diff --git a/library/Icinga/User.php b/library/Icinga/User.php
index 0d237831d..ef5a0ff62 100644
--- a/library/Icinga/User.php
+++ b/library/Icinga/User.php
@@ -579,7 +579,7 @@ class User
$wildcard = strpos($grantedPermission, '*');
}
- if ($wildcard !== false) {
+ if ($wildcard !== false && $wildcard > 0) {
if (substr($requiredPermission, 0, $wildcard) === substr($grantedPermission, 0, $wildcard)) {
return true;
}
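Review bot: The new `$wildcard > 0` guard has no comment saying why offset 0 is excluded, and the reason is not obvious from the condition. With an offset of 0 both `substr()` calls on the following line return an empty string and compare equal, so a required permission of `*` would presumably have matched any grant that reached this branch; the `hasPermission('*')` checks added elsewhere in this commit depend on that not happening. I would add `// Offset 0 would compare two empty prefixes and match everything; only a non-leading wildcard is a prefix match` above the `if`, and a unit test asserting that a user holding only `monitoring/*` is not granted `*`. The enclosing method starts and ends outside this hunk, so how a bare `*` grant is handled cannot be confirmed from here.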
diff --git a/modules/monitoring/application/controllers/ListController.php b/modules/monitoring/application/controllers/ListController.php
index 737475199..ca923ba00 100644
--- a/modules/monitoring/application/controllers/ListController.php
+++ b/modules/monitoring/application/controllers/ListController.php
@@ -3,6 +3,7 @@
namespace Icinga\Module\Monitoring\Controllers;
+use Icinga\Security\SecurityException;
use Icinga\Web\Form;
use Zend_Form;
use Icinga\Data\Filter\Filter;
@@ -308,6 +309,10 @@ class ListController extends Controller
*/
public function contactsAction()
{
+ if (! $this->hasPermission('*') && $this->hasPermission('no-monitoring/contacts')) {
+ throw new SecurityException('No permission for %s', 'monitoring/contacts');
+ }
+
$this->addTitleTab(
'contacts',
$this->translate('Contacts'),
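Review bot: The deny check `! $this->hasPermission('*') && $this->hasPermission('no-monitoring/contacts')` is written out by hand here and again in `contactgroupsAction()`, in `ShowController::contactAction()`, and in negated form in detail-content.phtml, configuration.php and MonitoredObjectController, so six copies have to stay in step for the restriction to hold. A single protected helper on the shared monitoring `Controller` that performs the check and throws would leave one place to get right and would make a missed endpoint easier to spot in review. The exception text also names `monitoring/contacts`, which is not among the permissions configuration.php provides in this commit; naming `no-monitoring/contacts` would tell an administrator which role setting caused the denial. Only these three actions are guarded in the hunks shown; any other action that returns contact names would need the same check, which cannot be verified from this diff.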
@@ -387,6 +392,10 @@ class ListController extends Controller
*/
public function contactgroupsAction()
{
+ if (! $this->hasPermission('*') && $this->hasPermission('no-monitoring/contacts')) {
+ throw new SecurityException('No permission for %s', 'monitoring/contacts');
+ }
+
$this->addTitleTab(
'contactgroups',
$this->translate('Contact Groups'),
diff --git a/modules/monitoring/application/controllers/ShowController.php b/modules/monitoring/application/controllers/ShowController.php
index 2af7d46d8..da495eee4 100644
--- a/modules/monitoring/application/controllers/ShowController.php
+++ b/modules/monitoring/application/controllers/ShowController.php
@@ -5,6 +5,7 @@ namespace Icinga\Module\Monitoring\Controllers;
use Icinga\Module\Monitoring\Backend;
use Icinga\Module\Monitoring\Controller;
+use Icinga\Security\SecurityException;
use Icinga\Web\Url;
/**
@@ -28,6 +29,10 @@ class ShowController extends Controller
public function contactAction()
{
+ if (! $this->hasPermission('*') && $this->hasPermission('no-monitoring/contacts')) {
+ throw new SecurityException('No permission for %s', 'monitoring/contacts');
+ }
+
$contactName = $this->params->getRequired('contact_name');
$this->getTabs()->add('contact-detail', [
diff --git a/modules/monitoring/application/views/scripts/partials/object/detail-content.phtml b/modules/monitoring/application/views/scripts/partials/object/detail-content.phtml
index 3ab6dab17..0dc4572ec 100644
--- a/modules/monitoring/application/views/scripts/partials/object/detail-content.phtml
+++ b/modules/monitoring/application/views/scripts/partials/object/detail-content.phtml
@@ -26,7 +26,9 @@
= $this->render('show/components/notifications.phtml') ?>
+ hasPermission('*') || ! $this->hasPermission('no-monitoring/contacts')): ?>
= $this->render('show/components/contacts.phtml') ?>
+
diff --git a/modules/monitoring/configuration.php b/modules/monitoring/configuration.php
index c2372ef78..867ffc43d 100644
--- a/modules/monitoring/configuration.php
+++ b/modules/monitoring/configuration.php
@@ -1,6 +1,8 @@
providePermission(
@@ -83,6 +85,10 @@ $this->providePermission(
'monitoring/command/send-custom-notification',
$this->translate('Allow sending custom notifications for hosts and services')
);
+$this->providePermission(
+ 'no-monitoring/contacts',
+ $this->translate('Prohibit access to contacts and contactgroups')
+);
$this->provideRestriction(
'monitoring/filter/objects',
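Review bot: `no-monitoring/contacts` is registered through `providePermission()` like the grants above it, but it works the other way round: holding it removes access, and every check in this commit lets `*` override it. Nothing at this call says so, and the description string does not mention the override either. I would add a comment such as `// Negative permission: a role that holds it loses access to contacts, unless the user also holds '*'`. Because the restriction is opt-in, roles that are never assigned it keep full access to contacts, which is worth stating in the role documentation.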
@@ -212,18 +218,24 @@ $section->add(N_('Hostgroups'), array(
'url' => 'monitoring/list/hostgroups',
'priority' => 60
));
-$section->add(N_('Contacts'), array(
- 'icon' => 'user',
- 'description' => $this->translate('List contacts'),
- 'url' => 'monitoring/list/contacts',
- 'priority' => 70
-));
-$section->add(N_('Contactgroups'), array(
- 'icon' => 'users',
- 'description' => $this->translate('List users'),
- 'url' => 'monitoring/list/contactgroups',
- 'priority' => 70
-));
+
+// Checking the permission here since navigation items don't support negating permissions
+$auth = Auth::getInstance();
+if ($auth->hasPermission('*') || ! $auth->hasPermission('no-monitoring/contacts')) {
+ $section->add(N_('Contacts'), array(
+ 'icon' => 'user',
+ 'description' => $this->translate('List contacts'),
+ 'url' => 'monitoring/list/contacts',
+ 'priority' => 70
+ ));
+ $section->add(N_('Contactgroups'), array(
+ 'icon' => 'users',
+ 'description' => $this->translate('List users'),
+ 'url' => 'monitoring/list/contactgroups',
+ 'priority' => 70
+ ));
+}
+
$section->add(N_('Comments'), array(
'icon' => 'chat-empty',
'description' => $this->translate('List comments'),
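Review bot: The comment above `Auth::getInstance()` explains why the check sits in configuration.php but not that it only hides the two menu entries. The URLs `monitoring/list/contacts` and `monitoring/list/contactgroups` stay routable, and access is actually refused by the checks added to the controllers in this commit. I would extend the comment with `// Cosmetic only: the list actions enforce the restriction themselves` so nobody later treats the menu condition as the access control.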
diff --git a/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php b/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php
index f4a1d44d2..4d07ca8b9 100644
--- a/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php
+++ b/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php
@@ -149,11 +149,16 @@ abstract class MonitoredObjectController extends Controller
|| $this->getRequest()->getHeader('Accept') === 'application/json'
) {
$payload = (array) $this->object->properties;
- $payload += array(
- 'contacts' => $this->object->contacts->fetchPairs(),
- 'contact_groups' => $this->object->contactgroups->fetchPairs(),
- 'vars' => $this->object->customvars
- );
+ $payload['vars'] = $this->object->customvars;
+
+ if ($this->hasPermission('*') || ! $this->hasPermission('no-monitoring/contacts')) {
+ $payload['contacts'] = $this->object->contacts->fetchPairs();
+ $payload['contact_groups'] = $this->object->contactgroups->fetchPairs();
+ } else {
+ $payload['contacts'] = [];
+ $payload['contact_groups'] = [];
+ }
+
$groupName = $this->object->getType() . 'groups';
$payload[$groupName] = $this->object->$groupName;
$this->getResponse()->json()
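Review bot: Replacing `$payload += array(...)` with direct assignments changes which value wins when `properties` already carries a key named `vars`, `contacts` or `contact_groups`: the union operator kept the existing entry, the assignments overwrite it. For the deny branch that is the safer behaviour, since the two keys are forced to `[]`, but it is not stated anywhere and it also applies to `vars`. A short comment such as `// Assign rather than union so these keys cannot be pre-filled from properties` would record the intent. Whether `properties` holds other contact-related fields that still reach the JSON response cannot be told from this hunk, and the enclosing method starts and ends outside it.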