tyler.durden
/
icingaweb2
mirror of https://github.com/Icinga/icingaweb2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix Controller::assertPermission() allowing everything for unauthenticated requests 

fixes #12108
This commit is contained in:
Alexander A. Klimov 2016-08-31 13:19:30 +02:00 committed by Eric Lippmann
parent 4398267db5
commit c8b1693fdc
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
library/Icinga/Web/Controller/ActionController.php
View File

@ -179,7 +179,7 @@ class ActionController extends Zend_Controller_Action
*/ */
public function assertPermission($permission) public function assertPermission($permission)
{ {
if ($this->requiresAuthentication && ! $this->Auth()->hasPermission($permission)) { if (! $this->Auth()->hasPermission($permission)) {
throw new SecurityException('No permission for %s', $permission); throw new SecurityException('No permission for %s', $permission);
} }
} }

3
library/Icinga/Web/Controller/ModuleActionController.php
View File

@ -26,7 +26,8 @@ class ModuleActionController extends ActionController
protected function prepareInit() protected function prepareInit()
{ {
$this->moduleInit(); $this->moduleInit();
if ($this->getFrontController()->getDefaultModule() !== $this->getModuleName()) { if ($this->requiresLogin()
&& $this->getFrontController()->getDefaultModule() !== $this->getModuleName()) {
$this->assertPermission(Manager::MODULE_PERMISSION_NS . $this->getModuleName()); $this->assertPermission(Manager::MODULE_PERMISSION_NS . $this->getModuleName());
} }
} }