[ACL API] Fixed get planned_downtimes_items and added ACL to more the rest of get functions

2018-06-07 13:11:40 +02:00 · 2018-06-07 13:11:40 +02:00 · 054b915846
parent 2e1bb2ac9c
commit 054b915846
2 changed files with 60 additions and 11 deletions
--- a/pandora_console/include/functions_api.php
+++ b/pandora_console/include/functions_api.php
@ -93,6 +93,10 @@ function returnError($typeError, $returnType = 'string') {
 			returnData($returnType,
 				array('type' => 'string', 'data' => __('The user has not enough permission to make this action.')));
 			break;
+		case 'no_data_to_show':
+			returnData($returnType,
+				array('type' => 'string', 'data' => __('No data to show.')));
+			break;
 		default:
 			returnData("string",
 				array('type' => 'string', 'data' => __($returnType)));
@ -2116,6 +2120,7 @@ function api_get_group_agent_by_name($thrash1, $thrash2, $other, $thrash3) {
 	}
 	else {
 		$agent_id = agents_get_agent_id($other['data'][0],true);
+		if (!util_api_check_agent_and_print_error($agent_id, 'csv')) return;
 	
 		$sql = sprintf("SELECT groups.nombre nombre 
 			FROM tagente agents, tgrupo groups
@ -2149,7 +2154,11 @@ function api_get_group_agent_by_name($thrash1, $thrash2, $other, $thrash3) {
 * @param $thrash3 Don't use.
 */
 function api_get_group_agent_by_alias($thrash1, $thrash2, $other, $thrash3) {
-	
+	global $config;
+	if (!check_acl($config['id_user'], 0, "AR")) {
+		returnError('forbidden', 'csv');
+		return;
+	}
 	$group_names =array();
 	
 	if (is_metaconsole()) {
@ -2188,6 +2197,8 @@ function api_get_group_agent_by_alias($thrash1, $thrash2, $other, $thrash3) {
 		$agent_id = db_get_all_rows_sql($sql);

 		foreach ($agent_id as &$id) {
+			if(!users_access_to_agent($id['id_agente'])) continue;
+
 			$sql = sprintf("SELECT groups.nombre nombre 
 			FROM tagente agents, tgrupo groups
 			WHERE id_agente = %d 
@ -2303,6 +2314,8 @@ function api_get_id_group_agent_by_name($thrash1, $thrash2, $other, $thrash3) {
 	}
 	else {
 		$agent_id = agents_get_agent_id($other['data'][0],true);
+
+		if(!util_api_check_agent_and_print_error($agent_id, 'csv')) return;
 		
 		$sql = sprintf("SELECT groups.id_grupo id_group
 			FROM tagente agents, tgrupo groups
@ -2336,9 +2349,15 @@ function api_get_id_group_agent_by_name($thrash1, $thrash2, $other, $thrash3) {
 * @param $thrash3 Don't use.
 */
 function api_get_id_group_agent_by_alias($thrash1, $thrash2, $other, $thrash3) {
-	
+	global $config;
+
+	if (!check_acl($config['id_user'], 0, "AR")) {
+		returnError('forbidden', 'csv');
+		return;
+	}
+
 	$group_names =array();
-	
+
 	if (is_metaconsole()) {
 		$servers = db_get_all_rows_sql ("SELECT *
 			FROM tmetaconsole_setup
@ -2375,6 +2394,8 @@ function api_get_id_group_agent_by_alias($thrash1, $thrash2, $other, $thrash3) {
 		$agent_id = db_get_all_rows_sql($sql);

 		foreach ($agent_id as &$id) {
+			if(!users_access_to_agent($id['id_agente'])) continue;
+
 			$sql = sprintf("SELECT groups.id_grupo id_group
 			FROM tagente agents, tgrupo groups
 			WHERE id_agente = %d 
@ -5036,10 +5057,17 @@ function api_get_all_planned_downtimes ($thrash1, $thrash2, $other, $returnType
 */

 function api_get_planned_downtimes_items ($thrash1, $thrash2, $other, $returnType = 'json') {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
 	
+	if(!check_acl($config['id_user'], 0, "AR")) {
+		returnError('forbidden', $returnType);
+		return;
+	}
+ 
 	$values = array();
 	$values = array(
 		"name LIKE '%".$other['data'][0]."%'"
@ -5066,9 +5094,16 @@ function api_get_planned_downtimes_items ($thrash1, $thrash2, $other, $returnTyp
 		
 		$filter['id_downtime'] = $downtime['id'];
 		
-		$return[] = planned_downtimes_items ($filter);
+		$items = planned_downtimes_items ($filter);
+		if ($items !== false) $return[] = $items;
 	}
 	
+	// If the header is the unique element in the array, return an error
+	if (count($return) == 1) {
+		returnError('no_data_to_show', $returnType);
+		return;
+	}
+
 	if ($is_quiet)
 		$return['list_index'][] = 'modules';
 	
--- a/pandora_console/include/functions_planned_downtimes.php
+++ b/pandora_console/include/functions_planned_downtimes.php
@ -752,10 +752,20 @@ function planned_downtimes_items ($filter) {
 	
 	$downtime_agents = db_get_all_rows_filter('tplanned_downtime_agents',$filter, 'id_agent,id_downtime,all_modules');
 	$downtime = db_get_row_filter('tplanned_downtime',array('id' => $filter['id_downtime']), 'type_downtime');
-	
+
+	$return = array(
+		'id_agents' => array(),
+		'id_downtime' => $filter['id_downtime'],
+		'all_modules' => 0,
+		'modules' => array(),
+	);
 	foreach ( $downtime_agents as $key => $data ) {
-		$return = $data;
-		$modules = array();
+		// Do not add the agent information if no permissions
+		if (!agents_check_access_agent($data['id_agent'], "AR")) continue;
+
+		$return['id_agents'][] = $data['id_agent'];
+		$return['id_downtime'] = $data['id_downtime'];
+		$return['all_modules'] = $data['all_modules'];
 		if ($downtime['type_downtime'] === 'quiet') {
 			if (!$data['all_modules']) {
 				$second_filter = array(
@ -765,14 +775,18 @@ function planned_downtimes_items ($filter) {
 				$downtime_modules = db_get_all_rows_filter('tplanned_downtime_modules',$second_filter, 'id_agent_module');
 				if ( $downtime_modules ) {
 					foreach ( $downtime_modules as $data2 ) {
-						$modules[] = $data2['id_agent_module'];
+						$return['modules'][$data2['id_agent_module']] = $data2['id_agent_module'];
 					}
-					$return['modules'] = implode(',', $modules);
 				}
 			}
 		}
-	}
-	
+	} 
+
+	if (empty($return['id_agents'])) return false;
+
+	// Implode agents and modules
+	$return['id_agents'] = implode(',', $return['id_agents']);
+	$return['modules'] = implode(',', $return['modules']);
 	return $return;
 }