From d1aaaf7fb0dea779e35a05694e7c7efb447b2c0a Mon Sep 17 00:00:00 2001
From: Eric Lippmann
Date: Mon, 28 Jun 2021 14:26:42 +0200
Subject: [PATCH] Replace user:local_name with user.local_name macro in restrictions
---
 doc/06-Security.md | 7 +++++--
 doc/80-Upgrading.md | 2 ++
 library/Icinga/Authentication/AdmissionLoader.php | 9 ++++++++-
 3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/doc/06-Security.md b/doc/06-Security.md
index 6a3b67c1f..33fe6ccc0 100644
--- a/doc/06-Security.md
+++ b/doc/06-Security.md
@@ -154,10 +154,13 @@ application/share/groups | which groups a user can share navigation items with
 ### Username placeholder
 It is possible to reference the local username (without the domain part) of the user in restrictions. To accomplish
-this, put the macro `$user:local_name$` in the restriction where you want it to appear.
+this, put the macro `$user.local_name$` in the restriction where you want it to appear.
 This can come in handy if you have e.g. an attribute on hosts or services defining which user is responsible for it:
-`_host_deputy=$user:local_name$|_service_deputy=$user:local_name$`
+`_host_deputy=$user.local_name$|_service_deputy=$user.local_name$`
+
+> Please note that since version 2.9 the use of `user.local_name` instead of `user:local_name` is supported and
+> recommended. `user:local_name` is deprecated and will be removed in version 2.11.
 ### Filter Expressions
diff --git a/doc/80-Upgrading.md b/doc/80-Upgrading.md
index f1fcafacf..f0f08258d 100644
--- a/doc/80-Upgrading.md
+++ b/doc/80-Upgrading.md
@@ -10,6 +10,8 @@ v2.6 to v2.8 requires to follow the instructions for v2.7 too.
 * Support for EOL PHP versions (5.6, 7.0, 7.1 and 7.2) will be removed with version 2.11
 * Support for Internet Explorer will be completely removed with version 2.11
 * New features after v2.9 will already not (necessarily) be available in Internet Explorer
+* `user.local_name` replaces the `user:local_name` macro in restrictions, and the latter will be removed with
+ version 2.11
 ## Upgrading to Icinga Web 2 2.8.x
diff --git a/library/Icinga/Authentication/AdmissionLoader.php b/library/Icinga/Authentication/AdmissionLoader.php
index 30f59e502..54814c87f 100644
--- a/library/Icinga/Authentication/AdmissionLoader.php
+++ b/library/Icinga/Authentication/AdmissionLoader.php
@@ -204,7 +204,14 @@ class AdmissionLoader
 $roleRestrictions = $role->getRestrictions();
 foreach ($roleRestrictions as $name => & $restriction) {
- $restriction = str_replace('$user:local_name$', $user->getLocalUsername(), $restriction);
+ // TODO(el): user.local_name is supported since version 2.9.
+ // and therefore user:local_name is deprecated.
+ // The latter will be removed in version 2.11.
+ $restriction = str_replace(
+ ['$user.local_name$', '$user:local_name$'],
+ $user->getLocalUsername(),
+ $restriction
+ );
 $restrictions[$name][] = $restriction;
 }
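Review bot: The value of `$user->getLocalUsername()` is inserted into the restriction by `str_replace()` without escaping or validation, and the documentation changed in this same commit shows that restrictions are filter expressions (`_host_deputy=$user.local_name$|_service_deputy=$user.local_name$`). If an authentication backend can yield a local name containing filter syntax such as `|`, `&`, `(`, `)` or `*`, the substituted restriction may parse as a broader filter than the role author wrote; whether that can happen depends on the backends and the filter parser, neither of which is visible here. I would validate or escape the name before the substitution, or at minimum record the assumption next to the call, e.g. `// NOTE: the local username is inserted verbatim and must not contain filter operators or wildcards`. Separately, a role that still uses `$user:local_name$` is accepted silently, so logging a deprecation warning when that form is found would let operators migrate their restrictions before support is removed in 2.11. The enclosing method starts and ends outside the hunk.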