User: Consider the shortest wildcard permission more important

I hope we do not need a fourth attempt to get this right... fixes #10016
2015-08-27 14:24:04 +02:00 · 2015-08-27 14:24:04 +02:00 · f90f7b1528
parent eb30ecd776
commit f90f7b1528
1 changed files with 10 additions and 6 deletions
--- a/library/Icinga/User.php
+++ b/library/Icinga/User.php
@ -452,16 +452,19 @@ class User
        if (isset($this->permissions['*']) || isset($this->permissions[$requiredPermission])) {
            return true;
        }
-        // If the permission to check contains a wildcard, grant the permission if any permit related to the permission
-        // matches
-        $any = strpos($requiredPermission, '*');
+
+        $requiredWildcard = strpos($requiredPermission, '*');
        foreach ($this->permissions as $grantedPermission) {
-            if ($any !== false) {
-                $wildcard = $any;
+            if ($requiredWildcard !== false) {
+                if (($grantedWildcard = strpos($grantedPermission, '*')) !== false) {
+                    $wildcard = min($requiredWildcard, $grantedWildcard);
+                } else {
+                    $wildcard = $requiredWildcard;
+                }
            } else {
-                // If the permit contains a wildcard, grant the permission if it's related to the permit
                $wildcard = strpos($grantedPermission, '*');
            }
+
            if ($wildcard !== false) {
                if (substr($requiredPermission, 0, $wildcard) === substr($grantedPermission, 0, $wildcard)) {
                    return true;
@ -470,6 +473,7 @@ class User
                return true;
            }
        }
+
        return false;
    }
 }