From 01997ff479428d9ff3fa0fa86a1c387dee75ac13 Mon Sep 17 00:00:00 2001
From: Alejandro Gallardo Escobar <alejandro.gallardo@artica.es>
Date: Mon, 30 Apr 2018 15:34:18 +0200
Subject: [PATCH 01/17] Added a select component to choose a timezone

---
 pandora_console/include/functions_html.php | 126 +++++++++++++++++++++
 1 file changed, 126 insertions(+)

diff --git a/pandora_console/include/functions_html.php b/pandora_console/include/functions_html.php
index 04cd81e0dd..a941a96790 100644
--- a/pandora_console/include/functions_html.php
+++ b/pandora_console/include/functions_html.php
@@ -2336,4 +2336,130 @@ function html_print_autocomplete_modules($name = 'module',
 		echo $output;
 	}
 }
+
+/**
+ * @param string Select form name
+ * @param string Current selected value
+ *
+ * @return string HTML code
+ */
+function html_print_timezone_select ($name, $selected = "") {
+	$timezones = array(
+		"Pacific/Midway"		=> "(GMT-11:00) " . __("Midway Island"),
+		"US/Samoa"				=> "(GMT-11:00) " . __("Samoa"),
+		"US/Hawaii"				=> "(GMT-10:00) " . __("Hawaii"),
+		"US/Alaska"				=> "(GMT-09:00) " . __("Alaska"),
+		"US/Pacific"			=> "(GMT-08:00) " . __("Pacific Time (US & Canada)"),
+		"America/Tijuana"		=> "(GMT-08:00) " . __("Tijuana"),
+		"US/Arizona"			=> "(GMT-07:00) " . __("Arizona"),
+		"US/Mountain"			=> "(GMT-07:00) " . __("Mountain Time (US & Canada)"),
+		"America/Chihuahua"		=> "(GMT-07:00) " . __("Chihuahua"),
+		"America/Mazatlan"		=> "(GMT-07:00) " . __("Mazatlan"),
+		"America/Mexico_City"	=> "(GMT-06:00) " . __("Mexico City"),
+		"America/Monterrey"		=> "(GMT-06:00) " . __("Monterrey"),
+		"Canada/Saskatchewan"	=> "(GMT-06:00) " . __("Saskatchewan"),
+		"US/Central"			=> "(GMT-06:00) " . __("Central Time (US & Canada)"),
+		"US/Eastern"			=> "(GMT-05:00) " . __("Eastern Time (US & Canada)"),
+		"US/East-Indiana"		=> "(GMT-05:00) " . __("Indiana (East)"),
+		"America/Bogota"		=> "(GMT-05:00) " . __("Bogota"),
+		"America/Lima"			=> "(GMT-05:00) " . __("Lima"),
+		"America/Caracas"		=> "(GMT-04:30) " . __("Caracas"),
+		"Canada/Atlantic"		=> "(GMT-04:00) " . __("Atlantic Time (Canada)"),
+		"America/La_Paz"		=> "(GMT-04:00) " . __("La Paz"),
+		"America/Santiago"		=> "(GMT-04:00) " . __("Santiago"),
+		"Canada/Newfoundland"	=> "(GMT-03:30) " . __("Newfoundland"),
+		"America/Buenos_Aires"	=> "(GMT-03:00) " . __("Buenos Aires"),
+		"Greenland'"			=> "(GMT-03:00) " . __("Greenland"),
+		"Atlantic/Stanley"		=> "(GMT-02:00) " . __("Stanley"),
+		"Atlantic/Azores"		=> "(GMT-01:00) " . __("Azores"),
+		"Atlantic/Cape_Verde"	=> "(GMT-01:00) " . __("Cape Verde Is."),
+		"Africa/Casablanca"		=> "(GMT+00:00) " . __("Casablanca"),
+		"Europe/Dublin"			=> "(GMT+00:00) " . __("Dublin"),
+		"Europe/Lisbon"			=> "(GMT+00:00) " . __("Lisbon"),
+		"Europe/London"			=> "(GMT+00:00) " . __("London"),
+		"Africa/Monrovia"		=> "(GMT+00:00) " . __("Monrovia"),
+		"Europe/Amsterdam"		=> "(GMT+01:00) " . __("Amsterdam"),
+		"Europe/Belgrade"		=> "(GMT+01:00) " . __("Belgrade"),
+		"Europe/Berlin"			=> "(GMT+01:00) " . __("Berlin"),
+		"Europe/Bratislava"		=> "(GMT+01:00) " . __("Bratislava"),
+		"Europe/Brussels"		=> "(GMT+01:00) " . __("Brussels"),
+		"Europe/Budapest"		=> "(GMT+01:00) " . __("Budapest"),
+		"Europe/Copenhagen"		=> "(GMT+01:00) " . __("Copenhagen"),
+		"Europe/Ljubljana"		=> "(GMT+01:00) " . __("Ljubljana"),
+		"Europe/Madrid"			=> "(GMT+01:00) " . __("Madrid"),
+		"Europe/Paris"			=> "(GMT+01:00) " . __("Paris"),
+		"Europe/Prague"			=> "(GMT+01:00) " . __("Prague"),
+		"Europe/Rome"			=> "(GMT+01:00) " . __("Rome"),
+		"Europe/Sarajevo"		=> "(GMT+01:00) " . __("Sarajevo"),
+		"Europe/Skopje"			=> "(GMT+01:00) " . __("Skopje"),
+		"Europe/Stockholm"		=> "(GMT+01:00) " . __("Stockholm"),
+		"Europe/Vienna"			=> "(GMT+01:00) " . __("Vienna"),
+		"Europe/Warsaw"			=> "(GMT+01:00) " . __("Warsaw"),
+		"Europe/Zagreb"			=> "(GMT+01:00) " . __("Zagreb"),
+		"Europe/Athens"			=> "(GMT+02:00) " . __("Athens"),
+		"Europe/Bucharest"		=> "(GMT+02:00) " . __("Bucharest"),
+		"Africa/Cairo"			=> "(GMT+02:00) " . __("Cairo"),
+		"Africa/Harare"			=> "(GMT+02:00) " . __("Harare"),
+		"Europe/Helsinki"		=> "(GMT+02:00) " . __("Helsinki"),
+		"Europe/Istanbul"		=> "(GMT+02:00) " . __("Istanbul"),
+		"Asia/Jerusalem"		=> "(GMT+02:00) " . __("Jerusalem"),
+		"Europe/Kiev"			=> "(GMT+02:00) " . __("Kyiv"),
+		"Europe/Minsk"			=> "(GMT+02:00) " . __("Minsk"),
+		"Europe/Riga"			=> "(GMT+02:00) " . __("Riga"),
+		"Europe/Sofia"			=> "(GMT+02:00) " . __("Sofia"),
+		"Europe/Tallinn"		=> "(GMT+02:00) " . __("Tallinn"),
+		"Europe/Vilnius"		=> "(GMT+02:00) " . __("Vilnius"),
+		"Asia/Baghdad"			=> "(GMT+03:00) " . __("Baghdad"),
+		"Asia/Kuwait"			=> "(GMT+03:00) " . __("Kuwait"),
+		"Africa/Nairobi"		=> "(GMT+03:00) " . __("Nairobi"),
+		"Asia/Riyadh"			=> "(GMT+03:00) " . __("Riyadh"),
+		"Europe/Moscow"			=> "(GMT+03:00) " . __("Moscow"),
+		"Asia/Tehran"			=> "(GMT+03:30) " . __("Tehran"),
+		"Asia/Baku"				=> "(GMT+04:00) " . __("Baku"),
+		"Europe/Volgograd"		=> "(GMT+04:00) " . __("Volgograd"),
+		"Asia/Muscat"			=> "(GMT+04:00) " . __("Muscat"),
+		"Asia/Tbilisi"			=> "(GMT+04:00) " . __("Tbilisi"),
+		"Asia/Yerevan"			=> "(GMT+04:00) " . __("Yerevan"),
+		"Asia/Kabul"			=> "(GMT+04:30) " . __("Kabul"),
+		"Asia/Karachi"			=> "(GMT+05:00) " . __("Karachi"),
+		"Asia/Tashkent"			=> "(GMT+05:00) " . __("Tashkent"),
+		"Asia/Kolkata"			=> "(GMT+05:30) " . __("Kolkata"),
+		"Asia/Kathmandu"		=> "(GMT+05:45) " . __("Kathmandu"),
+		"Asia/Yekaterinburg"	=> "(GMT+06:00) " . __("Ekaterinburg"),
+		"Asia/Almaty"			=> "(GMT+06:00) " . __("Almaty"),
+		"Asia/Dhaka"			=> "(GMT+06:00) " . __("Dhaka"),
+		"Asia/Novosibirsk"		=> "(GMT+07:00) " . __("Novosibirsk"),
+		"Asia/Bangkok"			=> "(GMT+07:00) " . __("Bangkok"),
+		"Asia/Jakarta"			=> "(GMT+07:00) " . __("Jakarta"),
+		"Asia/Krasnoyarsk"		=> "(GMT+08:00) " . __("Krasnoyarsk"),
+		"Asia/Chongqing"		=> "(GMT+08:00) " . __("Chongqing"),
+		"Asia/Hong_Kong"		=> "(GMT+08:00) " . __("Hong Kong"),
+		"Asia/Kuala_Lumpur"		=> "(GMT+08:00) " . __("Kuala Lumpur"),
+		"Australia/Perth"		=> "(GMT+08:00) " . __("Perth"),
+		"Asia/Singapore"		=> "(GMT+08:00) " . __("Singapore"),
+		"Asia/Taipei"			=> "(GMT+08:00) " . __("Taipei"),
+		"Asia/Ulaanbaatar"		=> "(GMT+08:00) " . __("Ulaan Bataar"),
+		"Asia/Urumqi"			=> "(GMT+08:00) " . __("Urumqi"),
+		"Asia/Irkutsk"			=> "(GMT+09:00) " . __("Irkutsk"),
+		"Asia/Seoul"			=> "(GMT+09:00) " . __("Seoul"),
+		"Asia/Tokyo"			=> "(GMT+09:00) " . __("Tokyo"),
+		"Australia/Adelaide"	=> "(GMT+09:30) " . __("Adelaide"),
+		"Australia/Darwin"		=> "(GMT+09:30) " . __("Darwin"),
+		"Asia/Yakutsk"			=> "(GMT+10:00) " . __("Yakutsk"),
+		"Australia/Brisbane"	=> "(GMT+10:00) " . __("Brisbane"),
+		"Australia/Canberra"	=> "(GMT+10:00) " . __("Canberra"),
+		"Pacific/Guam"			=> "(GMT+10:00) " . __("Guam"),
+		"Australia/Hobart"		=> "(GMT+10:00) " . __("Hobart"),
+		"Australia/Melbourne"	=> "(GMT+10:00) " . __("Melbourne"),
+		"Pacific/Port_Moresby"	=> "(GMT+10:00) " . __("Port Moresby"),
+		"Australia/Sydney"		=> "(GMT+10:00) " . __("Sydney"),
+		"Asia/Vladivostok"		=> "(GMT+11:00) " . __("Vladivostok"),
+		"Asia/Magadan"			=> "(GMT+12:00) " . __("Magadan"),
+		"Pacific/Auckland"		=> "(GMT+12:00) " . __("Auckland"),
+		"Pacific/Fiji"			=> "(GMT+12:00) " . __("Fiji"),
+	);
+	
+	return html_print_select($timezones, $name, $selected, "", __("None"), "", true, false, false);
+}
+
 ?>

From 26338dab4fb56f15a9ebc593c4dd500d3c72d0c2 Mon Sep 17 00:00:00 2001
From: Alejandro Gallardo Escobar <alejandro.gallardo@artica.es>
Date: Mon, 30 Apr 2018 15:34:46 +0200
Subject: [PATCH 02/17] Add timezone selection to the user profile

---
 pandora_console/operation/users/user_edit.php | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/pandora_console/operation/users/user_edit.php b/pandora_console/operation/users/user_edit.php
index f5d1057941..eb72aaa9a6 100644
--- a/pandora_console/operation/users/user_edit.php
+++ b/pandora_console/operation/users/user_edit.php
@@ -76,6 +76,7 @@ if (isset ($_GET["modified"]) && !$view_mode) {
 	$upd_info["phone"] = get_parameter_post ("phone", $user_info["phone"]);
 	$upd_info["comments"] = get_parameter_post ("comments", $user_info["comments"]);
 	$upd_info["language"] = get_parameter_post ("language", $user_info["language"]);
+	$upd_info["timezone"] = get_parameter_post ("timezone", "");
 	$upd_info["id_skin"] = get_parameter ("skin", $user_info["id_skin"]);
 	$upd_info["id_filter"] = get_parameter ("event_filter",NULL);
 	$upd_info["block_size"] = get_parameter ("block_size", $config["block_size"]);
@@ -271,8 +272,10 @@ else
 $usr_groups = (users_get_groups($config['id_user'], 'AR', $display_all_group));
 $id_usr = $config['id_user'];
 
+
+$data = array();
+
 if (!$meta) {
-	$data = array();
 	$data[0] = '<span style="width:50%;float:left;">'.__('Home screen'). ui_print_help_tip(__('User can customize the home page. By default, will display \'Agent Detail\'. Example: Select \'Other\' and type sec=estado&sec2=operation/agentes/estado_agente to show agent detail view'), true).'</span>';
 	$values = array (
 		'Default' =>__('Default'),
@@ -326,10 +329,18 @@ if (!$meta) {
 			$data[1] .= $jump . '<span style="width:20%;float:left;">'. skins_print_select($id_usr,'skin', $user_info['id_skin'], '', __('None'), 0, true).'</span>';
 		}
 	}
-	$table->rowclass[] = '';
-	$table->rowstyle[] = 'font-weight: bold;';
-	$table->data[] = $data;
 }
+else {
+	$data[0] = "";
+	$data[1] = "";
+}
+
+$data[2] = '<span style="width:30%;float:left;">'.__('Timezone').'</span>';
+$data[2] .= $jump . html_print_timezone_select("timezone", $user_info["timezone"]);
+
+$table->rowclass[] = '';
+$table->rowstyle[] = 'font-weight: bold;';
+$table->data[] = $data;
 
 // Double auth
 $double_auth_enabled = (bool) db_get_value('id', 'tuser_double_auth', 'id_user', $config['id_user']);

From 0b1546be221c54f45aecf84dfeb711ab005bb85e Mon Sep 17 00:00:00 2001
From: Alejandro Gallardo Escobar <alejandro.gallardo@artica.es>
Date: Mon, 30 Apr 2018 15:35:41 +0200
Subject: [PATCH 03/17] Fixed a date

---
 pandora_console/include/functions_events.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pandora_console/include/functions_events.php b/pandora_console/include/functions_events.php
index e9faaba84e..5549c3508e 100644
--- a/pandora_console/include/functions_events.php
+++ b/pandora_console/include/functions_events.php
@@ -2467,11 +2467,12 @@ function events_page_general ($event) {
 	
 	$data = array();
 	$data[0] = __('Timestamp');
+	
 	if ($group_rep == 1 && $event["event_rep"] > 1) {
 		$data[1] = __('First event').': '.date ($config["date_format"], $event['timestamp_first']).'<br>'.__('Last event').': '.date ($config["date_format"], $event['timestamp_last']);
 	}
 	else {
-		$data[1] = date ($config["date_format"], strtotime($event["timestamp"]));
+		$data[1] = date ($config["date_format"], $event["utimestamp"]);
 	}
 	$table_general->data[] = $data;
 	

From f1985313ab4479ea975fbefc87bce7a85fd67a71 Mon Sep 17 00:00:00 2001
From: Alejandro Gallardo Escobar <alejandro.gallardo@artica.es>
Date: Mon, 7 May 2018 16:10:31 +0200
Subject: [PATCH 04/17] The audit view and csv now use the user defined
 timezone

---
 pandora_console/godmode/admin_access_logs.php | 3 ++-
 pandora_console/include/functions.php         | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/pandora_console/godmode/admin_access_logs.php b/pandora_console/godmode/admin_access_logs.php
index c3a8c9d0b0..7f359ef2c5 100644
--- a/pandora_console/godmode/admin_access_logs.php
+++ b/pandora_console/godmode/admin_access_logs.php
@@ -245,7 +245,8 @@ foreach ($result as $row) {
 	}
 	$data[1] = ui_print_session_action_icon ($row['accion'], true);
 	$data[1] .= $row["accion"];
-	$data[2] = ui_print_help_tip($row['fecha'], true) . ui_print_timestamp($row['utimestamp'], true);
+	$data[2] = ui_print_help_tip(date($config["date_format"], $row['utimestamp']), true)
+		. ui_print_timestamp($row['utimestamp'], true);
 	switch ($config['dbtype']) {
 		case "mysql":
 		case "postgresql":
diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php
index 6c4d0a8199..9510036021 100644
--- a/pandora_console/include/functions.php
+++ b/pandora_console/include/functions.php
@@ -2359,7 +2359,11 @@ function print_audit_csv ($data) {
 		__('Source ID') . ';' .
 		__('Comments') ."\n";
 	foreach ($data as $line) {
-		echo io_safe_output($line['id_usuario']) . ';' .  io_safe_output($line['accion']) . ';' .  $line['fecha'] . ';' .  $line['ip_origen'] . ';'.  io_safe_output($line['descripcion']). "\n";
+		echo io_safe_output($line['id_usuario']) . ';'
+		. io_safe_output($line['accion']) . ';'
+		. date($config["date_format"], $line['utimestamp']) . ';'
+		. $line['ip_origen'] . ';'
+		. io_safe_output($line['descripcion']). "\n";
 	}
 
 	exit;

From 6bc8cee2375c82ee1586d75ffbe8ff72a882f090 Mon Sep 17 00:00:00 2001
From: Alejandro Gallardo Escobar <alejandro.gallardo@artica.es>
Date: Thu, 10 May 2018 11:43:03 +0200
Subject: [PATCH 05/17] Added the user defined timezone to some dates

---
 pandora_console/general/logon_ok.php | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/pandora_console/general/logon_ok.php b/pandora_console/general/logon_ok.php
index 3a43795fd5..34b19dad9f 100644
--- a/pandora_console/general/logon_ok.php
+++ b/pandora_console/general/logon_ok.php
@@ -230,19 +230,19 @@ if (!empty($all_data)) {
 			
 			switch ($config["dbtype"]) {
 				case "mysql":
-					$sql = sprintf ("SELECT id_usuario,accion,fecha,ip_origen,descripcion,utimestamp
+					$sql = sprintf ("SELECT id_usuario,accion, ip_origen,descripcion,utimestamp
 						FROM tsesion
 						WHERE (`utimestamp` > UNIX_TIMESTAMP(NOW()) - " . SECONDS_1WEEK . ") 
 							AND `id_usuario` = '%s' ORDER BY `utimestamp` DESC LIMIT 10", $config["id_user"]);
 					break;
 				case "postgresql":
-					$sql = sprintf ("SELECT \"id_usuario\", accion, fecha, \"ip_origen\", descripcion, utimestamp
+					$sql = sprintf ("SELECT \"id_usuario\", accion, \"ip_origen\", descripcion, utimestamp
 						FROM tsesion
 						WHERE (\"utimestamp\" > ceil(date_part('epoch', CURRENT_TIMESTAMP)) - " . SECONDS_1WEEK . ") 
 							AND \"id_usuario\" = '%s' ORDER BY \"utimestamp\" DESC LIMIT 10", $config["id_user"]);
 					break;
 				case "oracle":
-					$sql = sprintf ("SELECT id_usuario, accion, fecha, ip_origen, descripcion, utimestamp
+					$sql = sprintf ("SELECT id_usuario, accion, ip_origen, descripcion, utimestamp
 						FROM tsesion
 						WHERE ((utimestamp > ceil((sysdate - to_date('19700101000000','YYYYMMDDHH24MISS')) * (" . SECONDS_1DAY . ")) - " . SECONDS_1WEEK . ") 
 							AND id_usuario = '%s') AND rownum <= 10 ORDER BY utimestamp DESC", $config["id_user"]);
@@ -272,7 +272,8 @@ if (!empty($all_data)) {
 				
 				$data[0] = '<strong>' . $session_id_usuario . '</strong>';
 				$data[1] = ui_print_session_action_icon ($session['accion'], true) . ' ' . $session['accion'];
-				$data[2] =  ui_print_help_tip($session['fecha'], true) . human_time_comparation($session['utimestamp'], 'tiny');
+				$data[2] =  ui_print_help_tip(date($config["date_format"], $session['utimestamp']), true)
+					. human_time_comparation($session['utimestamp'], 'tiny');
 				$data[3] = $session_ip_origen;
 				$description = str_replace(array(',', ', '), ', ', $session['descripcion']);
 				$data[4] = '<div >' . io_safe_output($description) . '</div>';
@@ -427,19 +428,19 @@ $options = array();
 	
 	switch ($config["dbtype"]) {
 		case "mysql":
-			$sql = sprintf ("SELECT id_usuario,accion,fecha,ip_origen,descripcion,utimestamp
+			$sql = sprintf ("SELECT id_usuario,accion,ip_origen,descripcion,utimestamp
 				FROM tsesion
 				WHERE (`utimestamp` > UNIX_TIMESTAMP(NOW()) - " . SECONDS_1WEEK . ") 
 					AND `id_usuario` = '%s' ORDER BY `utimestamp` DESC LIMIT 10", $config["id_user"]);
 			break;
 		case "postgresql":
-			$sql = sprintf ("SELECT \"id_usuario\", accion, fecha, \"ip_origen\", descripcion, utimestamp
+			$sql = sprintf ("SELECT \"id_usuario\", accion, \"ip_origen\", descripcion, utimestamp
 				FROM tsesion
 				WHERE (\"utimestamp\" > ceil(date_part('epoch', CURRENT_TIMESTAMP)) - " . SECONDS_1WEEK . ") 
 					AND \"id_usuario\" = '%s' ORDER BY \"utimestamp\" DESC LIMIT 10", $config["id_user"]);
 			break;
 		case "oracle":
-			$sql = sprintf ("SELECT id_usuario, accion, fecha, ip_origen, descripcion, utimestamp
+			$sql = sprintf ("SELECT id_usuario, accion, ip_origen, descripcion, utimestamp
 				FROM tsesion
 				WHERE ((utimestamp > ceil((sysdate - to_date('19700101000000','YYYYMMDDHH24MISS')) * (" . SECONDS_1DAY . ")) - " . SECONDS_1WEEK . ") 
 					AND id_usuario = '%s') AND rownum <= 10 ORDER BY utimestamp DESC", $config["id_user"]);
@@ -470,7 +471,8 @@ $options = array();
 		$data[0] = '<strong>' . $session_id_usuario . '</strong>';
 		$data[1] = ui_print_session_action_icon ($session['accion'], true);
 		$data[2] = $session['accion'];
-		$data[3] =  ui_print_help_tip($session['fecha'], true) . human_time_comparation($session['utimestamp'], 'tiny');
+		$data[3] = ui_print_help_tip(date($config["date_format"], $session['utimestamp']), true)
+			. human_time_comparation($session['utimestamp'], 'tiny');
 		$data[4] = $session_ip_origen;
 		$data[5] = io_safe_output ($session['descripcion']);
 		

From 0afd436cea5285007cbc47c9f600c9d9678da704 Mon Sep 17 00:00:00 2001
From: fermin831 <fermin.hernandez@artica.es>
Date: Wed, 6 Jun 2018 15:04:30 +0200
Subject: [PATCH 06/17] [ACL API] Added ACL to some get api calls and
 refactorized agent count

---
 pandora_console/include/functions_agents.php  |  43 +-
 pandora_console/include/functions_api.php     | 474 ++++++++++--------
 .../operation/agentes/estado_agente.php       |  20 +-
 3 files changed, 329 insertions(+), 208 deletions(-)

diff --git a/pandora_console/include/functions_agents.php b/pandora_console/include/functions_agents.php
index 0d90d8f725..fd527e167d 100644
--- a/pandora_console/include/functions_agents.php
+++ b/pandora_console/include/functions_agents.php
@@ -2669,7 +2669,10 @@ function agents_generate_name ($alias, $address = '') {
  */
 function agents_get_all_groups_agent ($id_agent, $group = false) {
 	// Get the group if is not defined
-	if ($group === false) $group = agents_get_group_agents($id_agent);
+	if ($group === false) $group = agents_get_agent_group($id_agent);
+
+	// If cannot retrieve the group, it means that agent does not exist
+	if (!$group) return array();
 
 	$secondary_groups = enterprise_hook('agents_get_secondary_groups', array($id_agent));
 
@@ -2681,4 +2684,42 @@ function agents_get_all_groups_agent ($id_agent, $group = false) {
 	return $secondary_groups['plain'];
 }
 
