monitoring: Apply permission `no-monitoring/contacts` where applicable

2019-12-05 08:50:51 +01:00 · 2019-12-05 08:50:51 +01:00 · bb7f1cd24b
parent a9d5f2a6f0
commit bb7f1cd24b
5 changed files with 46 additions and 17 deletions
--- a/modules/monitoring/application/controllers/ListController.php
+++ b/modules/monitoring/application/controllers/ListController.php
@ -3,6 +3,7 @@

 namespace Icinga\Module\Monitoring\Controllers;

+use Icinga\Security\SecurityException;
 use Icinga\Web\Form;
 use Zend_Form;
 use Icinga\Data\Filter\Filter;
@ -308,6 +309,10 @@ class ListController extends Controller
     */
    public function contactsAction()
    {
+        if (! $this->hasPermission('*') && $this->hasPermission('no-monitoring/contacts')) {
+            throw new SecurityException('No permission for %s', 'monitoring/contacts');
+        }
+
        $this->addTitleTab(
            'contacts',
            $this->translate('Contacts'),
@ -387,6 +392,10 @@ class ListController extends Controller
     */
    public function contactgroupsAction()
    {
+        if (! $this->hasPermission('*') && $this->hasPermission('no-monitoring/contacts')) {
+            throw new SecurityException('No permission for %s', 'monitoring/contacts');
+        }
+
        $this->addTitleTab(
            'contactgroups',
            $this->translate('Contact Groups'),
--- a/modules/monitoring/application/controllers/ShowController.php
+++ b/modules/monitoring/application/controllers/ShowController.php
@ -5,6 +5,7 @@ namespace Icinga\Module\Monitoring\Controllers;

 use Icinga\Module\Monitoring\Backend;
 use Icinga\Module\Monitoring\Controller;
+use Icinga\Security\SecurityException;
 use Icinga\Web\Url;

 /**
@ -28,6 +29,10 @@ class ShowController extends Controller

    public function contactAction()
    {
+        if (! $this->hasPermission('*') && $this->hasPermission('no-monitoring/contacts')) {
+            throw new SecurityException('No permission for %s', 'monitoring/contacts');
+        }
+
        $contactName = $this->params->getRequired('contact_name');

        $this->getTabs()->add('contact-detail', [
--- a/modules/monitoring/application/views/scripts/partials/object/detail-content.phtml
+++ b/modules/monitoring/application/views/scripts/partials/object/detail-content.phtml
@ -26,7 +26,9 @@
    <table class="name-value-table">
    <tbody>
        <?= $this->render('show/components/notifications.phtml') ?>
+    <?php if ($this->hasPermission('*') || ! $this->hasPermission('no-monitoring/contacts')): ?>
        <?= $this->render('show/components/contacts.phtml') ?>
+    <?php endif ?>
    </tbody>
    </table>

--- a/modules/monitoring/configuration.php
+++ b/modules/monitoring/configuration.php
@ -1,6 +1,8 @@
 <?php
 /* Icinga Web 2 | (c) 2014 Icinga Development Team | GPLv2+ */

+use Icinga\Authentication\Auth;
+
 /** @var $this \Icinga\Application\Modules\Module */

 $this->providePermission(
@ -216,18 +218,24 @@ $section->add(N_('Hostgroups'), array(
    'url'         => 'monitoring/list/hostgroups',
    'priority'    => 60
 ));
-$section->add(N_('Contacts'), array(
-    'icon'        => 'user',
-    'description' => $this->translate('List contacts'),
-    'url'         => 'monitoring/list/contacts',
-    'priority'    => 70
-));
-$section->add(N_('Contactgroups'), array(
-    'icon'        => 'users',
-    'description' => $this->translate('List users'),
-    'url'         => 'monitoring/list/contactgroups',
-    'priority'    => 70
-));
+
+// Checking the permission here since navigation items don't support negating permissions
+$auth = Auth::getInstance();
+if ($auth->hasPermission('*') || ! $auth->hasPermission('no-monitoring/contacts')) {
+    $section->add(N_('Contacts'), array(
+        'icon'        => 'user',
+        'description' => $this->translate('List contacts'),
+        'url'         => 'monitoring/list/contacts',
+        'priority'    => 70
+    ));
+    $section->add(N_('Contactgroups'), array(
+        'icon'        => 'users',
+        'description' => $this->translate('List users'),
+        'url'         => 'monitoring/list/contactgroups',
+        'priority'    => 70
+    ));
+}
+
 $section->add(N_('Comments'), array(
    'icon'        => 'chat-empty',
    'description' => $this->translate('List comments'),
--- a/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php
+++ b/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php
@ -149,11 +149,16 @@ abstract class MonitoredObjectController extends Controller
            || $this->getRequest()->getHeader('Accept') === 'application/json'
        ) {
            $payload = (array) $this->object->properties;
-            $payload += array(
-                'contacts'          => $this->object->contacts->fetchPairs(),
-                'contact_groups'    => $this->object->contactgroups->fetchPairs(),
-                'vars'              => $this->object->customvars
-            );
+            $payload['vars'] = $this->object->customvars;
+
+            if ($this->hasPermission('*') || ! $this->hasPermission('no-monitoring/contacts')) {
+                $payload['contacts'] = $this->object->contacts->fetchPairs();
+                $payload['contact_groups'] = $this->object->contactgroups->fetchPairs();
+            } else {
+                $payload['contacts'] = [];
+                $payload['contact_groups'] = [];
+            }
+
            $groupName = $this->object->getType() . 'groups';
            $payload[$groupName] = $this->object->$groupName;
            $this->getResponse()->json()