From 17e7f1e7543ced6889192becddf0cb1690691b96 Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@netways.de>
Date: Mon, 1 Jun 2015 16:43:11 +0200
Subject: [PATCH] Link the roles configuration with the user and group
 management

refs #8826
---
 application/controllers/ConfigController.php  | 10 ----
 application/controllers/RolesController.php   | 51 +++----------------
 .../Web/Controller/AuthBackendController.php  | 13 +++++
 3 files changed, 20 insertions(+), 54 deletions(-)

diff --git a/application/controllers/ConfigController.php b/application/controllers/ConfigController.php
index 321fcf882..ab4b62049 100644
--- a/application/controllers/ConfigController.php
+++ b/application/controllers/ConfigController.php
@@ -61,16 +61,6 @@ class ConfigController extends Controller
             ));
             $allowedActions[] = 'resource';
         }
-        if ($auth->hasPermission('config/application/roles')) {
-            $tabs->add('roles', array(
-                'title' => $this->translate(
-                    'Configure roles to permit or restrict users and groups accessing Icinga Web 2'
-                ),
-                'label' => $this->translate('Roles'),
-                'url'   => 'roles'
-            ));
-            $allowedActions[] = 'roles';
-        }
         $this->firstAllowedAction = array_shift($allowedActions);
     }
 
diff --git a/application/controllers/RolesController.php b/application/controllers/RolesController.php
index d4b7b7c63..b889083c6 100644
--- a/application/controllers/RolesController.php
+++ b/application/controllers/RolesController.php
@@ -4,61 +4,21 @@
 use Icinga\Application\Config;
 use Icinga\Forms\ConfirmRemovalForm;
 use Icinga\Forms\Security\RoleForm;
-use Icinga\Web\Controller\ActionController;
+use Icinga\Web\Controller\AuthBackendController;
 use Icinga\Web\Notification;
-use Icinga\Web\Widget;
 
 /**
  * Roles configuration
  */
-class RolesController extends ActionController
+class RolesController extends AuthBackendController
 {
-    /**
-     * Initialize tabs and validate the user's permissions
-     *
-     * @throws \Icinga\Security\SecurityException   If the user lacks permissions for configuring roles
-     */
-    public function init()
-    {
-        $this->assertPermission('config/application/roles');
-        $tabs = $this->getTabs();
-        $auth = $this->Auth();
-        if ($auth->hasPermission('config/application/general')) {
-            $tabs->add('application', array(
-                'title' => $this->translate('Adjust the general configuration of Icinga Web 2'),
-                'label' => $this->translate('Application'),
-                'url'   => 'config'
-            ));
-        }
-        if ($auth->hasPermission('config/application/authentication')) {
-            $tabs->add('authentication', array(
-                'title' => $this->translate('Configure how users authenticate with and log into Icinga Web 2'),
-                'label' => $this->translate('Authentication'),
-                'url'   => 'config/authentication'
-            ));
-        }
-        if ($auth->hasPermission('config/application/resources')) {
-            $tabs->add('resource', array(
-                'title' => $this->translate('Configure which resources are being utilized by Icinga Web 2'),
-                'label' => $this->translate('Resources'),
-                'url'   => 'config/resource'
-            ));
-        }
-        $tabs->add('roles', array(
-            'title' => $this->translate(
-                'Configure roles to permit or restrict users and groups accessing Icinga Web 2'
-            ),
-            'label' => $this->translate('Roles'),
-            'url'   => 'roles'
-        ));
-    }
-
     /**
      * List roles
      */
     public function indexAction()
     {
-        $this->view->tabs->activate('roles');
+        $this->assertPermission('config/application/roles');
+        $this->createListTabs()->activate('roles');
         $this->view->roles = Config::app('roles', true);
     }
 
@@ -67,6 +27,7 @@ class RolesController extends ActionController
      */
     public function newAction()
     {
+        $this->assertPermission('config/application/roles');
         $role = new RoleForm(array(
             'onSuccess' => function (RoleForm $role) {
                 $name = $role->getElement('name')->getValue();
@@ -100,6 +61,7 @@ class RolesController extends ActionController
      */
     public function updateAction()
     {
+        $this->assertPermission('config/application/roles');
         $name = $this->_request->getParam('role');
         if (empty($name)) {
             throw new Zend_Controller_Action_Exception(
@@ -149,6 +111,7 @@ class RolesController extends ActionController
      */
     public function removeAction()
     {
+        $this->assertPermission('config/application/roles');
         $name = $this->_request->getParam('role');
         if (empty($name)) {
             throw new Zend_Controller_Action_Exception(
diff --git a/library/Icinga/Web/Controller/AuthBackendController.php b/library/Icinga/Web/Controller/AuthBackendController.php
index 5b2a4f18e..a3d93e0f8 100644
--- a/library/Icinga/Web/Controller/AuthBackendController.php
+++ b/library/Icinga/Web/Controller/AuthBackendController.php
@@ -163,6 +163,19 @@ class AuthBackendController extends Controller
             );
         }
 
+        if ($this->hasPermission('config/application/roles')) {
+            $tabs->add(
+                'roles',
+                array(
+                    'title' => $this->translate(
+                        'Configure roles to permit or restrict users and groups accessing Icinga Web 2'
+                    ),
+                    'label' => $this->translate('Roles'),
+                    'url'   => 'roles'
+                )
+            );
+        }
+
         return $tabs;
     }
 }