+/**
+ * @brief Get the total agents with a filter and an access bit
+ *
+ * @param Array filter agentes array. It is the same that agents_get_agents function
+ * @param string ACL bit
+ *
+ * @return int Total agents retrieved with the filter
+ */
+function agents_count_agents_filter ($filter = array(), $access = "AR") {
+	$total_agents = agents_get_agents(
+		array ('id_group' => $id_group),
+		array ('COUNT(DISTINCT id_agente) as total'),
+		$access
+	);
+	return ($total_agents !== false)
+		? $total_agents[0]['total']
+		: 0;
+}
+
+/**
+ * @brief Check if an agent is accessible by the user
+ *
+ * @param int Id agent
+ * @param string ACL access bit
+ *
+ * @return True if user has access, false if user has not permissions and
+ * 		null if id agent does not exist
+ */
+function agents_check_access_agent ($id_agent, $access = "AR") {
+	global $config;
+
+	if (users_access_to_agent($id_agent, $access)) return true;
+
+	// If agent exist return false
+	if (agents_check_agent_exists($id_agent)) return false;
+	// Return null otherwise
+	return null;
+}
 ?>
diff --git a/pandora_console/include/functions_api.php b/pandora_console/include/functions_api.php
index b65f17dbda..a21d00661e 100644
--- a/pandora_console/include/functions_api.php
+++ b/pandora_console/include/functions_api.php
@@ -88,6 +88,10 @@ function returnError($typeError, $returnType = 'string') {
 			returnData($returnType,
 				array('type' => 'string', 'data' => __('This operation can not be used in cluster elements.')));
 			break;
+		case 'forbidden':
+			returnData($returnType,
+				array('type' => 'string', 'data' => __('The user has not enough permission to make this action.')));
+			break;
 		default:
 			returnData("string",
 				array('type' => 'string', 'data' => __($returnType)));
@@ -304,41 +308,24 @@ function api_get_groups($thrash1, $thrash2, $other, $returnType, $user_in_db) {
 function api_get_agent_module_name_last_value($agentName, $moduleName, $other = ';', $returnType)
 {
 	global $config;
-	
+
 	$idAgent = agents_get_agent_id($agentName);
-	switch ($config["dbtype"]) {
-		case "mysql":
-			$sql = sprintf('SELECT id_agente_modulo
-				FROM tagente_modulo
-				WHERE id_agente = %d AND nombre LIKE "%s"', $idAgent, $moduleName);
-			break;
-		case "postgresql":
-		case "oracle":
-			$sql = sprintf('SELECT id_agente_modulo
-				FROM tagente_modulo
-				WHERE id_agente = %d AND nombre LIKE \'%s\'', $idAgent, $moduleName);
-			break;
-	}
-	
+	$sql = sprintf('SELECT id_agente_modulo
+		FROM tagente_modulo
+		WHERE id_agente = %d AND nombre LIKE "%s"', $idAgent, $moduleName);
 	$idModuleAgent = db_get_value_sql($sql);
-	
-	if ($idModuleAgent === false) {
-		switch ($other['type']) {
-			case 'string':
-				switch ($other['data']) {
-					case 'error_message':
-					default:
-						returnError('id_not_found', $returnType);
-					break;
-				}
-				break;
-			case 'array':
-				switch ($other['data'][0]) {
-					case 'error_value':
-						returnData($returnType, array('type' => 'string', 'data' => $other['data'][1]));
-						break;
-				}
-				break;
+
+	$user_has_access = users_access_to_agent($idAgent);
+
+	if (($value === false || !$user_has_access) && isset($other['data'][0])) {
+		if ($other['type'] == 'array' && $other['data'][0] == 'error_value') {
+			returnData($returnType, array('type' => 'string', 'data' => $other['data'][1]));
+		} else {
+			if (!$value) {
+				returnError('id_not_found', $returnType);
+			} else {
+				returnError('forbidden', $returnType);
+			}
 		}
 	}
 	else {
@@ -350,40 +337,23 @@ function api_get_agent_module_name_last_value($agentName, $moduleName, $other =
 function api_get_agent_module_name_last_value_alias($alias, $moduleName, $other = ';', $returnType)
 {
 	global $config;
-	
-	switch ($config["dbtype"]) {
-		case "mysql":
-			$sql = sprintf('SELECT tagente_modulo.id_agente_modulo FROM tagente_modulo 
-					INNER JOIN tagente ON tagente_modulo.id_agente = tagente.id_agente 
-					WHERE tagente.alias LIKE "%s" AND tagente_modulo.nombre LIKE "%s"', $alias, $moduleName);
-			break;
-		case "postgresql":
-		case "oracle":
-			$sql = sprintf('SELECT tagente_modulo.id_agente_modulo FROM tagente_modulo 
-					INNER JOIN tagente ON tagente_modulo.id_agente = tagente.id_agente 
-					WHERE tagente.alias LIKE \'%s\' AND tagente_modulo.nombre LIKE \'%s\'', $alias, $moduleName);
-			break;
-	}
-	
+
+	$sql = sprintf('SELECT tagente_modulo.id_agente_modulo FROM tagente_modulo
+			INNER JOIN tagente ON tagente_modulo.id_agente = tagente.id_agente
+			WHERE tagente.alias LIKE "%s" AND tagente_modulo.nombre LIKE "%s"', $alias, $moduleName);
 	$idModuleAgent = db_get_value_sql($sql);
-	
-	if ($idModuleAgent === false) {
-		switch ($other['type']) {
-			case 'string':
-				switch ($other['data']) {
-					case 'error_message':
-					default:
-						returnError('id_not_found', $returnType);
-					break;
-				}
-				break;
-			case 'array':
-				switch ($other['data'][0]) {
-					case 'error_value':
-						returnData($returnType, array('type' => 'string', 'data' => $other['data'][1]));
-						break;
-				}
-				break;
+
+	$user_has_access = users_access_to_agent($idAgent);
+
+	if (($value === false || !$user_has_access) && isset($other['data'][0])) {
+		if ($other['type'] == 'array' && $other['data'][0] == 'error_value') {
+			returnData($returnType, array('type' => 'string', 'data' => $other['data'][1]));
+		} else {
+			if (!$value) {
+				returnError('id_not_found', $returnType);
+			} else {
+				returnError('forbidden', $returnType);
+			}
 		}
 	}
 	else {
@@ -393,31 +363,27 @@ function api_get_agent_module_name_last_value_alias($alias, $moduleName, $other
 
 
 function api_get_module_last_value($idAgentModule, $trash1, $other = ';', $returnType) {
+	global $config;
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	$user_has_access = users_access_to_agent(modules_get_agentmodule($idAgentModule));
+
 	$sql = sprintf('SELECT datos
 		FROM tagente_estado
 		WHERE id_agente_modulo = %d', $idAgentModule);
 	$value = db_get_value_sql($sql);
-	if ($value === false) {
-		switch ($other['type']) {
-			case 'string':
-				switch ($other['data']) {
-					case 'error_message':
-					default:
-						returnError('id_not_found', $returnType);
-					break;
-				}
-				break;
-			case 'array':
-				switch ($other['data'][0]) {
-					case 'error_value':
-						returnData($returnType, array('type' => 'string', 'data' => $other['data'][1]));
-						break;
-				}
-				break;
+
+	if (($value === false || !$user_has_access) && isset($other['data'][0])) {
+		if ($other['type'] == 'array' && $other['data'][0] == 'error_value') {
+			returnData($returnType, array('type' => 'string', 'data' => $other['data'][1]));
+		} else {
+			if (!$value) {
+				returnError('id_not_found', $returnType);
+			} else {
+				returnError('forbidden', $returnType);
+			}
 		}
 	}
 	else {
@@ -527,6 +493,8 @@ $estado_fields_to_columns_mapping = array(
  * @return unknown_type
  */
 function api_get_tree_agents($trash1, $trahs2, $other, $returnType) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
@@ -806,81 +774,89 @@ function api_get_tree_agents($trash1, $trahs2, $other, $returnType) {
 	}
 	
 	$returnVar = array();
-	
+
+	// Get only the user groups
+	$filter_groups = "1 = 1";
+	if (!users_is_admin($config['id_user'])) {
+		$user_groups = implode (',', array_keys(users_get_groups()));
+		$filter_groups = "id_grupo IN ($user_groups)";
+	}
+
 	$groups = db_get_all_rows_sql('SELECT id_grupo as group_id, ' .
 			'nombre as group_name, parent as group_parent, disabled, custom_id, ' .
 			'description as group_description, contact as group_contact, ' .
-			'other as group_other FROM tgrupo');
+			'other as group_other FROM tgrupo WHERE ' . $filter_groups);
 	if ($groups === false) $groups = array();
 	$groups = str_replace('\n', $returnReplace, $groups);
-	
-	$agents = db_get_all_rows_sql('
-		SELECT id_agente AS agent_id, id_grupo AS agent_id_group , alias' . $agent_additional_columns . ' FROM tagente');
-	if ($agents === false) $agents = array();
-	$agents = str_replace('\n', $returnReplace, $agents);
-	
+
 	foreach ($groups as &$group) {
 		$group['type_row'] = 'group';
 		$returnVar[] = $group;
-		
+
+		// Get the agents for this group
+		$id_group = $group['group_id'];
+		$agents = db_get_all_rows_sql("SELECT id_agente AS agent_id, id_grupo AS agent_id_group , alias $agent_additional_columns
+			FROM tagente ta LEFT JOIN tagent_secondary_group tasg
+				ON ta.id_agente = tasg.id_agent
+			WHERE ta.id_grupo = $id_group OR tasg.id_group = $id_group"
+		);
+		if ($agents === false) $agents = array();
+		$agents = str_replace('\n', $returnReplace, $agents);
+
 		foreach ($agents as $index => &$agent) {
-			if ($agent['agent_id_group'] == $group['group_id']) {
+			$agent['type_row']  = 'agent';
+			$returnVar[] = $agent;
+			
+			if ( strlen($module_additional_columns) <= 0
+				&& strlen($estado_additional_columns) <= 0 
+				&& strlen($alert_additional_columns) <= 0 ) {
+				continue; /** SKIP collecting MODULES and ALERTS **/
+			}
+			
+			$modules = db_get_all_rows_sql('SELECT *
+				FROM (SELECT id_agente_modulo as module_id_agent_modulo ' .  $module_additional_columns . '
+						FROM tagente_modulo 
+						WHERE id_agente = ' . $agent['agent_id'] . ') t1 
+					INNER JOIN (SELECT id_agente_modulo as module_id_agent_modulo ' .  $estado_additional_columns . '
+						FROM tagente_estado
+						WHERE id_agente = ' . $agent['agent_id'] . ') t2
+					ON t1.module_id_agent_modulo = t2.module_id_agent_modulo');
+			
+			if ($modules === false) $modules = array();
+			$modules = str_replace('\n', $returnReplace, $modules);
+			
+			foreach ($modules as &$module) {
+				$module['type_row']  = 'module';
+
+				if( $module['module_macros'] ) {
+					$module['module_macros'] = base64_decode( $module['module_macros']);
+				}
+
+				$returnVar[] = $module;
 				
-				$agent['type_row']  = 'agent';
-				$returnVar[] = $agent;
-				
-				if ( strlen($module_additional_columns) <= 0
-					&& strlen($estado_additional_columns) <= 0 
-					&& strlen($alert_additional_columns) <= 0 ) {
-					continue; /** SKIP collecting MODULES and ALERTS **/
+				if ( strlen($alert_additional_columns) <= 0 ) {
+					continue;	/** SKIP collecting ALERTS info **/
 				}
 				
-				$modules = db_get_all_rows_sql('SELECT *
-					FROM (SELECT id_agente_modulo as module_id_agent_modulo ' .  $module_additional_columns . '
-							FROM tagente_modulo 
-							WHERE id_agente = ' . $agent['agent_id'] . ') t1 
-						INNER JOIN (SELECT id_agente_modulo as module_id_agent_modulo ' .  $estado_additional_columns . '
-							FROM tagente_estado
-							WHERE id_agente = ' . $agent['agent_id'] . ') t2
-						ON t1.module_id_agent_modulo = t2.module_id_agent_modulo');
+				$alerts = db_get_all_rows_sql('SELECT t1.id_agent_module as alert_id_agent_module ' .  $alert_additional_columns . '
+					FROM (SELECT * FROM talert_template_modules
+						WHERE id_agent_module = ' . $module['module_id_agent_modulo'] . ') t1 
+					INNER JOIN talert_templates t2
+						ON t1.id_alert_template = t2.id
+					LEFT JOIN talert_template_module_actions t3
+						ON t1.id = t3.id_alert_template_module
+					LEFT JOIN talert_actions t4
+						ON t3.id_alert_action = t4.id
+					LEFT JOIN talert_commands t5
+						ON t4.id_alert_command = t5.id');
 				
-				if ($modules === false) $modules = array();
-				$modules = str_replace('\n', $returnReplace, $modules);
+				if ($alerts === false) $alerts = array();
+				$alerts = str_replace('\n', $returnReplace, $alerts);
 				
-				foreach ($modules as &$module) {
-					$module['type_row']  = 'module';
-
-					if( $module['module_macros'] ) {
-						$module['module_macros'] = base64_decode( $module['module_macros']);
-					}
-
-					$returnVar[] = $module;
-					
-					if ( strlen($alert_additional_columns) <= 0 ) {
-						continue;	/** SKIP collecting ALERTS info **/
-					}
-					
-					$alerts = db_get_all_rows_sql('SELECT t1.id_agent_module as alert_id_agent_module ' .  $alert_additional_columns . '
-						FROM (SELECT * FROM talert_template_modules
-							WHERE id_agent_module = ' . $module['module_id_agent_modulo'] . ') t1 
-						INNER JOIN talert_templates t2
-							ON t1.id_alert_template = t2.id
-						LEFT JOIN talert_template_module_actions t3
-							ON t1.id = t3.id_alert_template_module
-						LEFT JOIN talert_actions t4
-							ON t3.id_alert_action = t4.id
-						LEFT JOIN talert_commands t5
-							ON t4.id_alert_command = t5.id');
-					
-					if ($alerts === false) $alerts = array();
-					$alerts = str_replace('\n', $returnReplace, $alerts);
-					
-					foreach ($alerts as &$alert) {
-						$alert['type_row'] = 'alert';
-						$returnVar[] = $alert;
-					}
+				foreach ($alerts as &$alert) {
+					$alert['type_row'] = 'alert';
+					$returnVar[] = $alert;
 				}
-				unset($agents[$index]);
 			}
 		}
 	}
@@ -1537,10 +1513,23 @@ function api_set_delete_agent($id, $thrash1, $thrast2, $thrash3) {
  * @param $returnType.
  */
 function api_get_all_agents($thrash1, $thrash2, $other, $returnType) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	$where = '';
+
+	// Error if user cannot read agents.
+	if (!check_acl($config['id_user'], 0, "AR")) {
+		returnError('forbidden', $returnType);
+		return;
+	}
+
+	$groups = '1 = 1';
+	if (!is_user_admin($config['id_user'])) {
+		$user_groups = implode (',', array_keys(users_get_groups()));
+		$groups = "(id_grupo IN ($user_groups) OR id_group IN ($user_groups))";
+	}
 
 	if (isset($other['data'][0])) {
 		// Filter by SO
@@ -1580,10 +1569,12 @@ function api_get_all_agents($thrash1, $thrash2, $other, $returnType) {
 	// Filter by state
 	$sql = "SELECT id_agente, alias, direccion, comentarios,
 			tconfig_os.name, url_address, nombre
-		FROM tagente, tconfig_os
+		FROM tconfig_os, tagente
+		LEFT JOIN tagent_secondary_group
+			ON tagente.id_agente = tagent_secondary_group.id_agent
 		WHERE tagente.id_os = tconfig_os.id_os
-			AND disabled = 0 " . $where;
-	
+			AND disabled = 0 $where AND $groups";
+
 	$all_agents = db_get_all_rows_sql($sql);
 
 	// Filter by status: unknown, warning, critical, without modules 
@@ -1678,6 +1669,8 @@ function api_get_agent_modules($thrash1, $thrash2, $other, $thrash3) {
 		return;
 	}
 	
+	if (!api_check_agent_and_print_error($other['data'][0], 'csv')) return;
+
 	$sql = sprintf("SELECT id_agente, id_agente_modulo, nombre 
 		FROM tagente_modulo
 		WHERE id_agente = %d AND disabled = 0
@@ -2014,6 +2007,8 @@ function api_get_module_id($id , $thrash1 , $name, $thrash3) {
 		return;
 	}
 
+	if (!api_check_agent_and_print_error($id, 'csv')) return;
+
 	$sql = sprintf('SELECT id_agente_modulo
 		FROM tagente_modulo WHERE id_agente = %d
 		AND nombre = "%s" AND disabled = 0
@@ -2406,23 +2401,30 @@ function api_get_id_group_agent_by_alias($thrash1, $thrash2, $other, $thrash3) {
  * @param $thrash3 Don't use.
  */
 function api_get_policies($thrash1, $thrash2, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
-	$where = '';
-	
+
+	$user_groups = implode (',', array_keys(users_get_groups($config["id_user"], "AW")));
+
 	if ($other['data'][0] != "") {
-		$where .= ' AND pol_agents.id_agent = ' . $other['data'][0];
-		
+		if (!users_access_to_agent($other['data'][0])) {
+			returnError ('forbidden', 'csv');
+			return;
+		}
+		$where = ' AND pol_agents.id_agent = ' . $other['data'][0];
+
 		$sql = sprintf("SELECT policy.id, name, id_agent
 			FROM tpolicies AS policy, tpolicy_agents AS pol_agents 
-			WHERE policy.id = pol_agents.id_policy %s", $where);
+			WHERE policy.id = pol_agents.id_policy %s AND id_group IN (%s)",
+			$where, $user_groups);
 	}
 	else {
-		$sql = "SELECT id, name FROM tpolicies AS policy";
+		$sql = "SELECT id, name FROM tpolicies AS policy WHERE id_group IN ($user_groups)";
 	}
-	
+
 	$policies = db_get_all_rows_sql($sql);
 	
 	if (count($policies) > 0 and $policies !== false) {
@@ -4012,34 +4014,43 @@ function api_set_new_local_component($id, $thrash1, $other, $thrash2) {
 
  */
 function api_get_module_value_all_agents($id, $thrash1, $other, $thrash2) {
+	global $config;
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
 	if ($id == "") {
 		returnError('error_get_module_value_all_agents',
 			__('Error getting module value from all agents. Module name cannot be left blank.'));
 		return;
 	}
-	
+
 	$id_module = db_get_value ('id_agente_modulo', 'tagente_modulo', 'nombre', $id);
-	
+
 	if ($id_module === false) {
 		returnError('error_get_module_value_all_agents',
 			__('Error getting module value from all agents. Module name doesn\'t exist.'));
 		return;
 	}
-	
-	$sql = sprintf("SELECT agent.id_agente, agent.alias, module_state.datos, agent.nombre FROM tagente agent, tagente_modulo module, tagente_estado module_state WHERE agent.id_agente = module.id_agente AND module.id_agente_modulo=module_state.id_agente_modulo AND module.nombre = '%s'", $id);
-	
+
+	$groups = '1 = 1';
+	if (!is_user_admin($config['id_user'])) {
+		$user_groups = implode (',', array_keys(users_get_groups()));
+		$groups = "(id_grupo IN ($user_groups) OR id_group IN ($user_groups))";
+	}
+
+	$sql = sprintf( "SELECT agent.id_agente, agent.alias, module_state.datos, agent.nombre
+		FROM tagente agent LEFT JOIN tagent_secondary_group tasg ON agent.id_agente = tasg.id_agent, tagente_modulo module, tagente_estado module_state
+		WHERE agent.id_agente = module.id_agente AND module.id_agente_modulo=module_state.id_agente_modulo AND module.nombre = '%s'
+		AND %s", $id, $groups);
+
 	$module_values = db_get_all_rows_sql($sql);
-	
+
 	if (!$module_values) {
 		returnError('error_get_module_value_all_agents', 'Error getting module values from all agents.');
 	}
 	else {
 		$data = array('type' => 'array', 'data' => $module_values);
-		
 		returnData('csv', $data, ';');
 	}
 }
@@ -4267,6 +4278,8 @@ function api_set_delete_alert_template($id_template, $thrash1, $other, $thrash3)
  * @param $thrash3 Don't use.
  */
 function api_get_all_alert_templates($thrash1, $thrash2, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
@@ -4275,7 +4288,12 @@ function api_get_all_alert_templates($thrash1, $thrash2, $other, $thrash3) {
 		$separator = ';'; // by default
 	else
 		$separator = $other['data'][0];
-	
+
+	if (!check_acl($config["id_user"], 0, "LM")) {
+		returnError("forbidden", "csv");
+		return;
+	}
+
 	$filter_templates = false;
 	
 	$template = alerts_get_alert_templates();
@@ -4356,10 +4374,17 @@ function api_get_alert_template($id_template, $thrash1, $other, $thrash3) {
  * @param $thrash3 Don't use.
  */
 function api_get_module_groups($thrash1, $thrash2, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config["id_user"], 0, "PM")) {
+		returnError('forbidden', 'csv');
+		return;
+	}
+
 	if (!isset($other['data'][0]))
 		$separator = ';'; // by default
 	else
@@ -4395,10 +4420,17 @@ function api_get_module_groups($thrash1, $thrash2, $other, $thrash3) {
  * @param $thrash3 Don't use.
  */
 function api_get_plugins($thrash1, $thrash2, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config["id_user"], 0, "PM")) {
+		returnError('forbidden', 'csv');
+		return;
+	}
+
 	if (!isset($other['data'][0]))
 		$separator = ';'; // by default
 	else
@@ -5813,15 +5845,18 @@ function api_get_module_from_conf($id_agent, $module_name, $thrash2, $thrash3) {
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!api_check_agent_and_print_error($id_agent, 'string')) return;
+
+	$module_name = io_safe_output($module_name);
 	$result = enterprise_hook('config_agents_get_module_from_conf',
-		array($id_agent, io_safe_output($module_name)));
-	
-	if ($result !== ENTERPRISE_NOT_HOOK) {
+		array($id_agent, $module_name));
+
+	if ($result !== ENTERPRISE_NOT_HOOK && !empty($result)) {
 		returnData('string', array('type' => 'string', 'data' => $result));
 	}
 	else {
-		returnError('error_adding_module_conf', '');
+		returnError('error_adding_module_conf', __('Remote config of module %s not available', $module_name));
 	}
 }
 
@@ -6574,6 +6609,8 @@ function api_get_module_data($id, $thrash1, $other, $returnType) {
 		return;
 	}
 
+	if (!api_check_agent_and_print_error(modules_get_agentmodule($id), $returnType)) return;
+
 	$separator = $other['data'][0];
 	$periodSeconds = $other['data'][1];
 	$tstart = $other['data'][2];
@@ -6654,7 +6691,9 @@ function api_get_graph_module_data($id, $thrash1, $other, $thrash2) {
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!api_check_agent_and_print_error(modules_get_agentmodule($id), "string")) return;
+
 	$period = $other['data'][0];
 	$width = $other['data'][1];
 	$height = $other['data'][2];
@@ -8722,10 +8761,17 @@ function api_set_enable_module_alerts ($agent_name, $module_name, $thrash3, $thr
 }
 
 function api_get_tags($thrash1, $thrash2, $other, $returnType, $user_in_db) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config["id_user"], 0, "AR")){
+		returnError("forbidden", $returnType);
+		return;
+	}
+
 	if ($other['type'] == 'string') {
 		if ($other['data'] != '') {
 			returnError('error_parameter', 'Error in the parameters.');
@@ -8760,14 +8806,30 @@ function api_get_tags($thrash1, $thrash2, $other, $returnType, $user_in_db) {
 **/
 // http://localhost/pandora_console/include/api.php?op=get&op2=total_modules&id=1&apipass=1234&user=admin&pass=pandora
 function api_get_total_modules($id_group, $trash1, $trash2, $returnType) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
-	$sql = "SELECT COUNT(*)
-		FROM tagente_modulo
-		WHERE id_module_group=$id_group AND delete_pending = 0";
-	
+
+	if (!check_acl($config["id_user"], 0, "AR")) {
+		returnError('forbidden', $returnType);
+		return;
+	}
+
+	$groups_clause = "1 = 1";
+	if (!users_is_admin($config["id_user"])) {
+		$user_groups = implode (',', array_keys(users_get_groups()));
+		$groups_clause = "(ta.id_grupo IN ($user_groups) OR tasg.id_group IN ($user_groups))";
+	}
+
+	$sql = "SELECT COUNT(DISTINCT(id_agente_modulo))
+		FROM tagente_modulo tam, tagente ta
+		LEFT JOIN tagent_secondary_group tasg
+			ON ta.id_agente = tasg.id_agent
+		WHERE tam.id_agente = ta.id_agente AND id_module_group = $id_group
+			AND delete_pending = 0 AND $groups_clause";
+
 	$total = db_get_value_sql($sql);
 	
 	$data = array('type' => 'string', 'data' => $total);
@@ -8783,15 +8845,20 @@ function api_get_total_modules($id_group, $trash1, $trash2, $returnType) {
 **/
 // http://localhost/pandora_console/include/api.php?op=get&op2=total_agents&id=2&apipass=1234&user=admin&pass=pandora
 function api_get_total_agents($id_group, $trash1, $trash2, $returnType) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
-	$sql = sprintf('SELECT COUNT(*)
-		FROM tagente
-		WHERE id_grupo=%d AND disabled=0', $id_group);
-	$total_agents = db_get_value_sql($sql);
-	
+
+	// Only for agent reader of specified group
+	if (!check_acl($config["id_user"], $id_group, "AR")) {
+		returnError('forbidden', $returnType);
+		return;
+	}
+
+	$total_agents = agents_count_agents_filter(array ('id_group' => $id_group));
+
 	$data = array('type' => 'string', 'data' => $total_agents);
 	returnData($returnType, $data);
 }
@@ -8807,17 +8874,16 @@ function api_get_agent_name($id_agent, $trash1, $trash2, $returnType) {
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!api_check_agent_and_print_error($id_agent, $returnType)) return;
+
 	$sql = sprintf('SELECT nombre
 		FROM tagente
 		WHERE id_agente = %d', $id_agent);
 	$value = db_get_value_sql($sql);
-	if ($value === false) {
-		returnError('id_not_found', $returnType);
-	}
-	
+
 	$data = array('type' => 'string', 'data' => $value);
-	
+
 	returnData($returnType, $data);
 }
 
@@ -8832,17 +8898,16 @@ function api_get_agent_alias($id_agent, $trash1, $trash2, $returnType) {
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!api_check_agent_and_print_error($id_agent, $returnType)) return;
+
 	$sql = sprintf('SELECT alias
 		FROM tagente
 		WHERE id_agente = %d', $id_agent);
 	$value = db_get_value_sql($sql);
-	if ($value === false) {
-		returnError('id_not_found', $returnType);
-	}
-	
+
 	$data = array('type' => 'string', 'data' => $value);
-	
+
 	returnData($returnType, $data);
 }
 
@@ -10636,4 +10701,19 @@ function api_get_cluster_status($id_cluster, $trash1, $trash2, $returnType) {
 	returnData($returnType, $data);
 }
 
+function api_check_agent_and_print_error($id_agent, $returnType, $access = "AR") {
+	global $config;
+
+	$check_agent = agents_check_access_agent($id_agent, $access);
+	if ($check_agent === true) return true;
+
+	if ($check_agent === false || !check_acl($config['id_user'], 0, $access)) {
+		returnError('forbidden', $returnType);
+	} elseif ($check_agent === null) {
+		returnError('id_not_found', $returnType);
+	}
+
+	return false;
+}
+
 ?>
\ No newline at end of file
diff --git a/pandora_console/operation/agentes/estado_agente.php b/pandora_console/operation/agentes/estado_agente.php
index 363d0cead7..80783fcf1d 100644
--- a/pandora_console/operation/agentes/estado_agente.php
+++ b/pandora_console/operation/agentes/estado_agente.php
@@ -473,16 +473,16 @@ if ($strict_user) {
 	$agents = tags_get_all_user_agents (false, $config['id_user'], $acltags, $filter, $fields, false, $strict_user, true);
 }
 else {
-	$total_agents = agents_get_agents(array (
-		'disabled' => 0,
-		'id_grupo' => $groups,
-		'search' => $search_sql,
-		'search_custom' => $search_sql_custom,
-		'status' => $status),
-		array ('COUNT(DISTINCT id_agente) as total'), $access, false);
-	$total_agents = isset ($total_agents[0]['total']) ?
-		$total_agents[0]['total'] : 0;
-	
+	$total_agents = agents_count_agents_filter(
+		array (
+			'disabled' => 0,
+			'id_grupo' => $groups,
+			'search' => $search_sql,
+			'search_custom' => $search_sql_custom,
+			'status' => $status
+		), $access
+	);
+
 	$agents = agents_get_agents(array (
 		'order' => 'nombre ' . $order_collation . ' ASC',
 		'id_grupo' => $groups,

From 7f2d583f63de36d2c9f3ea03d62f15666878ada4 Mon Sep 17 00:00:00 2001
From: fermin831 <fermin.hernandez@artica.es>
Date: Wed, 6 Jun 2018 19:04:06 +0200
Subject: [PATCH 07/17] [API ACL] More get functions

---
 pandora_console/include/functions_api.php | 140 +++++++++++++++-------
 1 file changed, 97 insertions(+), 43 deletions(-)

diff --git a/pandora_console/include/functions_api.php b/pandora_console/include/functions_api.php
index a21d00661e..679dea360c 100644
--- a/pandora_console/include/functions_api.php
+++ b/pandora_console/include/functions_api.php
@@ -884,6 +884,8 @@ function api_get_tree_agents($trash1, $trahs2, $other, $returnType) {
  */
 function api_get_module_properties($id_module, $trahs2, $other, $returnType)
 {
+	if (!api_check_agent_and_print_error(modules_get_agentmodule($id_module), $returnType)) return;
+
 	if ($other['type'] == 'array') {
 		$separator = $other['data'][0];
 		$returnReplace = $other['data'][1];
@@ -945,19 +947,20 @@ function api_get_module_properties_by_name($agent_name, $module_name, $other, $r
 	}
 
 	$agent_id = agents_get_agent_id($agent_name);
+	if ($agent_id == 0) {
+		returnError('error_get_module_properties_by_name', __('Does not exist agent with this name.'));
+		return;
+	}
+	if (!api_check_agent_and_print_error($agent_id, $returnType)) return;
+
 	$tagente_modulo = modules_get_agentmodule_id ($module_name, $agent_id);
+	if ($tagente_modulo === false) {
+		returnError('error_get_module_properties_by_name', __('Does not exist module with this name.'));
+		return;
+	}
 	$module_id = $tagente_modulo['id_agente_modulo'];
 
-	if( $agent_id > 0 && $module_id > 0 ) {
-		get_module_properties($module_id, $fields, $separator, $returnType, $returnReplace);
-	}
-	else {
-		if( ! $agent_id || $agent_id < 0 ) {
-			returnError('error_get_module_properties_by_name', __('Does not exist agent with this name.'));
-		} else {
-			returnError('error_get_module_properties_by_name', __('Does not exist module with this name.'));
-		}
-	}
+	get_module_properties($module_id, $fields, $separator, $returnType, $returnReplace);
 }
 
