From c8b1693fdc20309e1e6302673e8f2a5fdf5edc47 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Wed, 31 Aug 2016 13:19:30 +0200
Subject: [PATCH] Fix Controller::assertPermission() allowing everything for unauthenticated requests

fixes #12108
---
 library/Icinga/Web/Controller/ActionController.php | 2 +-
 library/Icinga/Web/Controller/ModuleActionController.php | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/library/Icinga/Web/Controller/ActionController.php b/library/Icinga/Web/Controller/ActionController.php
index 0703e4e98..655a85aca 100644
--- a/library/Icinga/Web/Controller/ActionController.php
+++ b/library/Icinga/Web/Controller/ActionController.php
@@ -179,7 +179,7 @@ class ActionController extends Zend_Controller_Action
 */
 public function assertPermission($permission)
 {
- if ($this->requiresAuthentication && ! $this->Auth()->hasPermission($permission)) {
+ if (! $this->Auth()->hasPermission($permission)) {
 throw new SecurityException('No permission for %s', $permission);
 }
 }
diff --git a/library/Icinga/Web/Controller/ModuleActionController.php b/library/Icinga/Web/Controller/ModuleActionController.php
index 1ae32e10c..38826a84c 100644
--- a/library/Icinga/Web/Controller/ModuleActionController.php
+++ b/library/Icinga/Web/Controller/ModuleActionController.php
@@ -26,7 +26,8 @@ class ModuleActionController extends ActionController
 protected function prepareInit()
 {
 $this->moduleInit();
- if ($this->getFrontController()->getDefaultModule() !== $this->getModuleName()) {
+ if ($this->requiresLogin()
+ && $this->getFrontController()->getDefaultModule() !== $this->getModuleName()) {
 $this->assertPermission(Manager::MODULE_PERMISSION_NS . $this->getModuleName());
 }
 }
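Review bot: The docblock above `assertPermission()` (it starts outside this hunk) should state the new contract, because the check no longer depends on `requiresAuthentication` and a controller that sets that flag to false will now get a `SecurityException` for every anonymous request that reaches this call. A line such as `Enforced regardless of $requiresAuthentication; requests without the permission, including anonymous ones, are always denied.` would make that explicit for authors of public controllers. The fix also relies on `$this->Auth()->hasPermission()` returning false, rather than failing, when no user is logged in; that method is not visible here, so a regression test for the anonymous case would be worth adding alongside this change.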
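Review bot: Gating the module permission check in `prepareInit()` on `$this->requiresLogin()` may skip it for the wrong requests, depending on what that method reports. Its body is not part of this diff; if it returns true only while a login is still outstanding (authentication required and the user not yet authenticated), then an authenticated user who lacks the module permission never reaches `assertPermission()`. If that is the case, the condition should also cover authenticated sessions, for example `if (($this->Auth()->isAuthenticated() || $this->requiresLogin())` followed by the existing default-module comparison. A short comment on the condition saying which requests are meant to bypass the module permission would help keep that intent reviewable.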