tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

changed behavior of All group and fixed acl vulnerability

This commit is contained in:
alejandro-campos 2021-01-20 18:22:43 +01:00
parent 535486a429
commit 731d486455
9 changed files with 96 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pandora_console/godmode/alerts/alert_commands.php
View File

@ -556,7 +556,9 @@ foreach ($commands as $command) {
$data = [];
$data['name'] = '<span style="font-size: 7.5pt">';
if (! $command['internal']) {
// (IMPORTANT, DO NOT CHANGE!) only users with permissions over "All" group have access to edition of commands belonging to "All" group.
if (!$command['internal'] && check_acl_restricted_all($config['id_user'], $command['id_group'], 'LM')) {
$data['name'] .= '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_command&id='.$command['id'].'&pure='.$pure.'">'.$command['name'].'</a>';
} else {
$data['name'] .= $command['name'];
@ -580,7 +582,9 @@ foreach ($commands as $command) {
);
$data['action'] = '';
$table->cellclass[]['action'] = 'action_buttons';
if ($is_central_policies_on_node === false && !$command['internal']) {
// (IMPORTANT, DO NOT CHANGE!) only users with permissions over "All" group have access to edition of commands belonging to "All" group.
if ($is_central_policies_on_node === false && !$command['internal'] && check_acl_restricted_all($config['id_user'], $command['id_group'], 'LM')) {
$data['action'] = '<span style="display: inline-flex">';
$data['action'] .= '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/alert_commands&amp;copy_command=1&id='.$command['id'].'&pure='.$pure.'"
onClick="if (!confirm(\''.__('Are you sure?').'\')) return false;">'.html_print_image('images/copy.png', true).'</a>';

8
pandora_console/godmode/alerts/alert_templates.php
View File

@ -401,13 +401,17 @@ foreach ($templates as $template) {
$data = [];
$data[0] = '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_template&id='.$template['id'].'&pure='.$pure.'">'.$template['name'].'</a>';
if (check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM')) {
$data[0] = '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_template&id='.$template['id'].'&pure='.$pure.'">'.$template['name'].'</a>';
} else {
$data[0] = $template['name'];
}
$data[1] = ui_print_group_icon($template['id_group'], true);
$data[3] = alerts_get_alert_templates_type_name($template['type']);
if (is_central_policies_on_node() === false
&& check_acl($config['id_user'], $template['id_group'], 'LM')
&& check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM')
) {
$table->cellclass[][4] = 'action_buttons';
$data[4] = '<form method="post" action="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_template&pure='.$pure.'" style="display: inline; float: left">';

19
pandora_console/godmode/alerts/configure_alert_command.php
View File

@ -48,15 +48,18 @@ if (is_metaconsole() === true) {
);
}
if ($update_command) {
$id = (int) get_parameter('id');
if ($id > 0) {
$alert = alerts_get_alert_command($id);
if ($alert['internal']) {
if ($alert['internal'] || !check_acl_restricted_all($config['id_user'], $alert['id_group'], 'LM')) {
db_pandora_audit('ACL Violation', 'Trying to access Alert Management');
include 'general/noaccess.php';
exit;
}
}
if ($update_command) {
$alert = alerts_get_alert_command($id);
$name = (string) get_parameter('name');
$command = (string) get_parameter('command');
@ -216,12 +219,18 @@ $table->data['command'][1] = html_print_textarea(
$is_central_policies_on_node
);
$return_all_group = false;
if (users_can_manage_group_all('LM') === true) {
$return_all_group = true;
}
$table->colspan['group'][1] = 3;
$table->data['group'][0] = __('Group');
$table->data['group'][1] = '<div class="w250px inline">'.html_print_select_groups(
false,
'LM',
true,
$return_all_group,
'id_group',
$id_group,
false,