 /*
@@ -1002,22 +1005,19 @@ function api_get_module_properties_by_alias($alias, $module_name, $other, $retur
 		$fields = false;
 	}
 
-	$sql = sprintf('SELECT tagente_modulo.id_agente_modulo FROM tagente_modulo 
+	$sql = sprintf('SELECT tagente_modulo.id_agente_modulo, tagente.id_agente FROM tagente_modulo 
 					INNER JOIN tagente ON tagente_modulo.id_agente = tagente.id_agente 
 					WHERE tagente.alias LIKE "%s" AND tagente_modulo.nombre LIKE "%s"', $alias, $module_name); 
 
-	$module_id = db_get_value_sql($sql);
+	$data = db_get_row_sql($sql);
+	if ($data === false) {
+		returnError('error_get_module_properties_by_name', __('Does not exist the pair alias/module required.'));
+	}
+	if (!api_check_agent_and_print_error($data['id_agente'], $returnType)) return;
 
-	if( !empty($alias) && $module_id > 0 ) {
-		get_module_properties($module_id, $fields, $separator, $returnType, $returnReplace);
-	}
-	else {
-		if(empty($alias)) {
-			returnError('error_get_module_properties_by_name', __('Does not exist agent with this name.'));
-		} else {
-			returnError('error_get_module_properties_by_name', __('Does not exist module with this name.'));
-		}
-	}
+	$module_id = $data['id_agente_modulo'];
+
+	get_module_properties($module_id, $fields, $separator, $returnType, $returnReplace);
 }
 
 /*
@@ -1444,10 +1444,15 @@ function api_get_custom_field_id($t1, $t2, $other, $returnType) {
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
 	$name = $other["data"][0];
 	$id = db_get_value ('id_field', 'tagent_custom_fields', 'name', $name);
-	
+
+	if ($id === false) {
+		returnError('id_not_found', $returnType);
+		return;
+	}
+
 	$data['type'] = "string";
 	$data["data"] = $id;
 	returnData("string", $data);
@@ -7712,18 +7717,20 @@ function api_get_gis_agent($id_agent, $trash1, $tresh2, $return_type, $user_in_d
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!api_check_agent_and_print_error($id_agent, $return_type)) return;
+
 	$agent_gis_data = db_get_row_sql("
 		SELECT *
 		FROM tgis_data_status
 		WHERE tagente_id_agente = " . $id_agent);
-	
+
 	if ($agent_gis_data) {
 		returnData($return_type,
 			array('type' => 'array', 'data' => array($agent_gis_data)));
 	}
 	else {
-		returnError('Error.');
+		returnError('get_gis_agent', __('There is not gis data for the agent'));
 	}
 }
 
@@ -8922,7 +8929,9 @@ function api_get_module_name($id_module, $trash1, $trash2, $returnType) {
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!api_check_agent_and_print_error(modules_get_agentmodule($id_module), $returnType)) return;
+
 	$sql = sprintf('SELECT nombre
 		FROM tagente_modulo
 		WHERE id_agente_modulo = %d', $id_module);
@@ -8940,44 +8949,75 @@ function api_get_module_name($id_module, $trash1, $trash2, $returnType) {
 
 // http://localhost/pandora_console/include/api.php?op=get&op2=alert_action_by_group&id=3&id2=1&apipass=1234&user=admin&pass=pandora
 function api_get_alert_action_by_group($id_group, $id_action, $trash2, $returnType) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], $id_group, "LW")) {
+		returnError('forbidden', $returnType);
+		return;
+	}
+
+	// Get only the user groups
+	$filter_groups = "1 = 1";
+	if (!users_is_admin($config['id_user'])) {
+		$user_groups = implode (',', array_keys(users_get_groups()));
+		$filter_groups = "(ta.id_grupo IN ($user_groups) OR tasg.id_group IN ($user_groups))";
+	}
+
 	$sql = "SELECT SUM(internal_counter)
-		FROM talert_template_modules
-		WHERE id_alert_template IN 
-			(SELECT id
-			FROM talert_templates
-			WHERE id_group=$id_group AND id_alert_action = $id_action)";
-	
+		FROM
+			talert_template_modules tatm,
+			tagente ta LEFT JOIN tagent_secondary_group tasg
+				ON ta.id_agente = tasg.id_agent,
+			tagente_modulo tam
+		WHERE tam.id_agente = ta.id_agente
+			AND tatm.id_agent_module = tam.id_agente_modulo
+			AND ta.disabled = 0
+			AND $filter_groups";
+
 	$value = db_get_value_sql($sql);
-	
+
 	if ($value === false) {
-		returnError('data_not_found', $returnType);
+		returnError('data_not_found', __('No alert found'));
+		return;
 	}
 	else if ($value == '') {
 		$value = 0;
 	}
 	
 	$data = array('type' => 'string', 'data' => $value);
-	
 	returnData($returnType, $data);
 }
 
 // http://localhost/pandora_console/include/api.php?op=get&op2=event_info&id=58&apipass=1234&user=admin&pass=pandora
 function api_get_event_info($id_event, $trash1, $trash, $returnType) {
-	
+	global $config;
+
 	$table_events = 'tevento';
 	if (defined ('METACONSOLE')) {
 		$table_events = 'tmetaconsole_event';
 	}
-	
+
 	$sql = "SELECT *
 		FROM " . $table_events . "
 		WHERE id_evento=$id_event";
 	$event_data = db_get_row_sql($sql);
-	
+
+	// Check the access to group
+	if (!empty($event_data['id_grupo']) && $event_data['id_grupo'] > 0 && !$event_data['id_agente']) {
+		if (!check_acl($config['id_user'], $event_data['id_grupo'], "ER")) {
+			returnError('forbidden', $returnType);
+			return;
+		}
+	}
+	// Check the access to agent
+	if (!empty($event_data['id_agente']) && $event_data['id_agente'] > 0) {
+		if (!api_check_agent_and_print_error($event_data['id_agente'], $returnType)) return;
+	}
+
 	$i = 0;
 	foreach ($event_data as $key => $data) {
 		$data = strip_tags($data);
@@ -9435,10 +9475,17 @@ function api_set_validate_event_by_id ($id, $trash1, $trash2, $returnType) {
  */
 //  http://localhost/pandora_console/include/api.php?op=get&op2=pandora_servers&return_type=csv&apipass=1234&user=admin&pass=pandora
 function api_get_pandora_servers($trash1, $trash2, $other, $returnType) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "AW")) {
+		returnError("forbidden", $returnType);
+		return;
+	}
+
 	if (!isset($other['data'][0]))
 		$separator = ';'; // by default
 	else
@@ -9631,10 +9678,17 @@ function api_set_pagerduty_webhook($type, $matchup_path, $tresh2, $return_type)
  *
  */
 function api_get_special_days($thrash1, $thrash2, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "LM")) {
+		returnError('forbidden', 'csv');
+		return;
+	}
+
 	if (!isset($other['data'][0]))
 		$separator = ';'; // by default
 	else

From b3bdd5d492a8da7ccfbd22bd80b8ff2084aff730 Mon Sep 17 00:00:00 2001
From: fermin831 <fermin.hernandez@artica.es>
Date: Wed, 6 Jun 2018 19:39:57 +0200
Subject: [PATCH 08/17] [API ACL] More get functions (2)

---
 pandora_console/include/functions_api.php | 27 ++++++++++++++---------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/pandora_console/include/functions_api.php b/pandora_console/include/functions_api.php
index 679dea360c..6f708a7ff1 100644
--- a/pandora_console/include/functions_api.php
+++ b/pandora_console/include/functions_api.php
@@ -4983,10 +4983,17 @@ function api_set_tag($id, $thrash1, $other, $thrash3) {
  */
 
 function api_get_all_planned_downtimes ($thrash1, $thrash2, $other, $returnType = 'json') {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if(!check_acl($config['id_user'], 0, "AR")) {
+		returnError('forbidden', $returnType);
+		return;
+	}
+
 	$values = array();
 	$values = array(
 		"name LIKE '%".$other['data'][0]."%'"
@@ -5003,7 +5010,12 @@ function api_get_all_planned_downtimes ($thrash1, $thrash2, $other, $returnType
 		
 	
 	$returned = all_planned_downtimes($values);
-	
+
+	if ($returned === false) {
+		returnError("error_get_all_planned_downtimes", __('No planned downtime retrieved'));
+		return;
+	}
+
 	returnData($returnType,
 			array('type' => 'array', 'data' => $returned));
 }
@@ -10134,14 +10146,9 @@ function api_get_module_graph($id_module, $thrash2, $other, $thrash4) {
 		returnError('error_module_graph', __(''));
 		return;
 	}
-	
-	$id_exist = (bool) db_get_value ('id_agente_modulo', 'tagente_modulo', 'id_agente_modulo', $id_module);
-	
-	if (!$id_exist) {
-		// returnError('id_not_found');
-		return;
-	}
-	
+
+	if (!api_check_agent_and_print_error(modules_get_agentmodule($id_module), 'string')) return;
+
 	$graph_seconds =
 		(!empty($other) && isset($other['data'][0]))
 		?

From 054b915846d3e984dd819192ba423bfffaa0407c Mon Sep 17 00:00:00 2001
From: Fermin <fermin.hernandez@artica.es>
Date: Thu, 7 Jun 2018 13:11:40 +0200
Subject: [PATCH 09/17] [ACL API] Fixed get planned_downtimes_items and added
 ACL to more the rest of get functions

---
 pandora_console/include/functions_api.php     | 43 +++++++++++++++++--
 .../include/functions_planned_downtimes.php   | 28 +++++++++---
 2 files changed, 60 insertions(+), 11 deletions(-)

diff --git a/pandora_console/include/functions_api.php b/pandora_console/include/functions_api.php
index f78f73cac0..e973c6bfda 100644
--- a/pandora_console/include/functions_api.php
+++ b/pandora_console/include/functions_api.php
@@ -93,6 +93,10 @@ function returnError($typeError, $returnType = 'string') {
 			returnData($returnType,
 				array('type' => 'string', 'data' => __('The user has not enough permission to make this action.')));
 			break;
+		case 'no_data_to_show':
+			returnData($returnType,
+				array('type' => 'string', 'data' => __('No data to show.')));
+			break;
 		default:
 			returnData("string",
 				array('type' => 'string', 'data' => __($returnType)));
@@ -2116,6 +2120,7 @@ function api_get_group_agent_by_name($thrash1, $thrash2, $other, $thrash3) {
 	}
 	else {
 		$agent_id = agents_get_agent_id($other['data'][0],true);
+		if (!util_api_check_agent_and_print_error($agent_id, 'csv')) return;
 	
 		$sql = sprintf("SELECT groups.nombre nombre 
 			FROM tagente agents, tgrupo groups
@@ -2149,7 +2154,11 @@ function api_get_group_agent_by_name($thrash1, $thrash2, $other, $thrash3) {
  * @param $thrash3 Don't use.
  */
 function api_get_group_agent_by_alias($thrash1, $thrash2, $other, $thrash3) {
-	
+	global $config;
+	if (!check_acl($config['id_user'], 0, "AR")) {
+		returnError('forbidden', 'csv');
+		return;
+	}
 	$group_names =array();
 	
 	if (is_metaconsole()) {
@@ -2188,6 +2197,8 @@ function api_get_group_agent_by_alias($thrash1, $thrash2, $other, $thrash3) {
 		$agent_id = db_get_all_rows_sql($sql);
 
 		foreach ($agent_id as &$id) {
+			if(!users_access_to_agent($id['id_agente'])) continue;
+
 			$sql = sprintf("SELECT groups.nombre nombre 
 			FROM tagente agents, tgrupo groups
 			WHERE id_agente = %d 
@@ -2303,6 +2314,8 @@ function api_get_id_group_agent_by_name($thrash1, $thrash2, $other, $thrash3) {
 	}
 	else {
 		$agent_id = agents_get_agent_id($other['data'][0],true);
+
+		if(!util_api_check_agent_and_print_error($agent_id, 'csv')) return;
 		
 		$sql = sprintf("SELECT groups.id_grupo id_group
 			FROM tagente agents, tgrupo groups
@@ -2336,9 +2349,15 @@ function api_get_id_group_agent_by_name($thrash1, $thrash2, $other, $thrash3) {
  * @param $thrash3 Don't use.
  */
 function api_get_id_group_agent_by_alias($thrash1, $thrash2, $other, $thrash3) {
-	
+	global $config;
+
+	if (!check_acl($config['id_user'], 0, "AR")) {
+		returnError('forbidden', 'csv');
+		return;
+	}
+
 	$group_names =array();
-	
+
 	if (is_metaconsole()) {
 		$servers = db_get_all_rows_sql ("SELECT *
 			FROM tmetaconsole_setup
@@ -2375,6 +2394,8 @@ function api_get_id_group_agent_by_alias($thrash1, $thrash2, $other, $thrash3) {
 		$agent_id = db_get_all_rows_sql($sql);
 
 		foreach ($agent_id as &$id) {
+			if(!users_access_to_agent($id['id_agente'])) continue;
+
 			$sql = sprintf("SELECT groups.id_grupo id_group
 			FROM tagente agents, tgrupo groups
 			WHERE id_agente = %d 
@@ -5036,10 +5057,17 @@ function api_get_all_planned_downtimes ($thrash1, $thrash2, $other, $returnType
  */
 
 function api_get_planned_downtimes_items ($thrash1, $thrash2, $other, $returnType = 'json') {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
 	
+	if(!check_acl($config['id_user'], 0, "AR")) {
+		returnError('forbidden', $returnType);
+		return;
+	}
+ 
 	$values = array();
 	$values = array(
 		"name LIKE '%".$other['data'][0]."%'"
@@ -5066,9 +5094,16 @@ function api_get_planned_downtimes_items ($thrash1, $thrash2, $other, $returnTyp
 		
 		$filter['id_downtime'] = $downtime['id'];
 		
-		$return[] = planned_downtimes_items ($filter);
+		$items = planned_downtimes_items ($filter);
+		if ($items !== false) $return[] = $items;
 	}
 	
+	// If the header is the unique element in the array, return an error
+	if (count($return) == 1) {
+		returnError('no_data_to_show', $returnType);
+		return;
+	}
+
 	if ($is_quiet)
 		$return['list_index'][] = 'modules';
 	
diff --git a/pandora_console/include/functions_planned_downtimes.php b/pandora_console/include/functions_planned_downtimes.php
index 8da0660504..eb0b730649 100644
--- a/pandora_console/include/functions_planned_downtimes.php
+++ b/pandora_console/include/functions_planned_downtimes.php
@@ -752,10 +752,20 @@ function planned_downtimes_items ($filter) {
 	
 	$downtime_agents = db_get_all_rows_filter('tplanned_downtime_agents',$filter, 'id_agent,id_downtime,all_modules');
 	$downtime = db_get_row_filter('tplanned_downtime',array('id' => $filter['id_downtime']), 'type_downtime');
-	
+
+	$return = array(
+		'id_agents' => array(),
+		'id_downtime' => $filter['id_downtime'],
+		'all_modules' => 0,
+		'modules' => array(),
+	);
 	foreach ( $downtime_agents as $key => $data ) {
-		$return = $data;
-		$modules = array();
+		// Do not add the agent information if no permissions
+		if (!agents_check_access_agent($data['id_agent'], "AR")) continue;
+
+		$return['id_agents'][] = $data['id_agent'];
+		$return['id_downtime'] = $data['id_downtime'];
+		$return['all_modules'] = $data['all_modules'];
 		if ($downtime['type_downtime'] === 'quiet') {
 			if (!$data['all_modules']) {
 				$second_filter = array(
@@ -765,14 +775,18 @@ function planned_downtimes_items ($filter) {
 				$downtime_modules = db_get_all_rows_filter('tplanned_downtime_modules',$second_filter, 'id_agent_module');
 				if ( $downtime_modules ) {
 					foreach ( $downtime_modules as $data2 ) {
-						$modules[] = $data2['id_agent_module'];
+						$return['modules'][$data2['id_agent_module']] = $data2['id_agent_module'];
 					}
-					$return['modules'] = implode(',', $modules);
 				}
 			}
 		}
-	}
-	
+	} 
+
+	if (empty($return['id_agents'])) return false;
+
+	// Implode agents and modules
+	$return['id_agents'] = implode(',', $return['id_agents']);
+	$return['modules'] = implode(',', $return['modules']);
 	return $return;
 }
 

From 9bf6102ac6390c3c17f7fe417f437a817fd631d5 Mon Sep 17 00:00:00 2001
From: Fermin <fermin.hernandez@artica.es>
Date: Thu, 7 Jun 2018 19:45:54 +0200
Subject: [PATCH 10/17] [ACL API] Added ACL in some set functions

---
 pandora_console/include/api.php           |   2 -
 pandora_console/include/functions_api.php | 290 +++++++++++++++-------
 2 files changed, 207 insertions(+), 85 deletions(-)

diff --git a/pandora_console/include/api.php b/pandora_console/include/api.php
index 591c353d11..34350a1754 100644
--- a/pandora_console/include/api.php
+++ b/pandora_console/include/api.php
@@ -133,8 +133,6 @@ if ($correctLogin) {
 												
 													$id_os = db_get_value_sql('select id_os from tagente where nombre = "'.$id.'"');
 													
-													html_debug($id_os);
-													
 													if($id_os == 100){
 														returnError('not_allowed_operation_cluster', $returnType);
 														return false;
diff --git a/pandora_console/include/functions_api.php b/pandora_console/include/functions_api.php
index e973c6bfda..391c97e04f 100644
--- a/pandora_console/include/functions_api.php
+++ b/pandora_console/include/functions_api.php
@@ -1150,11 +1150,20 @@ function get_module_properties($id_module, $fields, $separator, $returnType, $re
 
 function api_set_update_agent($id_agent, $thrash2, $other, $thrash3) {
 	global $config;
-	
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
 	
+	if (!check_acl($config['id_user'], 0, "AW")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
+	if (!util_api_check_agent_and_print_error($id_agent, 'string', 'AW')) {
+		return;
+	}
+
 	$alias = $other['data'][0];
 	$ip = $other['data'][1];
 	$idParent = $other['data'][2];
@@ -1180,6 +1189,24 @@ function api_set_update_agent($id_agent, $thrash2, $other, $thrash3) {
 	else {
 		$cascadeProtectionModule = 0;
 	}
+	// Check ACL group
+	if (!check_acl($config['id_user'], $idGroup, "AW")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
+	// Check selected parent
+	if ($idParent != 0) {
+		$parentCheck = agents_check_access_agent($idParent);
+		if ($parentCheck === null) {
+			returnError('parent_agent_not_exist', __('The agent parent don`t exist.'));
+			return;
+		}
+		if ($parentCheck === false) {
+			returnError('parent_agent_forbidden', __('The user cannot access to parent agent.'));
+			return;
+		}
+	}
 	
 	$group_old = db_get_sql("SELECT id_grupo FROM tagente WHERE id_agente =" .$id_agent);
 	$tpolicy_group_old = db_get_all_rows_sql("SELECT id_policy FROM tpolicy_groups 
@@ -1260,6 +1287,11 @@ function api_set_update_agent($id_agent, $thrash2, $other, $thrash3) {
  */
 function api_set_new_agent($thrash1, $thrash2, $other, $thrash3) {
 	global $config;
+
+	if (!check_acl($config['id_user'], 0, "AW")) {
+		returnError('forbidden', 'string');
+		return;
+	}
 	
 	if (defined ('METACONSOLE')) {
 		return;
@@ -1315,17 +1347,28 @@ function api_set_new_agent($thrash1, $thrash2, $other, $thrash3) {
 	}
 	
 	$nameServer = db_get_value_sql($sql1);
-	
+
+	// Check ACL group
+	if (!check_acl($config['id_user'], $idGroup, "AW")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
+	// Check selected parent
+	if ($idParent != 0) {
+		$parentCheck = agents_check_access_agent($idParent);
+		if ($parentCheck === null) {
+			returnError('parent_agent_not_exist', __('The agent parent don`t exist.'));
+			return;
+		}
+		if ($parentCheck === false) {
+			returnError('parent_agent_forbidden', __('The user cannot access to parent agent.'));
+			return;
+		}
+	}
 	if (agents_get_agent_id ($name)) {
 		returnError('agent_name_exist', 'The name of agent yet exist in DB.');
 	}
-	else if (($idParent != 0) && 
-		(db_get_value_sql('SELECT id_agente
-			FROM tagente
-			WHERE id_agente = ' . $idParent) === false)) {
-		
-		returnError('parent_agent_not_exist', 'The agent parent don`t exist.');
-	}
 	else if (db_get_value_sql('SELECT id_grupo
 		FROM tgrupo
 		WHERE id_grupo = ' . $idGroup) === false) {
@@ -1472,7 +1515,7 @@ function api_get_custom_field_id($t1, $t2, $other, $returnType) {
  * @param $thrash3 Don't use.
  */
 function api_set_delete_agent($id, $thrash1, $thrast2, $thrash3) {
-	
+
 	if (is_metaconsole()) {
 		$servers = db_get_all_rows_sql ("SELECT *
 			FROM tmetaconsole_setup
@@ -1492,12 +1535,11 @@ function api_set_delete_agent($id, $thrash1, $thrast2, $thrash3) {
 		}
 	}
 	else {
-		$agentName = $id;
-		$idAgent[0] = agents_get_agent_id($agentName);
-		if ($idAgent[0])
-			$result = agents_delete_agent ($idAgent, true);
-		else
-			$result = false;
+		$idAgent = agents_get_agent_id($id);
+		if (!util_api_check_agent_and_print_error($idAgent, 'string', "AD")) {
+			return;
+		}
+		$result = agents_delete_agent ($idAgent, true);
 	}
 	if (!$result)
 		returnError('error_delete', 'Error in delete operation.');
@@ -2534,10 +2576,8 @@ function api_set_create_network_module($id, $thrash1, $other, $thrash3) {
 	$agentName = $id;
 	
 	$idAgent = agents_get_agent_id($agentName);
-	
-	if (!$idAgent) {
-		returnError('error_create_network_module',
-			__('Error in creation network module. Agent name doesn\'t exist.'));
+
+	if (!util_api_check_agent_and_print_error($idAgent, 'string', 'AW')) {
 		return;
 	}
 	
@@ -2628,12 +2668,17 @@ function api_set_update_network_module($id_module, $thrash1, $other, $thrash3) {
 		return;
 	}
 	
-	
 	if ($id_module == "") {
 		returnError('error_update_network_module',
 			__('Error updating network module. Module name cannot be left blank.'));
 		return;
 	}
+
+	if (!util_api_check_agent_and_print_error(
+			modules_get_agentmodule($id_module), 'string', 'AW')
+	) {
+		return;
+	}
 	
 	$check_id_module = db_get_value ('id_agente_modulo', 'tagente_modulo', 'id_agente_modulo', $id_module);
 	
@@ -2645,6 +2690,9 @@ function api_set_update_network_module($id_module, $thrash1, $other, $thrash3) {
 	
 	// If we want to change the module to a new agent
 	if ($other['data'][0] != "") {
+		if (!util_api_check_agent_and_print_error($other['data'][0], 'string', 'AW')) {
+			return;
+		}
 		$id_agent_old = db_get_value ('id_agente', 'tagente_modulo', 'id_agente_modulo', $id_module);
 		
 		if ($id_agent_old != $other['data'][0]) {
@@ -2658,12 +2706,6 @@ function api_set_update_network_module($id_module, $thrash1, $other, $thrash3) {
 				return;
 			}
 		}
-		// Check if agent exists
-		$check_id_agent = db_get_value ('id_agente', 'tagente', 'id_agente', $other['data'][0]);
-		if (!$check_id_agent) {
-			returnError('error_update_data_module', __('Error updating network module. Id_agent doesn\'t exist.'));
-			return;
-		}
 	}
 	
 	$network_module_fields = array('id_agente',
@@ -2748,9 +2790,8 @@ function api_set_create_plugin_module($id, $thrash1, $other, $thrash3) {
 	}
 	
 	$idAgent = agents_get_agent_id($agentName);
-	
-	if (!$idAgent) {
-		returnError('error_create_plugin_module', __('Error in creation plugin module. Agent name doesn\'t exist.'));
+ 
+	if (!util_api_check_agent_and_print_error($idAgent, 'string', 'AW')) {
 		return;
 	}
 	
@@ -2844,16 +2885,18 @@ function api_set_update_plugin_module($id_module, $thrash1, $other, $thrash3) {
 		returnError('error_update_plugin_module', __('Error updating plugin module. Id_module cannot be left blank.'));
 		return;
 	}
-	
-	$check_id_module = db_get_value ('id_agente_modulo', 'tagente_modulo', 'id_agente_modulo', $id_module);
-	
-	if (!$check_id_module) {
-		returnError('error_update_plugin_module', __('Error updating plugin module. Id_module doesn\'t exist.'));
+
+	if (!util_api_check_agent_and_print_error(
+			modules_get_agentmodule($id_module), 'string', 'AW')
+	) {
 		return;
 	}
 	
 	// If we want to change the module to a new agent
 	if ($other['data'][0] != "") {
+		if (!util_api_check_agent_and_print_error($other['data'][0], 'string', 'AW')) {
+			return;
+		}
 		$id_agent_old = db_get_value ('id_agente', 'tagente_modulo', 'id_agente_modulo', $id_module);
 		
 		if ($id_agent_old != $other['data'][0]) {
@@ -2963,8 +3006,7 @@ function api_set_create_data_module($id, $thrash1, $other, $thrash3) {
 	
 	$idAgent = agents_get_agent_id($agentName);
 	
-	if (!$idAgent) {
-		returnError('error_create_data_module', __('Error in creation data module. Agent name doesn\'t exist.'));
+	if (!util_api_check_agent_and_print_error($idAgent, 'string', 'AW')) {
 		return;
 	}
 	
@@ -3227,16 +3269,18 @@ function api_set_update_data_module($id_module, $thrash1, $other, $thrash3) {
 		returnError('error_update_data_module', __('Error updating data module. Id_module cannot be left blank.'));
 		return;
 	}
-	
-	$check_id_module = db_get_value ('id_agente_modulo', 'tagente_modulo', 'id_agente_modulo', $id_module);
-	
-	if (!$check_id_module) {
-		returnError('error_update_data_module', __('Error updating data module. Id_module doesn\'t exist.'));
+
+	if (!util_api_check_agent_and_print_error(
+			modules_get_agentmodule($id_module), 'string', 'AW')
+	) {
 		return;
 	}
 	
 	// If we want to change the module to a new agent
 	if ($other['data'][0] != "") {
+		if (!util_api_check_agent_and_print_error($other['data'][0], 'string', 'AW')) {
+			return;
+		}
 		$id_agent_old = db_get_value ('id_agente', 'tagente_modulo', 'id_agente_modulo', $id_module);
 		
 		if ($id_agent_old != $other['data'][0]) {
@@ -3346,8 +3390,7 @@ function api_set_create_snmp_module($id, $thrash1, $other, $thrash3) {
 	
 	$idAgent = agents_get_agent_id($agentName);
 	
-	if (!$idAgent) {
-		returnError('error_create_snmp_module', __('Error in creation SNMP module. Agent name doesn\'t exist.'));
+	if (!util_api_check_agent_and_print_error($idAgent, 'string', 'AW')) {
 		return;
 	}
 	
@@ -3492,16 +3535,18 @@ function api_set_update_snmp_module($id_module, $thrash1, $other, $thrash3) {
 		returnError('error_update_snmp_module', __('Error updating SNMP module. Id_module cannot be left blank.'));
 		return;
 	}
-	
-	$check_id_module = db_get_value ('id_agente_modulo', 'tagente_modulo', 'id_agente_modulo', $id_module);
-	
-	if (!$check_id_module) {
-		returnError('error_update_snmp_module', __('Error updating SNMP module. Id_module doesn\'t exist.'));
+
+	if (!util_api_check_agent_and_print_error(
+			modules_get_agentmodule($id_module), 'string', 'AW')
+	) {
 		return;
 	}
 	
