From f90f7b15282b7b26b14bf205cddaefb965001438 Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Thu, 27 Aug 2015 14:24:04 +0200
Subject: [PATCH] User: Consider the shortest wildcard permission more important I hope we do not need a fourth attempt to get this right... fixes #10016
---
 library/Icinga/User.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/library/Icinga/User.php b/library/Icinga/User.php
index 31bb8812e..11d8177d1 100644
--- a/library/Icinga/User.php
+++ b/library/Icinga/User.php
@@ -452,16 +452,19 @@ class User
 if (isset($this->permissions['*']) || isset($this->permissions[$requiredPermission])) {
 return true;
 }
- // If the permission to check contains a wildcard, grant the permission if any permit related to the permission
- // matches
- $any = strpos($requiredPermission, '*');
+
+ $requiredWildcard = strpos($requiredPermission, '*');
 foreach ($this->permissions as $grantedPermission) {
- if ($any !== false) {
- $wildcard = $any;
+ if ($requiredWildcard !== false) {
+ if (($grantedWildcard = strpos($grantedPermission, '*')) !== false) {
+ $wildcard = min($requiredWildcard, $grantedWildcard);
+ } else {
+ $wildcard = $requiredWildcard;
+ }
 } else {
- // If the permit contains a wildcard, grant the permission if it's related to the permit
 $wildcard = strpos($grantedPermission, '*');
 }
+
 if ($wildcard !== false) {
 if (substr($requiredPermission, 0, $wildcard) === substr($grantedPermission, 0, $wildcard)) {
 return true;
@@ -470,6 +473,7 @@ class User
 return true;
 }
 }
+
 return false;
 }
 }
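Review bot: The first hunk deletes both comments that explained the wildcard rules and adds none, so the meaning of `min($requiredWildcard, $grantedWildcard)` inside an authorization decision is left for the reader to reverse-engineer. I would add a comment above the `if ($requiredWildcard !== false)` branch, for example `// Compare only up to the shortest wildcard prefix; a required wildcard is satisfied by any grant sharing that prefix`. When that offset is 0 (a required or granted string that starts with `*`), both `substr(..., 0, 0)` calls yield an empty prefix and the comparison succeeds for the first granted permission regardless of its name. Whether callers can pass such a value is not visible here, but it deserves an explicit decision and a regression test, since the patch touches only `User.php` and the commit message mentions earlier attempts. The method's signature and docblock lie outside the hunk.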