changed behavior of All group and fixed acl vulnerability

This commit is contained in:
alejandro-campos 2021-01-20 18:22:43 +01:00
parent 535486a429
commit 731d486455
9 changed files with 96 additions and 41 deletions


@ -556,7 +556,9 @@ foreach ($commands as $command) {
$data = []; $data = [];
$data['name'] = '<span style="font-size: 7.5pt">'; $data['name'] = '<span style="font-size: 7.5pt">';
if (! $command['internal']) {
// (IMPORTANT, DO NOT CHANGE!) only users with permissions over "All" group have access to edition of commands belonging to "All" group.
if (!$command['internal'] && check_acl_restricted_all($config['id_user'], $command['id_group'], 'LM')) {
$data['name'] .= '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_command&id='.$command['id'].'&pure='.$pure.'">'.$command['name'].'</a>'; $data['name'] .= '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_command&id='.$command['id'].'&pure='.$pure.'">'.$command['name'].'</a>';
} else { } else {
$data['name'] .= $command['name']; $data['name'] .= $command['name'];
@ -580,7 +582,9 @@ foreach ($commands as $command) {
); );
$data['action'] = ''; $data['action'] = '';
$table->cellclass[]['action'] = 'action_buttons'; $table->cellclass[]['action'] = 'action_buttons';
if ($is_central_policies_on_node === false && !$command['internal']) {
// (IMPORTANT, DO NOT CHANGE!) only users with permissions over "All" group have access to edition of commands belonging to "All" group.
if ($is_central_policies_on_node === false && !$command['internal'] && check_acl_restricted_all($config['id_user'], $command['id_group'], 'LM')) {
$data['action'] = '<span style="display: inline-flex">'; $data['action'] = '<span style="display: inline-flex">';
$data['action'] .= '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/alert_commands&amp;copy_command=1&id='.$command['id'].'&pure='.$pure.'" $data['action'] .= '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/alert_commands&amp;copy_command=1&id='.$command['id'].'&pure='.$pure.'"
onClick="if (!confirm(\''.__('Are you sure?').'\')) return false;">'.html_print_image('images/copy.png', true).'</a>'; onClick="if (!confirm(\''.__('Are you sure?').'\')) return false;">'.html_print_image('images/copy.png', true).'</a>';
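Review bot: The check_acl_restricted_all() tests added to the `if` lines at L16 and L26 only decide whether the edit and copy links are rendered; the handlers that act on `copy_command=1`, the delete action and the configure page are outside this hunk, and printing a plain name instead of a link is not an authorization check, so each of those handlers needs the same test against the command's `id_group` (this commit adds it to the configure page in the @ -48,15 hunk; confirm the copy/delete paths in this file have it too). The same applies to the template list (@ -401,13 hunk) and the SNMP alert list (@ -1346,10 hunk). Style: the two "(IMPORTANT, DO NOT CHANGE!)" comments restate one rule; a single `// Commands in group "All" are editable only by users with ACL over "All".` plus `$can_edit = check_acl_restricted_all($config['id_user'], $command['id_group'], 'LM');` computed once per command would keep both conditions in sync. The foreach body continues outside the hunk.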


@ -401,13 +401,17 @@ foreach ($templates as $template) {
$data = []; $data = [];
if (check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM')) {
$data[0] = '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_template&id='.$template['id'].'&pure='.$pure.'">'.$template['name'].'</a>'; $data[0] = '<a href="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_template&id='.$template['id'].'&pure='.$pure.'">'.$template['name'].'</a>';
} else {
$data[0] = $template['name'];
}
$data[1] = ui_print_group_icon($template['id_group'], true); $data[1] = ui_print_group_icon($template['id_group'], true);
$data[3] = alerts_get_alert_templates_type_name($template['type']); $data[3] = alerts_get_alert_templates_type_name($template['type']);
if (is_central_policies_on_node() === false if (is_central_policies_on_node() === false
&& check_acl($config['id_user'], $template['id_group'], 'LM') && check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM')
) { ) {
$table->cellclass[][4] = 'action_buttons'; $table->cellclass[][4] = 'action_buttons';
$data[4] = '<form method="post" action="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_template&pure='.$pure.'" style="display: inline; float: left">'; $data[4] = '<form method="post" action="index.php?sec='.$sec.'&sec2=godmode/alerts/configure_alert_template&pure='.$pure.'" style="display: inline; float: left">';
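Review bot: check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM') is now evaluated twice per row, at L35 for the name link and again at L43 for the action cell; compute it once at the top of the iteration, `$can_manage = check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM');`, and use it in both conditions so the two cells cannot diverge if one is edited later. The loop body continues outside the hunk.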


@ -48,15 +48,18 @@ if (is_metaconsole() === true) {
); );
} }
if ($id > 0) {
if ($update_command) {
$id = (int) get_parameter('id');
$alert = alerts_get_alert_command($id); $alert = alerts_get_alert_command($id);
if ($alert['internal']) {
if ($alert['internal'] || !check_acl_restricted_all($config['id_user'], $alert['id_group'], 'LM')) {
db_pandora_audit('ACL Violation', 'Trying to access Alert Management'); db_pandora_audit('ACL Violation', 'Trying to access Alert Management');
include 'general/noaccess.php'; include 'general/noaccess.php';
exit; exit;
} }
}
if ($update_command) {
$alert = alerts_get_alert_command($id);
$name = (string) get_parameter('name'); $name = (string) get_parameter('name');
$command = (string) get_parameter('command'); $command = (string) get_parameter('command');
@ -216,12 +219,18 @@ $table->data['command'][1] = html_print_textarea(
$is_central_policies_on_node $is_central_policies_on_node
); );
$return_all_group = false;
if (users_can_manage_group_all('LM') === true) {
$return_all_group = true;
}
$table->colspan['group'][1] = 3; $table->colspan['group'][1] = 3;
$table->data['group'][0] = __('Group'); $table->data['group'][0] = __('Group');
$table->data['group'][1] = '<div class="w250px inline">'.html_print_select_groups( $table->data['group'][1] = '<div class="w250px inline">'.html_print_select_groups(
false, false,
'LM', 'LM',
true, $return_all_group,
'id_group', 'id_group',
$id_group, $id_group,
false, false,
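Review bot: The new guard at L53-L62 reads `$alert['internal']` and `$alert['id_group']` without checking that alerts_get_alert_command() found a row; if it returns false for an unknown `id`, both reads yield null (with a warning on PHP 8) and the ACL test then runs against a null group instead of denying outright. Treat a missing row as no access: `if ($alert === false || $alert['internal'] || !check_acl_restricted_all($config['id_user'], $alert['id_group'], 'LM')) {`. The removed `$id = (int) get_parameter('id');` has no visible replacement in this hunk, so presumably `$id` is now read and cast earlier in the file — worth confirming. Hiding the "All" entry from html_print_select_groups() via `$return_all_group` at L71-L80 only affects the form; the code that stores the submitted `id_group` on create/update is outside the hunk and should reject group 0 for users for whom users_can_manage_group_all('LM') is false, and the same applies to the selects in the @ -1091,18, @ -461,14 and @ -814,13 hunks. Style: the four-line `$return_all_group` block repeated in those hunks collapses to `$return_all_group = users_can_manage_group_all('LM') === true;`.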


@ -55,6 +55,15 @@ if (defined('METACONSOLE')) {
if ($a_template !== false) { if ($a_template !== false) {
// If user tries to duplicate/edit a template with group=ALL // If user tries to duplicate/edit a template with group=ALL
if ($a_template['id_group'] == 0) { if ($a_template['id_group'] == 0) {
if (users_can_manage_group_all('LM') === false) {
db_pandora_audit(
'ACL Violation',
'Trying to access Alert Management'
);
include 'general/noaccess.php';
exit;
}
// Header // Header
if (defined('METACONSOLE')) { if (defined('METACONSOLE')) {
alerts_meta_print_header(); alerts_meta_print_header();
@ -1091,18 +1100,18 @@ if ($step == 2) {
$table->data[0][1] .= '&nbsp;&nbsp;'.__('Group'); $table->data[0][1] .= '&nbsp;&nbsp;'.__('Group');
$groups = users_get_groups(); $groups = users_get_groups();
$own_info = get_user_info($config['id_user']); $own_info = get_user_info($config['id_user']);
// Only display group "All" if user is administrator or has "PM" privileges.
if ($own_info['is_admin'] || check_acl($config['id_user'], 0, 'PM')) { $return_all_group = false;
$display_all_group = true;
} else { if (users_can_manage_group_all('LM') === true) {
$display_all_group = false; $return_all_group = true;
} }
$table->data[0][1] .= '&nbsp;'; $table->data[0][1] .= '&nbsp;';
$table->data[0][1] .= '<div class="w250px inline">'.html_print_select_groups( $table->data[0][1] .= '<div class="w250px inline">'.html_print_select_groups(
false, false,
'AR', 'AR',
$display_all_group, $return_all_group,
'id_group', 'id_group',
$id_group, $id_group,
'', '',
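Review bot: The "All" entry is now gated on users_can_manage_group_all('LM') at L109, but the group list passed to html_print_select_groups() at L115 is still filtered by `'AR'`; if that second argument is the privilege used to build the list, a user with read access but no LM over a group can still assign a template to it, so the two privilege strings should agree (`'LM'` on both). The same mismatch appears in the @ -461,14 hunk ('MM' vs 'IW') and the @ -814,13 hunk ('LW' vs 'AR'). The removed comment at L106 explained the old rule; replace it with `// Only users with LM over group "All" may assign a template to "All".` so the reason for the users_can_manage_group_all() call is kept. The new check at L91-L98 denies only templates in group 0; whether a template in a non-zero group is checked against the user's LM on that group is not visible in this hunk.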


@ -461,14 +461,15 @@ $table->data[1][1] = "<table style='padding:0px;' class='no-class' border='0' id
</tr> ".gis_add_conection_maps_in_form($map_connection_list).' </tr> ".gis_add_conection_maps_in_form($map_connection_list).'
</table>'; </table>';
$own_info = get_user_info($config['id_user']); $own_info = get_user_info($config['id_user']);
if ($own_info['is_admin'] || check_acl($config['id_user'], 0, 'MM')) {
$display_all_group = true; $return_all_group = false;
} else {
$display_all_group = false; if (users_can_manage_group_all('MM') === true) {
$return_all_group = true;
} }
$table->data[2][0] = __('Group'); $table->data[2][0] = __('Group');
$table->data[2][1] = html_print_select_groups(false, 'IW', $display_all_group, 'map_group_id', $map_group_id, '', '', '', true); $table->data[2][1] = html_print_select_groups(false, 'IW', $return_all_group, 'map_group_id', $map_group_id, '', '', '', true);
$table->data[3][0] = __('Default zoom'); $table->data[3][0] = __('Default zoom');
$table->data[3][1] = html_print_input_text('map_zoom_level', $map_zoom_level, '', 2, 4, true).html_print_input_hidden('map_levels_zoom', $map_levels_zoom, true); $table->data[3][1] = html_print_input_text('map_zoom_level', $map_zoom_level, '', 2, 4, true).html_print_input_hidden('map_levels_zoom', $map_levels_zoom, true);
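Review bot: `$own_info = get_user_info($config['id_user']);` at L126 is kept, but its only visible use was the removed `$own_info['is_admin']` test at L127; if nothing below this hunk reads it, the call is now dead and should be dropped rather than left as an unexplained lookup. The form-building code around this hunk continues outside it.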


@ -494,6 +494,15 @@ if ($update_alert || $duplicate_alert) {
$position = $alert['position']; $position = $alert['position'];
$disable_event = $alert['disable_event']; $disable_event = $alert['disable_event'];
$group = $alert['id_group']; $group = $alert['id_group'];
if (!check_acl_restricted_all($config['id_user'], $group, 'LW')) {
db_pandora_audit(
'ACL Violation',
'Trying to access SNMP Alert Management'
);
include 'general/noaccess.php';
return;
}
} else if ($create_alert) { } else if ($create_alert) {
// Variable init // Variable init
$id_as = -1; $id_as = -1;
@ -814,13 +823,19 @@ if ($create_alert || $update_alert) {
html_print_input_text('source_ip', $source_ip, '', 20); html_print_input_text('source_ip', $source_ip, '', 20);
echo '</td></tr>'; echo '</td></tr>';
$return_all_group = false;
if (users_can_manage_group_all('LW') === true) {
$return_all_group = true;
}
// Group // Group
echo '<tr id="tr-group"><td class="datos2">'.__('Group').'</td><td class="datos2">'; echo '<tr id="tr-group"><td class="datos2">'.__('Group').'</td><td class="datos2">';
echo '<div class="w250px">'; echo '<div class="w250px">';
html_print_select_groups( html_print_select_groups(
$config['id_user'], $config['id_user'],
'AR', 'AR',
true, $return_all_group,
'group', 'group',
$group, $group,
'', '',
@ -1346,10 +1361,17 @@ if ($create_alert || $update_alert) {
$url = 'index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'id_alert_snmp='.$row['id_as'].'&'.'update_alert=1'; $url = 'index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'id_alert_snmp='.$row['id_as'].'&'.'update_alert=1';
$data[1] = '<table>'; $data[1] = '<table>';
$data[1] .= '<tr>'; $data[1] .= '<tr>';
if (check_acl_restricted_all($config['id_user'], $row['id_group'], 'LW')) {
$data[1] .= '<a href="'.$url.'">'.alerts_get_alert_action_name($row['id_alert']).'</a>'; $data[1] .= '<a href="'.$url.'">'.alerts_get_alert_action_name($row['id_alert']).'</a>';
} else {
$data[1] .= alerts_get_alert_action_name($row['id_alert']);
}
$other_actions = db_get_all_rows_filter('talert_snmp_action', ['id_alert_snmp' => $row['id_as']]); $other_actions = db_get_all_rows_filter('talert_snmp_action', ['id_alert_snmp' => $row['id_as']]);
$data[1] .= '</tr>'; $data[1] .= '</tr>';
if ($other_actions != false) { if ($other_actions != false) {
foreach ($other_actions as $action) { foreach ($other_actions as $action) {
$data[1] .= '<tr>'; $data[1] .= '<tr>';
@ -1361,6 +1383,7 @@ if ($create_alert || $update_alert) {
$data[1] .= '</table>'; $data[1] .= '</table>';
$data[2] = $row['agent']; $data[2] = $row['agent'];
$data[3] = $row['oid']; $data[3] = $row['oid'];
$data[4] = $row['custom_oid']; $data[4] = $row['custom_oid'];
@ -1373,6 +1396,7 @@ if ($create_alert || $update_alert) {
$data[7] = __('Never'); $data[7] = __('Never');
} }
if (check_acl_restricted_all($config['id_user'], $row['id_group'], 'LW')) {
$data[8] = '<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'duplicate_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/copy.png', true, ['alt' => __('Duplicate'), 'title' => __('Duplicate')]).'</a>'.'<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'update_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/config.png', true, ['border' => '0', 'alt' => __('Update')]).'</a>'.'<a href="javascript:show_add_action_snmp(\''.$row['id_as'].'\');">'.html_print_image('images/add.png', true, ['title' => __('Add action')]).'</a>'.'<a href="index.php?sec=snmpconsole&sec2=godmode/snmpconsole/snmp_alert&delete_alert='.$row['id_as'].'" onClick="javascript:return confirm(\''.__('Are you sure?').'\')">'.html_print_image('images/cross.png', true, ['border' => '0', 'alt' => __('Delete')]).'</a>'; $data[8] = '<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'duplicate_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/copy.png', true, ['alt' => __('Duplicate'), 'title' => __('Duplicate')]).'</a>'.'<a href="index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'update_alert=1&'.'id_alert_snmp='.$row['id_as'].'">'.html_print_image('images/config.png', true, ['border' => '0', 'alt' => __('Update')]).'</a>'.'<a href="javascript:show_add_action_snmp(\''.$row['id_as'].'\');">'.html_print_image('images/add.png', true, ['title' => __('Add action')]).'</a>'.'<a href="index.php?sec=snmpconsole&sec2=godmode/snmpconsole/snmp_alert&delete_alert='.$row['id_as'].'" onClick="javascript:return confirm(\''.__('Are you sure?').'\')">'.html_print_image('images/cross.png', true, ['border' => '0', 'alt' => __('Delete')]).'</a>';
@ -1385,6 +1409,10 @@ if ($create_alert || $update_alert) {
'class="chk_delete"', 'class="chk_delete"',
true true
); );
} else {
$data[8] = '';
$data[9] = '';
}
$idx = count($table->data); $idx = count($table->data);
// The current index of the table is 1 less than the count of table data so we count before adding to table->data // The current index of the table is 1 less than the count of table data so we count before adding to table->data
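Review bot: The new ACL guard at L144-L151 ends with `return;` whereas the equivalent guards added in this commit (@ -48,15 and @ -55,6 hunks) end with `exit;`; after `include 'general/noaccess.php'` a `return` only leaves the current file, so if this page is itself included by a wrapper, whatever that wrapper does next still runs — use `exit;` here as well. The `$alert` row the check reads at L143 is fetched outside the hunk; if that lookup can return false for an unknown id_alert_snmp, `$group` is null and the guard should deny explicitly rather than rely on how check_acl_restricted_all() treats a null group. The `if ($update_alert || $duplicate_alert)` block starts outside the hunk.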


@ -170,12 +170,8 @@ if ($maps !== false) {
$data['name'] = '<a href="index.php?sec=gismaps&amp;sec2=operation/gis_maps/render_view&amp;map_id='.$map['id_tgis_map'].'">'.$map['map_name'].'</a> '; $data['name'] = '<a href="index.php?sec=gismaps&amp;sec2=operation/gis_maps/render_view&amp;map_id='.$map['id_tgis_map'].'">'.$map['map_name'].'</a> ';
$data['group'] = ui_print_group_icon($map['group_id'], true); $data['group'] = ui_print_group_icon($map['group_id'], true);
if (check_acl($config['id_user'], 0, 'MW')
|| check_acl($config['id_user'], 0, 'MM')
) {
$data['default'] = ''; $data['default'] = '';
$data['op'] = ''; $data['op'] = '';
}
if (check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW') if (check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW')
|| check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM') || check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM')


@ -114,8 +114,8 @@ $controls = [
$layers = gis_get_layers($idMap); $layers = gis_get_layers($idMap);
// Render map // Render map
$has_management_acl = check_acl($config['id_user'], $map['group_id'], 'MW') $has_management_acl = check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW')
|| check_acl($config['id_user'], $map['group_id'], 'MM'); || check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM');
$buttons = []; $buttons = [];
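Review bot: The switch from check_acl() to check_acl_restricted_all() at L226-L227 carries no comment, and this is the only place in the file where a reader sees the stricter call; add `// A map in group "All" is manageable only by users whose ACL covers "All".` above `$has_management_acl` so the change is not reverted later as a supposed simplification. The rendering code around this hunk continues outside it.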


@ -300,7 +300,11 @@ if ($pure === false) {
); );
echo '</div>'; echo '</div>';
echo '</div>'; echo '</div>';
if ($aclWrite || $aclManage) {
echo html_print_checkbox_switch('edit-mode', 1, false, true); echo html_print_checkbox_switch('edit-mode', 1, false, true);
}
echo '</div>'; echo '</div>';
} }
} }
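Review bot: Wrapping html_print_checkbox_switch('edit-mode', ...) in `if ($aclWrite || $aclManage)` at L236-L238 hides the switch but does not restrict what edit mode submits; the code that receives those edits must perform the same ACL test, and it is not in this hunk. `$aclWrite` and `$aclManage` are defined outside the hunk, so confirm they are derived from check_acl_restricted_all() on the map's group, as `$has_management_acl` is elsewhere in this commit, rather than from check_acl(). The enclosing `if ($pure === false)` block starts outside the hunk.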