 	// If we want to change the module to a new agent
 	if ($other['data'][0] != "") {
+		if (!util_api_check_agent_and_print_error($other['data'][0], 'string', 'AW')) {
+			return; 
+		}
 		$id_agent_old = db_get_value ('id_agente', 'tagente_modulo', 'id_agente_modulo', $id_module);
 		
 		if ($id_agent_old != $other['data'][0]) {
@@ -3651,9 +3696,15 @@ function api_set_update_snmp_module($id_module, $thrash1, $other, $thrash3) {
 
  */
 function api_set_new_network_component($id, $thrash1, $other, $thrash2) {
+	global $config;
 	if (defined ('METACONSOLE')) {
 		return;
 	}
+
+	if (!check_acl($config['id_user'], 0, "PM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
 	
 	if ($id == "") {
 		returnError('error_set_new_network_component', __('Error creating network component. Network component name cannot be left blank.'));
@@ -3734,11 +3785,17 @@ function api_set_new_network_component($id, $thrash1, $other, $thrash2) {
 
  */
 function api_set_new_plugin_component($id, $thrash1, $other, $thrash2) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
-	
+
+	if (!check_acl($config['id_user'], 0, "PM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($id == "") {
 		returnError('error_set_new_plugin_component',
 			__('Error creating plugin component. Plugin component name cannot be left blank.'));
@@ -3824,6 +3881,8 @@ function api_set_new_plugin_component($id, $thrash1, $other, $thrash2) {
 
  */
 function api_set_new_snmp_component($id, $thrash1, $other, $thrash2) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
@@ -3832,6 +3891,11 @@ function api_set_new_snmp_component($id, $thrash1, $other, $thrash2) {
 		returnError('error_set_new_snmp_component', __('Error creating SNMP component. SNMP component name cannot be left blank.'));
 		return;
 	}
+
+	if (!check_acl($config['id_user'], 0, "PM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
 	
 	if ($other['data'][0] < 15 or $other['data'][0] > 17) {
 		returnError('error_set_new_snmp_component', __('Error creating SNMP component. Incorrect value for Snmp component type field.'));
@@ -3972,6 +4036,8 @@ function api_set_new_snmp_component($id, $thrash1, $other, $thrash2) {
 
  */
 function api_set_new_local_component($id, $thrash1, $other, $thrash2) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
@@ -3981,6 +4047,11 @@ function api_set_new_local_component($id, $thrash1, $other, $thrash2) {
 			__('Error creating local component. Local component name cannot be left blank.'));
 		return;
 	}
+
+	if (!check_acl($config['id_user'], 0, "PM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
 	
 	if ($other['data'][1] == "") {
 		returnError('error_set_new_local_component',
@@ -4570,6 +4641,13 @@ function api_set_create_module_template($id, $thrash1, $other, $thrash3) {
 		return;
 	}
 	
+	$id_module = $other['data'][0];
+	$id_agent = $other['data'][1];
+
+	if (!util_api_check_agent_and_print_error($id_agent, 'string', "AW")) {
+		return;
+	}
+	
 	$result_template = alerts_get_alert_template($id);
 	
 	if (!$result_template) {
@@ -4578,9 +4656,6 @@ function api_set_create_module_template($id, $thrash1, $other, $thrash3) {
 		return;
 	}
 	
-	$id_module = $other['data'][0];
-	$id_agent = $other['data'][1];
-	
 	$result_agent = agents_get_name($id_agent);
 	
 	if (!$result_agent) {
@@ -4806,7 +4881,7 @@ function api_set_validate_all_policy_alerts($id, $thrash1, $other, $thrash3) {
 	}
 	
 	# Get all policies
-	$policies = enterprise_hook('policies_get_policies', array(false, false, false, true));
+	$policies = enterprise_hook('policies_get_policies', array(false, false, false));
 	
 	if ($duplicated === ENTERPRISE_NOT_HOOK) {
 		returnError('error_validate_all_policy_alerts', __('Error validating all alert policies.'));
@@ -5290,11 +5365,19 @@ function api_set_add_agent_policy($id, $thrash1, $other, $thrash2) {
 		return;
 	}
 	
-	// Check if the agent exists
-	$result_agent = db_get_value ('id_agente', 'tagente', 'id_agente', (int) $other['data'][0]);
-	
-	if (!$result_agent) {
-		returnError('error_add_agent_policy', __('Error adding agent to policy. Id_agent doesn\'t exist.'));
+	// Check if the agent exists and permissions
+	if (!util_api_check_agent_and_print_error((int) $other['data'][0], 'string', "AW")) {
+		return;
+	}
+
+	// Check the policy permissions and existence
+	if (enterprise_hook('policies_check_user_policy', array($id)) === false) {
+		$result_agent = db_get_value ('id_agente', 'tagente', 'id_agente', (int) $other['data'][0]);
+		if ($result_agent) {
+			returnError('error_add_agent_policy', __('Error adding agent to policy. Id policy doesn\'t exist.'));
+			return;
+		}
+		returnError('forbidden', 'string');
 		return;
 	}
 	
@@ -5349,6 +5432,11 @@ function api_set_add_data_module_policy($id, $thrash1, $other, $thrash3) {
 		return;
 	}
 	
+	if (enterprise_hook('policies_check_user_policy', array($id)) === false) {
+		returnError('forbidden', 'string');
+		return;
+	}
+	
 	if ($other['data'][0] == "") {
 		returnError('error_add_data_module_policy', __('Error adding data module to policy. Module_name cannot be left blank.'));
 		return;
@@ -5437,6 +5525,10 @@ function api_set_update_data_module_policy($id, $thrash1, $other, $thrash3) {
 		returnError('error_update_data_module_policy', __('Error updating data module in policy. Id_policy cannot be left blank.'));
 		return;
 	}
+
+	if (!util_api_check_agent_and_print_error($id, 'string', "AW")) {
+		return;
+	}
 	
 	if ($other['data'][0] == "") {
 		returnError('error_update_data_module_policy', __('Error updating data module in policy. Id_policy_module cannot be left blank.'));
@@ -5515,6 +5607,11 @@ function api_set_add_network_module_policy($id, $thrash1, $other, $thrash3) {
 		return;
 	}
 	
+	if (enterprise_hook('policies_check_user_policy', array($id)) === false) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($other['data'][0] == "") {
 		returnError('error_network_data_module_policy',
 			__('Error adding network module to policy. Module_name cannot be left blank.'));
@@ -5687,6 +5784,11 @@ function api_set_add_plugin_module_policy($id, $thrash1, $other, $thrash3) {
 		return;
 	}
 	
+	if (enterprise_hook('policies_check_user_policy', array($id)) === false) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($other['data'][0] == "") {
 		returnError('error_add_plugin_module_policy', __('Error adding plugin module to policy. Module_name cannot be left blank.'));
 		return;
@@ -6018,6 +6120,11 @@ function api_set_add_snmp_module_policy($id, $thrash1, $other, $thrash3) {
 		return;
 	}
 	
+	if (enterprise_hook('policies_check_user_policy', array($id)) === false) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($other['data'][0] == "") {
 		returnError('error_add_snmp_module_policy', __('Error adding SNMP module to policy. Module_name cannot be left blank.'));
 		return;
@@ -6302,6 +6409,18 @@ function api_set_apply_policy($id, $thrash1, $other, $thrash3) {
 			return;
 		}
 	}
+
+	$check_acl = enterprise_hook('policies_check_user_policy', array($id));
+	if ($check_acl !== true) {
+		// We want to return a value
+		if ($other == "return") {
+			return -1;
+		}
+		else {
+			returnError('error_apply_policy', __('Error applying policy.'));
+			return;
+		}
+	}
 	
 	$id = enterprise_hook('add_policy_queue_operation', array($id, 0, 'apply'));
 	
@@ -6346,20 +6465,27 @@ function api_set_apply_policy($id, $thrash1, $other, $thrash3) {
  * @param $thrash3 Don't use
  */
 function api_set_apply_all_policies($thrash1, $thrash2, $other, $thrash3) {
+	global $config;
 	if (defined ('METACONSOLE')) {
 		return;
 	}
 	
+	if (!check_acl($config['id_user'], 0, "AW")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$policies = array();
 	
 	# Get all policies
-	$policies = enterprise_hook('policies_get_policies', array(false, false, false, true));
+	$policies = enterprise_hook('policies_get_policies', array(false, false, false));
 	
 	if ($policies === ENTERPRISE_NOT_HOOK) {
 		returnError('error_apply_all_policy', __('Error applying all policies.'));
 		return;
 	}
-	
+	if ($policies === false) $policies = array();
+
 	$num_policies = count($policies);
 	$count_results = 0;
 	foreach ($policies as $policy) {
@@ -10674,26 +10800,23 @@ function api_set_new_cluster($thrash1, $thrash2, $other, $thrash3) {
 function api_set_apply_module_template($id_template, $id_agent, $thrash3, $thrash4) {
 		
 	if (isset ($id_template)) {
+
+		if (!util_api_check_agent_and_print_error($id_agent, 'string', "AW")) return;
 		// Take agent data
 		$row = db_get_row ("tagente", "id_agente", $id_agent);
 		
-		if ($row !== false) {
-			$intervalo = $row["intervalo"];
-			$nombre_agente = $row["nombre"];
-			$direccion_agente =$row["direccion"];
-			$ultima_act = $row["ultimo_contacto"];
-			$ultima_act_remota =$row["ultimo_contacto_remoto"];
-			$comentarios = $row["comentarios"];
-			$id_grupo = $row["id_grupo"];
-			$id_os= $row["id_os"];
-			$os_version = $row["os_version"];
-			$agent_version = $row["agent_version"];
-			$disabled= $row["disabled"];
-		}
-		else {
-			return;
-		}
-		
+		$intervalo = $row["intervalo"];
+		$nombre_agente = $row["nombre"];
+		$direccion_agente =$row["direccion"];
+		$ultima_act = $row["ultimo_contacto"];
+		$ultima_act_remota =$row["ultimo_contacto_remoto"];
+		$comentarios = $row["comentarios"];
+		$id_grupo = $row["id_grupo"];
+		$id_os= $row["id_os"];
+		$os_version = $row["os_version"];
+		$agent_version = $row["agent_version"];
+		$disabled= $row["disabled"];
+
 		$id_np = $id_template;
 		$name_template = db_get_value ('name', 'tnetwork_profile', 'id_np', $id_np);
 		$npc = db_get_all_rows_field_filter ("tnetwork_profile_component", "id_np", $id_np);
@@ -10804,12 +10927,13 @@ function api_set_apply_module_template($id_template, $id_agent, $thrash3, $thras
 		}
 		if ($error_count > 0) {
 			if (empty($modules_already_added))
-				ui_print_error_message(__('Error adding modules') . sprintf(' (%s)', $error_count));
+				returnError('set_apply_module_template', __('Error adding modules') . sprintf(' (%s)', $error_count));
 			else
-				ui_print_error_message(__('Error adding modules. The following errors already exists: ') . implode(', ', $modules_already_added));
+				returnError('set_apply_module_template', __('Error adding modules. The following errors already exists: ') . implode(', ', $modules_already_added));
+		}
+		if ($success_count > 0) {
+			returnData('string',  array('type' => 'string', 'data' => __('Modules successfully added')));
 		}
-		if ($success_count > 0)
-			ui_print_success_message(__('Modules successfully added'));
 	}
 	
 }

From eda5898031c39bcb4652f1344bb4a31a5052399e Mon Sep 17 00:00:00 2001
From: fermin831 <fermin.hernandez@artica.es>
Date: Fri, 8 Jun 2018 15:20:15 +0200
Subject: [PATCH 11/17] [API ACL] More setters

---
 pandora_console/include/functions_api.php | 543 ++++++++++++++++------
 1 file changed, 389 insertions(+), 154 deletions(-)

diff --git a/pandora_console/include/functions_api.php b/pandora_console/include/functions_api.php
index 391c97e04f..2e3bef73dc 100644
--- a/pandora_console/include/functions_api.php
+++ b/pandora_console/include/functions_api.php
@@ -4277,10 +4277,17 @@ function api_set_create_alert_template($name, $thrash1, $other, $thrash3) {
  * @param $thrash3 Don't use
  */
 function api_set_update_alert_template($id_template, $thrash1, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "LM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($id_template == "") {
 		returnError('error_update_alert_template',
 			__('Error updating alert template. Id_template cannot be left blank.'));
@@ -4571,7 +4578,10 @@ function api_set_create_network_module_from_component($agent_name, $component_na
 	}
 	
 	$agent_id = agents_get_agent_id($agent_name);
-	
+	if (!util_api_check_agent_and_print_error($agent_id, 'string', 'AW')) {
+		return;
+	}
+
 	if (!$agent_id) {
 		returnError('error_network_module_from_component', __('Error creating module from network component. Agent doesn\'t exist.'));
 		return;
@@ -4695,10 +4705,17 @@ function api_set_create_module_template($id, $thrash1, $other, $thrash3) {
  * @param $thrash3 Don't use
  */
 function api_set_delete_module_template($id, $thrash1, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "AD")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($id == "") {
 		returnError('error_delete_module_template', __('Error deleting module template. Id_module_template cannot be left blank.'));
 		return;
@@ -4736,19 +4753,32 @@ function api_set_delete_module_template($id, $thrash1, $other, $thrash3) {
  *
  */
 function api_set_delete_module_template_by_names($id, $id2, $other, $trash1) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
 	$result = 0;
-	
+
 	if ($other['type'] != 'string') {
 		returnError('error_parameter', 'Error in the parameters.');
 		return;
 	}
-	
+
+	if (! check_acl ($config['id_user'], 0, "AD") &&
+		! check_acl ($config['id_user'], 0, "LM")
+	) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$idAgent = agents_get_agent_id($id);
-	
+
+	if (!util_api_check_agent_and_print_error($idAgent, 'string', "AD")) {
+		return;
+	}
+
 	$row = db_get_row_filter('talert_templates', array('name' => $id2));
 	
 	if ($row === false) {
@@ -4795,40 +4825,27 @@ function api_set_delete_module_template_by_names($id, $id2, $other, $trash1) {
  * @param $thrash3 Don't use
  */
 function api_set_validate_all_alerts($id, $thrash1, $other, $thrash3) {
-	
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
-	// Return all groups
-	$allGroups = db_get_all_rows_filter('tgrupo', array(), 'id_grupo');
-	
-	$groups = array();
-	
-	foreach ($allGroups as $row) {
-		$groups[] = $row['id_grupo'];
+
+	if (!check_acl($config['id_user'], 0, "LM")){
+		returnError('forbidden', 'string');
+		return;
 	}
-	// Added group All
-	$groups[] = 0;
-	
-	$id_groups = implode(',', $groups);
-	
-	$sql = sprintf ("SELECT id_agente  
-		FROM tagente 
-		WHERE id_grupo IN (%s) AND disabled = 0", 
-		$id_groups);
-	
-	$id_agents = array();
-	$result_agents = array();
-	
-	$id_agents = db_get_all_rows_sql($sql);
-	
-	foreach ($id_agents as $id_agent) {
-		$result_agents[] = $id_agent['id_agente'];
+
+	$agents = array();
+	$raw_agents = agents_get_agents(false, 'id_agente');
+	if ($raw_agents !== false) {
+		foreach ($raw_agents  as $agent) {
+			$agents[] = $agent['id_agente'];
+		}
 	}
-	
-	$agents_string = implode(',', $result_agents);
-	
+
+	$agents_string = implode(',', $agents);
+
 	$sql = sprintf ("
 		SELECT talert_template_modules.id
 		FROM talert_template_modules
@@ -4841,6 +4858,7 @@ function api_set_validate_all_alerts($id, $thrash1, $other, $thrash3) {
 		WHERE id_agent_module in (%s)", $agents_string);
 	
 	$alerts = db_get_all_rows_sql($sql);
+	if ($alerts === false) $alerts = array();
 	
 	$total_alerts = count($alerts);
 	$count_results = 0;
@@ -4857,7 +4875,7 @@ function api_set_validate_all_alerts($id, $thrash1, $other, $thrash3) {
 		returnError('error_validate_all_alerts', __('Error validate all alerts. Failed ' . $errors . '.'));
 	}
 	else {
-		returnData('string', array('type' => 'string', 'data' => __('Correct validating of all alerts.')));	
+		returnData('string', array('type' => 'string', 'data' => __('Correct validating of all alerts (total %d).', $count_results)));
 	}
 }
 
@@ -4875,11 +4893,17 @@ function api_set_validate_all_alerts($id, $thrash1, $other, $thrash3) {
  * @param $thrash3 Don't use
  */
 function api_set_validate_all_policy_alerts($id, $thrash1, $other, $thrash3) {
-	
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "AW")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	# Get all policies
 	$policies = enterprise_hook('policies_get_policies', array(false, false, false));
 	
@@ -4895,9 +4919,7 @@ function api_set_validate_all_policy_alerts($id, $thrash1, $other, $thrash3) {
 	foreach ($policies as $policy) {
 		$policy_alerts = array();
 		$policy_alerts = enterprise_hook('policies_get_alerts',  array($policy['id'], false, false));
-		
-		
-		
+
 		// Number of alerts in this policy
 		if ($policy_alerts != false) {
 			$partial_alerts = count($policy_alerts);
@@ -4963,10 +4985,17 @@ function api_set_validate_all_policy_alerts($id, $thrash1, $other, $thrash3) {
  * @param $thrash3 Don't use
  */
 function api_set_stop_downtime($id, $thrash1, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if(!check_acl($config['id_user'], 0, "AD")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($id == "") {
 		returnError('error_stop_downtime', __('Error stopping downtime. Id_downtime cannot be left blank.'));
 		return;
@@ -4980,11 +5009,13 @@ function api_set_stop_downtime($id, $thrash1, $other, $thrash3) {
 	$values['date_to'] = $date_time_stop;
 	
 	$result_update = db_process_sql_update('tplanned_downtime', $values, array ('id' => $id));
-	
-	if ($result_update < 0)
-		returnError('error_stop_downtime', 'Error stopping downtime.');
-	else
+	if ($result_update == 0) {
+		returnError('error_stop_downtime', __('No action has been taken.'));
+	} elseif ($result_update < 0) {
+		returnError('error_stop_downtime', __('Error stopping downtime.'));
+	} else {
 		returnData('string', array('type' => 'string', 'data' => __('Downtime stopped.')));
+	}
 }
 
 function api_set_add_tag_module($id, $id2, $thrash1, $thrash2) {
@@ -5959,7 +5990,9 @@ function api_set_add_module_in_conf($id_agent, $module_name, $configuration_data
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!util_api_check_agent_and_print_error($id_agent, 'string', "AW")) return;
+
 	$new_configuration_data = io_safe_output(urldecode($configuration_data['data']));
 	
 	// Check if exist a current module with the same name in the conf file
@@ -6033,7 +6066,8 @@ function api_set_delete_module_in_conf($id_agent, $module_name, $thrash2, $thras
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!util_api_check_agent_and_print_error($id_agent, 'string')) return;
 	$result = config_agents_delete_module_in_conf($id_agent, $module_name);
 	
 	$result = enterprise_hook('config_agents_delete_module_in_conf', array($id_agent, $module_name));
@@ -6064,7 +6098,8 @@ function api_set_update_module_in_conf($id_agent, $module_name, $configuration_d
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!util_api_check_agent_and_print_error($id_agent, 'string')) return;
 	$new_configuration_data = io_safe_output(urldecode($configuration_data_serialized['data']));
 	
 	// Get current configuration
@@ -6527,11 +6562,15 @@ function api_set_apply_all_policies($thrash1, $thrash2, $other, $thrash3) {
  * @param $thrash3 Don't use
  */
 function api_set_create_group($id, $thrash1, $other, $thrash3) {
-		
+	global $config;
+
 	$group_name = $id;
-	
-	
-	
+
+	if (!check_acl($config['id_user'], 0, "PM")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($id == "") {
 		returnError('error_create_group',
 			__('Error in group creation. Group_name cannot be left blank.'));
@@ -6627,7 +6666,22 @@ function api_set_update_group($id_group, $thrash2, $other, $thrash3) {
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "PM")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
+	if (db_get_value('id_grupo', 'tgrupo', 'id_grupo', $id_group) === false) {
+		returnError('error_set_update_group', __('There is not any group with the id provided'));
+		return;
+	}
+
+	if (!check_acl($config['id_user'], $id_group, "PM")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$name = $other['data'][0];
 	$icon = $other['data'][1];
 	$parent = $other['data'][2];
@@ -6669,12 +6723,22 @@ function api_set_delete_group($id_group, $thrash2, $other, $thrash3) {
 		return;
 	}
 
+	if (!check_acl($config['id_user'], 0, "PM")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$group = db_get_row_filter('tgrupo', array('id_grupo' => $id_group));
 	if (!$group) {
 		returnError('error_delete', 'Error in delete operation. Id does not exist.');
 		return;
 	}
 
+	if (!check_acl($config['id_user'], $id_group, "PM")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$usedGroup = groups_check_used($id_group);
 	if ($usedGroup['return']) {
 		returnError('error_delete',
@@ -6933,10 +6997,17 @@ function api_get_graph_module_data($id, $thrash1, $other, $thrash2) {
  * @param $thrash3 Don't use.
  */
 function api_set_new_user($id, $thrash2, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if(!check_acl($config['id_user'], 0, "UM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$values = array ();
 	$values['fullname'] = $other['data'][0];
 	$values['firstname'] = $other['data'][1];
@@ -6969,11 +7040,17 @@ function api_set_new_user($id, $thrash2, $other, $thrash3) {
  * @param $thrash3 Don't use.
  */
 function api_set_update_user($id, $thrash2, $other, $thrash3) {
-	
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if(!check_acl($config['id_user'], 0, "UM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$fields_user = array('fullname',
 		'firstname',
 		'lastname',
@@ -7046,18 +7123,23 @@ function api_set_update_user($id, $thrash2, $other, $thrash3) {
  */
 
 function api_set_enable_disable_user ($id, $thrash2, $other, $thrash3) {
-	
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if(!check_acl($config['id_user'], 0, "UM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($id == "") {
 		returnError('error_enable_disable_user',
 			__('Error enable/disable user. Id_user cannot be left blank.'));
 		return;
 	}
 	
-	
 	if ($other['data'][0] != "0" and $other['data'][0] != "1") {
 		returnError('error_enable_disable_user',
 			__('Error enable/disable user. Enable/disable value cannot be left blank.'));
@@ -7280,16 +7362,26 @@ function otherParameter2Filter($other, $return_as_array = false) {
  * @param $trash1
  */
 function api_set_new_alert_template($id, $id2, $other, $trash1) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "LM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
 	if ($other['type'] == 'string') {
 		returnError('error_parameter', 'Error in the parameters.');
 		return;
 	}
 	else if ($other['type'] == 'array') {
 		$idAgent = agents_get_agent_id($id);
+
+		if (!util_api_check_agent_and_print_error($idAgent, 'string', "AW")){
+			return;
+		}
 		
 		$row = db_get_row_filter('talert_templates', array('name' => $id2));
 		
@@ -7338,7 +7430,11 @@ function api_set_delete_module($id, $id2, $other, $trash1) {
 		}
 		
 		$idAgent = agents_get_agent_id($id);
-		
+
+		if (!util_api_check_agent_and_print_error($idAgent, 'string', "AD")) {
+			return;
+		}
+
 		$idAgentModule = db_get_value_filter('id_agente_modulo', 'tagente_modulo', array('id_agente' => $idAgent, 'nombre' => $id2));
 		
 		if ($idAgentModule === false) {
@@ -7370,13 +7466,14 @@ function api_set_delete_module($id, $id2, $other, $trash1) {
 }
 
 function api_set_module_data($id, $thrash2, $other, $trash1) {
-	global $config;
-	
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
 	if ($other['type'] == 'array') {
+		if (!util_api_check_agent_and_print_error(modules_get_agentmodule($$id), 'string', 'AW')) {
+			return;
+		}
 		$idAgentModule = $id;
 		$data = $other['data'][0];
 		$time = $other['data'][1];
@@ -7427,7 +7524,7 @@ function api_set_new_module($id, $id2, $other, $trash1) {
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
 	if ($other['type'] == 'string') {
 		returnError('error_parameter', 'Error in the parameters.');
 		return;
@@ -7435,6 +7532,9 @@ function api_set_new_module($id, $id2, $other, $trash1) {
 	else if ($other['type'] == 'array') {
 		$values = array();
 		$values['id_agente'] = agents_get_agent_id($id);
+		if (!util_api_check_agent_and_print_error($values['id_agente'], 'string', 'AW')){
+			return;
+		}
 		$values['nombre'] = $id2;
 		
 		$values['id_tipo_modulo'] = db_get_value_filter('id_tipo', 'ttipo_modulo', array('nombre' => $other['data'][0]));
@@ -7535,17 +7635,27 @@ function api_set_new_module($id, $id2, $other, $trash1) {
  * @param unknown_type $trash1
  */
 function api_set_alert_actions($id, $id2, $other, $trash1) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "LW")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($other['type'] == 'string') {
 		returnError('error_parameter', 'Error in the parameters.');
 		return;
 	}
 	else if ($other['type'] == 'array') {
 		$idAgent = agents_get_agent_id($id);
-		
+		if (!util_api_check_agent_and_print_error($idAgent, 'string', 'AW')) {
+			return;
+		}
+
 		$row = db_get_row_filter('talert_templates', array('name' => $id2));
 		if ($row === false) {
 			returnError('error_parameter', 'Error in the parameters.');
@@ -7744,9 +7854,13 @@ function api_set_new_event($trash1, $trash2, $other, $trash3) {
 }
 
 function api_set_event_validate_filter_pro($trash1, $trash2, $other, $trash3) {
-	$simulate = false;
-	
-	
+	global $config;
+
+	if (!check_acl($config['id_user'], 0, "EW")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$table_events = 'tevento';
 	if (defined ('METACONSOLE')) {
 		$table_events = 'tmetaconsole_event';
@@ -7802,25 +7916,23 @@ function api_set_event_validate_filter_pro($trash1, $trash2, $other, $trash3) {
 			$filterString .= 'AND utimestamp < ' . $other['data'][7];
 		}
 	}
-	
-	if ($simulate) {
-		$rows = db_get_all_rows_filter($table_events, $filterString);
-		if ($rows !== false) {
-			returnData('string', count($rows));
-			return;
-		}
-	}
-	else {
-		$count = db_process_sql_update($table_events,
-			array('estado' => 1), $filterString);
-		
-		returnData('string',
-			array('type' => 'string', 'data' => $count));
-		return;
-	}
+
+	$count = db_process_sql_update($table_events,
+		array('estado' => 1), $filterString);
+
+	returnData('string',
+		array('type' => 'string', 'data' => $count));
+	return;
 }
 
 function api_set_event_validate_filter($trash1, $trash2, $other, $trash3) {
+	global $config;
+
+	if (!check_acl($config['id_user'], 0, "EW")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$simulate = false;
 	
 	$table_events = 'tevento';
@@ -8543,10 +8655,17 @@ function api_get_events($trash1, $trash2, $other, $returnType, $user_in_db = nul
  * @param $thrash3 Don't use.
  */
 function api_set_delete_user($id, $thrash1, $thrash2, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "UM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if (!delete_user($id))
 		returnError('error_delete_user', 'Error delete user');
 	else
@@ -8569,13 +8688,34 @@ function api_set_delete_user($id, $thrash1, $thrash2, $thrash3) {
 
