlet extends Dashlet
        return $this->translate('Scheduled Downtimes');
    }

+    public function listRequiredPermissions()
+    {
+        return array('director/scheduled-downtimes');
+    }
+
    public function getUrl()
    {
        return 'director/scheduled-downtimes/applyrules';
--- a/library/Director/Web/Controller/ObjectController.php
+++ b/library/Director/Web/Controller/ObjectController.php
@ -434,9 +434,13 @@ abstract class ObjectController extends ActionController

    protected function assertTypePermission()
    {
-        return $this->assertPermission(
-            'director/' . strtolower($this->getPluralType())
-        );
+        $type = strtolower($this->getPluralType());
+        // TODO: Check getPluralType usage, fix it there.
+        if ($type === 'scheduleddowntimes') {
+            $type = 'scheduled-downtimes';
+        }
+
+        return $this->assertPermission("director/$type");
    }

    protected function eventuallyLoadObject()
--- a/library/Director/Web/Table/ApplyRulesTable.php
+++ b/library/Director/Web/Table/ApplyRulesTable.php
@ -175,6 +175,10 @@ class ApplyRulesTable extends ZfQueryBasedTable
    {
        $auth = Auth::getInstance();
        $type = $this->type;
+        // TODO: Centralize this logic
+        if ($type === 'scheduledDowntime') {
+            $type = 'scheduled-downtime';
+        }
        $restrictions = $auth->getRestrictions("director/$type/apply/filter-by-name");
        if (empty($restrictions)) {
            return $query;
--- a/library/Director/Web/Tabs/ObjectsTabs.php
+++ b/library/Director/Web/Tabs/ObjectsTabs.php
@ -20,6 +20,7 @@ class ObjectsTabs extends Tabs
        $shortName = $object->getShortTableName();

        $plType = strtolower(preg_replace('/cys$/', 'cies', $shortName . 's'));
+        $plType = str_replace('_', '-', $plType);
        if ($auth->hasPermission("director/${plType}")) {
            $this->add('index', array(
                'url'   => sprintf('director/%s', $plType),
@ -38,6 +39,9 @@ class ObjectsTabs extends Tabs
        if ($auth->hasPermission('director/admin') || (
            $object->getShortTableName() === 'notification'
            && $auth->hasPermission('director/notifications')
+        ) || (
+            $object->getShortTableName() === 'scheduled_downtime'
+            && $auth->hasPermission('director/scheduled-downtimes')
        )) {
            if ($object->supportsApplyRules()) {
                $this->add('applyrules', array(