From b5334a063e550642bf1b8c8ee434e738b455bc83 Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Tue, 6 Apr 2021 16:09:45 +0200
Subject: [PATCH] PrivilegeAudit: Show missing restrictions if only parents
 restrict

---
 library/Icinga/Web/View/PrivilegeAudit.php | 32 ++++++++++++++--------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/library/Icinga/Web/View/PrivilegeAudit.php b/library/Icinga/Web/View/PrivilegeAudit.php
index 0e63fc9d1..affa6cd3f 100644
--- a/library/Icinga/Web/View/PrivilegeAudit.php
+++ b/library/Icinga/Web/View/PrivilegeAudit.php
@@ -199,8 +199,8 @@ class PrivilegeAudit extends BaseHtmlElement
                 break;
             }
 
-            if (($roleRestriction = $role->getRestrictions($restriction)) !== null) {
-                $restrictedBy[] = $role->getName();
+            foreach ($this->collectRestrictions($role, $restriction) as $role => $roleRestriction) {
+                $restrictedBy[] = $role;
                 $restrictions[] = $roleRestriction;
             }
         }
@@ -216,13 +216,15 @@ class PrivilegeAudit extends BaseHtmlElement
                             'Restricted by %s and %s as well as %d others',
                             count($restrictedBy) - 2
                         ),
-                        $restrictedBy[0],
-                        $restrictedBy[1],
+                        $restrictedBy[0]->getName(),
+                        $restrictedBy[1]->getName(),
                         count($restrictedBy) - 2
                     )
                     : sprintf(
                         tp('Restricted by %s', 'Restricted by %s and %s', count($restrictedBy)),
-                        ...$restrictedBy
+                        ...array_map(function ($role) {
+                            return $role->getName();
+                        }, $restrictedBy)
                     )
             ]);
         } else {
@@ -237,7 +239,9 @@ class PrivilegeAudit extends BaseHtmlElement
                     new HtmlElement('span', [
                         'class' => 'role',
                         'title' => t('All roles combined')
-                    ], join(' | ', $restrictedBy)),
+                    ], join(' | ', array_map(function ($role) {
+                        return $role->getName();
+                    }, $restrictedBy))),
                     new HtmlElement('code', ['class' => 'restriction'], $combinedRestrictions)
                 ]),
                 $combinedLinks ? new HtmlElement('div', ['class' => 'previews'], [
@@ -247,11 +251,7 @@ class PrivilegeAudit extends BaseHtmlElement
             ]);
         }
 
-        foreach ($this->roles as $role) {
-            if (! in_array($role->getName(), $restrictedBy, true)) {
-                continue;
-            }
-
+        foreach ($restrictedBy as $role) {
             list($roleRestriction, $restrictionLinks) = $this->createRestrictionLinks(
                 $restriction,
                 [$role->getRestrictions($restriction)]
@@ -422,6 +422,16 @@ class PrivilegeAudit extends BaseHtmlElement
         }
     }
 
+    private function collectRestrictions(Role $role, $restrictionName)
+    {
+        do {
+            $restriction = $role->getRestrictions($restrictionName);
+            if ($restriction) {
+                yield $role => $restriction;
+            }
+        } while (($role = $role->getParent()) !== null);
+    }
+
     private function createRestrictionLinks($restrictionName, array $restrictions)
     {
         // TODO: Remove this hardcoded mess. Do this based on the restriction's meta data