  */
 function api_set_add_user_profile($id, $thrash1, $other, $thrash2) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "PM")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$group = $other['data'][0];
 	$profile = $other['data'][1];
-	
+
+	if (db_get_value('id_grupo', 'tgrupo', 'id_grupo', $group) === false) {
+		returnError('error_set_add_user_profile', __('There is not any group with the id provided'));
+		return;
+	}
+	if (db_get_value('id_perfil', 'tperfil', 'id_perfil', $profile) === false) {
+		returnError('error_set_add_user_profile', __('There is not any profile with the id provided'));
+		return;
+	}
+
+	if (!check_acl($config['id_user'], $group, "PM")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if (!profile_create_user_profile ($id, $profile, $group,'API'))
 		returnError('error_add_user_profile', 'Error add user profile.');
 	else
@@ -8597,13 +8737,34 @@ function api_set_add_user_profile($id, $thrash1, $other, $thrash2) {
  * @param $thrash2 Don't use.
  */
 function api_set_delete_user_profile($id, $thrash1, $other, $thrash2) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "PM")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$group = $other['data'][0];
 	$profile = $other['data'][1];
-	
+
+	if (db_get_value('id_grupo', 'tgrupo', 'id_grupo', $group) === false) {
+		returnError('error_set_add_user_profile', __('There is not any group with the id provided'));
+		return;
+	}
+	if (db_get_value('id_perfil', 'tperfil', 'id_perfil', $profile) === false) {
+		returnError('error_set_add_user_profile', __('There is not any profile with the id provided'));
+		return;
+	}
+
+	if (!check_acl($config['id_user'], $group, "PM")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$where = array(
 		'id_usuario' => $id,
 		'id_perfil' => $profile,
@@ -8631,10 +8792,17 @@ function api_set_delete_user_profile($id, $thrash1, $other, $thrash2) {
  * @param $thrash3 Don't use.
  */
 function api_set_new_incident($thrash1, $thrash2, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "IW")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$title = $other['data'][0];
 	$description = $other['data'][1];
 	$origin = $other['data'][2];
@@ -8671,10 +8839,17 @@ function api_set_new_incident($thrash1, $thrash2, $other, $thrash3) {
  * @param $thrash2 Don't use.
  */
 function api_set_new_note_incident($id, $id2, $other, $thrash2) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "IW")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$values = array(
 		'id_usuario' => $id,
 		'id_incident' => $id2,
@@ -8705,6 +8880,9 @@ function api_set_disable_module ($agent_name, $module_name, $thrast3, $thrash4)
 	}
 	
 	$id_agent = agents_get_agent_id($agent_name);
+	if (!util_api_check_agent_and_print_error($id_agent, 'string', 'AD')) {
+		return;
+	}
 	$id_agent_module = db_get_value_filter('id_agente_modulo', 'tagente_modulo', array('id_agente' => $id_agent, 'nombre' => $module_name));
 	
 	$result = modules_change_disabled($id_agent_module, 1);
@@ -8728,12 +8906,14 @@ function api_set_disable_module ($agent_name, $module_name, $thrast3, $thrash4)
  */
 
 function api_set_enable_module ($agent_name, $module_name, $thrast3, $thrash4) {
-	
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
 	$id_agent = agents_get_agent_id($agent_name);
+	if (!util_api_check_agent_and_print_error($id_agent, 'string', 'AD')) {
+		return;
+	}
 	$id_agent_module = db_get_value_filter('id_agente_modulo', 'tagente_modulo', array('id_agente' => $id_agent, 'nombre' => $module_name));
 	
 	$result = modules_change_disabled($id_agent_module, 0);
@@ -8759,11 +8939,18 @@ function api_set_enable_module ($agent_name, $module_name, $thrast3, $thrash4) {
  */
 
 function api_set_disable_alert ($agent_name, $module_name, $template_name, $thrash4) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "LM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
 	$id_agent = agents_get_agent_id($agent_name);
+	if (!util_api_check_agent_and_print_error($id_agent, 'string', "AD")) return;
 	$id_agent_module = db_get_value_filter('id_agente_modulo', 'tagente_modulo', array('id_agente' => $id_agent, 'nombre' => $module_name));
 	$id_template = db_get_value_filter('id', 'talert_templates', array('name' => $template_name["data"]));
 	
@@ -8791,13 +8978,23 @@ function api_set_disable_alert ($agent_name, $module_name, $template_name, $thra
  */
 
 function api_set_disable_alert_alias ($agent_alias, $module_name, $template_name, $thrash4) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "LM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$agent_id = agents_get_agent_id_by_alias($agent_alias);
 	$result = false;
 	foreach ($agent_id as $key => $id_agent) {
+		if (!util_api_check_agent_and_print_error($id_agent['id_agente'], 'string', "AD")) {
+			continue;
+		}
 		$id_agent_module = db_get_value_filter('id_agente_modulo', 'tagente_modulo', array('id_agente' => $id_agent['id_agente'], 'nombre' => $module_name));
 		$id_template = db_get_value_filter('id', 'talert_templates', array('name' => $template_name["data"]));
 		
@@ -8828,12 +9025,19 @@ function api_set_disable_alert_alias ($agent_alias, $module_name, $template_name
  */
 
 function api_set_enable_alert ($agent_name, $module_name, $template_name, $thrash4) {
-	
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "LW")) {
+		returnError('forbidden');
+		return;
+	}
+
 	$id_agent = agents_get_agent_id($agent_name);
+	if (!util_api_check_agent_and_print_error($id_agent, 'string', "AW")) return;
 	$id_agent_module = db_get_value_filter('id_agente_modulo', 'tagente_modulo', array('id_agente' => $id_agent, 'nombre' => $module_name));
 	$id_template = db_get_value_filter('id', 'talert_templates', array('name' => $template_name["data"]));
 	
@@ -8841,49 +9045,59 @@ function api_set_enable_alert ($agent_name, $module_name, $template_name, $thras
 		SET disabled = 0
 		WHERE id_agent_module = $id_agent_module AND id_alert_template = $id_template");
 	
+	if ($result) {
+		returnData('string', array('type' => 'string', 'data' => "Correct alert enable"));
+	} else {
+		returnData('string', array('type' => 'string', 'data' => __('Error alert enable')));
+	}
+}
+
+/**
+ * Enable an alert with alias
+ * 
+ * @param string $agent_alias Alias of agent (for example "myagent")
+ * @param string $module_name Name of the module (for example "Host alive")
+ * @param string $template_name Name of the alert template (for example, "Warning event")
+ * @param $thrash4 Don't use.
+
+// http://localhost/pandora_console/include/api.php?op=set&op2=enable_alert_alias&id=garfio&id2=Status&other=Warning%20condition
+	*/
+
+function api_set_enable_alert_alias ($agent_alias, $module_name, $template_name, $thrash4) {
+	global $config;
+
+	if (defined ('METACONSOLE')) {
+		return;
+	}
+
+	if (!check_acl($config['id_user'], 0, "LW")) {
+		returnError('forbidden');
+		return;
+	}
+
+	$agent_id = agents_get_agent_id_by_alias($agent_alias);
+	$result = false;
+	foreach ($agent_id as $key => $id_agent) {
+		if (!util_api_check_agent_and_print_error($id_agent['id_agente'], 'string', "AW")) {
+			continue;
+		}
+		$id_agent_module = db_get_value_filter('id_agente_modulo', 'tagente_modulo', array('id_agente' => $id_agent['id_agente'], 'nombre' => $module_name));
+		$id_template = db_get_value_filter('id', 'talert_templates', array('name' => $template_name["data"]));
+		
+		$result = db_process_sql("UPDATE talert_template_modules
+			SET disabled = 0
+			WHERE id_agent_module = $id_agent_module AND id_alert_template = $id_template");
+		
 		if ($result) {
-				returnData('string', array('type' => 'string', 'data' => "Correct alert enable"));
-			} else {
-				returnData('string', array('type' => 'string', 'data' => __('Error alert enable')));
-			}
-		}
-
-		/**
-		 * Enable an alert with alias
-		 * 
-		 * @param string $agent_alias Alias of agent (for example "myagent")
-		 * @param string $module_name Name of the module (for example "Host alive")
-		 * @param string $template_name Name of the alert template (for example, "Warning event")
-		 * @param $thrash4 Don't use.
-
-		// http://localhost/pandora_console/include/api.php?op=set&op2=enable_alert_alias&id=garfio&id2=Status&other=Warning%20condition
-		 */
-
-		function api_set_enable_alert_alias ($agent_alias, $module_name, $template_name, $thrash4) {
-			if (defined ('METACONSOLE')) {
-				return;
-			}
-			
-			$agent_id = agents_get_agent_id_by_alias($agent_alias);
-			$result = false;
-			foreach ($agent_id as $key => $id_agent) {
-				$id_agent_module = db_get_value_filter('id_agente_modulo', 'tagente_modulo', array('id_agente' => $id_agent['id_agente'], 'nombre' => $module_name));
-				$id_template = db_get_value_filter('id', 'talert_templates', array('name' => $template_name["data"]));
-				
-				$result = db_process_sql("UPDATE talert_template_modules
-					SET disabled = 0
-					WHERE id_agent_module = $id_agent_module AND id_alert_template = $id_template");
-				
-				if ($result) {
-					returnData('string', array('type' => 'string', 'data' => "Correct alert enable"));
-					return;
-				}
-			}
-			
-			if(!$result){
-				returnData('string', array('type' => 'string', 'data' => __('Error alert enable')));
-			}
+			returnData('string', array('type' => 'string', 'data' => "Correct alert enable"));
+			return;
 		}
+	}
+	
+	if(!$result){
+		returnData('string', array('type' => 'string', 'data' => __('Error alert enable')));
+	}
+}
 
 
 /**
@@ -8898,13 +9112,19 @@ function api_set_enable_alert ($agent_name, $module_name, $template_name, $thras
  */
 
 function api_set_disable_module_alerts ($agent_name, $module_name, $thrash3, $thrash4) {
-	
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
-	
+
+	if (!check_acl($config['id_user'], 0, "LW")) {
+		returnError('forbidden');
+		return;
+	}
+
 	$id_agent = agents_get_agent_id($agent_name);
+	if (!util_api_check_agent_and_print_error($id_agent, 'string', "AW")) return;
 	$id_agent_module = db_get_value_filter('id_agente_modulo', 'tagente_modulo', array('id_agente' => $id_agent, 'nombre' => $module_name));
 	
 	db_process_sql("UPDATE talert_template_modules
@@ -8926,12 +9146,19 @@ function api_set_disable_module_alerts ($agent_name, $module_name, $thrash3, $th
  */
 
 function api_set_enable_module_alerts ($agent_name, $module_name, $thrash3, $thrash4) {
-	
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "LW")) {
+		returnError('forbidden');
+		return;
+	}
+
 	$id_agent = agents_get_agent_id($agent_name);
+	if (!util_api_check_agent_and_print_error($id_agent, 'string', "AW")) return;
 	$id_agent_module = db_get_value_filter('id_agente_modulo', 'tagente_modulo', array('id_agente' => $id_agent, 'nombre' => $module_name));
 	
 	db_process_sql("UPDATE talert_template_modules
@@ -9294,6 +9521,12 @@ function api_set_create_tag ($id, $trash1, $other, $returnType) {
 
 //http://127.0.0.1/pandora_console/include/api.php?op=set&op2=create_event&id=name_event&other=2|system|3|admin|2|1|10|0|comments||Pandora||critical_inst|warning_inst|unknown_inst|other||&other_mode=url_encode_separator_|&apipass=1234&user=admin&pass=pandora
 function api_set_create_event($id, $trash1, $other, $returnType) {
+	global $config;
+
+	if (!check_acl($config['id_user'], 0, "EW")){
+		returnError('forbidden', 'string');
+		return;
+	}
 
 	if ($other['type'] == 'string') {
 		returnError('error_parameter', 'Error in the parameters.');
@@ -9320,12 +9553,8 @@ function api_set_create_event($id, $trash1, $other, $returnType) {
 		}
 		$error_msg ='';
 		if ($other['data'][2] != '') {
-			$id_agent_exist = db_get_value('id_agente', 'tagente', 'id_agente', $other['data'][2]);
-			if($id_agent_exist){
-				$values['id_agente'] = $other['data'][2];
-			}
-			else{
-				$error_msg = 'id_not_exist';
+			if (!util_api_check_agent_and_print_error($other['data'][2], 'string', 'AR')) {
+				return;
 			}
 		}
 		else {
@@ -9513,10 +9742,16 @@ function api_set_create_event($id, $trash1, $other, $returnType) {
  *   http://127.0.0.1/pandora_console/include/api.php?op=set&op2=add_event_comment&id=event_id&other=string|&other_mode=url_encode_separator_|&apipass=1234&user=admin&pass=pandora
  */
 function api_set_add_event_comment($id, $thrash2, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if(!check_acl($config['id_user'], 0, 'EW')) {
+		returnError('forbidden', 'string');
+		return;
+	}
 	if ($other['type'] == 'string') {
 		returnError('error_parameter', 'Error in the parameters.');
 		return;

From e3fbef309b3107ce3aacd38f1b2182409e7e6217 Mon Sep 17 00:00:00 2001
From: fermin831 <fermin.hernandez@artica.es>
Date: Mon, 11 Jun 2018 15:39:58 +0200
Subject: [PATCH 12/17] [API ACL] Added ACL to set functions

---
 pandora_console/include/functions_api.php | 292 +++++++++++++++++-----
 1 file changed, 235 insertions(+), 57 deletions(-)

diff --git a/pandora_console/include/functions_api.php b/pandora_console/include/functions_api.php
index 2e3bef73dc..198e6d2cc4 100644
--- a/pandora_console/include/functions_api.php
+++ b/pandora_console/include/functions_api.php
@@ -1431,10 +1431,17 @@ function api_set_new_agent($thrash1, $thrash2, $other, $thrash3) {
  * @param boolean $display_front Flag to display custom field in agent's operation view
  */
 function api_set_create_custom_field($t1, $t2, $other, $returnType) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "PM")) {
+		returnError('forbidden', $returnType);
+		return;
+	}
+
 	if ($other['type'] == 'string') {
 		returnError('error_parameter', 'Error in the parameters.');
 		return;
@@ -3097,6 +3104,8 @@ function api_set_create_synthetic_module($id, $thrash1, $other, $thrash3) {
 	
 	$idAgent = agents_get_agent_id(io_safe_output($agentName),true);
 	
+	if (!util_api_check_agent_and_print_error($idAgent, 'string', "AW")) return;
+
 	if (!$idAgent) {
 		returnError('error_create_data_module', __('Error in creation synthetic module. Agent name doesn\'t exist.'));
 		return;
@@ -5022,14 +5031,18 @@ function api_set_add_tag_module($id, $id2, $thrash1, $thrash2) {
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
 	$id_module = $id;
 	$id_tag = $id2;
-	
+
+	if (!util_api_check_agent_and_print_error(modules_get_agentmodule($id_module), 'string', "AW")) {
+		return;
+	}
+
 	$exists = db_get_row_filter('ttag_module',
 		array('id_agente_modulo' => $id_module,
 			'id_tag' => $id_tag));
-	
+
 	if (empty($exists)) {
 		db_process_sql_insert('ttag_module',
 			array('id_agente_modulo' => $id_module,
@@ -5054,7 +5067,11 @@ function api_set_remove_tag_module($id, $id2, $thrash1, $thrash2) {
 	
 	$id_module = $id;
 	$id_tag = $id2;
-	
+
+	if (!util_api_check_agent_and_print_error(modules_get_agentmodule($id_module), 'string', "AW")) {
+		return;
+	}
+
 	$row = db_get_row_filter('ttag_module',
 		array('id_agente_modulo' => $id_module,
 			'id_tag' => $id_tag));
@@ -5077,10 +5094,17 @@ function api_set_remove_tag_module($id, $id2, $thrash1, $thrash2) {
 }
 
 function api_set_tag($id, $thrash1, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "PM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$values = array();
 	$values['name'] = $id;
 	$values['description'] = $other['data'][0];
@@ -5091,7 +5115,7 @@ function api_set_tag($id, $thrash1, $other, $thrash3) {
 	$id_tag = tags_create_tag($values);
 	
 	if (empty($id_tag))
-		returnError('error_set_tag', 'Error set tag.');
+		returnError('error_set_tag', __('Error set tag.'));
 	else
 		returnData('string',
 			array('type' => 'string', 'data' => $id_tag));
@@ -5233,9 +5257,16 @@ function api_get_planned_downtimes_items ($thrash1, $thrash2, $other, $returnTyp
  */
 
 function api_set_planned_downtimes_deleted ($id, $thrash1, $thrash2, $returnType) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
+
+	if(!check_acl($config['id_user'], 0, "AD")) {
+		returnError('forbidden', $returnType);
+		return;
+	}
 	
 	$values = array();
 	$values = array(
@@ -5265,12 +5296,19 @@ function api_set_planned_downtimes_deleted ($id, $thrash1, $thrash2, $returnType
  */
 
 function api_set_planned_downtimes_created ($id, $thrash1, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
 
-        $date_from = strtotime(html_entity_decode($other['data'][1]));
-        $date_to = strtotime(html_entity_decode($other['data'][2]));
+	if (!check_acl($config['id_user'], 0, "AD")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
+	$date_from = strtotime(html_entity_decode($other['data'][1]));
+	$date_to = strtotime(html_entity_decode($other['data'][2]));
 
 	$values = array();
 	$values['name'] = $id;
@@ -5330,7 +5368,7 @@ function api_set_planned_downtimes_additem ($id, $thrash1, $other, $thrash3) {
 	$bad_agents = array();
 	$i = 0;
 	foreach ($total_agents as $agent_id) {
-		$result_agent = (bool) db_get_value ('id_agente', 'tagente', 'id_agente', $agent_id);
+		$result_agent = agents_check_access_agent($agent_id, "AD");
 		if ( !$result_agent ) {
 			$bad_agents[] = $agent_id;
 			unset($agents[$i]);
@@ -6776,10 +6814,17 @@ function api_set_delete_group($id_group, $thrash2, $other, $thrash3) {
  * @param $thrash3 Don't use
  */
 function api_set_create_netflow_filter($thrash1, $thrash2, $other, $thrash3) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "AW")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($other['data'][0] == "") {
 		returnError('error_create_netflow_filter', __('Error in netflow filter creation. Filter name cannot be left blank.'));
 		return;
@@ -6793,7 +6838,12 @@ function api_set_create_netflow_filter($thrash1, $thrash2, $other, $thrash3) {
 		$group = groups_get_group_by_id($other['data'][1]);
 		
 		if ($group == false) {
-			returnError('error_create_group', __('Error in group creation. Id_parent_group doesn\'t exist.'));
+			returnError('error_create_group', __('Error in netflow filter creation. Id_group doesn\'t exist.'));
+			return;
+		}
+
+		if (!check_acl($config['id_user'], 0, "AW")) {
+			returnError('forbidden', 'string');
 			return;
 		}
 	}
@@ -8026,7 +8076,9 @@ function api_set_gis_agent_only_position($id_agent, $trash1, $other, $return_typ
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!util_api_check_agent_and_print_error($id_agent, 'string', 'AW')) return;
+
 	$new_gis_data = $other['data'];
 	
 	$correct = true;
@@ -8048,6 +8100,8 @@ function api_set_gis_agent_only_position($id_agent, $trash1, $other, $return_typ
 	
 	if (!$config['activate_gis']) {
 		$correct = false;
+		returnError('error_gis_agent_only_position', __('Gis not activated'));
+		return;
 	}
 	else {
 		if ($correct) {
@@ -8056,6 +8110,9 @@ function api_set_gis_agent_only_position($id_agent, $trash1, $other, $return_typ
 				1, __('Save by %s Console', get_product_name()),
 				__('Update by %s Console', get_product_name()),
 				__('Insert by %s Console', get_product_name()));
+		} else {
+			returnError('error_gis_agent_only_position', __('Missing parameters'));
+			return;
 		}
 	}
 	
@@ -8071,7 +8128,9 @@ function api_set_gis_agent($id_agent, $trash1, $other, $return_type, $user_in_db
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!util_api_check_agent_and_print_error($id_agent, 'string', 'AW')) return;
+
 	$new_gis_data = $other['data'];
 	
 	$correct = true;
@@ -8133,6 +8192,8 @@ function api_set_gis_agent($id_agent, $trash1, $other, $return_type, $user_in_db
 	
 	if (!$config['activate_gis']) {
 		$correct = false;
+		returnError('error_gis_agent_only_position', __('Gis not activated'));
+		return;
 	}
 	else {
 		if ($correct) {
@@ -8141,6 +8202,9 @@ function api_set_gis_agent($id_agent, $trash1, $other, $return_type, $user_in_db
 				$manual_placement, $start_timestamp, $end_timestamp,
 				$number_of_packages, $description_save_history,
 				$description_update_gis, $description_first_insert);
+		} else {
+			returnError('error_set_ig_agent', __('Missing parameters'));
+			return;
 		}
 	}
 	
@@ -9473,11 +9537,17 @@ function api_get_event_info($id_event, $trash1, $trash, $returnType) {
 
 //http://127.0.0.1/pandora_console/include/api.php?op=set&op2=create_tag&other=tag_name|tag_description|tag_url|tag_email&other_mode=url_encode_separator_|&apipass=1234&user=admin&pass=pandora
 function api_set_create_tag ($id, $trash1, $other, $returnType) {
-	
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "PM")){
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$data = array();
 	
 	if ($other['type'] == 'string') {
@@ -10012,7 +10082,10 @@ function api_set_enable_disable_agent ($id, $thrash2, $other, $thrash3) {
 			__('Error enable/disable agent. Id_agent cannot be left blank.'));
 		return;
 	}
-	
+
+	if (!util_api_check_agent_and_print_error($id, 'string', "AD")) {
+		return;
+	}
 	
 	if ($other['data'][0] != "0" and $other['data'][0] != "1") {
 		returnError('error_enable_disable_agent',
@@ -10064,11 +10137,16 @@ function api_set_enable_disable_agent ($id, $thrash2, $other, $thrash3) {
  
 function api_set_pagerduty_webhook($type, $matchup_path, $tresh2, $return_type) {
 	global $config;
-	
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "PM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$pagerduty_data = json_decode(file_get_contents('php://input'), true);
 	
 	foreach($pagerduty_data['messages'] as $pm) {
@@ -10169,11 +10247,16 @@ function api_get_special_days($thrash1, $thrash2, $other, $thrash3) {
  */
 function api_set_create_special_day($thrash1, $thrash2, $other, $thrash3) {
 	global $config;
-	
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "LM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$special_day = $other['data'][0];
 	$same_day = $other['data'][1];
 	$description = $other['data'][2];
@@ -10223,7 +10306,8 @@ function api_set_create_special_day($thrash1, $thrash2, $other, $thrash3) {
  * &other=test1%7CDescripcion de prueba%7C12%7C1%7C0.5%7C1&other_mode=url_encode_separator_%7C&apipass=1234&user=admin&pass=pandora
  */
 function api_set_create_service($thrash1, $thrash2, $other, $thrash3) {
-	
+	global $config;
+
 	$name = $other['data'][0];
 	$description = $other['data'][1];
 	$id_group = $other['data'][2];
@@ -10246,6 +10330,10 @@ function api_set_create_service($thrash1, $thrash2, $other, $thrash3) {
 		// By default applications
 		$id_group = 12;
 	}
+	if (!check_acl($config['id_user'], $id_group, "AR")) {
+		returnError('forbidden', 'string');
+		return;
+	}
 	if(empty($critical)){
 		$critical = 1;
 	}
@@ -10255,6 +10343,10 @@ function api_set_create_service($thrash1, $thrash2, $other, $thrash3) {
 	if(empty($id_agent)){
 		returnError('error_create_service', __('Error in creation service. No agent id'));
 		return;
+	} else {
+		if (!util_api_check_agent_and_print_error($id_agent, 'string', "AR")) {
+			return;
+		}
 	}
 	if(empty($sla_interval)){
 		// By default one month
@@ -10303,16 +10395,22 @@ function api_set_create_service($thrash1, $thrash2, $other, $thrash3) {
  *
  */
 function api_set_update_service($thrash1, $thrash2, $other, $thrash3) {
-	
+	global $config;
+
 	$id_service = $thrash1;
 	if(empty($id_service)){
 		returnError('error_update_service', __('Error in update service. No service id'));
 		return;
 	}
-	
+
 	$service = db_get_row('tservice',
 		'id', $id_service);
-	
+
+	if (!check_acl($config['id_user'],$service['id_group'], "AD")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$name = $other['data'][0];
 	if(empty($name)){
 		$name = $service['name'];
@@ -10324,6 +10422,11 @@ function api_set_update_service($thrash1, $thrash2, $other, $thrash3) {
 	$id_group = $other['data'][2];
 	if(empty($id_group)){
 		$id_group = $service['id_group'];
+	} else {
+		if (!check_acl($config['id_user'], $id_group, "AD")) {
+			returnError('forbidden', 'string');
+			return;
+		}
 	}
 	$critical = $other['data'][3];
 	if(empty($critical)){
@@ -10339,6 +10442,10 @@ function api_set_update_service($thrash1, $thrash2, $other, $thrash3) {
 	$id_agent = $other['data'][5];
 	if(empty($id_agent)){
 		$id_agent = $service['id_agent_module'];
+	} else {
+		if (!util_api_check_agent_and_print_error($id_agent, 'string', "AR")) {
+			return;
+		}
 	}
 	$sla_interval = $other['data'][6];
 	if(empty($sla_interval)){
@@ -10396,14 +10503,22 @@ function api_set_update_service($thrash1, $thrash2, $other, $thrash3) {
  *
  */
 function api_set_add_element_service($thrash1, $thrash2, $other, $thrash3) {
-	
+	global $config;
+
 	$id = $thrash1;
 	
 	if(empty($id)){
 		returnError('error_add_service_element', __('Error adding elements to service. No service id'));
 		return;
 	}
-	
+
+	$service_group = db_get_value('id_group', 'tservice', 'id', $id);
+
+	if (!check_acl($config['id_user'], $service_group, "AD")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$array_json = json_decode(base64_decode(io_safe_output($other['data'][0])), true);
 	if(!empty($array_json)){
 		$results = false;
@@ -10416,18 +10531,30 @@ function api_set_add_element_service($thrash1, $thrash2, $other, $thrash3) {
 					$id_agente_modulo = 0;
 					$id_service_child = 0;
 					$agent_id = $element['id'];
+					if (!agents_check_access_agent($agent_id, "AR")) {
+						continue;
+					}
 					break;
 				
 				case 'module':
 					$agent_id = 0;
 					$id_service_child = 0;
 					$id_agente_modulo = $element['id'];
+					if (!agents_check_access_agent(modules_get_agentmodule($id_agente_modulo), "AR")) {
+						continue;
+					}
 					break;
 					
 				case 'service':
 					$agent_id = 0;
 					$id_agente_modulo = 0;
 					$id_service_child = $element['id'];
+					$service_group = db_get_value(
+						'id_group', 'tservice', 'id', $id_service_child
+					);
+					if ($service_group === false || !check_acl($config['id_user'], $service_group, "AD")) {
+						continue;
+					}
 					break;
 			}
 			
@@ -10472,11 +10599,16 @@ function api_set_add_element_service($thrash1, $thrash2, $other, $thrash3) {
  */
 function api_set_update_special_day($id_special_day, $thrash2, $other, $thrash3) {
 	global $config;
-	
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "LM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$special_day = $other['data'][0];
 	$same_day = $other['data'][1];
 	$description = $other['data'][2];
@@ -10524,10 +10656,17 @@ function api_set_update_special_day($id_special_day, $thrash2, $other, $thrash3)
  *
  */
 function api_set_delete_special_day($id_special_day, $thrash2, $thrash3, $thrash4) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	if (!check_acl($config['id_user'], 0, "LM")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	if ($id_special_day == "") {
 		returnError('error_update_special_day', __('Error deleting special day. Id cannot be left blank.'));
 		return;
@@ -10714,39 +10853,39 @@ function api_set_new_cluster($thrash1, $thrash2, $other, $thrash3) {
 	$cluster_type = $other['data'][1];
 	$description = $other['data'][2];
 	$idGroup = $other['data'][3];
-		
-	
+
+	if(!check_acl($config['id_user'], $idGroup, "AW")) {
+		returnError('forbidden', 'string');
+		return;
+	}
+
 	$server_name = db_process_sql('select name from tserver where server_type=5 limit 1');	
 	
 	$server_name_agent = $server_name[0]['name'];
 		
-  $values_agent = array(
+	$values_agent = array(
 		'nombre' => $name,
-    'alias' => $name,
+		'alias' => $name,
 		'comentarios' => $description,
 		'id_grupo' => $idGroup,
 		'id_os' => 100,
 		'server_name' => $server_name_agent
-		);
+	);
 	
 	if (trim($name) != "") {
-		
-    // $id_agent = db_process_sql_insert('tagente',$values_agent);
-		
 		$id_agent = agents_create_agent($values_agent['nombre'],$values_agent['id_grupo'],300,'127.0.0.1',$values_agent);
 		
