From ab90b3e0a1f21be9c35d0bb6498af8a3f322f6e4 Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Wed, 24 Mar 2021 09:10:06 +0100
Subject: [PATCH] Role: Add param `$cascadeUpwards` also to public method
 `grant()`

---
 library/Icinga/Authentication/Role.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/library/Icinga/Authentication/Role.php b/library/Icinga/Authentication/Role.php
index 1fca29b9d..c409ba4db 100644
--- a/library/Icinga/Authentication/Role.php
+++ b/library/Icinga/Authentication/Role.php
@@ -253,19 +253,20 @@ class Role
      *
      * @param string $permission
      * @param bool $ignoreParent    Only evaluate the role's own permissions
+     * @param bool $cascadeUpwards  `false` if `foo/bar/*` and `foo/bar/raboof` should not match `foo/*`
      *
      * @return bool
      */
-    public function grants($permission, $ignoreParent = false)
+    public function grants($permission, $ignoreParent = false, $cascadeUpwards = true)
     {
         foreach ($this->permissions as $grantedPermission) {
-            if ($this->match($grantedPermission, $permission)) {
+            if ($this->match($grantedPermission, $permission, $cascadeUpwards)) {
                 return true;
             }
         }
 
         if (! $ignoreParent && $this->getParent() !== null) {
-            return $this->getParent()->grants($permission);
+            return $this->getParent()->grants($permission, false, $cascadeUpwards);
         }
 
         return false;