From c1c5a161c9aa75706b9d1b055e34471012a02023 Mon Sep 17 00:00:00 2001
From: Thomas Gelf
Date: Mon, 24 Oct 2016 21:13:51 +0000
Subject: [PATCH 1/2] director/inspect: just a new permission setting
---
 configuration.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/configuration.php b/configuration.php
index b5d0ec23..57af23d1 100644
--- a/configuration.php
+++ b/configuration.php
@@ -3,6 +3,7 @@
 $this->providePermission('director/api', $this->translate('Allow to access the director API'));
 $this->providePermission('director/hosts/read', $this->translate('Allow to configure hosts'));
 $this->providePermission('director/hosts/write', $this->translate('Allow to configure hosts'));
+$this->providePermission('director/inspect', $this->translate('Allow to inspect objects through the Icinga 2 API'));
 $this->providePermission('director/templates/read', $this->translate('Allow to see template details'));
 $this->providePermission('director/templates/write', $this->translate('Allow to configure templates'));
From d00644956474072afa5c59a8eedc5c8507a549fa Mon Sep 17 00:00:00 2001
From: Thomas Gelf
Date: Thu, 3 Nov 2016 11:49:04 +0100
Subject: [PATCH 2/2] inspect: enforce permissions fixes #11763 fixes #11764
---
 application/controllers/EndpointController.php | 1 +
 application/controllers/InspectController.php | 6 ++++++
 .../ProvidedHook/Monitoring/HostActions.php | 16 +++++++++++-----
 .../ProvidedHook/Monitoring/ServiceActions.php | 5 +++++
 4 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/application/controllers/EndpointController.php b/application/controllers/EndpointController.php
index 93be5156..5e64e2be 100644
--- a/application/controllers/EndpointController.php
+++ b/application/controllers/EndpointController.php
@@ -8,6 +8,7 @@ class EndpointController extends ObjectController
 {
 public function init()
 {
+ $this->assertPermission('director/inspect');
 parent::init();
 if ($this->object && $this->object->hasApiUser()) {
 $params['endpoint'] = $this->object->object_name;
diff --git a/application/controllers/InspectController.php b/application/controllers/InspectController.php
index 668bd369..65525dec 100644
--- a/application/controllers/InspectController.php
+++ b/application/controllers/InspectController.php
@@ -6,6 +6,12 @@ use Icinga\Module\Director\Web\Controller\ActionController;
 class InspectController extends ActionController
 {
+ public function init()
+ {
+ $this->assertPermission('director/inspect');
+ parent::init();
+ }
+
 public function typesAction()
 {
 $api = $this->api();
diff --git a/library/Director/ProvidedHook/Monitoring/HostActions.php b/library/Director/ProvidedHook/Monitoring/HostActions.php
index 24f8d861..3ae3538f 100644
--- a/library/Director/ProvidedHook/Monitoring/HostActions.php
+++ b/library/Director/ProvidedHook/Monitoring/HostActions.php
@@ -6,6 +6,7 @@ use Exception;
 use Icinga\Application\Config;
 use Icinga\Module\Director\Db;
 use Icinga\Module\Director\Objects\IcingaHost;
+use Icinga\Module\Director\Util;
 use Icinga\Module\Monitoring\Hook\HostActionsHook;
 use Icinga\Module\Monitoring\Object\Host;
 use Icinga\Web\Url;
@@ -29,16 +30,21 @@ class HostActions extends HostActionsHook
 }
 if (IcingaHost::exists($host->host_name, $db)) {
- return array(
+ $actions = array(
 'Modify' => Url::fromPath(
 'director/host/edit',
 array('name' => $host->host_name)
- ),
- 'Inspect' => Url::fromPath(
- 'director/inspect/object',
- array('type' => 'host', 'plural' => 'hosts', 'name' => $host->host_name)
 )
 );
+
+ if (Util::hasPermission('director/inspect')) {
+ $actions['Inspect'] = Url::fromPath(
+ 'director/inspect/object',
+ array('type' => 'host', 'plural' => 'hosts', 'name' => $host->host_name)
+ );
+ }
+
+ return $actions;
 } else {
 return array();
 }
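Review bot: In EndpointController::init() the added `$this->assertPermission('director/inspect');` applies to every action this controller serves, not only to the inspect feature, so a user without the permission presumably loses all endpoint pages. If only the inspect part is meant to be restricted, the check belongs in the existing branch instead, e.g. `if (Util::hasPermission('director/inspect') && $this->object && $this->object->hasApiUser()) {`. If the controller-wide gate is intended, a comment such as `// Deny before parent::init() does any work for this request` would record why the call precedes `parent::init()`. The body of init() continues outside the hunk, so what the branch sets up is not visible here.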
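Review bot: The new InspectController::init() carries no docblock saying that the check is deliberately controller-wide; a line such as `/** Require director/inspect for every action in this controller. */` would tell whoever adds the next action that it is already covered. Keeping the assertion ahead of `parent::init()` is worth stating in that comment too. As far as this hunk shows, the permission is all-or-nothing: nothing visible here limits which object names a permitted user may request, so the permission description should be read as access to any object the Icinga 2 API returns.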
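Review bot: In the second HostActions.php hunk the 'Inspect' entry is now conditional on `Util::hasPermission('director/inspect')`, but the 'Modify' entry in the same array is still returned to every user, although configuration.php declares `director/hosts/write`. Hiding a link is presentation only; the enforcement for inspect is the `assertPermission()` call added to InspectController::init() in this same patch. So this is a consistency point rather than a hole, provided the host edit controller checks its own permission, which is not visible here. For symmetry the Modify entry could be added the same way: `if (Util::hasPermission('director/hosts/write')) { $actions['Modify'] = Url::fromPath('director/host/edit', array('name' => $host->host_name)); }`. The enclosing method starts above the hunk.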
diff --git a/library/Director/ProvidedHook/Monitoring/ServiceActions.php b/library/Director/ProvidedHook/Monitoring/ServiceActions.php
index 4c9414c1..65b8507b 100644
--- a/library/Director/ProvidedHook/Monitoring/ServiceActions.php
+++ b/library/Director/ProvidedHook/Monitoring/ServiceActions.php
@@ -6,6 +6,7 @@ use Exception;
 use Icinga\Application\Config;
 use Icinga\Module\Director\Db;
 use Icinga\Module\Director\Objects\IcingaHost;
+use Icinga\Module\Director\Util;
 use Icinga\Module\Monitoring\Hook\ServiceActionsHook;
 use Icinga\Module\Monitoring\Object\Service;
 use Icinga\Web\Url;
@@ -23,6 +24,10 @@ class ServiceActions extends ServiceActionsHook
 protected function getThem(Service $service)
 {
+ if (! Util::hasPermission('director/inspect')) {
+ return array();
+ }
+
 $db = $this->db();
 if (! $db) {
 return array();
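Review bot: The guard added at the top of getThem() in ServiceActions.php returns an empty array for users without `director/inspect`, which suppresses every service action, whereas HostActions.php gates only the 'Inspect' entry. The rest of getThem() lies outside the hunk; if it only ever returns inspect links, the early return is fine and deserves a comment saying so, for example `// All actions offered here are inspect links, so skip the DB lookup without the permission`. If another kind of action is added later, the check should move next to the Inspect entry as in HostActions.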