 		// Create cluster
 		$values_cluster = array(
 			'name' => $name,
-	    'cluster_type' => $cluster_type,
+			'cluster_type' => $cluster_type,
 			'description' => $description,
 			'group' => $idGroup,
 			'id_agent' => $id_agent
-			);
+		);
 			
 		$id_cluster = db_process_sql_insert('tcluster', $values_cluster);
 		
-		
 		$values_module = array(
 			'nombre' => 'Cluster status',
 			'id_modulo' => 5,
@@ -10761,33 +10900,37 @@ function api_set_new_cluster($thrash1, $thrash2, $other, $thrash3) {
 			
 		$id_module = 	modules_create_agent_module($values_module['id_agente'],$values_module['nombre'],$values_module);
 		
-		
 		if ($id_cluster !== false)
 			db_pandora_audit("Report management", "Create cluster #$id_cluster");
 		else
 			db_pandora_audit("Report management", "Fail try to create cluster");
       
-    if ($id_agent !== false)
+    	if ($id_agent !== false)
 			db_pandora_audit("Report management", "Create cluster #$id_agent");
 		else
 			db_pandora_audit("Report management", "Fail try to create agent");
 		
 		returnData('string',
 			array('type' => 'string', 'data' => (int)$id_cluster));
-		}
+	} else {
+		returnError('error_set_new_cluster', __('Agent name cannot be empty.'));
+		return;
 	}
-	
+}
 	
 	function api_set_add_cluster_agent($thrash1, $thrash2, $other, $thrash3) {
+		global $config;
 		
 		$array_json = json_decode(base64_decode(io_safe_output($other['data'][0])), true);
-		
 		if(!empty($array_json)){
 			$results = false;
 			
 			foreach ($array_json as $key => $element) {
-				
-				if($element['id'] == 0){
+				$check_cluster_group = clusters_get_group ($element['id']);
+				if(!$check_cluster_group ||
+					!check_acl($config['id_user'], $check_cluster_group, "AW") ||
+					!agents_check_access_agent($element['id_agent'], "AW")
+				){
 					continue;
 				}
 				
@@ -10819,9 +10962,11 @@ function api_set_new_cluster($thrash1, $thrash2, $other, $thrash3) {
 			
 			// 
 			foreach ($array_json as $key => $element) {
-			// 	
+				$cluster_group = clusters_get_group ($element['id']);
+				if(!$cluster_group ||	!check_acl($config['id_user'], $cluster_group, "AW")){
+					continue;
+				}
 				if($element["type"] == "AA"){
-			// 								
 						$tcluster_module = db_process_sql_insert('tcluster_item',array('name'=>io_safe_input($element["name"]),'id_cluster'=>$element["id_cluster"],'critical_limit'=>$element["critical_limit"],'warning_limit'=>$element["warning_limit"]));
 						
 						$id_agent = db_process_sql('select id_agent from tcluster where id = '.$element["id_cluster"]);
@@ -10956,13 +11101,18 @@ function api_set_new_cluster($thrash1, $thrash2, $other, $thrash3) {
 	
 	
 	function api_set_delete_cluster($id, $thrash1, $thrast2, $thrash3) {
-		
 		global $config;
 		
 		if (defined ('METACONSOLE')) {
 			return;
 		}
-		
+
+		$cluster_group = clusters_get_group($id);
+		if(!$cluster_group || !check_acl($config['id_user'], $cluster_group, "AD")){
+			returnError('error_set_delete_cluster', __('The user cannot access to the cluster'));
+			return;
+		}
+
 		$temp_id_cluster = db_process_sql('select id_agent from tcluster where id ='.$id);
 		
 		$tcluster_modules_delete_get = db_process_sql('select id_agente_modulo from tagente_modulo where custom_integer_1 = '.$id);
@@ -10990,7 +11140,6 @@ function api_set_new_cluster($thrash1, $thrash2, $other, $thrash3) {
 	
 	
 	function api_set_delete_cluster_agent($thrash1, $thrast2, $other, $thrash3) {
-		
 		global $config;
 		
 		if (defined ('METACONSOLE')) {
@@ -10999,6 +11148,14 @@ function api_set_new_cluster($thrash1, $thrash2, $other, $thrash3) {
 		
 		$id_agent = $other['data'][0];
 		$id_cluster = $other['data'][1];
+
+		$cluster_group = clusters_get_group($id_agent);
+		if(!$cluster_group
+			|| !check_acl($config['id_user'], $cluster_group, "AW")
+			|| !agents_check_access_agent($id_agent, "AW")){
+			returnError('error_set_delete_cluster_agent', __('The user cannot access to the cluster'));
+			return;
+		}
 		
 		$tcluster_agent_delete = db_process_sql('delete from tcluster_agent where id_agent = '.$id_agent.' and id_cluster = '.$id_cluster);
 		
@@ -11012,13 +11169,18 @@ function api_set_new_cluster($thrash1, $thrash2, $other, $thrash3) {
 	
 	
 	function api_set_delete_cluster_item($id, $thrash1, $thrast2, $thrast3) {
-		
 		global $config;
 		
 		if (defined ('METACONSOLE')) {
 			return;
 		}
-		
+
+		$cluster_group = clusters_get_group($id);
+		if(!$cluster_group || !check_acl($config['id_user'], $cluster_group, "AD")){
+			returnError('error_set_delete_cluster_item', __('The user cannot access to the cluster'));
+			return;
+		}
+
 		$delete_module_aa_get = db_process_sql('select id_agente_modulo from tagente_modulo where custom_integer_2 = '.$id);
 								
 		$delete_module_aa_get_result = modules_delete_agent_module($delete_module_aa_get[0]['id_agente_modulo']);
@@ -11174,10 +11336,18 @@ function api_set_apply_module_template($id_template, $id_agent, $thrash3, $thras
 }
 
 function api_get_cluster_status($id_cluster, $trash1, $trash2, $returnType) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
-	
+
+	$cluster_group = clusters_get_group($id_cluster);
+	if(!$cluster_group || !check_acl($config['id_user'], $cluster_group, "AR")){
+		returnError('error_get_cluster_status', __('The user cannot access to the cluster'));
+		return;
+	}
+
 	$sql = "select estado from tagente_estado INNER JOIN tagente_modulo ON tagente_estado.id_agente_modulo = tagente_modulo.id_agente_modulo and tagente_modulo.nombre = 'Cluster status' and tagente_modulo.id_agente = (select id_agent from tcluster where id = ".$id_cluster.")";
 	
 	$value = db_get_value_sql($sql);
@@ -11192,6 +11362,8 @@ function api_get_cluster_status($id_cluster, $trash1, $trash2, $returnType) {
 }
 
 function api_get_cluster_id_by_name($cluster_name, $trash1, $trash2, $returnType) {
+	global $config;
+
 	if (defined ('METACONSOLE')) {
 		return;
 	}
@@ -11203,7 +11375,13 @@ function api_get_cluster_id_by_name($cluster_name, $trash1, $trash2, $returnType
 	if ($value === false) {
 		returnError('id_not_found', $returnType);
 	}
-	
+
+	$cluster_group = clusters_get_group($id_cluster);
+	if(!$cluster_group || !check_acl($config['id_user'], $cluster_group, "AR")){
+		returnError('error_get_cluster_status', __('The user cannot access to the cluster'));
+		return;
+	}
+
 	$data = array('type' => 'string', 'data' => $value);
 	
 	returnData($returnType, $data);

From fac3e21829aa36c361a2ac153afa7c2d8749c8b9 Mon Sep 17 00:00:00 2001
From: Alejandro Gallardo Escobar <alejandro.gallardo@artica.es>
Date: Mon, 11 Jun 2018 16:40:10 +0200
Subject: [PATCH 13/17] Added a lot of fixes to the dates stored as strings
 without timezone information to made them use the user timezone

---
 pandora_console/extensions/insert_data.php    | 65 ++++++++++---------
 pandora_console/godmode/admin_access_logs.php |  3 +-
 .../agentes/planned_downtime.editor.php       | 19 ++++--
 .../alerts/configure_alert_template.php       |  4 ++
 .../reporting_builder.item_editor.php         |  3 +-
 .../godmode/servers/servers.build_table.php   |  2 +-
 pandora_console/godmode/setup/news.php        | 32 ++++-----
 .../godmode/users/configure_user.php          |  9 ++-
 pandora_console/include/ajax/module.php       | 11 ++--
 pandora_console/include/functions.php         | 59 ++++++++++++++++-
 pandora_console/include/functions_agents.php  | 21 ++----
 pandora_console/include/functions_alerts.php  |  8 +--
 pandora_console/include/functions_api.php     |  4 +-
 pandora_console/include/functions_events.php  | 16 ++---
 pandora_console/include/functions_ui.php      | 18 ++++-
 pandora_console/mobile/include/user.class.php |  2 +
 pandora_console/mobile/operation/agents.php   |  8 ++-
 pandora_console/mobile/operation/events.php   |  2 +-
 .../agentes/estado_generalagente.php          |  2 +-
 .../operation/agentes/exportdata.php          | 27 +++++---
 .../operation/agentes/gis_view.php            |  4 +-
 .../operation/events/events.build_query.php   | 37 +++++------
 .../operation/events/export_csv.php           | 36 +++++++---
 pandora_console/operation/gis_maps/ajax.php   |  4 +-
 .../operation/incidents/incident_detail.php   |  4 +-
 pandora_console/operation/search_agents.php   |  4 +-
 26 files changed, 258 insertions(+), 146 deletions(-)

diff --git a/pandora_console/extensions/insert_data.php b/pandora_console/extensions/insert_data.php
index 8357c96113..ff5b113627 100644
--- a/pandora_console/extensions/insert_data.php
+++ b/pandora_console/extensions/insert_data.php
@@ -25,7 +25,7 @@ function createXMLData($agent, $agentModule, $time, $data) {
 	
 	$xmlTemplate = "<?xml version='1.0' encoding='UTF-8'?>
 		<agent_data description='' group='' os_name='%s' " .
-		" os_version='%s' interval='%d' version='%s' timestamp='%s' agent_name='%s' timezone_offset='%d'>
+		" os_version='%s' interval='%d' version='%s' timestamp='%s' agent_name='%s' timezone_offset='0'>
 			<module>
 				<name><![CDATA[%s]]></name>
 				<description><![CDATA[%s]]></description>
@@ -34,20 +34,22 @@ function createXMLData($agent, $agentModule, $time, $data) {
 			</module>
 		</agent_data>";
 	
-	$xml = sprintf($xmlTemplate, io_safe_output(get_os_name($agent['id_os'])),
-		io_safe_output($agent['os_version']), $agent['intervalo'],
-		io_safe_output($agent['agent_version']), $time,
+	$xml = sprintf(
+		$xmlTemplate,
+		io_safe_output(get_os_name($agent['id_os'])),
+		io_safe_output($agent['os_version']),
+		$agent['intervalo'],
+		io_safe_output($agent['agent_version']),
+		$time,
 		io_safe_output($agent['nombre']),
-		$agent['timezone_offset'],
-		io_safe_output($agentModule['nombre']), io_safe_output($agentModule['descripcion']), modules_get_type_name($agentModule['id_tipo_modulo']), $data);
-
-
-	if (false === @file_put_contents($config['remote_config'] . '/' . io_safe_output($agent['alias']) . '.' . strtotime($time) . '.data', $xml)) {
-		return false;
-	}
-	else {
-		return true;
-	}
+		io_safe_output($agentModule['nombre']),
+		io_safe_output($agentModule['descripcion']),
+		modules_get_type_name($agentModule['id_tipo_modulo']),
+		$data
+	);
+	
+	$file_name = $config["remote_config"] . "/" . io_safe_output($agent["alias"]) . "." . str_replace($time, " ", "_") . ".data";
+	return (bool) @file_put_contents($file_name, $xml);
 }
 
 function mainInsertData() {
@@ -61,18 +63,12 @@ function mainInsertData() {
 		return;
 	}
 	
-	$save = (bool)get_parameter('save', false);
-	$id_agent = (string)get_parameter('id_agent', '');
+	$save = (bool) get_parameter("save");
+	$agent_id = (int) get_parameter("agent_id");
+	$agent_name = (string) get_parameter("agent_name");
 	
-	foreach ($_POST as $key => $value) {
-		if(strpos($key,"agent_autocomplete_idagent")!== false){
-			$id_agente = $value;
-		}
-	}
-	
-	
-	$id_agent_module = (int)get_parameter('id_agent_module', '');
-	$data = (string)get_parameter('data');
+	$id_agent_module = (int) get_parameter("id_agent_module");
+	$data = (string) get_parameter('data');
 	$date = (string) get_parameter('date', date(DATE_FORMAT));
 	$time = (string) get_parameter('time', date(TIME_FORMAT));
 	if (isset($_FILES['csv'])) {
@@ -89,12 +85,11 @@ function mainInsertData() {
 	
 	
 	if ($save) {
-		if (!check_acl($config['id_user'], agents_get_agent_group(agents_get_agent_id($id_agent)), "AW")) {
+		if (!check_acl($config['id_user'], agents_get_agent_group($agent_id), "AW")) {
 			ui_print_error_message(__('You haven\'t privileges for insert data in the agent.'));
 		}
 		else {
-			
-			$agent = db_get_row_filter('tagente', array('id_agente' => $id_agente));
+			$agent = db_get_row_filter('tagente', array('id_agente' => $agent_id));
 			$agentModule = db_get_row_filter('tagente_modulo', array('id_agente_modulo' => $id_agent_module));
 			
 			$done = 0;
@@ -104,7 +99,9 @@ function mainInsertData() {
 				foreach ($file as $line) {
 					$tokens = explode(';', $line);
 					
-					$result = createXMLData($agent, $agentModule, trim($tokens[0]), trim($tokens[1]));
+					$utimestamp = strtotime(trim($tokens[0])) - get_fixed_offset();
+					$timestamp = date(DATE_FORMAT . " " . TIME_FORMAT, $utimestamp);
+					$result = createXMLData($agent, $agentModule, $timestamp, trim($tokens[1]));
 					
 					if ($result) {
 						$done++;
@@ -115,7 +112,9 @@ function mainInsertData() {
 				}
 			}
 			else {
-				$result = createXMLData($agent, $agentModule, $date . ' ' . $time, $data);
+				$utimestamp = strtotime($date . " " . $time) - get_fixed_offset();
+				$timestamp = date(DATE_FORMAT . " " . TIME_FORMAT, $utimestamp);
+				$result = createXMLData($agent, $agentModule, $timestamp, $data);
 				
 				if ($result) {
 					$done++;
@@ -159,14 +158,16 @@ function mainInsertData() {
 	$params = array();
 	$params['return'] = true;
 	$params['show_helptip'] = true;
-	$params['input_name'] = 'id_agent';
-	$params['value'] = $id_agent;
+	$params['input_name'] = 'agent_name';
+	$params['value'] = $agent_name;
 	$params['javascript_is_function_select'] = true;
 	$params['javascript_name_function_select'] = 'custom_select_function';
 	$params['javascript_code_function_select'] = '';
 	$params['use_hidden_input_idagent'] = true;
 	$params['print_hidden_input_idagent'] = true;
 	$params['hidden_input_idagent_id'] = 'hidden-autocomplete_id_agent';
+	$params['hidden_input_idagent_name'] = 'agent_id';
+	$params['hidden_input_idagent_value'] = $agent_id;
 	
 	$table->data[0][1] = ui_print_agent_autocomplete_input($params);
 	
diff --git a/pandora_console/godmode/admin_access_logs.php b/pandora_console/godmode/admin_access_logs.php
index 5bfdfb4fcf..160eb1180c 100644
--- a/pandora_console/godmode/admin_access_logs.php
+++ b/pandora_console/godmode/admin_access_logs.php
@@ -232,7 +232,8 @@ foreach ($result as $row) {
 	$data = array();
 	$data[0] = $row["id_usuario"];
 	$data[1] = ui_print_session_action_icon($row["accion"], true) . $row["accion"];
-	$data[2] = ui_print_help_tip($row["fecha"], true) . ui_print_timestamp($row["utimestamp"], true);
+	$data[2] = ui_print_help_tip(date($config["date_format"], $row["utimestamp"]), true)
+		. ui_print_timestamp($row["utimestamp"], true);
 	$data[3] = $row["ip_origen"];
 	$data[4] = $row["descripcion"];
 	
diff --git a/pandora_console/godmode/agentes/planned_downtime.editor.php b/pandora_console/godmode/agentes/planned_downtime.editor.php
index d9646c5a98..0122f4e03a 100644
--- a/pandora_console/godmode/agentes/planned_downtime.editor.php
+++ b/pandora_console/godmode/agentes/planned_downtime.editor.php
@@ -60,15 +60,19 @@ $type_downtime 			= (string) get_parameter('type_downtime', 'quiet');
 $type_execution 		= (string) get_parameter('type_execution', 'once');
 $type_periodicity 		= (string) get_parameter('type_periodicity', 'weekly');
 
-$once_date_from 		= (string) get_parameter ('once_date_from', date(DATE_FORMAT));
-$once_time_from 		= (string) get_parameter ('once_time_from', date(TIME_FORMAT));
-$once_date_to 			= (string) get_parameter ('once_date_to', date(DATE_FORMAT));
-$once_time_to 			= (string) get_parameter ('once_time_to', date(TIME_FORMAT, time() + SECONDS_1HOUR));
+$utimestamp = get_system_time();
+// Fake utimestamp to retrieve the string date of the system
+$system_time = $utimestamp - get_fixed_offset();
+
+$once_date_from 		= (string) get_parameter ('once_date_from', date(DATE_FORMAT, $utimestamp));
+$once_time_from 		= (string) get_parameter ('once_time_from', date(TIME_FORMAT, $utimestamp));
+$once_date_to 			= (string) get_parameter ('once_date_to', date(DATE_FORMAT, $utimestamp));
+$once_time_to 			= (string) get_parameter ('once_time_to', date(TIME_FORMAT, $utimestamp + SECONDS_1HOUR));
 
 $periodically_day_from 	= (int) get_parameter ('periodically_day_from', 1);
 $periodically_day_to 	= (int) get_parameter ('periodically_day_to', 31);
-$periodically_time_from = (string) get_parameter ('periodically_time_from', date(TIME_FORMAT));
-$periodically_time_to 	= (string) get_parameter ('periodically_time_to', date(TIME_FORMAT, time() + SECONDS_1HOUR));
+$periodically_time_from = (string) get_parameter ('periodically_time_from', date(TIME_FORMAT, $system_time));
+$periodically_time_to 	= (string) get_parameter ('periodically_time_to', date(TIME_FORMAT, $system_time + SECONDS_1HOUR));
 
 $monday 				= (bool) get_parameter ('monday');
 $tuesday 				= (bool) get_parameter ('tuesday');
@@ -542,6 +546,7 @@ $table->data[5][1] = "
 	</div>
 	<div id='periodically_time' style='display: none;'>
 		<table>
+			<tr><td>" . ui_get_using_system_timezone_warning() . "</td></tr>
 			<tr>
 				<td>" . __('Type Periodicity:') . "&nbsp;".
 					html_print_select(array(
@@ -1226,7 +1231,7 @@ ui_require_jquery_file("ui.datepicker-" . get_user_language(), "include/javascri
 		// Warning message about the problems caused updating a past planned downtime
 		var type_execution = "<?php echo $type_execution; ?>";
 		var datetime_from = <?php echo json_encode(strtotime($once_date_from . ' ' . $once_time_from)); ?>;
-		var datetime_now = <?php echo json_encode(strtotime(date(DATE_FORMAT). ' ' . date(TIME_FORMAT))); ?>;
+		var datetime_now = <?php echo json_encode($utimestamp); ?>;
 		var create = <?php echo json_encode($create); ?>;
 		if (!create && (type_execution == 'periodically' || (type_execution == 'once' && datetime_from < datetime_now))) {
 			$("input#submit-updbutton, input#submit-add_item, table#list a").click(function (e) {
diff --git a/pandora_console/godmode/alerts/configure_alert_template.php b/pandora_console/godmode/alerts/configure_alert_template.php
index cdd9186946..54a66e20c1 100644
--- a/pandora_console/godmode/alerts/configure_alert_template.php
+++ b/pandora_console/godmode/alerts/configure_alert_template.php
@@ -782,6 +782,10 @@ else {
 	}
 }
 
+if ($step == 2) {
+	echo ui_get_using_system_timezone_warning();
+}
+
 /* If it's the last step it will redirect to template lists */
 if ($step >= LAST_STEP) {
 	echo '<form method="post" action="index.php?sec='.$sec.'&sec2=godmode/alerts/alert_templates&pure='.$pure.'">';
diff --git a/pandora_console/godmode/reporting/reporting_builder.item_editor.php b/pandora_console/godmode/reporting/reporting_builder.item_editor.php
index 8018d90243..0c36c85339 100755
--- a/pandora_console/godmode/reporting/reporting_builder.item_editor.php
+++ b/pandora_console/godmode/reporting/reporting_builder.item_editor.php
@@ -202,7 +202,7 @@ switch ($action) {
 			$dyn_height = $style['dyn_height'];
 			$type = $item['type'];
 			$name = $item['name'];
-			
+
 			switch ($type) {
 				case 'event_report_log':
 					$period = $item['period'];
@@ -839,6 +839,7 @@ You can of course remove the warnings, that's why we include the source and do n
 				<?php echo __('Working time');?>
 			</td>
 			<td>
+				<?php echo ui_get_using_system_timezone_warning(); ?>
 				<table border="0">
 					<tr>
 						<td>
diff --git a/pandora_console/godmode/servers/servers.build_table.php b/pandora_console/godmode/servers/servers.build_table.php
index 04481885a2..eaeb612826 100644
--- a/pandora_console/godmode/servers/servers.build_table.php
+++ b/pandora_console/godmode/servers/servers.build_table.php
@@ -87,7 +87,7 @@ foreach ($servers as $server) {
 	
 	//Status
 	$data[1] = ui_print_status_image (STATUS_SERVER_OK, '', true);
-	if (($server['status'] == 0) || (($date - strtotime($server['keepalive'])) > ($server['server_keepalive'])*2)) {
+	if (($server['status'] == 0) || (($date - time_w_fixed_tz($server['keepalive'])) > ($server['server_keepalive'])*2)) {
 		$data[1] = ui_print_status_image (STATUS_SERVER_DOWN, '', true);
 	}
 	
diff --git a/pandora_console/godmode/setup/news.php b/pandora_console/godmode/setup/news.php
index 7f6e251d00..f32cdaa410 100644
--- a/pandora_console/godmode/setup/news.php
+++ b/pandora_console/godmode/setup/news.php
@@ -36,10 +36,11 @@ if (isset ($_POST["create"])) { // If create
 	$id_group = get_parameter ("id_group");
 	$modal =  get_parameter ("modal");
 	$expire = get_parameter ("expire");
-	$expire_date = get_parameter ("expire_date");
-	$expire_date = date('Y-m-d', strtotime($expire_date));
-	$expire_time = get_parameter ("expire_time");
-	$expire_timestamp = "$expire_date $expire_time";
+	$expire_date = get_parameter("expire_date");
+	$expire_time = get_parameter("expire_time");
+	// Change the user's timezone to the system's timezone
+	$expire_timestamp = strtotime("$expire_date $expire_time") - get_fixed_offset();
+	$expire_timestamp = date("Y-m-d H:i:s", $expire_timestamp);
 		
 	$values = array('subject' => $subject, 
 					'text' => $text, 
@@ -64,10 +65,11 @@ if (isset ($_POST["update"])) { // if update
 	$id_group = get_parameter ("id_group");
 	$modal =  get_parameter ("modal");
 	$expire = get_parameter ("expire");
-	$expire_date = get_parameter ("expire_date");
-	$expire_date = date('Y-m-d', strtotime($expire_date));
-	$expire_time = get_parameter ("expire_time");
-	$expire_timestamp = "$expire_date $expire_time";
+	$expire_date = get_parameter("expire_date");
+	$expire_time = get_parameter("expire_time");
+	// Change the user's timezone to the system's timezone
+	$expire_timestamp = strtotime("$expire_date $expire_time") - get_fixed_offset();
+	$expire_timestamp = date("Y-m-d H:i:s", $expire_timestamp);
 	
 	//NOW() column exists in any table and always displays the current date and time, so let's get the value from a row in a table which can't be deleted.
 	//This way we prevent getting no value for this variable
@@ -117,10 +119,10 @@ if ((isset ($_GET["form_add"])) || (isset ($_GET["form_edit"]))) {
 			
 			if ($expire) {
 				$expire_timestamp = $result["expire_timestamp"];
-				$expire_utimestamp = strtotime($expire_timestamp);
+				$expire_utimestamp = time_w_fixed_tz($expire_timestamp);
 			}
 			else {
-				$expire_utimestamp = time() + SECONDS_1WEEK;
+				$expire_utimestamp = get_system_time() + SECONDS_1WEEK;
 			}
 			
 			$expire_date = date('Y/m/d', $expire_utimestamp);
@@ -138,8 +140,8 @@ if ((isset ($_GET["form_add"])) || (isset ($_GET["form_edit"]))) {
 		$id_group = 0;
 		$modal = 0;
 		$expire = 0;
-		$expire_date = date('Y/m/d', time() + SECONDS_1WEEK);
-		$expire_time = date('H:i:s', time());
+		$expire_date = date('Y/m/d', get_system_time() + SECONDS_1WEEK);
+		$expire_time = date('H:i:s', get_system_time());
 	}
 	
 	// Create news
@@ -246,10 +248,10 @@ else {
 			}
 			
 			echo "<td class='$tdcolor'>".$row["author"]."</b></td>";
-			$utimestamp = strtotime($row["timestamp"]);
-			echo "<td class='$tdcolor'>" . date($config['date_format'], strtotime($row["timestamp"])) . "</b></td>";
+			$utimestamp = time_w_fixed_tz($row["timestamp"]);
+			echo "<td class='$tdcolor'>" . date($config['date_format'], $utimestamp) . "</b></td>";
 			if ($row["expire"]) {
-				$expire_utimestamp = strtotime($row["expire_timestamp"]);
+				$expire_utimestamp = time_w_fixed_tz($row["expire_timestamp"]);
 				$expire_in_secs = $expire_utimestamp - $utimestamp;
 				
 				if( $expire_in_secs <= 0) {
diff --git a/pandora_console/godmode/users/configure_user.php b/pandora_console/godmode/users/configure_user.php
index b2cb189449..e53ce3efc0 100644
--- a/pandora_console/godmode/users/configure_user.php
+++ b/pandora_console/godmode/users/configure_user.php
@@ -126,6 +126,7 @@ if ($new_user && $config['admin_can_add_user']) {
 	$user_info['comments'] = '';
 	$user_info['is_admin'] = 0;
 	$user_info['language'] = 'default';
+	$user_info['timezone'] = '';
 	$user_info["not_login"] = false;
 	$user_info["strict_acl"] = false;
 	$user_info["session_time"] = 0;
@@ -164,6 +165,7 @@ if ($create_user) {
 	$values['comments'] = (string) get_parameter ('comments');
 	$values['is_admin'] = (int) get_parameter ('is_admin', 0);
 	$values['language'] = get_parameter ('language', 'default');
+	$values['timezone'] = (string) get_parameter('timezone');
 	$values['default_event_filter'] = (int) get_parameter('default_event_filter');
 	$dashboard = get_parameter('dashboard', '');
 	$visual_console = get_parameter('visual_console', '');
@@ -222,7 +224,7 @@ if ($create_user) {
 	}
 	else {
 		$info = 
-		'{"Id_user":"' . $values['id_user'] . '","FullName":"' . $values['fullname'] . '","Firstname":"'. $values['firstname'] .'","Lastname":"'. $values['lastname'] . '","Email":"' . $values['email'] . '","Phone":"' . $values['phone'] . '","Comments":"' . $values['comments'] .'","Is_admin":"' . $values['is_admin'] .'","Language":"' . $values['language'] . '","Block size":"' . $values['block_size'] . '","Interactive Charts":"' . $values['flash_chart'].'"';
+		'{"Id_user":"' . $values['id_user'] . '","FullName":"' . $values['fullname'] . '","Firstname":"'. $values['firstname'] .'","Lastname":"'. $values['lastname'] . '","Email":"' . $values['email'] . '","Phone":"' . $values['phone'] . '","Comments":"' . $values['comments'] .'","Is_admin":"' . $values['is_admin'] .'","Language":"' . $values['language'] .'","Timezone":"' . $values['timezone'] . '","Block size":"' . $values['block_size'] . '","Interactive Charts":"' . $values['flash_chart'].'"';
 			
 		if ($isFunctionSkins !== ENTERPRISE_NOT_HOOK) {
 			$info .= ',"Skin":"' . $values['id_skin'].'"}';
@@ -287,6 +289,7 @@ if ($update_user) {
 	$values['comments'] = (string) get_parameter ('comments');
 	$values['is_admin'] = get_parameter ('is_admin', 0 );
 	$values['language'] = (string) get_parameter ('language');
+	$values['timezone'] = (string) get_parameter('timezone');
 	$values['default_event_filter'] = (int) get_parameter('default_event_filter');
 	$dashboard = get_parameter('dashboard', '');
 	$visual_console = get_parameter('visual_console', '');
@@ -376,6 +379,7 @@ if ($update_user) {
 				"Comments":"' . $values['comments'] . '",
 				"Is_admin":"' . $values['is_admin'] . '",
 				"Language":"' . $values['language'] . '",
+				"Timezone":"' . $values['timezone'] . '",
 				"Block size":"' . $values['block_size'] . '",
 				"Flash Chats":"' . $values['flash_chart'] . '",
 				"Section":"' . $values['section'].'"';
@@ -522,6 +526,9 @@ $table->data[2][0] = __('Language');
 $table->data[2][1] = html_print_select_from_sql ('SELECT id_language, name FROM tlanguage',
 	'language', $user_info['language'], '', __('Default'), 'default', true);
 