21
pandora_console/godmode/alerts/configure_alert_template.php
View File

@ -55,6 +55,15 @@ if (defined('METACONSOLE')) {
if ($a_template !== false) {
// If user tries to duplicate/edit a template with group=ALL
if ($a_template['id_group'] == 0) {
if (users_can_manage_group_all('LM') === false) {
db_pandora_audit(
'ACL Violation',
'Trying to access Alert Management'
);
include 'general/noaccess.php';
exit;
}
// Header
if (defined('METACONSOLE')) {
alerts_meta_print_header();
@ -1091,18 +1100,18 @@ if ($step == 2) {
$table->data[0][1] .= '&nbsp;&nbsp;'.__('Group');
$groups = users_get_groups();
$own_info = get_user_info($config['id_user']);
// Only display group "All" if user is administrator or has "PM" privileges.
if ($own_info['is_admin'] || check_acl($config['id_user'], 0, 'PM')) {
$display_all_group = true;
} else {
$display_all_group = false;
$return_all_group = false;
if (users_can_manage_group_all('LM') === true) {
$return_all_group = true;
}
$table->data[0][1] .= '&nbsp;';
$table->data[0][1] .= '<div class="w250px inline">'.html_print_select_groups(
false,
'AR',
$display_all_group,
$return_all_group,
'id_group',
$id_group,
'',

11
pandora_console/godmode/gis_maps/configure_gis_map.php
View File

@ -461,14 +461,15 @@ $table->data[1][1] = "<table style='padding:0px;' class='no-class' border='0' id
</tr> ".gis_add_conection_maps_in_form($map_connection_list).'
</table>';
$own_info = get_user_info($config['id_user']);
if ($own_info['is_admin'] || check_acl($config['id_user'], 0, 'MM')) {
$display_all_group = true;
} else {
$display_all_group = false;
$return_all_group = false;
if (users_can_manage_group_all('MM') === true) {
$return_all_group = true;
}
$table->data[2][0] = __('Group');
$table->data[2][1] = html_print_select_groups(false, 'IW', $display_all_group, 'map_group_id', $map_group_id, '', '', '', true);
$table->data[2][1] = html_print_select_groups(false, 'IW', $return_all_group, 'map_group_id', $map_group_id, '', '', '', true);
$table->data[3][0] = __('Default zoom');
$table->data[3][1] = html_print_input_text('map_zoom_level', $map_zoom_level, '', 2, 4, true).html_print_input_hidden('map_levels_zoom', $map_levels_zoom, true);

