From a327c9320031d457e5e05d5519b166ba082ba215 Mon Sep 17 00:00:00 2001
From: Markus Frosch
Date: Wed, 2 Mar 2016 22:35:03 +0100
Subject: [PATCH] Protect preference and navigation from guests

This is an implicit allowance to the user/* permission space, for any logged in user.

refs #11281
---
 application/controllers/NavigationController.php | 2 ++
 application/controllers/PreferenceController.php | 10 ++++++++++
 library/Icinga/User.php | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/application/controllers/NavigationController.php b/application/controllers/NavigationController.php
index 51b5dae1c..87d2486db 100644
--- a/application/controllers/NavigationController.php
+++ b/application/controllers/NavigationController.php
@@ -35,6 +35,8 @@ class NavigationController extends Controller
     {
         parent::init();
         $this->itemTypeConfig = Navigation::getItemTypeConfiguration();
+
+        $this->assertPermission('user/navigation');
     }
 
     /**
diff --git a/application/controllers/PreferenceController.php b/application/controllers/PreferenceController.php
index bb4655c27..5b8403ae0 100644
--- a/application/controllers/PreferenceController.php
+++ b/application/controllers/PreferenceController.php
@@ -18,6 +18,16 @@ use Icinga\Web\Widget\Tab;
  */
 class PreferenceController extends BasePreferenceController
 {
+    /**
+     * {@inheritdoc}
+     */
+    public function init()
+    {
+        parent::init();
+
+        $this->assertPermission('user/preference');
+    }
+
     /**
      * Create tabs for this preference controller
      *
diff --git a/library/Icinga/User.php b/library/Icinga/User.php
index 4ea6846d5..65678141d 100644
--- a/library/Icinga/User.php
+++ b/library/Icinga/User.php
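Review bot: In the NavigationController hunk the new `$this->assertPermission('user/navigation');` runs only after `Navigation::getItemTypeConfiguration()` has already been loaded, so an unauthorised request still does that setup work before being rejected. Placing the assertion directly after `parent::init();`, before the item type configuration is read, fails the request first and matches the order used in the PreferenceController hunk. The `init()` signature itself is outside the hunk, so whether anything else precedes these lines cannot be seen here.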
@@ -457,6 +457,12 @@ class User
             return true;
         }
 
+        // the user/* context is available for all default users
+        // TODO: verify security! (admin?)
+        if (!$this->isGuest() and strpos($requiredPermission, 'user/') === 0) {
+            return true;
+        }
+
         $requiredWildcard = strpos($requiredPermission, '*');
         foreach ($this->permissions as $grantedPermission) {
             if ($requiredWildcard !== false) {
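Review bot: The new early return carries `// TODO: verify security! (admin?)` into a path that grants every permission starting with `user/` to any non-guest, and a TODO on an authorisation decision should be resolved before merge rather than committed. Since the commit message states the allowance is intentional, the two comment lines are better replaced by the contract itself, e.g. `// Every authenticated (non-guest) user implicitly holds the whole user/* permission space; this grant is not subject to role configuration.` Note that the check sits before the loop over `$this->permissions`, so no role can withhold a `user/` permission and any future permission named under that prefix is granted automatically — if that is not wanted, the grant should be limited to the specific names the controllers assert. `&&` is the conventional operator in this position; `and` binds more loosely and is only harmless here because the condition is not assigned. The enclosing method starts and ends outside the hunk.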