+$table->data[3][0] = __('Timezone');
+$table->data[3][1] = html_print_timezone_select("timezone", $user_info["timezone"]);
+
 if ($config['user_can_update_password']) {
 	$table->data[4][0] = __('Password');
 	$table->data[4][1] = html_print_input_text_extended ('password_new', '', '', '',
diff --git a/pandora_console/include/ajax/module.php b/pandora_console/include/ajax/module.php
index a98d65ed1e..d0089fdcef 100755
--- a/pandora_console/include/ajax/module.php
+++ b/pandora_console/include/ajax/module.php
@@ -118,13 +118,14 @@ if ($get_module_detail) {
 		$conexion = false;
 	}
 
-	$selection_mode = get_parameter('selection_mode', 'fromnow');
-	$date_from = (string) get_parameter ('date_from', date ('Y-m-j'));
-	$time_from = (string) get_parameter ('time_from', date ('h:iA'));
-	$date_to = (string) get_parameter ('date_to', date ('Y-m-j'));
-	$time_to = (string) get_parameter ('time_to', date ('h:iA'));
 	$freesearch = (string) get_parameter ('freesearch', '');
 	$free_checkbox = (bool) get_parameter ('free_checkbox', false);
+	$selection_mode = get_parameter('selection_mode', 'fromnow');
+	$utimestamp = get_system_time();
+	$date_from = (string) get_parameter ('date_from', date(DATE_FORMAT, $utimestamp - SECONDS_1DAY));
+	$time_from = (string) get_parameter ('time_from', date(TIME_FORMAT, $utimestamp - SECONDS_1DAY));
+	$date_to = (string) get_parameter ('date_to', date(DATE_FORMAT, $utimestamp));
+	$time_to = (string) get_parameter ('time_to', date(TIME_FORMAT, $utimestamp));
 
 	$formtable->width = '98%';
 	$formtable->class = "databox";
diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php
index 4f3ab76149..3af30c2b4a 100644
--- a/pandora_console/include/functions.php
+++ b/pandora_console/include/functions.php
@@ -313,7 +313,7 @@ function human_time_comparation ($timestamp, $units = 'large') {
 	global $config;
 	
 	if (!is_numeric ($timestamp)) {
-		$timestamp = strtotime ($timestamp);
+		$timestamp = time_w_fixed_tz($timestamp);
 	}
 	
 	$seconds = get_system_time () - $timestamp;
@@ -2827,4 +2827,61 @@ function validate_address($address){
 	}
 	return true;
 }
+
+/**
+ * Used to get the offset in seconds to the UTC date.
+ *
+ * @param string Timezone identifier.
+ */
+function get_utc_offset ($timezone) {
+	if (empty($timezone)) return 0;
+
+	$dtz = new DateTimeZone($timezone);
+	$dt = new DateTime("now", $dtz);
+
+	return $dtz->getOffset($dt);
+}
+
+function get_system_utc_offset () {
+	global $config;
+	return get_utc_offset($config["timezone"]);
+}
+
+function get_current_utc_offset () {
+	return get_utc_offset(date_default_timezone_get());
+}
+
+function get_fixed_offset () {
+	return get_current_utc_offset() - get_system_utc_offset();
+}
+
+/**
+ * Used to transform the dates without timezone information (like '2018/05/23 10:10:10')
+ * to a unix timestamp compatible with the user custom timezone.
+ *
+ * @param string Date without timezone information.
+ * @param number Offset between the date timezone and the user's default timezone.
+ */
+function time_w_fixed_tz ($date, $timezone_offset = null) {
+	if ($timezone_offset === null) $timezone_offset = get_fixed_offset();
+
+	return strtotime($date) + $timezone_offset;
+}
+
+/**
+ * Used to transform the dates without timezone information (like '2018/05/23 10:10:10')
+ * to a date compatible with the user custom timezone.
+ *
+ * @param string Date without timezone information.
+ * @param string Date format.
+ * @param number Offset between the date timezone and the user's default timezone.
+ */
+function date_w_fixed_tz ($date, $format = null, $timezone_offset = null) {
+	global $config;
+
+	if ($format === null) $format = $config["date_format"];
+
+	return date($format, time_w_fixed_tz($date, $timezone_offset));
+}
+
 ?>
diff --git a/pandora_console/include/functions_agents.php b/pandora_console/include/functions_agents.php
index 0d90d8f725..961202f308 100644
--- a/pandora_console/include/functions_agents.php
+++ b/pandora_console/include/functions_agents.php
@@ -696,20 +696,13 @@ function agents_process_manage_config ($source_id_agent, $destiny_id_agents, $co
 }
 
 function agents_get_next_contact($idAgent, $maxModules = false) {
-	$agent = db_get_row_sql("SELECT *
-		FROM tagente
-		WHERE id_agente = " . $idAgent);
+	$agent = db_get_row("tagente", "id_agente", $idAgent);
+	$last_contact = time_w_fixed_tz($agent["ultimo_contacto"]);
+	$difference = time() - $last_contact;
 	
-	
-	$difference = get_system_time () - strtotime ($agent["ultimo_contacto"]);
-	
-	
-	if ($agent["intervalo"] > 0 && strtotime($agent["ultimo_contacto"]) > 0) {
-		return round ($difference / ($agent["intervalo"] / 100));
-	}
-	else {
-		return 0;
-	}
+	return ($agent["intervalo"] > 0 && $last_contact > 0)
+		? round ($difference / ($agent["intervalo"] / 100))
+		: 0;
 }
 
 /**
@@ -1453,7 +1446,7 @@ function agents_get_interval ($id_agent) {
 function agents_get_interval_status ($agent) {
 	
 	$return = '';
-	$last_time = strtotime ($agent["ultimo_contacto"]);
+	$last_time = time_w_fixed_tz($agent["ultimo_contacto"]);
 	$now = time ();
 	$diferencia = $now - $last_time;
 	$time = ui_print_timestamp ($last_time, true, array('style' => 'font-size:6.5pt'));
diff --git a/pandora_console/include/functions_alerts.php b/pandora_console/include/functions_alerts.php
index 6c1938e4d8..3e3d424227 100644
--- a/pandora_console/include/functions_alerts.php
+++ b/pandora_console/include/functions_alerts.php
@@ -1603,10 +1603,10 @@ function get_alert_type ($id_type) {
  */
 function get_agent_alert_fired ($id_agent, $id_alert, $period, $date = 0) {
 	if (!is_numeric ($date)) {
-		$date = strtotime ($date);
+		$date = time_w_fixed_tz($date);
 	}
 	if (empty ($date)) {
-		$date = get_system_time ();
+		$date = get_system_time();
 	}
 	
 	$datelimit = $date - $period;
@@ -1635,10 +1635,10 @@ function get_agent_alert_fired ($id_agent, $id_alert, $period, $date = 0) {
 function get_module_alert_fired ($id_agent_module, $id_alert, $period, $date = 0) {
 	
 	if (!is_numeric ($date)) {
-		$date = strtotime ($date);
+		$date = time_w_fixed_tz($date);
 	}
 	if (empty ($date)) {
-		$date = get_system_time ();
+		$date = get_system_time();
 	}
 	
 	$datelimit = $date - $period;
diff --git a/pandora_console/include/functions_api.php b/pandora_console/include/functions_api.php
index a4a737b280..582ee8be02 100644
--- a/pandora_console/include/functions_api.php
+++ b/pandora_console/include/functions_api.php
@@ -4838,9 +4838,7 @@ function api_set_stop_downtime($id, $thrash1, $other, $thrash3) {
 		return;
 	}
 	
-	$date_stop = date ("Y-m-j",get_system_time ());
-	$time_stop = date ("h:iA",get_system_time ());
-	$date_time_stop = strtotime ($date_stop.' '.$time_stop);
+	$date_time_stop = get_system_time();
 	
 	$values = array();
 	$values['date_to'] = $date_time_stop;
diff --git a/pandora_console/include/functions_events.php b/pandora_console/include/functions_events.php
index 5549c3508e..fc034a8dd5 100644
--- a/pandora_console/include/functions_events.php
+++ b/pandora_console/include/functions_events.php
@@ -1273,7 +1273,7 @@ function events_get_agent ($id_agent, $period, $date = 0,
 	global $config;
 
 	if (!is_numeric ($date)) {
-		$date = strtotime ($date);
+		$date = time_w_fixed_tz($date);
 	}
 	if (empty ($date)) {
 		$date = get_system_time ();
@@ -1920,7 +1920,7 @@ function events_get_response_target($event_id, $response_id, $server_id, $histor
 	if (strpos($target, '_event_date_') !== false) {
 		$target = str_replace(
 			'_event_date_',
-			date ($config["date_format"], strtotime($event["timestamp"])),
+			date ($config["date_format"], $event["utimestamp"]),
 			$target
 		);
 	}
@@ -2153,12 +2153,12 @@ function events_page_details ($event, $server = "") {
 		
 		$data = array();
 		$data[0] = '<div style="font-weight:normal; margin-left: 20px;">'.__('Last contact').'</div>';
-		$data[1] = $agent["ultimo_contacto"] == "1970-01-01 00:00:00" ? '<i>'.__('N/A').'</i>' : $agent["ultimo_contacto"];
+		$data[1] = $agent["ultimo_contacto"] == "1970-01-01 00:00:00" ? '<i>'.__('N/A').'</i>' : date_w_fixed_tz($agent["ultimo_contacto"]);
 		$table_details->data[] = $data;
 		
 		$data = array();
 		$data[0] = '<div style="font-weight:normal; margin-left: 20px;">'.__('Last remote contact').'</div>';
-		$data[1] = $agent["ultimo_contacto_remoto"] == "1970-01-01 00:00:00" ? '<i>'.__('N/A').'</i>' : $agent["ultimo_contacto_remoto"];
+		$data[1] = $agent["ultimo_contacto_remoto"] == "1970-01-01 00:00:00" ? '<i>'.__('N/A').'</i>' : date_w_fixed_tz($agent["ultimo_contacto_remoto"]);
 		$table_details->data[] = $data;
 		
 		$data = array();
@@ -2716,7 +2716,7 @@ function events_get_count_events_by_agent ($id_group, $period, $date,
 
 	//date
 	if (!is_numeric ($date)) {
-		$date = strtotime ($date);
+		$date = time_w_fixed_tz($date);
 	}
 	if (empty ($date)) {
 		$date = get_system_time ();
@@ -2871,7 +2871,7 @@ function events_get_count_events_validated_by_user ($filter, $period, $date,
 
 	//date
 	if (!is_numeric ($date)) {
-		$date = strtotime ($date);
+		$date = time_w_fixed_tz($date);
 	}
 	if (empty ($date)) {
 		$date = get_system_time ();
@@ -3016,7 +3016,7 @@ function events_get_count_events_by_criticity ($filter, $period, $date,
 	}
 
 	if (!is_numeric ($date)) {
-		$date = strtotime ($date);
+		$date = time_w_fixed_tz($date);
 	}
 	if (empty ($date)) {
 		$date = get_system_time ();
@@ -3158,7 +3158,7 @@ function events_get_count_events_validated ($filter, $period = null, $date = nul
 	
 	//date
 	if (!is_numeric ($date)) {
-		$date = strtotime ($date);
+		$date = time_w_fixed_tz($date);
 	}
 	if (empty ($date)) {
 		$date = get_system_time ();
diff --git a/pandora_console/include/functions_ui.php b/pandora_console/include/functions_ui.php
index 43c075b733..42d50dbcf4 100755
--- a/pandora_console/include/functions_ui.php
+++ b/pandora_console/include/functions_ui.php
@@ -446,7 +446,7 @@ function ui_print_timestamp ($unixtime, $return = false, $option = array ()) {
 	}
 	
 	if (!is_numeric ($unixtime)) {
-		$unixtime = strtotime ($unixtime);
+		$unixtime = time_w_fixed_tz($unixtime);
 	}
 	
 	//prominent_time is either timestamp or comparation
@@ -3968,4 +3968,20 @@ function ui_get_snapshot_link($params, $only_params = false) {
 	// Return the function call to inline js execution
 	return "winopeng_var('" . implode("', '", $link_parts) . "')";
 }
+
+
+function ui_get_using_system_timezone_warning ($tag = "h3", $return = true) {
+	global $config;
+
+	$user_offset = (-get_fixed_offset() / 60) / 60;
+
+	$message = sprintf(
+		__("This controls are using the timezone of the system (%s) instead of yours (%s). The difference in hours to your timezone is %s."),
+		$config["timezone"],
+		date_default_timezone_get(),
+		$user_offset > 0 ? "+" . $user_offset : $user_offset
+	);
+	return ui_print_info_message($message, '', $return, $tag);
+}
+
 ?>
diff --git a/pandora_console/mobile/include/user.class.php b/pandora_console/mobile/include/user.class.php
index cf5dcfea11..5d79ec1880 100644
--- a/pandora_console/mobile/include/user.class.php
+++ b/pandora_console/mobile/include/user.class.php
@@ -52,6 +52,8 @@ class User {
 			
 			$system->setSessionBase('id_usuario', $this->user);
 			$system->setSession('user', $this);
+
+			config_user_set_custom_config();
 		}
 	}
 	
diff --git a/pandora_console/mobile/operation/agents.php b/pandora_console/mobile/operation/agents.php
index 5dbe1c9ee8..012c8850b0 100644
--- a/pandora_console/mobile/operation/agents.php
+++ b/pandora_console/mobile/operation/agents.php
@@ -232,7 +232,7 @@ class Agents {
 	
 	private function getListAgents($page = 0, $ajax = false) {
 		$system = System::getInstance();
-		
+
 		$total = 0;
 		$agents = array();
 		
@@ -351,8 +351,10 @@ class Agents {
 				'<span class="show_collapside" style="vertical-align: 0%; display: none; font-weight: bolder;">' . __('Modules') . ' </span>' .
 				'<span class="agents_tiny_stats">' . reporting_tiny_stats($agent, true, 'agent', '&nbsp;') . ' </span>';
 			
-			$last_time = strtotime ($agent["ultimo_contacto"]);
-			$now = time ();
+			$last_time = time_w_fixed_tz($agent["ultimo_contacto"]);
+			html_debug(date('r', $last_time), true);
+			html_debug(get_current_utc_offset(), true);
+			$now = get_system_time();
 			$diferencia = $now - $last_time;
 			$time = ui_print_timestamp ($last_time, true, array('style' => 'font-size: 12px; margin-left: 20px;', 'units' => 'tiny'));
 			$style = '';
diff --git a/pandora_console/mobile/operation/events.php b/pandora_console/mobile/operation/events.php
index 8dda4384e2..8010bd3d8f 100644
--- a/pandora_console/mobile/operation/events.php
+++ b/pandora_console/mobile/operation/events.php
@@ -162,7 +162,7 @@ class Events {
 						$event['evento'] = io_safe_output($event['evento']);
 						
 						$event['clean_tags'] = events_clean_tags($event['tags']);
-						$event["timestamp"] = date($system->getConfig("date_format"), strtotime($event["timestamp"]));
+						$event["timestamp"] = date($system->getConfig("date_format"), $event["utimestamp"]);
 						if (empty($event["owner_user"])) {
 							$event["owner_user"] = '<i>' . __('N/A') . '</i>';
 						}
diff --git a/pandora_console/operation/agentes/estado_generalagente.php b/pandora_console/operation/agentes/estado_generalagente.php
index 57b87cb6eb..a4c7b7a23c 100755
--- a/pandora_console/operation/agentes/estado_generalagente.php
+++ b/pandora_console/operation/agentes/estado_generalagente.php
@@ -239,7 +239,7 @@ if ($agent["ultimo_contacto_remoto"] == "01-01-1970 00:00:00") {
 	$data[1] .= __('Never');
 }
 else {
-	$data[1] .= $agent["ultimo_contacto_remoto"];
+	$data[1] .= date_w_fixed_tz($agent["ultimo_contacto_remoto"]);
 }
 
 $table_contact->data[] = $data;
diff --git a/pandora_console/operation/agentes/exportdata.php b/pandora_console/operation/agentes/exportdata.php
index b79b558ef5..731294ce64 100644
--- a/pandora_console/operation/agentes/exportdata.php
+++ b/pandora_console/operation/agentes/exportdata.php
@@ -71,13 +71,16 @@ if (!empty ($export_btn) && !empty ($module)) {
 	$sql_cache = array ('saved' => array());
 	
 	
-	//Convert start time and end time to unix timestamps
-	$start = strtotime ($start_date . " " . $start_time);
-	$end = strtotime ($end_date . " " . $end_time);
+	// Convert start time and end time to unix timestamps.
+	// The date/time will have the user's timezone,
+	// so we need to change it to the system's timezone.
+	$fixed_offset = get_fixed_offset();
+	$start = strtotime ($start_date . " " . $start_time) - $fixed_offset;
+	$end = strtotime ($end_date . " " . $end_time) - $fixed_offset;
 	$period = $end - $start;
 	$data = array ();
 	
-	//If time is negative or zero, don't process - it's invalid
+	// If time is negative or zero, don't process - it's invalid
 	if ($start < 1 || $end < 1) {
 		ui_print_error_message (__('Invalid time specified'));
 		return;
@@ -168,12 +171,16 @@ if (!empty ($export_btn) && !empty ($module)) {
 						$output .= $module['data'];
 						$output .= $divider;
 						switch($export_type) {
-						case "data":
-							$output .= date("Y-m-d G:i:s", $module['utimestamp']);
-							break;
-						case "avg":
-							$output .= date ("Y-m-d G:i:s", $work_start) . ' - ' . date ("Y-m-d G:i:s", $work_end);
-							break;
+							case "data":
+								// Change from the system's timezone to the user's timezone
+								$output .= date("Y-m-d G:i:s", $module['utimestamp'] + $fixed_offset);
+								break;
+							case "avg":
+								// Change from the system's timezone to the user's timezone
+								$output .= date ("Y-m-d G:i:s", $work_start + $fixed_offset)
+									. ' - '
+									. date ("Y-m-d G:i:s", $work_end + $fixed_offset);
+								break;
 						}
 						$output .= $rowend;
 					}
diff --git a/pandora_console/operation/agentes/gis_view.php b/pandora_console/operation/agentes/gis_view.php
index 9784d65fc0..c67a97037a 100644
--- a/pandora_console/operation/agentes/gis_view.php
+++ b/pandora_console/operation/agentes/gis_view.php
@@ -33,7 +33,9 @@ ui_require_javascript_file('openlayers.pandora');
 /* Get the parameters */
 $period = (int)get_parameter ("period", SECONDS_1DAY);
 $agentId = (int)get_parameter('id_agente');
+$id_agente = $agentId;
 $agent_name = agents_get_name($id_agente);
+$agent_alias = agents_get_alias($id_agente);
 $agentData = gis_get_data_last_position_agent($id_agente);
 
 //Avoid the agents with characters that fails the div.
@@ -206,7 +208,7 @@ if ($result !== false) {
 		__("Manual placement"));
 	$table->class = 'position_data_table';
 	$table->id = $agent_name.'_position_data_table';
-	$table->title = $agent_name_original . " " . __("positional data");
+	$table->title = $agent_alias . " " . __("positional data");
 	$table->titlestyle = "background-color:#799E48;";
 	html_print_table($table); unset($table);
 
diff --git a/pandora_console/operation/events/events.build_query.php b/pandora_console/operation/events/events.build_query.php
index 5d373aa535..421a60ac65 100755
--- a/pandora_console/operation/events/events.build_query.php
+++ b/pandora_console/operation/events/events.build_query.php
@@ -209,27 +209,24 @@ if (($date_from == '') && ($date_to == '')) {
 	}
 }
 else {
-	if ($date_from != '') {
-		if($time_from != '') {
-			$filter_resume['time_from'] = $date_from . " " . $time_from;
-			$udate_from = strtotime($date_from . " " . $time_from);
-			$sql_post .= " AND (utimestamp >= " . $udate_from . ")";
-		} else {
-			$filter_resume['time_from'] = $date_from; 
-			$udate_from = strtotime($date_from . " 00:00:00");
-			$sql_post .= " AND (utimestamp >= " . $udate_from . ")";
-		}
+	// Some of this values will have the user's timezone,
+	// so we need to reverse it to the system's timezone
+	// before using it into the db
+	$fixed_offset = get_fixed_offset();
+
+	if (!empty($date_from)) {
+		if (empty($time_from)) $time_from = "00:00:00";
+		
+		$utimestamp_from = strtotime($date_from . " " . $time_from) - $fixed_offset;
+		$filter_resume['time_from'] = date(DATE_FORMAT . " " . TIME_FORMAT, $utimestamp_from);
+		$sql_post .= " AND (utimestamp >= " . $utimestamp_from . ")";
 	}
-	if ($date_to != '') {
-		if($time_to != '') {
-			$filter_resume['time_to'] = $date_to . " " . $time_to;
-			$udate_to = strtotime($date_to . " " . $time_to);
-			$sql_post .= " AND (utimestamp <= " . $udate_to . ")";
-		} else {
-			$filter_resume['time_to'] = $date_to;
-			$udate_to = strtotime($date_to . " 23:59:59");
-			$sql_post .= " AND (utimestamp <= " . $udate_to . ")";
-		}
+	if (!empty($date_to)) {
+		if (empty($time_to)) $time_to = "23:59:59";
+		
+		$utimestamp_to = strtotime($date_to . " " . $time_to) - $fixed_offset;
+		$filter_resume['time_to'] = date(DATE_FORMAT . " " . TIME_FORMAT, $utimestamp_to);
+		$sql_post .= " AND (utimestamp <= " . $utimestamp_to . ")";
 	}
 }
 
diff --git a/pandora_console/operation/events/export_csv.php b/pandora_console/operation/events/export_csv.php
index 04d0bd3154..4b342b0d97 100644
--- a/pandora_console/operation/events/export_csv.php
+++ b/pandora_console/operation/events/export_csv.php
@@ -101,7 +101,23 @@ $now = date ("Y-m-d");
 Header ("Content-type: text/txt");
 header ('Content-Disposition: attachment; filename="pandora_export_event'.$now.'.csv"');
 
-echo "timestamp, agent, group, event, status, user, event_type, severity, id";
+echo "timestamp";
+echo $config["csv_divider"];
+echo "agent";
+echo $config["csv_divider"];
+echo "group";
+echo $config["csv_divider"];
+echo "event";
+echo $config["csv_divider"];
+echo "status";
+echo $config["csv_divider"];
+echo "user";
+echo $config["csv_divider"];
+echo "event_type";
+echo $config["csv_divider"];
+echo "severity";
+echo $config["csv_divider"];
+echo "id";
 echo chr (13);
 
 $new = true;
@@ -113,22 +129,22 @@ while ($event = db_get_all_row_by_steps_sql($new, $result, $sql)) {
 	(!check_acl($config["id_user"], 0, "PM") && $event["event_type"] == 'system'))
 		continue;
 	
-	echo $event["timestamp"];
-	echo ",";
+	echo date($config["date_format"], $event["utimestamp"]);
+	echo $config["csv_divider"];
 	echo io_safe_output($alias);
-	echo ",";
+	echo $config["csv_divider"];
 	echo io_safe_output(groups_get_name($event["id_grupo"]));
-	echo ",";
+	echo $config["csv_divider"];
 	echo io_safe_output($event["evento"]);
-	echo ",";
+	echo $config["csv_divider"];
 	echo io_safe_output($event["estado"]);
-	echo ",";
+	echo $config["csv_divider"];
 	echo io_safe_output($event["id_usuario"]);
-	echo ",";
+	echo $config["csv_divider"];
 	echo io_safe_output($event["event_type"]);
-	echo ",";
+	echo $config["csv_divider"];
 	echo $event["criticity"];
-	echo ",";
+	echo $config["csv_divider"];
 	echo $event["id_evento"];
 	echo chr (13);
 }
diff --git a/pandora_console/operation/gis_maps/ajax.php b/pandora_console/operation/gis_maps/ajax.php
index e706b11414..758382f425 100644
--- a/pandora_console/operation/gis_maps/ajax.php
+++ b/pandora_console/operation/gis_maps/ajax.php
@@ -325,7 +325,7 @@ switch ($opt) {
 			$row[] = __('Never');
 		}
 		else {
-			$row[] = $agent["ultimo_contacto"];
+			$row[] = date_w_fixed_tz($agent["ultimo_contacto"]);
 		}
 		$table->data[] = $row;
 
@@ -336,7 +336,7 @@ switch ($opt) {
 			$row[] = __('Never');
 		}
 		else {
-			$row[] = $agent["ultimo_contacto_remoto"];
+			$row[] = date_w_fixed_tz($agent["ultimo_contacto_remoto"]);
 		}
 		$table->data[] = $row;
 
diff --git a/pandora_console/operation/incidents/incident_detail.php b/pandora_console/operation/incidents/incident_detail.php
index afc57daf45..ebe6c94b90 100755
--- a/pandora_console/operation/incidents/incident_detail.php
+++ b/pandora_console/operation/incidents/incident_detail.php
@@ -41,8 +41,8 @@ if (isset ($_GET["id"])) {
 	// Get values
 	$titulo = $row["titulo"];
 	$texto = $row["descripcion"];
-	$inicio = strtotime ($row["inicio"]); 
-	$actualizacion = strtotime ($row["actualizacion"]);
+	$inicio = time_w_fixed_tz($row["inicio"]); 
+	$actualizacion = time_w_fixed_tz($row["actualizacion"]);
 	$estado = $row["estado"];
 	$prioridad = $row["prioridad"];
 	$origen = $row["origen"];
diff --git a/pandora_console/operation/search_agents.php b/pandora_console/operation/search_agents.php
index 3282deaa70..33f206edeb 100755
--- a/pandora_console/operation/search_agents.php
+++ b/pandora_console/operation/search_agents.php
@@ -111,8 +111,8 @@ else {
 			$cellName .= "</em>";
 		}
 		
-		$last_time = strtotime ($agent["ultimo_contacto"]);
-		$now = time ();
+		$last_time = time_w_fixed_tz($agent["ultimo_contacto"]);
+		$now = get_system_time();
 		$diferencia = $now - $last_time;
 		$time = ui_print_timestamp ($last_time, true);
 		$time_style = $time;

