From 6eb0139446082d852cfd594cee4028cc60f7c02a Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Mon, 1 Feb 2021 15:19:17 +0100
Subject: [PATCH] User: Move `$user:local_name$` handling to class
 `AdmissionLoader`

This way it also adjusts the roles directly, and not just their
copies for the user object
---
 library/Icinga/Authentication/AdmissionLoader.php | 6 +++++-
 library/Icinga/User.php                           | 4 ----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/library/Icinga/Authentication/AdmissionLoader.php b/library/Icinga/Authentication/AdmissionLoader.php
index 049b37c36..38ad18dd3 100644
--- a/library/Icinga/Authentication/AdmissionLoader.php
+++ b/library/Icinga/Authentication/AdmissionLoader.php
@@ -155,9 +155,13 @@ class AdmissionLoader
                         array_diff($role->getPermissions(), $permissions)
                     );
 
-                    foreach ($role->getRestrictions() as $name => $restriction) {
+                    $roleRestrictions = $role->getRestrictions();
+                    foreach ($roleRestrictions as $name => & $restriction) {
+                        $restriction = str_replace('$user:local_name$', $user->getLocalUsername(), $restriction);
                         $restrictions[$name][] = $restriction;
                     }
+
+                    $role->setRestrictions($roleRestrictions);
                 }
             }
         }
diff --git a/library/Icinga/User.php b/library/Icinga/User.php
index 833a4c84b..2bc9ebec8 100644
--- a/library/Icinga/User.php
+++ b/library/Icinga/User.php
@@ -252,10 +252,6 @@ class User
      */
     public function setRestrictions(array $restrictions)
     {
-        foreach ($restrictions as $name => $restriction) {
-            $restrictions[$name] = str_replace('$user:local_name$', $this->getLocalUsername(), $restriction);
-        }
-
         $this->restrictions = $restrictions;
         return $this;
     }