52
pandora_console/godmode/snmpconsole/snmp_alert.php
View File

@ -494,6 +494,15 @@ if ($update_alert || $duplicate_alert) {
$position = $alert['position'];
$disable_event = $alert['disable_event'];
$group = $alert['id_group'];
if (!check_acl_restricted_all($config['id_user'], $group, 'LW')) {
db_pandora_audit(
'ACL Violation',
'Trying to access SNMP Alert Management'
);
include 'general/noaccess.php';
return;
}
} else if ($create_alert) {
// Variable init
$id_as = -1;
@ -814,13 +823,19 @@ if ($create_alert || $update_alert) {
html_print_input_text('source_ip', $source_ip, '', 20);
echo '</td></tr>';
$return_all_group = false;
if (users_can_manage_group_all('LW') === true) {
$return_all_group = true;
}
// Group
echo '<tr id="tr-group"><td class="datos2">'.__('Group').'</td><td class="datos2">';
echo '<div class="w250px">';
html_print_select_groups(
$config['id_user'],
'AR',
true,
$return_all_group,
'group',
$group,
'',
@ -1346,10 +1361,17 @@ if ($create_alert || $update_alert) {
$url = 'index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'id_alert_snmp='.$row['id_as'].'&'.'update_alert=1';
$data[1] = '<table>';
$data[1] .= '<tr>';
$data[1] .= '<a href="'.$url.'">'.alerts_get_alert_action_name($row['id_alert']).'</a>';
if (check_acl_restricted_all($config['id_user'], $row['id_group'], 'LW')) {
$data[1] .= '<a href="'.$url.'">'.alerts_get_alert_action_name($row['id_alert']).'</a>';
} else {
$data[1] .= alerts_get_alert_action_name($row['id_alert']);
}
$other_actions = db_get_all_rows_filter('talert_snmp_action', ['id_alert_snmp' => $row['id_as']]);
$data[1] .= '</tr>';
if ($other_actions != false) {
foreach ($other_actions as $action) {
$data[1] .= '<tr>';
@ -1361,6 +1383,7 @@ if ($create_alert || $update_alert) {
$data[1] .= '</table>';
$data[2] = $row['agent'];
$data[3] = $row['oid'];
$data[4] = $row['custom_oid'];
@ -1373,18 +1396,23 @@ if ($create_alert || $update_alert) {
$data[7] = __('Never');
}
$data[8] = '<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'duplicate_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/copy.png', true, ['alt' => __('Duplicate'), 'title' => __('Duplicate')]).'</a>'.'<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'update_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/config.png', true, ['border' => '0', 'alt' => __('Update')]).'</a>'.'<a href="javascript:show_add_action_snmp(\''.$row['id_as'].'\');">'.html_print_image('images/add.png', true, ['title' => __('Add action')]).'</a>'.'<a href="index.php?sec=snmpconsole&sec2=godmode/snmpconsole/snmp_alert&delete_alert='.$row['id_as'].'" onClick="javascript:return confirm(\''.__('Are you sure?').'\')">'.html_print_image('images/cross.png', true, ['border' => '0', 'alt' => __('Delete')]).'</a>';
if (check_acl_restricted_all($config['id_user'], $row['id_group'], 'LW')) {
$data[8] = '<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'duplicate_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/copy.png', true, ['alt' => __('Duplicate'), 'title' => __('Duplicate')]).'</a>'.'<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'update_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/config.png', true, ['border' => '0', 'alt' => __('Update')]).'</a>'.'<a href="javascript:show_add_action_snmp(\''.$row['id_as'].'\');">'.html_print_image('images/add.png', true, ['title' => __('Add action')]).'</a>'.'<a href="index.php?sec=snmpconsole&sec2=godmode/snmpconsole/snmp_alert&delete_alert='.$row['id_as'].'" onClick="javascript:return confirm(\''.__('Are you sure?').'\')">'.html_print_image('images/cross.png', true, ['border' => '0', 'alt' => __('Delete')]).'</a>';
$data[9] = html_print_checkbox_extended(
'delete_ids[]',
$row['id_as'],
false,
false,
false,
'class="chk_delete"',
true
);
$data[9] = html_print_checkbox_extended(
'delete_ids[]',
$row['id_as'],
false,
false,
false,
'class="chk_delete"',
true
);
} else {
$data[8] = '';
$data[9] = '';
}
$idx = count($table->data);
// The current index of the table is 1 less than the count of table data so we count before adding to table->data

8
pandora_console/operation/gis_maps/gis_map.php
View File

@ -170,12 +170,8 @@ if ($maps !== false) {
$data['name'] = '<a href="index.php?sec=gismaps&amp;sec2=operation/gis_maps/render_view&amp;map_id='.$map['id_tgis_map'].'">'.$map['map_name'].'</a> ';
$data['group'] = ui_print_group_icon($map['group_id'], true);
if (check_acl($config['id_user'], 0, 'MW')
|| check_acl($config['id_user'], 0, 'MM')
) {
$data['default'] = '';
$data['op'] = '';
}
$data['default'] = '';
$data['op'] = '';
if (check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW')
|| check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM')

4
pandora_console/operation/gis_maps/render_view.php
View File

@ -114,8 +114,8 @@ $controls = [
$layers = gis_get_layers($idMap);
// Render map
$has_management_acl = check_acl($config['id_user'], $map['group_id'], 'MW')
|| check_acl($config['id_user'], $map['group_id'], 'MM');
$has_management_acl = check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW')
|| check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM');
$buttons = [];

6
pandora_console/operation/visual_console/view.php
View File

@ -300,7 +300,11 @@ if ($pure === false) {
);
echo '</div>';
echo '</div>';
echo html_print_checkbox_switch('edit-mode', 1, false, true);
if ($aclWrite || $aclManage) {
echo html_print_checkbox_switch('edit-mode', 1, false, true);
}
echo '</div>';
}
}