From 2150f58ec0f47d7611bcec0e2435289f805d5279 Mon Sep 17 00:00:00 2001
From: fermin831 <fermin.hernandez@artica.es>
Date: Mon, 11 Jun 2018 18:39:19 +0200
Subject: [PATCH 14/17] [API ACL] Metaconsole functions

---
 pandora_console/include/functions_api.php | 36 +++++++++++++++++++++--
 1 file changed, 33 insertions(+), 3 deletions(-)

diff --git a/pandora_console/include/functions_api.php b/pandora_console/include/functions_api.php
index 96d0459eef..3fa323b3f0 100644
--- a/pandora_console/include/functions_api.php
+++ b/pandora_console/include/functions_api.php
@@ -1522,8 +1522,13 @@ function api_get_custom_field_id($t1, $t2, $other, $returnType) {
  * @param $thrash3 Don't use.
  */
 function api_set_delete_agent($id, $thrash1, $thrast2, $thrash3) {
+	global $config;
 
 	if (is_metaconsole()) {
+		if (!check_acl($config['id_user'], 0, "PM")) {
+			returnError('forbidden', 'string');
+			return;
+		}
 		$servers = db_get_all_rows_sql ("SELECT *
 			FROM tmetaconsole_setup
 				WHERE disabled = 0");
@@ -2204,6 +2209,11 @@ function api_get_group_agent_by_name($thrash1, $thrash2, $other, $thrash3) {
  */
 function api_get_group_agent_by_alias($thrash1, $thrash2, $other, $thrash3) {
 	global $config;
+
+	if (is_metaconsole()) {
+		return;
+	}
+
 	if (!check_acl($config['id_user'], 0, "AR")) {
 		returnError('forbidden', 'csv');
 		return;
@@ -2296,7 +2306,7 @@ function api_get_locate_agent($id, $thrash1, $thrash2, $thrash3) {
 		if (metaconsole_connect($server) == NOERR) {
 			$agent_id = agents_get_agent_id($id,true);
 			
-			if ($agent_id) {
+			if ($agent_id && agents_check_access_agent($agent_id)) {
 				$group_servers[]['server'] = $id_server;
 			}
 		}
@@ -2328,7 +2338,10 @@ function api_get_locate_agent($id, $thrash1, $thrash2, $thrash3) {
  * @param $thrash3 Don't use.
  */
 function api_get_id_group_agent_by_name($thrash1, $thrash2, $other, $thrash3) {
-	
+	if (is_metaconsole()) {
+		return;
+	}
+
 	$group_names =array();
 	
 	if (is_metaconsole()) {
@@ -2400,6 +2413,10 @@ function api_get_id_group_agent_by_name($thrash1, $thrash2, $other, $thrash3) {
 function api_get_id_group_agent_by_alias($thrash1, $thrash2, $other, $thrash3) {
 	global $config;
 
+	if (is_metaconsole()) {
+		return;
+	}
+
 	if (!check_acl($config['id_user'], 0, "AR")) {
 		returnError('forbidden', 'csv');
 		return;
@@ -6602,6 +6619,8 @@ function api_set_apply_all_policies($thrash1, $thrash2, $other, $thrash3) {
 function api_set_create_group($id, $thrash1, $other, $thrash3) {
 	global $config;
 
+	if (is_metaconsole()) return;
+
 	$group_name = $id;
 
 	if (!check_acl($config['id_user'], 0, "PM")){
@@ -10310,6 +10329,8 @@ function api_set_create_special_day($thrash1, $thrash2, $other, $thrash3) {
 function api_set_create_service($thrash1, $thrash2, $other, $thrash3) {
 	global $config;
 
+	if (is_metaconsole()) return;
+
 	$name = $other['data'][0];
 	$description = $other['data'][1];
 	$id_group = $other['data'][2];
@@ -10399,6 +10420,8 @@ function api_set_create_service($thrash1, $thrash2, $other, $thrash3) {
 function api_set_update_service($thrash1, $thrash2, $other, $thrash3) {
 	global $config;
 
+	if (is_metaconsole()) return;
+
 	$id_service = $thrash1;
 	if(empty($id_service)){
 		returnError('error_update_service', __('Error in update service. No service id'));
@@ -10507,6 +10530,8 @@ function api_set_update_service($thrash1, $thrash2, $other, $thrash3) {
 function api_set_add_element_service($thrash1, $thrash2, $other, $thrash3) {
 	global $config;
 
+	if (is_metaconsole()) return;
+
 	$id = $thrash1;
 	
 	if(empty($id)){
@@ -10774,8 +10799,13 @@ function api_get_module_graph($id_module, $thrash2, $other, $thrash4) {
 }
 
 function api_set_metaconsole_synch($keys) {
-	
+	global $config;
+
 	if (defined('METACONSOLE')) {
+		if (!check_acl($config['id_user'], 0, "PM")) {
+			returnError('forbidden', 'string');
+			return;
+		}
 		$data['keys'] = array('customer_key'=>$keys);
 		foreach ($data['keys'] as $key => $value) {
 			db_process_sql_update(

From a258dc7e43fe8f0c3f3f1c049dbeccedee5a1970 Mon Sep 17 00:00:00 2001
From: Alejandro Gallardo Escobar <alejandro.gallardo@artica.es>
Date: Tue, 12 Jun 2018 10:04:33 +0200
Subject: [PATCH 15/17] Fixed a message

---
 pandora_console/include/functions_ui.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pandora_console/include/functions_ui.php b/pandora_console/include/functions_ui.php
index f074b4be70..633f007784 100755
--- a/pandora_console/include/functions_ui.php
+++ b/pandora_console/include/functions_ui.php
@@ -3922,7 +3922,7 @@ function ui_get_using_system_timezone_warning ($tag = "h3", $return = true) {
 	$user_offset = (-get_fixed_offset() / 60) / 60;
 
 	$message = sprintf(
-		__("This controls are using the timezone of the system (%s) instead of yours (%s). The difference in hours to your timezone is %s."),
+		__("These controls are using the timezone of the system (%s) instead of yours (%s). The difference with your time zone in hours is %s."),
 		$config["timezone"],
 		date_default_timezone_get(),
 		$user_offset > 0 ? "+" . $user_offset : $user_offset

From fd368aec862b371e3135f3ac81c53647a8d00610 Mon Sep 17 00:00:00 2001
From: enriquecd <enrique.camargo@artica.com>
Date: Tue, 12 Jun 2018 12:08:57 +0200
Subject: [PATCH 16/17] Add mode 1 and empty ip on create agent by API 
 new_cluster, and get cluster items by API - #2294

---
 pandora_console/include/functions_api.php | 39 ++++++++++++++++++-----
 1 file changed, 31 insertions(+), 8 deletions(-)

diff --git a/pandora_console/include/functions_api.php b/pandora_console/include/functions_api.php
index 309bb9b215..a87de34dd7 100644
--- a/pandora_console/include/functions_api.php
+++ b/pandora_console/include/functions_api.php
@@ -10845,6 +10845,13 @@ function api_set_new_cluster($thrash1, $thrash2, $other, $thrash3) {
 		returnError('forbidden', 'string');
 		return;
 	}
+	
+	$name_exist = db_process_sql('select count(name) as already_exist from tcluster as already_exist where name = "'.$name.'"');	
+
+	if($name_exist[0]['already_exist'] > 0){
+		returnError('error_set_new_cluster', __('A cluster with this name already exists.'));
+		return false;
+	}
 
 	$server_name = db_process_sql('select name from tserver where server_type=5 limit 1');	
 	
@@ -10856,11 +10863,12 @@ function api_set_new_cluster($thrash1, $thrash2, $other, $thrash3) {
 		'comentarios' => $description,
 		'id_grupo' => $idGroup,
 		'id_os' => 100,
-		'server_name' => $server_name_agent
+		'server_name' => $server_name_agent,
+		'modo' => 1
 	);
 	
 	if (trim($name) != "") {
-		$id_agent = agents_create_agent($values_agent['nombre'],$values_agent['id_grupo'],300,'127.0.0.1',$values_agent);
+		$id_agent = agents_create_agent($values_agent['nombre'],$values_agent['id_grupo'],300,'',$values_agent);
 		
 		// Create cluster
 		$values_cluster = array(
@@ -11363,7 +11371,8 @@ function api_get_cluster_id_by_name($cluster_name, $trash1, $trash2, $returnType
 		returnError('id_not_found', $returnType);
 	}
 
-	$cluster_group = clusters_get_group($id_cluster);
+	$cluster_group = clusters_get_group($value);
+		
 	if(!$cluster_group || !check_acl($config['id_user'], $cluster_group, "AR")){
 		returnError('error_get_cluster_status', __('The user cannot access to the cluster'));
 		return;
@@ -11382,7 +11391,7 @@ function api_get_agents_id_name_by_cluster_id($cluster_id, $trash1, $trash2, $re
 	$all_agents = cluster_get_agents_id_name_by_cluster_id($cluster_id);	
 	
 	if (count($all_agents) > 0 and $all_agents !== false) {
-		$data = array('type' => 'array', 'data' => $all_agents);
+		$data = array('type' => 'json', 'data' => $all_agents);
 		
 		returnData('json', $data);
 	}
@@ -11399,7 +11408,7 @@ function api_get_agents_id_name_by_cluster_name($cluster_name, $trash1, $trash2,
 	$all_agents = cluster_get_agents_id_name_by_cluster_name($cluster_name);
 	
 	if (count($all_agents) > 0 and $all_agents !== false) {
-		$data = array('type' => 'array', 'data' => $all_agents);
+		$data = array('type' => 'json', 'data' => $all_agents);
 		
 		returnData('json', $data);
 	}
@@ -11416,7 +11425,7 @@ function api_get_modules_id_name_by_cluster_id ($cluster_id){
 	$all_modules = cluster_get_modules_id_name_by_cluster_id($cluster_id);	
 	
 	if (count($all_modules) > 0 and $all_modules !== false) {
-		$data = array('type' => 'array', 'data' => $all_modules);
+		$data = array('type' => 'json', 'data' => $all_modules);
 		
 		returnData('json', $data);
 	}
@@ -11431,10 +11440,10 @@ function api_get_modules_id_name_by_cluster_name ($cluster_name){
 		return;
 	}
 	
-	$all_modules = cluster_get_modules_id_name_by_cluster_name($cluster_name);	
+	$all_modules = cluster_get_modules_id_name_by_cluster_name($cluster_name);
 	
 	if (count($all_modules) > 0 and $all_modules !== false) {
-		$data = array('type' => 'array', 'data' => $all_modules);
+		$data = array('type' => 'json', 'data' => $all_modules);
 		
 		returnData('json', $data);
 	}
@@ -11463,6 +11472,20 @@ function util_api_check_agent_and_print_error($id_agent, $returnType, $access =
 	return false;
 }
 
+function api_get_cluster_items ($cluster_id){
+	
+	$all_items = cluster_get_items($cluster_id);	
+	
+	if (count($all_items) > 0 and $all_items !== false) {
+		$data = array('type' => 'json', 'data' => $all_items);
+		
+		returnData('json', $data);
+	}
+	else {
+		returnError('error_cluster_items', 'No items retrieved.');
+	}
+}
+
 
 
 ?>
\ No newline at end of file

From 632fc26be21ba44788e997e1cd49da86b67f4ca6 Mon Sep 17 00:00:00 2001
From: enriquecd <enrique.camargo@artica.com>
Date: Tue, 12 Jun 2018 12:39:05 +0200
Subject: [PATCH 17/17] Thermometer graph only for intracom - #2214

---
 .../godmode/reporting/graph_builder.main.php  |   3 +-
 pandora_console/include/constants.php         |   1 -
 pandora_console/include/functions_graph.php   |  89 -------
 pandora_console/include/graphs/fgraph.php     |  27 ---
 .../include/graphs/functions_d3.php           |  25 --
 pandora_console/include/graphs/pandora.d3.js  | 223 ------------------
 .../operation/reporting/graph_viewer.php      |   7 -
 7 files changed, 1 insertion(+), 374 deletions(-)

diff --git a/pandora_console/godmode/reporting/graph_builder.main.php b/pandora_console/godmode/reporting/graph_builder.main.php
index 5055e5b39a..a66dc235cd 100644
--- a/pandora_console/godmode/reporting/graph_builder.main.php
+++ b/pandora_console/godmode/reporting/graph_builder.main.php
@@ -167,8 +167,7 @@ $stackeds = array(
 	CUSTOM_GRAPH_GAUGE => __('Gauge'),
 	CUSTOM_GRAPH_HBARS => __('Horizontal bars'),
 	CUSTOM_GRAPH_VBARS => __('Vertical bars'),
-	CUSTOM_GRAPH_PIE => __('Pie'),
-	CUSTOM_GRAPH_THERMOMETER => __('Thermometer')
+	CUSTOM_GRAPH_PIE => __('Pie')
 	);
 html_print_select ($stackeds, 'stacked', $stacked);
 
diff --git a/pandora_console/include/constants.php b/pandora_console/include/constants.php
index 27f4421b3e..a4aaefbbe9 100644
--- a/pandora_console/include/constants.php
+++ b/pandora_console/include/constants.php
@@ -444,7 +444,6 @@ define("CUSTOM_GRAPH_LINE",			2);
 define("CUSTOM_GRAPH_STACKED_LINE",	3);
 define("CUSTOM_GRAPH_BULLET_CHART",	4);
 define("CUSTOM_GRAPH_GAUGE",		5);
-define("CUSTOM_GRAPH_THERMOMETER",		10);
 define("CUSTOM_GRAPH_HBARS",		6);
 define("CUSTOM_GRAPH_VBARS",		7);
 define("CUSTOM_GRAPH_PIE",			8);
diff --git a/pandora_console/include/functions_graph.php b/pandora_console/include/functions_graph.php
index 732bb8147d..354973e411 100644
--- a/pandora_console/include/functions_graph.php
+++ b/pandora_console/include/functions_graph.php
@@ -1991,95 +1991,6 @@ function graphic_combined_module (
 				);
 			}
 
-			break;
-		case CUSTOM_GRAPH_THERMOMETER:
-			$datelimit = $params['date'] - $params['period'];
-			$i = 0;
-			foreach ($module_list as $module_item) {
-				$automatic_custom_graph_meta = false;
-				if ($config['metaconsole']) {
-					// Automatic custom graph from the report template in metaconsole
-					if (is_array($module_list[$i])) {
-						$server = metaconsole_get_connection_by_id ($module_item['server']);
-						metaconsole_connect($server);
-						$automatic_custom_graph_meta = true;
-					}
-				}
-
-				if ($automatic_custom_graph_meta)
-					$module = $module_item['module'];
-				else
-					$module = $module_item;
-
-				$temp[$module] = modules_get_agentmodule($module);
-				$query_last_value = sprintf('
-					SELECT datos
-					FROM tagente_datos
-					WHERE id_agente_modulo = %d
-						AND utimestamp < %d
-						ORDER BY utimestamp DESC',
-					$module, $params['date']);
-				$temp_data = db_get_value_sql($query_last_value);
-				if ( $temp_data ) {
-					if (is_numeric($temp_data))
-						$value = $temp_data;
-					else
-						$value = count($value);
-				}
-				else {
-					$value = false;
-				}
-				$temp[$module]['label'] = ($labels[$module] != '') ? $labels[$module] : $temp[$module]['nombre'];
-				$temp[$module]['value'] = $value;
-				$temp[$module]['label'] = ui_print_truncate_text($temp[$module]['label'],"module_small",false,true,false,"..");
-
-				if ($temp[$module]['unit'] == '%') {
-					$temp[$module]['min'] =	0;
-					$temp[$module]['max'] = 100;
-				}
-				else {
-					$min = $temp[$module]['min'];
-					if ($temp[$module]['max'] == 0)
-						$max = reporting_get_agentmodule_data_max($module,$params['period'],$params['date']);
-					else
-						$max = $temp[$module]['max'];
-					$temp[$module]['min'] = ($min == 0 ) ? 0 : $min;
-					$temp[$module]['max'] = ($max == 0 ) ? 100 : $max;
-				}
-				$temp[$module]['gauge'] = uniqid('gauge_');
-
-				if ($config['metaconsole']) {
-					// Automatic custom graph from the report template in metaconsole
-					if (is_array($module_list[0])) {
-						metaconsole_restore_db();
-					}
-				}
-				$i++;
-
-				$color = color_graph_array();
-
-				$graph_values = $temp;
-
-				return stacked_thermometers(
-					$flash_charts,
-					$graph_values,
-					$width,
-					$height,
-					$color,
-					$module_name_list,
-					$long_index,
-					ui_get_full_url("images/image_problem_area_small.png", false, false, false),
-					"",
-					"",
-					$water_mark,
-					$config['fontpath'],
-					$fixed_font_size,
-					"",
-					$ttl,
-					$homeurl,
-					$background_color
-				);
-			}
 			break;
 		case CUSTOM_GRAPH_PIE:
 			$total_modules = 0;
diff --git a/pandora_console/include/graphs/fgraph.php b/pandora_console/include/graphs/fgraph.php
index 9639ac210d..eb638f2c2a 100644
--- a/pandora_console/include/graphs/fgraph.php
+++ b/pandora_console/include/graphs/fgraph.php
@@ -271,33 +271,6 @@ function stacked_bullet_chart($chart_data, $width, $height,
 
 }
 
-function stacked_thermometers($flash_chart, $chart_data, $width, $height,
-	$color, $legend, $long_index, $no_data_image, $xaxisname = "",
-	$yaxisname = "", $water_mark = "", $font = '', $font_size = '',
-	$unit = '', $ttl = 1, $homeurl = '', $backgroundColor = 'white') {
-
-	include_once('functions_d3.php');
-
-	setup_watermark($water_mark, $water_mark_file, $water_mark_url);
-
-	if (empty($chart_data)) {
-		return '<img src="' . $no_data_image . '" />';
-	}
-
-	return d3_thermometers(
-			$chart_data,
-			$width,
-			$height,
-			$color,
-			$legend,
-			$homeurl,
-			$unit,
-			$font,
-			$font_size + 2,
-			$no_data_image
-			);
-}
-
 function stacked_gauge($chart_data, $width, $height,
 	$color, $legend, $no_data_image, $font = '', $font_size = '',
 	$unit = '', $homeurl = '') {
diff --git a/pandora_console/include/graphs/functions_d3.php b/pandora_console/include/graphs/functions_d3.php
index f740f2feff..a0e4ea4a8d 100644
--- a/pandora_console/include/graphs/functions_d3.php
+++ b/pandora_console/include/graphs/functions_d3.php
@@ -285,31 +285,6 @@ function d3_gauges($chart_data, $width, $height, $color, $legend,
 	return $output;
 }
 
-function d3_thermometers($chart_data, $width, $height, $color, $legend,
-				$homeurl, $unit, $font, $font_size, $no_data_image) {
-	global $config;
-	
-	foreach ($chart_data as $key => $value) {
-		$chart_data[$key]['agent_name'] = agents_get_alias($chart_data[$key]['id_agente']);
-		$chart_data[$key]['label'] = io_safe_output($chart_data[$key]['label']);
-	}
-	
-	if (is_array($chart_data))
-		$data = json_encode($chart_data);
-	$output = include_javascript_d3(true);
-	
-	$count = 0;
-	
-	$output .= "<div id='thermometers_div' style='float:left; overflow: hidden; margin-left: 10px;'></div>";
-	
-	$output .= "<script language=\"javascript\" type=\"text/javascript\">
-					var data = $data;
-					createthermometers(data, '$width', '$height','$font_size','$no_data_image','$font');
-				</script>";
-
-	return $output;
-}
-
 function ux_console_phases_donut ($phases, $id, $return = false) {
 	global $config;
 
diff --git a/pandora_console/include/graphs/pandora.d3.js b/pandora_console/include/graphs/pandora.d3.js
index dde73526ef..29728984e1 100644
--- a/pandora_console/include/graphs/pandora.d3.js
+++ b/pandora_console/include/graphs/pandora.d3.js
@@ -1060,229 +1060,6 @@ function createGauges(data, width, height, font_size, no_data_image, font) {
 	}
 }
 
-function createthermometers(data, width, height, font_size, no_data_image, font) {
-	
-for (var variable in data) {
-	module_data = data[variable];
-}
-
-// var svg = d3.select('.databox,.filters td')
-
-var svg = d3.select('#thermometers_div')
-		.append("svg")
-			.attr("width", 250)
-			.attr("height", 400);
-	
-	
-var rect = svg.append("rect")
-		.attr("x", 50)
-		.attr("y", 50)
-		.attr("width", 150)
-		.attr("height", 330)
-		.attr("fill", "black")
-		.attr("stroke-width", 5)
-		.attr("stroke", "rgb(37,133,177)")
-		.attr("rx", "10")
-		.attr("ry", "10")
-		.attr("fill", "rgb(235,235,235)");
-		
-		var circle = svg.append("circle")
-				.attr("cx", 130)
-				.attr("cy", 280)
-				.attr("r", 12)
-				.attr("height", 300)
-				.attr("fill", "rgb(74,185,197)");
-				
-		var progress_back = svg.append('rect')
-			.attr('fill', 'rgb(51,51,53)')
-			.attr('height', 200)
-			.attr('width', 12)
-			.attr('x', 123)
-			.attr('y', 70);
-			
-			
-			
-var defs = svg.append("defs");
-
-var gradient = defs.append("linearGradient")
-   .attr("id", "svgGradient")
-   .attr("x1", "0%")
-   .attr("x2", "0%")
-   .attr("y1", "100%")
-   .attr("y2", "0%");
-	 
-gradient.append("stop")
-   .attr('class', 'start')
-   .attr("offset", "0%")
-   .attr("stop-color", "rgb(74,185,197)");
-
-	 if(parseFloat(module_data.value) >= parseFloat(module_data.min_warning) && parseFloat(module_data.value) < parseFloat(module_data.min_critical)){
-	 		gradient.append("stop")
-	 		   .attr('class', 'end')
-	 		   .attr("offset", "100%")
-	 		   .attr("stop-color", "yellow");
-	 	}
-	 	else if((module_data.min_critical != 0 && module_data.max_critical != 0) && parseFloat(module_data.value) >= parseFloat(module_data.min_critical) && (parseFloat(module_data.value) <= parseFloat(module_data.max_critical) || parseFloat(module_data.max_critical) == 0)){
-	 		gradient.append("stop")
-	 		   .attr('class', 'end')
-	 		   .attr("offset", "100%")
-	 		   .attr("stop-color", "red");
-	 	}
-	 	else{
-	 		gradient.append("stop")
-	 			 .attr('class', 'end')
-	 			 .attr("offset", "100%")
-	 			 .attr("stop-color", "rgb(130,185,46)");
-	 	}
-
-		var progress_front = svg.append('rect')
-			.attr('fill', 'red')
-			.attr('height', 0)
-			.attr('width', 12)
-			.attr('x', 123)
-			.attr('y', 270)
-			.attr("fill", "url(#svgGradient)");
-			
-			if(module_data.value.toString().indexOf('.') != -1){
-				if(Math.trunc(module_data.value).toString().length > 1){
-						module_data.value = Math.trunc(module_data.value);
-				}
-				else {
-						module_data.value = parseFloat(module_data.value).toFixed(2);
-				}
-			}
-		
-			if(module_data.value >= 1000){
-				module_data.value_label = Math.trunc(module_data.value/1000);
-				var text = svg.append("text")
-						.attr("x", 100)
-						.attr("y", 320)
-						.style("font-size", "1.5em")
-						.text(module_data.value_label+"k"+" ["+module_data.unit+"]");
-			}
-			else{
-				var text = svg.append("text")
-						.attr("x", 100)
-						.attr("y", 320)
-						.style("font-size", "1.5em")
-						.text(module_data.value+" ["+module_data.unit+"]");
-			}
-			
-			
-			agent_text = module_data.agent_name;
-			
-			if(agent_text.length > 12){
-				agent_text = agent_text.substring(0, 10)+"...";
-			}
-			
-			var text = svg.append("text")
-					.attr("x", 65)
-					.attr("y", 370)
-					.style("font-size", "1.5em")
-					.text(agent_text);
-					
-					
-			label_text = module_data.label;
-					
-			if(label_text.length > 12){
-				label_text = label_text.substring(0, 10)+"...";
-			}
-			
-			var text = svg.append("text")
-					.attr("x", 65)
-					.attr("y", 350)
-					.style("font-size", "1.5em")
-					.text(label_text);
-					
-			var temp_sum = module_data.max-module_data.min;
-			var div_sum = (temp_sum/10);
-			var max_temp = module_data.max;
-			var min_temp = module_data.min;
-			var y = 75;
-			
-			var count = 0;
-			
-			var startPercent = 0;
-			var endPercent = module_data.value * 200 / max_temp;
-			
-			var step = endPercent / 20;
-			
-			while (max_temp >= min_temp) {
-								
-				if(count != 9){
-						if(max_temp.toString().indexOf('.') != -1){
-							if(Math.trunc(max_temp).toString().length > 1){
-									max_temp = Math.trunc(max_temp);
-							}
-							else {
-									max_temp = parseFloat(max_temp).toFixed(2);
-							}
-						}
-					
-						if(max_temp >= 1000){
-							max_temp_label = Math.trunc(max_temp/1000);
-							var text = svg.append("text")
-									.attr("x", 160)
-									.attr("y", y)
-									.style("font-size", "1.2em")
-									.text(max_temp_label+'k');
-						}
-						else{
-							var text = svg.append("text")
-									.attr("x", 160)
-									.attr("y", y)
-									.style("font-size", "1.2em")
-									.text(max_temp);
-						}
-						
-						var line = svg.append("line")
-								.attr("x1", 142)
-								.attr("y1", y-4)
-								.attr("x2", 153)
-								.attr("y2", y-4)
-								.attr("stroke", "black")
-								.style("font-size", "1.2em")
-								.text(max_temp);
-						
-						y += 20;
-				
-				max_temp = max_temp-div_sum;
-			}
-			if(count==10){
-				max_temp = module_data.min;
-			}
-			
-			count++;
-			}
-			
-			
-			
-			function updateProgress(bar_progress) {
-				var bar_progress = Number(bar_progress);
-				progress_front.attr('height', (bar_progress));
-				progress_front.attr('y', (270-bar_progress));
-			}
-
-			var bar_progress = startPercent;
-
-			(function loops() {
-				updateProgress(bar_progress);
-
-				if (bar_progress < endPercent) {
-					bar_progress += step;
-					setTimeout(loops, 30);
-				}
-				else{					
-					delete data[module_data['id_agente_modulo']];
-					if(Object.keys(data).length > 0){
-						createthermometers(data, width, height, font_size, no_data_image, font)
-					}
-				}
-			})();
-			
-}
-
-
 function Gauge(placeholderName, configuration, font)
 {
 
diff --git a/pandora_console/operation/reporting/graph_viewer.php b/pandora_console/operation/reporting/graph_viewer.php
index eb08db35e3..bef9eab3d8 100644
--- a/pandora_console/operation/reporting/graph_viewer.php
+++ b/pandora_console/operation/reporting/graph_viewer.php
@@ -124,12 +124,6 @@ if ($view_graph) {
 		$height = $graph["height"];
 	}
 	
-	if ($stacked == CUSTOM_GRAPH_THERMOMETER ){
-		// Use the defined graph height, that's why
-		// the user can setup graph height.
-		$height = $graph["height"];
-	}
-	
 	$name = $graph["name"];
 	if (($graph["private"]==1) && ($graph["id_user"] != $id_user)) {
 		db_pandora_audit("ACL Violation",
@@ -265,7 +259,6 @@ if ($view_graph) {
 	$stackeds[CUSTOM_GRAPH_HBARS] = __('Horizontal Bars');
 	$stackeds[CUSTOM_GRAPH_VBARS] = __('Vertical Bars');
 	$stackeds[CUSTOM_GRAPH_PIE] = __('Pie');
-	$stackeds[CUSTOM_GRAPH_THERMOMETER] = __('Thermometer');
 	html_print_select ($stackeds, 'stacked', $stacked , '', '', -1, false, false);
 	echo "</td>";