From def59508ae162be8540391cd9a6fbcf797385a8a Mon Sep 17 00:00:00 2001 
From: alejandro-campos Date: Thu, 22 Oct 2020 12:00:44 +0200 Subject: [PATCH 1/3] changed behavior of all group acl check and fixed acl vulnerabilities --- .../agentes/planned_downtime.editor.php | 40 +++++++++--- .../godmode/agentes/planned_downtime.list.php | 38 ++++++++--- .../godmode/alerts/alert_actions.php | 39 ++++++++++- .../godmode/alerts/configure_alert_action.php | 17 ++++- .../godmode/events/event_edit_filter.php | 18 ++++- .../godmode/events/event_filter.php | 33 +++++++++- .../godmode/events/event_responses.editor.php | 18 ++++- .../godmode/events/event_responses.list.php | 4 ++ .../godmode/gis_maps/configure_gis_map.php | 8 +++ pandora_console/godmode/netflow/nf_edit.php | 35 ++++++++-- .../godmode/reporting/graph_builder.main.php | 12 +++- .../godmode/reporting/graph_builder.php | 14 ++++ pandora_console/godmode/reporting/graphs.php | 15 +++-- .../godmode/reporting/map_builder.php | 10 +-- .../reporting/reporting_builder.main.php | 8 ++- .../godmode/reporting/reporting_builder.php | 28 ++++++-- .../reporting/visual_console_builder.data.php | 9 ++- .../reporting/visual_console_builder.php | 8 +-- .../include/class/CredentialStore.class.php | 25 ++++++- pandora_console/include/functions.php | 65 +++++++++++++++++++ pandora_console/include/functions_events.php | 8 ++- pandora_console/include/functions_users.php | 7 +- .../include/lib/Dashboard/Manager.php | 2 + .../agentes/pandora_networkmap.editor.php | 18 ++++- .../operation/agentes/pandora_networkmap.php | 30 +++++---- .../operation/gis_maps/gis_map.php | 6 +- .../operation/reporting/graph_viewer.php | 13 +++- .../operation/reporting/reporting_viewer.php | 11 +++- .../operation/visual_console/legacy_view.php | 6 +- .../operation/visual_console/view.php | 6 +- .../views/dashboard/formDashboard.php | 17 +++-- pandora_console/views/dashboard/header.php | 4 +- pandora_console/views/dashboard/list.php | 5 ++ 33 files changed, 483 insertions(+), 94 deletions(-) 
diff --git a/pandora_console/godmode/agentes/planned_downtime.editor.php b/pandora_console/godmode/agentes/planned_downtime.editor.php index b3e7029dbd..a26405aa2c 100644 --- a/pandora_console/godmode/agentes/planned_downtime.editor.php +++ b/pandora_console/godmode/agentes/planned_downtime.editor.php @@ -143,16 +143,29 @@ $user_groups_ad = array_keys( users_get_groups($config['id_user'], $access) ); +// Check AD permission on downtime. +$downtime_group = db_get_value( + 'id_group', + 'tplanned_downtime', + 'id', + $id_downtime +); + +if ($id_downtime > 0) { + if (!check_acl_restricted_all($config['id_user'], $downtime_group, 'AW') + && !check_acl_restricted_all($config['id_user'], $downtime_group, 'AD') + ) { + db_pandora_audit( + 'ACL Violation', + 'Trying to access downtime scheduler' + ); + include 'general/noaccess.php'; + return; + } +} + // INSERT A NEW DOWNTIME_AGENT ASSOCIATION. if ($insert_downtime_agent === 1) { - // Check AD permission on downtime. - $downtime_group = db_get_value( - 'id_group', - 'tplanned_downtime', - 'id', - $id_downtime - ); - if ($downtime_group === false || !in_array($downtime_group, $user_groups_ad) ) { @@ -644,11 +657,20 @@ $table->data[0][1] = html_print_input_text( true, $disabled_in_execution ); + +$return_all_group = false; + +if (users_can_manage_group_all('AW') === true + || users_can_manage_group_all('AD') === true +) { + $return_all_group = true; +} + $table->data[1][0] = __('Group'); $table->data[1][1] = '
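Review bot: The new gate feeds `$downtime_group` straight into `check_acl_restricted_all()` even when `db_get_value()` returns `false` for an unknown `$id_downtime`, so the outcome for a non-existent downtime depends on how that helper coerces `false`; the lookup should also move inside the `if ($id_downtime > 0)` guard so it is not issued for new downtimes. I would write `if ($id_downtime > 0) { $downtime_group = db_get_value(...); if ($downtime_group === false || (!check_acl_restricted_all(..., 'AW') && !check_acl_restricted_all(..., 'AD'))) {`. Note also that the gate accepts AW or AD while the insert path below it still requires membership in `$user_groups_ad`, so an AW-only user passes the first check and is rejected by the second — confirm that split is intended. The enclosing page code starts before this hunk.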
'.html_print_select_groups( false, $access, - true, + $return_all_group, 'id_group', $id_group, '', diff --git a/pandora_console/godmode/agentes/planned_downtime.list.php b/pandora_console/godmode/agentes/planned_downtime.list.php index acfa2a9039..c48e9a71d4 100755 --- a/pandora_console/godmode/agentes/planned_downtime.list.php +++ b/pandora_console/godmode/agentes/planned_downtime.list.php 
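Review bot: Dropping the "All" entry from the group selector when `users_can_manage_group_all('AW')`/`('AD')` fails is a UI convenience, not an access control: a crafted POST with `id_group=0` still reaches the save handler unless that handler re-checks. The handler is outside this hunk; it should reject group 0 with the same test, e.g. `if ((int) $id_group === 0 && !users_can_manage_group_all('AW') && !users_can_manage_group_all('AD')) { include 'general/noaccess.php'; return; }`. A one-line comment above `$return_all_group` saying the server-side check lives elsewhere would help the next reader.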
@@ -476,22 +476,42 @@ else { if (in_array($downtime['id_group'], $groupsAD)) { // Stop button if ($downtime['type_execution'] == 'once' && $downtime['executed'] == 1) { - $data['stop'] = ''.html_print_image('images/cancel.png', true, ['title' => __('Stop downtime')]); + if (check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AW') + || check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AD') + ) { + $data['stop'] = ''.html_print_image('images/cancel.png', true, ['title' => __('Stop downtime')]); + } else { + $data['stop'] = html_print_image('images/cancel.png', true, ['title' => __('Stop downtime')]); + } } else { $data['stop'] = ''; } // Edit & delete buttons. if ($downtime['executed'] == 0) { - // Edit. - $data['edit'] = ''.html_print_image('images/config.png', true, ['title' => __('Update')]).''; - // Delete. - $data['delete'] = ''.html_print_image('images/cross.png', true, ['title' => __('Delete')]); + if (check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AW') + || check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AD') + ) { + // Edit. + $data['edit'] = ''.html_print_image('images/config.png', true, ['title' => __('Update')]).''; + // Delete. + $data['delete'] = ''.html_print_image('images/cross.png', true, ['title' => __('Delete')]); + } else { + $data['edit'] = ''; + $data['delete'] = ''; + } } else if ($downtime['executed'] == 1 && $downtime['type_execution'] == 'once') { - // Edit. - $data['edit'] = ''.html_print_image('images/config.png', true, ['title' => __('Update')]).''; - // Delete. - $data['delete'] = __('N/A'); + if (check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AW') + || check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AD') + ) { + // Edit. + $data['edit'] = ''.html_print_image('images/config.png', true, ['title' => __('Update')]).''; + // Delete. 
+ $data['delete'] = __('N/A'); + } else { + $data['edit'] = ''; + $data['delete'] = ''; + } } else { $data['edit'] = ''; $data['delete'] = ''; diff --git a/pandora_console/godmode/alerts/alert_actions.php b/pandora_console/godmode/alerts/alert_actions.php index 70f4c46713..6e3f1c1f42 100644 --- a/pandora_console/godmode/alerts/alert_actions.php +++ b/pandora_console/godmode/alerts/alert_actions.php @@ -77,6 +77,15 @@ if ($copy_action) { $al_action = alerts_get_alert_action($id); + if (!check_acl_restricted_all($config['id_user'], $al_action['id_group'], 'LM')) { + db_pandora_audit( + 'ACL Violation', + 'Trying to access Alert Management' + ); + include 'general/noaccess.php'; + exit; + } + if ($al_action !== false) { // If user tries to copy an action with group=ALL. if ($al_action['id_group'] == 0) { @@ -144,6 +153,15 @@ if ($delete_action) { $al_action = alerts_get_alert_action($id); + if (!check_acl_restricted_all($config['id_user'], $al_action['id_group'], 'LM')) { + db_pandora_audit( + 'ACL Violation', + 'Trying to access Alert Management' + ); + include 'general/noaccess.php'; + exit; + } + if ($al_action !== false) { // If user tries to delete an action with group=ALL. if ($al_action['id_group'] == 0) { @@ -236,11 +254,18 @@ $table_filter->data[0][1] = html_print_input_text( 255, true ); + +$return_all_group = false; + +if (users_can_manage_group_all('LM') === true) { + $return_all_group = true; +} + $table_filter->data[0][2] = __('Group'); $table_filter->data[0][3] = html_print_select_groups( $config['id_user'], 'LM', - true, + $return_all_group, 'group_search', $group_search, '', 
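Review bot: The same two-call ACL expression (`check_acl_restricted_all(..., 'AW') || check_acl_restricted_all(..., 'AD')`) is repeated verbatim in three branches of this hunk; evaluate it once per row before the `type_execution`/`executed` branching, e.g. `$can_manage_downtime = check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AW') || check_acl_restricted_all($config['id_user'], $downtime['id_group'], 'AD');`, and branch on that. These checks only decide whether the stop/edit/delete links are rendered; the handlers that perform those actions are not in this hunk and must apply the same group check, since the outer `in_array($downtime['id_group'], $groupsAD)` condition still governs the row. The enclosing loop starts before this hunk.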
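Review bot: In the `$copy_action` branch the new check reads `$al_action['id_group']` before the existing `if ($al_action !== false)` test, so for an unknown `$id` it passes `null` as the group (with a PHP notice) and the result depends on how `check_acl_restricted_all()` treats it. Move the check inside the `!== false` block, or bail out first: `if ($al_action === false || !check_acl_restricted_all($config['id_user'], $al_action['id_group'], 'LM')) {`. The same ordering appears in the `$delete_action` branch of the next hunk. This file also uses `exit` after `noaccess.php` while most other files in this patch use `return`; one convention would be easier to audit.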
@@ -370,7 +395,12 @@ foreach ($actions as $action) { $data = []; - $data[0] = ''.$action['name'].''; + if (check_acl_restricted_all($config['id_user'], $action['id_group'], 'LM')) { + $data[0] = ''.$action['name'].''; + } else { + $data[0] = $action['name']; + } + $data[1] = $action['command_name']; $data[2] = ui_print_group_icon($action['id_group'], true).' '; if (!alerts_validate_command_to_action($action['id_group'], $action['command_group'])) { @@ -384,8 +414,11 @@ foreach ($actions as $action) { ); } + $data[3] = ''; + $data[4] = ''; + if (is_central_policies_on_node() === false - && check_acl($config['id_user'], $action['id_group'], 'LM') + && check_acl_restricted_all($config['id_user'], $action['id_group'], 'LM') ) { $table->cellclass[] = [ 3 => 'action_buttons', diff --git a/pandora_console/godmode/alerts/configure_alert_action.php b/pandora_console/godmode/alerts/configure_alert_action.php index 4d49cdd22b..02d86b0d0e 100644 --- a/pandora_console/godmode/alerts/configure_alert_action.php +++ b/pandora_console/godmode/alerts/configure_alert_action.php @@ -101,6 +101,15 @@ if ($id) { $group = $action['id_group']; $action_threshold = $action['action_threshold']; + + if (!check_acl_restricted_all($config['id_user'], $action['id_group'], 'LM')) { + db_pandora_audit( + 'ACL Violation', + 'Trying to access Alert Management' + ); + include 'general/noaccess.php'; + exit; + } } // Hidden div with help hint to fill with javascript. @@ -168,10 +177,16 @@ $table->data[1][0] = __('Group'); $own_info = get_user_info($config['id_user']); +$return_all_group = false; + +if (users_can_manage_group_all('LW') === true) { + $return_all_group = true; +} + $table->data[1][1] = '
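Review bot: The new check inside `if ($id)` runs after `$group = $action['id_group']` and the other assignments, so when `$action` is `false` for a bad id the check receives `null` for the group; guard with `if ($action === false || !check_acl_restricted_all(...))` and place it right after the action is loaded. The check uses `LM` while the group selector further down this file is built with `LW` — if that asymmetry is deliberate (write to create, manage to edit) a one-line comment here would save the next reader a round trip. The enclosing `if ($id)` block begins before this hunk.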
'.html_print_select_groups( false, 'LW', - true, + $return_all_group, 'group', $group, '', diff --git a/pandora_console/godmode/events/event_edit_filter.php b/pandora_console/godmode/events/event_edit_filter.php index 56201e3a28..4ae9b2e78c 100644 --- a/pandora_console/godmode/events/event_edit_filter.php +++ b/pandora_console/godmode/events/event_edit_filter.php @@ -40,7 +40,15 @@ $strict_user = db_get_value( ); if ($id) { - $permission = events_check_event_filter_group($id); + $restrict_all_group = false; + + if (!users_can_manage_group_all('EW') === true + && !users_can_manage_group_all('EM') === true + ) { + $restrict_all_group = true; + } + + $permission = events_check_event_filter_group($id, $restrict_all_group); if (!$permission) { // User doesn't have permissions to see this filter include 'general/noaccess.php'; @@ -262,12 +270,18 @@ $table->data[1][1] = '
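Review bot: The "All" option of the group selector is gated on `users_can_manage_group_all('LW')`, whereas re-opening an existing action earlier in this same file requires `LM` on its group; a user with LW but not LM on All could apparently create an All-group action and then be denied when editing it. Either gate the selector with `LM` to match, or document the intent. Hiding the option is also not enforcement — the save handler (outside this hunk) should reject `group == 0` with the same test.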
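Review bot: `!users_can_manage_group_all('EW') === true` parses as `(!users_can_manage_group_all('EW')) === true`, which happens to work for a boolean return but reads as if it were `!(... === true)`; write `users_can_manage_group_all('EW') === false && users_can_manage_group_all('EM') === false` instead. The new second argument to `events_check_event_filter_group($id, $restrict_all_group)` relies on the signature change in functions_events.php that the diffstat lists but this excerpt does not show — confirm the default keeps other callers working.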
'.html_print_select_groups( $strict_user ).'
'; +$return_all_group = false; + +if (users_can_manage_group_all('AR') === true) { + $return_all_group = true; +} + $table->data[2][0] = ''.__('Group').''; $display_all_group = (users_is_admin() || users_can_manage_group_all('AR')); $table->data[2][1] = '
'.html_print_select_groups( $config['id_user'], 'AR', - $display_all_group, + $return_all_group, 'id_group', $id_group, '', diff --git a/pandora_console/godmode/events/event_filter.php b/pandora_console/godmode/events/event_filter.php index c9c3f7f226..357a745cb6 100644 --- a/pandora_console/godmode/events/event_filter.php +++ b/pandora_console/godmode/events/event_filter.php @@ -35,6 +35,19 @@ $multiple_delete = (bool) get_parameter('multiple_delete', 0); if ($delete) { $id = (int) get_parameter('id'); + $filter_group = (int) db_get_value('id_group', 'tevent_filter', 'id_filter', $id); + + if (!check_acl_restricted_all($config['id_user'], $filter_group, 'EW') + && !check_acl_restricted_all($config['id_user'], $filter_group, 'EM') + ) { + db_pandora_audit( + 'ACL Violation', + 'Trying to access events filter editor' + ); + include 'general/noaccess.php'; + return; + } + $id_filter = db_get_value('id_filter', 'tevent_filter', 'id_filter', $id); if ($id_filter === false) { 
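Review bot: `$display_all_group = (users_is_admin() || users_can_manage_group_all('AR'));` is now dead — the select takes `$return_all_group` — and should be removed rather than left beside its replacement. The replacement also drops the `users_is_admin()` shortcut; if `users_can_manage_group_all()` already returns true for admins that is fine, otherwise admins lose the All option. Note the selector and the All gate use `AR` while the page's permission check above uses EW/EM; a comment explaining why the read privilege governs the selectable groups would help.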
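Review bot: `(int) db_get_value('id_group', 'tevent_filter', 'id_filter', $id)` turns a missing filter (`false`) into group `0`, so a non-existent id is evaluated as an All-group filter before the later `$id_filter === false` check; drop the cast and test `$filter_group === false` first. The `$multiple_delete` flag read at the top of this hunk is not covered by the new check — if that branch (outside this hunk) deletes the posted ids, it needs the same per-filter EW/EM test.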
@@ -151,13 +164,27 @@ foreach ($filters as $filter) { $data = []; $data[0] = html_print_checkbox_extended('delete_multiple[]', $filter['id_filter'], false, false, '', 'class="check_delete"', true); - $data[1] = ''.$filter['id_name'].''; + + if (!check_acl_restricted_all($config['id_user'], $filter['id_group'], 'EW') + && !check_acl_restricted_all($config['id_user'], $filter['id_group'], 'EM') + ) { + $data[1] = $filter['id_name']; + } else { + $data[1] = ''.$filter['id_name'].''; + } + $data[2] = ui_print_group_icon($filter['id_group_filter'], true); $data[3] = events_get_event_types($filter['event_type']); $data[4] = events_get_status($filter['status']); $data[5] = events_get_severity_types($filter['severity']); - $table->cellclass[][6] = 'action_buttons'; - $data[6] = "".html_print_image('images/cross.png', true, ['title' => __('Delete')]).''; + $data[6] = ''; + + if (check_acl_restricted_all($config['id_user'], $filter['id_group'], 'EW') + || check_acl_restricted_all($config['id_user'], $filter['id_group'], 'EM') + ) { + $table->cellclass[][6] = 'action_buttons'; + $data[6] = "".html_print_image('images/cross.png', true, ['title' => __('Delete')]).''; + } array_push($table->data, $data); } diff --git a/pandora_console/godmode/events/event_responses.editor.php b/pandora_console/godmode/events/event_responses.editor.php index 80ca390b51..7ed046a8cb 100644 --- a/pandora_console/godmode/events/event_responses.editor.php +++ b/pandora_console/godmode/events/event_responses.editor.php 
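Review bot: The `delete_multiple[]` checkbox in `$data[0]` is still rendered for every filter, including those for which the delete link is now suppressed, so a multi-delete submission can carry ids the user may not manage. nf_edit.php in this same patch gates the checkbox behind the ACL; do the same here — move `$data[0] = html_print_checkbox_extended(...)` into the EW/EM branch and set `$data[0] = '';` otherwise — and enforce the check in the multiple-delete handler. The two-call ACL expression is also evaluated twice per row; compute it once. The enclosing `foreach` starts before this hunk.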
@@ -39,6 +39,16 @@ $event_response_id = get_parameter('id_response', 0); if ($event_response_id > 0) { $event_response = db_get_row('tevent_response', 'id', $event_response_id); + + // ACL check for event response edition. + if (!check_acl_restricted_all($config['id_user'], $event_response['id_group'], 'PM')) { + db_pandora_audit( + 'ACL Violation', + 'Trying to access Group Management' + ); + include 'general/noaccess.php'; + return; + } } else { $event_response = []; $event_response['name'] = ''; @@ -84,8 +94,14 @@ $data[1] = html_print_input_text( ); $data[1] .= html_print_input_hidden('id_response', $event_response['id'], true); +$return_all_group = false; + +if (users_can_manage_group_all('PM') === true) { + $return_all_group = true; +} + $data[2] = __('Group'); -$data[3] = html_print_select_groups(false, 'PM', true, 'id_group', $event_response['id_group'], '', '', '', true); +$data[3] = html_print_select_groups(false, 'PM', $return_all_group, 'id_group', $event_response['id_group'], '', '', '', true); $table->data[0] = $data; $data = []; diff --git a/pandora_console/godmode/events/event_responses.list.php b/pandora_console/godmode/events/event_responses.list.php index f8e4de7357..7c4a52bb74 100644 --- a/pandora_console/godmode/events/event_responses.list.php +++ b/pandora_console/godmode/events/event_responses.list.php @@ -55,6 +55,10 @@ $table->head[3] = __('Actions'); $table->data = []; foreach ($event_responses as $response) { + if (!check_acl_restricted_all($config['id_user'], $response['id_group'], 'PM')) { + continue; + } + $data = []; $data[0] = ''.$response['name'].''; $data[1] = $response['description']; diff --git a/pandora_console/godmode/gis_maps/configure_gis_map.php b/pandora_console/godmode/gis_maps/configure_gis_map.php index a56e69dcb1..907786e6fd 100644 --- a/pandora_console/godmode/gis_maps/configure_gis_map.php +++ b/pandora_console/godmode/gis_maps/configure_gis_map.php 
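Review bot: `db_get_row('tevent_response', 'id', $event_response_id)` returns `false` when the id does not exist, so the new check dereferences `$event_response['id_group']` on `false` and the ACL outcome for unknown ids is whatever `check_acl_restricted_all()` makes of `null`; test `$event_response === false` first and treat it as no access. The audit message `'Trying to access Group Management'` looks pasted from another page — `'Trying to access event responses editor'` would keep the audit log searchable.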
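Review bot: Skipping rows with `continue` when the PM check fails hides responses from the list but does not protect the edit/delete actions linked from the remaining rows or reached directly by id; the handlers for those actions are outside this hunk and need the same `check_acl_restricted_all(..., 'PM')` on the response's group. Consider also whether silently omitting rows, rather than showing them without action links as the other lists in this patch do, is the intended behaviour.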
@@ -30,6 +30,14 @@ require_once 'include/functions_gis.php'; $idMap = (int) get_parameter('map_id', 0); $action = get_parameter('action', 'new_map'); +$gis_map_group = db_get_value('group_id', 'tgis_map', 'id_tgis_map', $idMap); + +if (!check_acl_restricted_all($config['id_user'], $gis_map_group, 'MW') && !check_acl_restricted_all($config['id_user'], $gis_map_group, 'MW')) { + db_pandora_audit('ACL Violation', 'Trying to access map builder'); + include 'general/noaccess.php'; + return; +} + $sec2 = get_parameter_get('sec2'); $sec2 = safe_url_extraclean($sec2); diff --git a/pandora_console/godmode/netflow/nf_edit.php b/pandora_console/godmode/netflow/nf_edit.php index bb7a456a69..37e8f53431 100644 --- a/pandora_console/godmode/netflow/nf_edit.php +++ b/pandora_console/godmode/netflow/nf_edit.php @@ -68,6 +68,19 @@ $multiple_delete = (bool) get_parameter('multiple_delete', 0); $id = (int) get_parameter('id'); $name = (string) get_parameter('name'); +if ($id > 0) { + $filter_group = db_get_value('id_group', 'tnetflow_filter', 'id_sg', $id); + + if (!check_acl_restricted_all($config['id_user'], $filter_group, 'AW')) { + db_pandora_audit( + 'ACL Violation', + 'Trying to access events filter editor' + ); + include 'general/noaccess.php'; + return; + } +} + if ($delete) { $id_filter = db_get_value('id_name', 'tnetflow_filter', 'id_sg', $id); $result = db_process_sql_delete( 
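Review bot: Both halves of the new condition test `'MW'`, so the second call is redundant; by analogy with gis_map.php in this patch the second privilege was presumably `'MM'`: `if (!check_acl_restricted_all($config['id_user'], $gis_map_group, 'MW') && !check_acl_restricted_all($config['id_user'], $gis_map_group, 'MM')) {`. The lookup also runs for `$idMap === 0` (the default when creating a map), where `db_get_value()` returns `false`; unless the helper treats `false` as a group this will deny or mis-evaluate new-map creation, so wrap the block in `if ($idMap > 0)` as the other editors in this patch do.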
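Review bot: The audit string `'Trying to access events filter editor'` is copied from the event filter page; this is the netflow filter editor, so the audit trail will mislabel the event — use `'Trying to access netflow filter editor'`. The check covers `$delete` and any other action keyed on `$id`, but the `$multiple_delete` flag read just above it is not gated here; if that branch deletes posted ids it needs a per-id AW check on each filter's group.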
@@ -164,12 +177,24 @@ $total_filters = $total_filters[0]['total']; foreach ($filters as $filter) { $data = []; - $data[0] = html_print_checkbox_extended('delete_multiple[]', $filter['id_sg'], false, false, '', 'class="check_delete"', true); - $data[1] = ''.$filter['id_name'].''; + $data[0] = ''; + + if (check_acl_restricted_all($config['id_user'], $filter['id_group'], 'AW')) { + $data[0] = html_print_checkbox_extended('delete_multiple[]', $filter['id_sg'], false, false, '', 'class="check_delete"', true); + $data[1] = ''.$filter['id_name'].''; + } else { + $data[1] = $filter['id_name']; + } + + $data[2] = ui_print_group_icon($filter['id_group'], true, 'groups_small', '', !defined('METACONSOLE')); - $table->cellclass[][3] = 'action_buttons'; - $data[3] = "".html_print_image('images/cross.png', true, ['title' => __('Delete')]).''; + $data[3] = ''; + + if (check_acl_restricted_all($config['id_user'], $filter['id_group'], 'AW')) { + $table->cellclass[][3] = 'action_buttons'; + $data[3] = "".html_print_image('images/cross.png', true, ['title' => __('Delete')]).''; + } array_push($table->data, $data); } diff --git a/pandora_console/godmode/reporting/graph_builder.main.php b/pandora_console/godmode/reporting/graph_builder.main.php index d50a5d8b55..ea59795da7 100644 --- a/pandora_console/godmode/reporting/graph_builder.main.php +++ b/pandora_console/godmode/reporting/graph_builder.main.php @@ -132,12 +132,20 @@ $output .= '>'; $own_info = get_user_info($config['id_user']); +$return_all_group = true; + +if (users_can_manage_group_all('RW') === false + && users_can_manage_group_all('RM') === false +) { + $return_all_group = false; +} + $output .= ''.__('Group').''; if (check_acl($config['id_user'], 0, 'RW')) { $output .= html_print_select_groups( $config['id_user'], 'RW', - true, + $return_all_group, 'graph_id_group', $id_group, '', 
@@ -149,7 +157,7 @@ if (check_acl($config['id_user'], 0, 'RW')) { $output .= html_print_select_groups( $config['id_user'], 'RM', - true, + $return_all_group, 'graph_id_group', $id_group, '', diff --git a/pandora_console/godmode/reporting/graph_builder.php b/pandora_console/godmode/reporting/graph_builder.php index f0262f6e5f..4fde79ed82 100644 --- a/pandora_console/godmode/reporting/graph_builder.php +++ b/pandora_console/godmode/reporting/graph_builder.php @@ -83,6 +83,20 @@ $change_weight = (bool) get_parameter('change_weight', false); $change_label = (bool) get_parameter('change_label', false); $id_graph = (int) get_parameter('id', 0); +if ($id_graph > 0) { + $graph_group = db_get_value('id_group', 'tgraph', 'id_graph', $id_graph); + if (!check_acl_restricted_all($config['id_user'], $graph_group, 'RW') + && !check_acl_restricted_all($config['id_user'], $graph_group, 'RM') + ) { + db_pandora_audit( + 'ACL Violation', + 'Trying to access graph builder' + ); + include 'general/noaccess.php'; + exit; + } +} + if ($id_graph !== 0) { $sql = "SELECT * FROM tgraph WHERE (private = 0 OR (private = 1 AND id_user = '".$config['id_user']."')) diff --git a/pandora_console/godmode/reporting/graphs.php b/pandora_console/godmode/reporting/graphs.php index 958819a95b..980197cd54 100644 --- a/pandora_console/godmode/reporting/graphs.php +++ b/pandora_console/godmode/reporting/graphs.php @@ -88,7 +88,11 @@ ui_print_page_header(__('Reporting').' » '.__('Custom graphs'), 'images/ch // Delete module SQL code if ($delete_graph) { - if ($report_w || $report_m) { + $graph_group = db_get_value('id_group', 'tgraph', 'id_graph', $id); + + if (check_acl_restricted_all($config['id_user'], $graph_group, 'RW') + || check_acl_restricted_all($config['id_user'], $graph_group, 'RM') + ) { $exist = db_get_value('id_graph', 'tgraph_source', 'id_graph', $id); if ($exist) { $result = db_process_sql_delete('tgraph_source', ['id_graph' => $id]); 
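Review bot: For an `$id_graph` that does not exist, `db_get_value('id_group', 'tgraph', 'id_graph', $id_graph)` returns `false` and that value is fed to `check_acl_restricted_all()`; add `$graph_group === false ||` to the deny condition so unknown graphs are refused explicitly rather than depending on the helper's coercion. This block uses `exit` where the neighbouring planned_downtime/event_filter changes use `return` after including `noaccess.php`; pick one so teardown behaviour is consistent across the patch.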
@@ -299,16 +303,17 @@ $table_aux = new stdClass(); $data[4] = ''; $table->cellclass[][4] = 'action_buttons'; - if (($report_w || $report_m)) { + if (check_acl_restricted_all($config['id_user'], $graph['id_group'], 'RM') + || check_acl_restricted_all($config['id_user'], $graph['id_group'], 'RW') + ) { $data[4] = ''.html_print_image('images/config.png', true).''; } - if ($report_m) { + $data[5] = ''; + if (check_acl_restricted_all($config['id_user'], $graph['id_group'], 'RM')) { $data[4] .= ''.html_print_image('images/cross.png', true, ['alt' => __('Delete'), 'title' => __('Delete')]).''; - } - if ($report_m) { $data[5] .= html_print_checkbox_extended('delete_multiple[]', $graph['id_graph'], false, false, '', 'class="check_delete" style="margin-left:2px;"', true); } diff --git a/pandora_console/godmode/reporting/map_builder.php b/pandora_console/godmode/reporting/map_builder.php index 9f8b8f0162..f1fab5f2d8 100644 --- a/pandora_console/godmode/reporting/map_builder.php +++ b/pandora_console/godmode/reporting/map_builder.php @@ -123,8 +123,8 @@ if ($delete_layout || $copy_layout) { // ACL for the visual console // $vconsole_read = check_acl ($config['id_user'], $group_id, "VR"); - $vconsole_write = check_acl($config['id_user'], $group_id, 'VW'); - $vconsole_manage = check_acl($config['id_user'], $group_id, 'VM'); + $vconsole_write = check_acl_restricted_all($config['id_user'], $group_id, 'VW'); + $vconsole_manage = check_acl_restricted_all($config['id_user'], $group_id, 'VM'); if (!$vconsole_write && !$vconsole_manage) { db_pandora_audit( 
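Review bot: The delete handler now accepts `RW` or `RM` on the graph's group, but the list below (second hunk of this file) renders the delete icon and the multi-delete checkbox only for `RM`, so a user with RW alone can still delete by requesting the URL directly. Tighten the handler to `if (check_acl_restricted_all($config['id_user'], $graph_group, 'RM')) {` to match the UI, or widen the UI — the two must agree. As elsewhere, a missing graph yields `$graph_group === false` and should be rejected before the ACL call.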
@@ -441,8 +441,10 @@ if (!$maps && !is_metaconsole()) { $data[1] = ui_print_group_icon($map['id_group'], true); $data[2] = db_get_sql('SELECT COUNT(*) FROM tlayout_data WHERE id_layout = '.$map['id']); - // Fix: IW was the old ACL for report editing, now is RW - if ($vconsoles_write || $vconsoles_manage) { + $vconsoles_write_action_btn = check_acl_restricted_all($config['id_user'], $map['id_group'], 'VW'); + $vconsoles_manage_action_btn = check_acl_restricted_all($config['id_user'], $map['id_group'], 'VM'); + + if ($vconsoles_write_action_btn || $vconsoles_manage_action_btn) { if (!is_metaconsole()) { $table->cellclass[] = [ 3 => 'action_buttons', diff --git a/pandora_console/godmode/reporting/reporting_builder.main.php b/pandora_console/godmode/reporting/reporting_builder.main.php index 224b2ce517..5ba61658fa 100755 --- a/pandora_console/godmode/reporting/reporting_builder.main.php +++ b/pandora_console/godmode/reporting/reporting_builder.main.php @@ -114,11 +114,17 @@ if (isset($write_groups[$idGroupReport]) === false && $idGroupReport) { $write_groups[$idGroupReport] = groups_get_name($idGroupReport); } +$return_all_group = false; + +if (users_can_manage_group_all('RW') === true) { + $return_all_group = true; +} + $table->data['group'][1] = '
'; $table->data['group'][1] .= html_print_select_groups( $config['id_user'], 'AR', - true, + $return_all_group, 'id_group', $idGroupReport, '', diff --git a/pandora_console/godmode/reporting/reporting_builder.php b/pandora_console/godmode/reporting/reporting_builder.php index 8ac3a11e37..5a0fe779c4 100755 --- a/pandora_console/godmode/reporting/reporting_builder.php +++ b/pandora_console/godmode/reporting/reporting_builder.php @@ -158,6 +158,26 @@ $pure = get_parameter('pure', 0); $schedule_report = get_parameter('schbutton', ''); $pagination = (int) get_parameter('pagination', $config['block_size']); +if ($action == 'edit' && $idReport > 0) { + $report_group = db_get_value( + 'id_group', + 'treport', + 'id_report', + $idReport + ); + + if (! check_acl_restricted_all($config['id_user'], $report_group, 'RW') + && ! check_acl_restricted_all($config['id_user'], $report_group, 'RM') + ) { + db_pandora_audit( + 'ACL Violation', + 'Trying to access report builder' + ); + include 'general/noaccess.php'; + exit; + } +} + if ($schedule_report != '') { $id_user_task = 1; $scheduled = 'no'; @@ -909,8 +929,8 @@ switch ($action) { $data = []; - if (check_acl($config['id_user'], $report['id_group'], 'RW') - || check_acl($config['id_user'], $report['id_group'], 'RM') + if (check_acl_restricted_all($config['id_user'], $report['id_group'], 'RW') + || check_acl_restricted_all($config['id_user'], $report['id_group'], 'RM') ) { $data[0] = ''.ui_print_truncate_text($report['name'], 70).''; } else { @@ -994,7 +1014,7 @@ switch ($action) { switch ($type_access_selected) { case 'group_view': - $edit = check_acl( + $edit = check_acl_restricted_all( $config['id_user'], $report['id_group'], 'RW' @@ -1005,7 +1025,7 @@ switch ($action) { break; case 'group_edit': - $edit = check_acl( + $edit = check_acl_restricted_all( $config['id_user'], $report['id_group_edit'], 'RW' 
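Review bot: The group selector is populated with privilege `'AR'` while its All entry is gated on `users_can_manage_group_all('RW')` and reporting_builder.php enforces RW/RM on the report's group; a user can be offered read-only groups as the report's group, and the mismatch between `'AR'` and `'RW'` in two adjacent arguments is hard to justify without a comment. Consider `html_print_select_groups($config['id_user'], 'RW', $return_all_group, ...)`, or explain why the read privilege is the right filter here. The save path that consumes `id_group` is outside this hunk and should reject group 0 when the All test fails.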
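Review bot: The new guard only fires for `$action == 'edit'`; any other action that operates on `$idReport` (delete, copy, item edition, scheduling via `$schedule_report`) is not covered by this block and would need the same RW/RM check on `$report_group`. If those paths are protected elsewhere in the file, a comment here saying so would stop the next reader from assuming this is the only gate. `! check_acl_restricted_all(` with a space after `!` also departs from the style used in the rest of the patch. The surrounding file code continues past this hunk.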
diff --git a/pandora_console/godmode/reporting/visual_console_builder.data.php b/pandora_console/godmode/reporting/visual_console_builder.data.php index 5a0d4fb0f5..79b561edf0 100644 --- a/pandora_console/godmode/reporting/visual_console_builder.data.php +++ b/pandora_console/godmode/reporting/visual_console_builder.data.php @@ -133,13 +133,18 @@ if ($action == 'new') { src="">'; } -$table->data[1][0] = __('Group:'); +$table->data[1][0] = __('Group'); +$return_all_group = false; + +if (users_can_manage_group_all('RW') === true) { + $return_all_group = true; +} $table->data[1][1] = '
'.html_print_select_groups( $config['id_user'], 'RW', - true, + $return_all_group, 'id_group', $idGroup, '', diff --git a/pandora_console/godmode/reporting/visual_console_builder.php b/pandora_console/godmode/reporting/visual_console_builder.php index 775230c471..67194d21fa 100755 --- a/pandora_console/godmode/reporting/visual_console_builder.php +++ b/pandora_console/godmode/reporting/visual_console_builder.php @@ -85,8 +85,8 @@ else if ($activeTab != 'data' || ($activeTab == 'data' && $action != 'new')) { // ACL for the existing visual console // $vconsole_read = check_acl ($config['id_user'], $visualConsole['id_group'], "VR"); - $vconsole_write = check_acl($config['id_user'], $visualConsole['id_group'], 'VW'); - $vconsole_manage = check_acl($config['id_user'], $visualConsole['id_group'], 'VM'); + $vconsole_write = check_acl_restricted_all($config['id_user'], $visualConsole['id_group'], 'VW'); + $vconsole_manage = check_acl_restricted_all($config['id_user'], $visualConsole['id_group'], 'VM'); } else { db_pandora_audit( 'ACL Violation', @@ -143,8 +143,8 @@ switch ($activeTab) { // ACL for the new visual console // $vconsole_read_new = check_acl ($config['id_user'], $idGroup, "VR"); - $vconsole_write_new = check_acl($config['id_user'], $idGroup, 'VW'); - $vconsole_manage_new = check_acl($config['id_user'], $idGroup, 'VM'); + $vconsole_write_new = check_acl_restricted_all($config['id_user'], $idGroup, 'VW'); + $vconsole_manage_new = check_acl_restricted_all($config['id_user'], $idGroup, 'VM'); // The user should have permissions on the new group if (!$vconsole_write_new && !$vconsole_manage_new) { diff --git a/pandora_console/include/class/CredentialStore.class.php b/pandora_console/include/class/CredentialStore.class.php index 073f0831a3..0d918e5e5a 100644 --- a/pandora_console/include/class/CredentialStore.class.php +++ b/pandora_console/include/class/CredentialStore.class.php 
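Review bot: The All option here is gated on `users_can_manage_group_all('RW')` and the selector filters groups by `'RW'`, but visual consoles are governed by `VW`/`VM` everywhere else in this patch (visual_console_builder.php, map_builder.php); `RW` is the reporting privilege. Unless the selector deliberately reuses reporting ACLs, use `users_can_manage_group_all('VW') || users_can_manage_group_all('VM')` and `'VW'` for the selector so the form offers the groups the builder will accept. Changing `__('Group:')` to `__('Group')` also alters a translation key, which may orphan existing translations.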
@@ -351,7 +351,21 @@ class CredentialStore extends Wizard return db_get_value_sql($sql); } - return db_get_all_rows_sql($sql); + $return = db_get_all_rows_sql($sql); + + // Filter out those items of group all that cannot be edited by user. + $return = array_filter( + $return, + function ($item) { + if ($item['id_group'] == 0 && users_can_manage_group_all('AR') === false) { + return false; + } else { + return true; + } + } + ); + + return $return; } @@ -826,6 +840,12 @@ class CredentialStore extends Wizard $values = []; } + $return_all_group = false; + + if (users_can_manage_group_all('AR') === true) { + $return_all_group = true; + } + $form = [ 'action' => '#', 'id' => 'modal_form', @@ -855,7 +875,7 @@ class CredentialStore extends Wizard 'id' => 'id_group', 'input_class' => 'flex-row', 'type' => 'select_groups', - 'returnAllGroup' => true, + 'returnAllGroup' => $return_all_group, 'selected' => $values['id_group'], 'return' => true, 'class' => 'w50p', @@ -999,6 +1019,7 @@ class CredentialStore extends Wizard * Process datatable item before draw it. */ function process_datatables_item(item) { + id = item.identifier; idrow = ' $this->dashboardFields['name'], 'hash' => self::generatePublicHash(), 'publicLink' => $this->publicLink, + 'dashboardGroup' => $this->dashboardFields['id_group'], ] ); } else { @@ -1025,6 +1026,7 @@ class Manager 'cells' => $this->cells, 'cellModeSlides' => $this->cellModeSlides, 'cellId' => ($this->cellId === 0) ? $this->cells[0]['id'] : $this->cellId, + 'dashboardGroup' => $this->dashboardFields['id_group'], ] ); } diff --git a/pandora_console/operation/agentes/pandora_networkmap.editor.php b/pandora_console/operation/agentes/pandora_networkmap.editor.php index a16874705c..1858985406 100644 --- a/pandora_console/operation/agentes/pandora_networkmap.editor.php +++ b/pandora_console/operation/agentes/pandora_networkmap.editor.php 
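Review bot: `db_get_all_rows_sql($sql)` can return `false` when there are no rows, and `array_filter(false, ...)` is a `TypeError` on PHP 8 (a warning returning `null` on 7.x), so the method's previous `false` result is lost; return early with `if ($return === false) { return false; }` before filtering. `array_filter` also preserves keys, so after removing an All-group row the result is no longer a list and `json_encode` will emit an object — wrap it in `array_values()`. The gate uses `'AR'`, a read privilege, to decide which All-group credentials a user may see and edit; confirm that is the intended level for a credential store and say so in the comment.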
@@ -80,9 +80,15 @@ if ($edit_networkmap) { } else { $id_group = $values['id_group']; + $id_group_acl_check = $id_group_map; + + if ($id_group_map === null) { + $id_group_acl_check = $values['id_group_map']; + } + // ACL for the network map. - $networkmap_write = check_acl($config['id_user'], $id_group_map, 'MW'); - $networkmap_manage = check_acl($config['id_user'], $id_group_map, 'MM'); + $networkmap_write = check_acl_restricted_all($config['id_user'], $id_group_acl_check, 'MW'); + $networkmap_manage = check_acl_restricted_all($config['id_user'], $id_group_acl_check, 'MM'); if (!$networkmap_write && !$networkmap_manage) { db_pandora_audit( @@ -265,6 +271,12 @@ if ($not_found) { true ); + $return_all_group = false; + + if (users_can_manage_group_all('AR') === true) { + $return_all_group = true; + } + $table->data[1][0] = __('Group'); $table->data[1][1] = '
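Review bot: The fallback `if ($id_group_map === null) { $id_group_acl_check = $values['id_group_map']; }` only triggers on a strict `null`; if `$id_group_map` comes from `get_parameter()` with a default of `0` or `''` (its assignment is before this hunk), the fallback never runs and the ACL is evaluated against group 0 instead of the map's stored group. Consider `if (empty($id_group_map))` or checking the raw parameter's presence, and add a comment stating which source is authoritative for an existing map.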
'.html_print_select_groups( // Id_user. @@ -272,7 +284,7 @@ if ($not_found) { // Privilege. 'AR', // ReturnAllGroup. - true, + $return_all_group, // Name. 'id_group_map', // Selected. diff --git a/pandora_console/operation/agentes/pandora_networkmap.php b/pandora_console/operation/agentes/pandora_networkmap.php index c50bfd9d0e..3c42108008 100644 --- a/pandora_console/operation/agentes/pandora_networkmap.php +++ b/pandora_console/operation/agentes/pandora_networkmap.php @@ -57,8 +57,8 @@ if (enterprise_installed()) { // ACL for the network map. // $networkmap_read = check_acl ($config['id_user'], $id_group, "MR"); - $networkmap_write = check_acl($config['id_user'], $id_group_map, 'MW'); - $networkmap_manage = check_acl($config['id_user'], $id_group_map, 'MM'); + $networkmap_write = check_acl_restricted_all($config['id_user'], $id_group_map, 'MW'); + $networkmap_manage = check_acl_restricted_all($config['id_user'], $id_group_map, 'MM'); if (!$networkmap_write && !$networkmap_manage) { db_pandora_audit( @@ -145,8 +145,8 @@ if (enterprise_installed()) { // ACL for the new network map - $networkmap_write_new = check_acl($config['id_user'], $id_group_map, 'MW'); - $networkmap_manage_new = check_acl($config['id_user'], $id_group_map, 'MM'); + $networkmap_write_new = check_acl_restricted_all($config['id_user'], $id_group_map, 'MW'); + $networkmap_manage_new = check_acl_restricted_all($config['id_user'], $id_group_map, 'MM'); if (!$networkmap_write && !$networkmap_manage) { db_pandora_audit( 
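Review bot: The group selector for a network map is filtered by `'AR'` and its All entry gated on `users_can_manage_group_all('AR')`, while the map's own ACL (first hunk of this file) is MW/MM; a user could pick a group they can only read as the map's group. Use the MW/MM privileges for both the selector and the All gate, or comment why agent-read access is the intended filter. The save handler that consumes `id_group_map` is outside this hunk and should reject 0 when the All test fails.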
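Review bot: `$networkmap_write_new` and `$networkmap_manage_new` are computed for the new group, but the `if` on the next line still tests `$networkmap_write` and `$networkmap_manage`, so the new-group result is never used and the patch preserves that gap; change it to `if (!$networkmap_write_new && !$networkmap_manage_new) {`. The same pattern recurs in the `-440` hunk of this file. The enclosing block starts before this hunk.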
@@ -230,8 +230,8 @@ if ($new_networkmap || $save_networkmap) { // ACL for the network map // $networkmap_read = check_acl ($config['id_user'], $id_group, "MR"); - $networkmap_write = check_acl($config['id_user'], $id_group_map, 'MW'); - $networkmap_manage = check_acl($config['id_user'], $id_group_map, 'MM'); + $networkmap_write = check_acl_restricted_all($config['id_user'], $id_group_map, 'MW'); + $networkmap_manage = check_acl_restricted_all($config['id_user'], $id_group_map, 'MM'); if (!$networkmap_write && !$networkmap_manage) { db_pandora_audit( @@ -420,8 +420,8 @@ else if ($update_networkmap || $copy_networkmap || $delete) { return; } - $networkmap_write = check_acl($config['id_user'], $id_group_map_old, 'MW'); - $networkmap_manage = check_acl($config['id_user'], $id_group_map_old, 'MM'); + $networkmap_write = check_acl_restricted_all($config['id_user'], $id_group_map_old, 'MW'); + $networkmap_manage = check_acl_restricted_all($config['id_user'], $id_group_map_old, 'MM'); if (!$networkmap_write && !$networkmap_manage) { db_pandora_audit( @@ -440,8 +440,8 @@ else if ($update_networkmap || $copy_networkmap || $delete) { // ACL for the new network map $id_group_map = (int) get_parameter('id_group_map', 0); - $networkmap_write_new = check_acl($config['id_user'], $id_group_map, 'MW'); - $networkmap_manage_new = check_acl($config['id_user'], $id_group_map, 'MM'); + $networkmap_write_new = check_acl_restricted_all($config['id_user'], $id_group_map, 'MW'); + $networkmap_manage_new = check_acl_restricted_all($config['id_user'], $id_group_map, 'MM'); if (!$networkmap_write && !$networkmap_manage) { db_pandora_audit( 
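Review bot: After computing `$networkmap_write_new`/`$networkmap_manage_new` for the posted `id_group_map`, the condition still tests the old-group variables `$networkmap_write`/`$networkmap_manage`, so moving a map into a group the user cannot manage is not blocked here; use `if (!$networkmap_write_new && !$networkmap_manage_new) {`. Since `get_parameter('id_group_map', 0)` defaults to 0, a request omitting the parameter is evaluated against group All — confirm that is intended and comment it.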
@@ -727,9 +727,9 @@ switch ($tab) { foreach ($network_maps as $network_map) { // ACL for the network map - $networkmap_read = check_acl($config['id_user'], $network_map['id_group_map'], 'MR'); - $networkmap_write = check_acl($config['id_user'], $network_map['id_group_map'], 'MW'); - $networkmap_manage = check_acl($config['id_user'], $network_map['id_group_map'], 'MM'); + $networkmap_read = check_acl_restricted_all($config['id_user'], $network_map['id_group_map'], 'MR'); + $networkmap_write = check_acl_restricted_all($config['id_user'], $network_map['id_group_map'], 'MW'); + $networkmap_manage = check_acl_restricted_all($config['id_user'], $network_map['id_group_map'], 'MM'); if (!$networkmap_read && !$networkmap_write && !$networkmap_manage) { db_pandora_audit( @@ -785,6 +785,10 @@ switch ($tab) { $data['groups'] = ui_print_group_icon($network_map['id_group_map'], true); + $data['copy'] = ''; + $data['edit'] = ''; + $data['delete'] = ''; + if ($networkmap_write || $networkmap_manage) { $table->cellclass[] = [ 'copy' => 'action_buttons', diff --git a/pandora_console/operation/gis_maps/gis_map.php b/pandora_console/operation/gis_maps/gis_map.php index 59b3b6da64..01653e958b 100644 --- a/pandora_console/operation/gis_maps/gis_map.php +++ b/pandora_console/operation/gis_maps/gis_map.php @@ -170,8 +170,10 @@ if ($maps !== false) { $data['name'] = ''.$map['map_name'].' '; $data['group'] = ui_print_group_icon($map['group_id'], true); - if ($edit_gis_maps) { - if ($display_default_column) { + $data['op'] = ''; + + if (check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW') || check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM')) { + if (check_acl_restricted_all($config['id_user'], 0, 'MM')) { $checked = false; if ($map['default_map']) { $checked = true; diff --git a/pandora_console/operation/reporting/graph_viewer.php b/pandora_console/operation/reporting/graph_viewer.php index 68acde60a1..47610af86a 100644 
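Review bot: The per-row checks that replace `$edit_gis_maps` and `$display_default_column` in the gis_map.php hunk leave those two variables, assigned outside the hunk, apparently unread; if nothing else uses them, drop their assignments so the old global-group ACL result does not linger. The two check_acl_restricted_all calls on `$map['group_id']` are evaluated inside the loop on one long line; a local such as `$can_manage_map = check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW') || check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM');` keeps the condition readable. The nested `check_acl_restricted_all($config['id_user'], 0, 'MM')` that gates the default-map column does not depend on the row and can be computed once before the loop. The enclosing loop starts and ends outside the hunk.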
--- a/pandora_console/operation/reporting/graph_viewer.php +++ b/pandora_console/operation/reporting/graph_viewer.php @@ -145,7 +145,9 @@ if ($view_graph) { $options = []; - if (check_acl($config['id_user'], 0, 'RW')) { + if (check_acl_restricted_all($config['id_user'], $graph['id_group'], 'RW') + || check_acl_restricted_all($config['id_user'], $graph['id_group'], 'RM') + ) { $options = [ 'graph_list' => [ 'active' => false, @@ -160,6 +162,13 @@ if ($view_graph) { 'text' => ''.html_print_image('images/builder.png', true, ['title' => __('Graph editor')]).'', ], ]; + } else { + $options = [ + 'graph_list' => [ + 'active' => false, + 'text' => ''.html_print_image('images/list.png', true, ['title' => __('Graph list')]).'', + ], + ]; } $options['view']['text'] = ''.html_print_image( @@ -275,7 +284,7 @@ if ($view_graph) { echo ''; echo ""; - echo "
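Review bot: The `else` branch added in the @@ -160 hunk duplicates the `graph_list` entry that the permitted branch already builds, so the list-button markup now lives in two places. Build `$options` with the `graph_list` entry unconditionally and add the editor entry only inside the `check_acl_restricted_all(...'RW') || ...'RM'` branch; that removes both the duplicate and the `else`. `$graph['id_group']` is read in the new condition but `$graph` is loaded outside the hunk, so confirm it is populated on every path that reaches this code — an unknown graph would hand a null group to the ACL check.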
  ".__('Equalize maximum thresholds').''.ui_print_help_tip(__('If an option is selected, all graphs will have the highest value from all modules included in the graph as a maximum threshold'), true); + echo "
  ".__('Equalize maxiddmum thresholds').''.ui_print_help_tip(__('If an option is selected, all graphs will have the highest value from all modules included in the graph as a maximum threshold'), true); html_print_checkbox('threshold', CUSTOM_GRAPH_BULLET_CHART_THRESHOLD, $check, false, false, '', false); echo '
'; diff --git a/pandora_console/operation/reporting/reporting_viewer.php b/pandora_console/operation/reporting/reporting_viewer.php index 7528f15253..cc35a6cdfa 100755 --- a/pandora_console/operation/reporting/reporting_viewer.php +++ b/pandora_console/operation/reporting/reporting_viewer.php @@ -80,7 +80,16 @@ $options['list_reports'] = [ ).'
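Review bot: The `+` line of the @@ -275 hunk changes the user-visible label to `__('Equalize maxiddmum thresholds')`, which puts a typo on screen and also stops matching the existing translation key `Equalize maximum thresholds`, so every language falls back to the misspelled English. This looks like a stray keystroke unrelated to the ACL fix; restore `__('Equalize maximum thresholds')`.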
', ]; -if (check_acl($config['id_user'], 0, 'RW')) { +if ($id_report > 0) { + $report_group = db_get_value( + 'id_group', + 'treport', + 'id_report', + $id_report + ); +} + +if (check_acl_restricted_all($config['id_user'], $report_group, 'RW')) { $options['main']['text'] = ''.html_print_image( 'images/op_reporting.png', true, diff --git a/pandora_console/operation/visual_console/legacy_view.php b/pandora_console/operation/visual_console/legacy_view.php index d4405876c4..986830f086 100644 --- a/pandora_console/operation/visual_console/legacy_view.php +++ b/pandora_console/operation/visual_console/legacy_view.php @@ -97,9 +97,9 @@ $bheight = $layout['height']; $pure_url = '&pure='.$config['pure']; // ACL -$vconsole_read = check_acl($config['id_user'], $id_group, 'VR'); -$vconsole_write = check_acl($config['id_user'], $id_group, 'VW'); -$vconsole_manage = check_acl($config['id_user'], $id_group, 'VM'); +$vconsole_read = check_acl_restricted_all($config['id_user'], $id_group, 'VR'); +$vconsole_write = check_acl_restricted_all($config['id_user'], $id_group, 'VW'); +$vconsole_manage = check_acl_restricted_all($config['id_user'], $id_group, 'VM'); if (! $vconsole_read && !$vconsole_write && !$vconsole_manage) { db_pandora_audit( diff --git a/pandora_console/operation/visual_console/view.php b/pandora_console/operation/visual_console/view.php index 3b70215aa2..164d38ac2c 100644 --- a/pandora_console/operation/visual_console/view.php +++ b/pandora_console/operation/visual_console/view.php 
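Review bot: `$report_group` is only assigned inside the new `if ($id_report > 0)` block, so when no report is selected the check on the following line runs with an undefined variable (a notice, and a null group handed to check_acl_restricted_all) — the line it replaces checked group 0 here. Initialise it before the block, e.g. `$report_group = 0;`, so the no-report path keeps the previous All-group semantics explicitly. db_get_value may also return false for an id that does not exist; presumably the viewer rejects unknown reports earlier, but if not the ACL call receives false rather than a group id.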
@@ -95,9 +95,9 @@ $groupId = $visualConsoleData['groupId']; $visualConsoleName = $visualConsoleData['name']; // ACL. -$aclRead = check_acl($config['id_user'], $groupId, 'VR'); -$aclWrite = check_acl($config['id_user'], $groupId, 'VW'); -$aclManage = check_acl($config['id_user'], $groupId, 'VM'); +$aclRead = check_acl_restricted_all($config['id_user'], $groupId, 'VR'); +$aclWrite = check_acl_restricted_all($config['id_user'], $groupId, 'VW'); +$aclManage = check_acl_restricted_all($config['id_user'], $groupId, 'VM'); if (!$aclRead && !$aclWrite && !$aclManage) { db_pandora_audit( diff --git a/pandora_console/views/dashboard/formDashboard.php b/pandora_console/views/dashboard/formDashboard.php index b80f3ab557..bcbdd67622 100644 --- a/pandora_console/views/dashboard/formDashboard.php +++ b/pandora_console/views/dashboard/formDashboard.php @@ -43,6 +43,12 @@ if (empty($arrayDashboard) === true) { } } +$return_all_group = false; + +if (users_can_manage_group_all('RW') === true) { + $return_all_group = true; +} + $dataQuery = ['dashboardId' => $dashboardId]; $url = ui_get_full_url( @@ -100,11 +106,12 @@ $inputs = [ [ 'label' => __('Group'), 'arguments' => [ - 'name' => 'id_group', - 'id' => 'id_group', - 'type' => 'select_groups', - 'selected' => $arrayDashboard['id_group'], - 'return' => true, + 'name' => 'id_group', + 'id' => 'id_group', + 'type' => 'select_groups', + 'returnAllGroup' => $return_all_group, + 'selected' => $arrayDashboard['id_group'], + 'return' => true, ], ], ], diff --git a/pandora_console/views/dashboard/header.php b/pandora_console/views/dashboard/header.php index f54a7c04b6..082011cb8e 100644 --- a/pandora_console/views/dashboard/header.php +++ b/pandora_console/views/dashboard/header.php 
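Review bot: The five-line `$return_all_group = false; if (users_can_manage_group_all('RW') === true) { $return_all_group = true; }` in the @@ -43 hunk of formDashboard.php is a boolean expression spelled out as statements; `$return_all_group = users_can_manage_group_all('RW') === true;` says the same thing on one line. The same shape recurs later in the series in configure_alert_command.php, configure_alert_template.php, configure_gis_map.php and snmp_alert.php (with 'LM', 'LM', 'MM' and 'LW'), so one fix applies to all of them. The @@ -100 hunk only adds the `returnAllGroup` key but re-aligns the neighbouring `=>`, turning a one-line change into a six-line diff; keep the alignment untouched unless the project's fixer requires it.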
@@ -194,7 +194,7 @@ if ($config['public_dashboard'] === true) { 'combo_refresh_countdown' => $comboRefreshCountdown, ]; } else if ($config['pure']) { - if (check_acl($config['id_user'], 0, 'RW') === 0) { + if (check_acl_restricted_all($config['id_user'], $dashboardGroup, 'RW') === 0) { $buttons = [ 'back_to_dashboard_list' => $back_to_dashboard_list, 'normalscreen' => $normalscreen, @@ -221,7 +221,7 @@ if ($config['public_dashboard'] === true) { } } } else { - if (check_acl($config['id_user'], 0, 'RW') === 0) { + if (check_acl_restricted_all($config['id_user'], $dashboardGroup, 'RW') === 0) { $buttons = [ 'back_to_dashboard_list' => $back_to_dashboard_list, 'fullscreen' => $fullscreen, diff --git a/pandora_console/views/dashboard/list.php b/pandora_console/views/dashboard/list.php index e5c37b2500..629c5f8eae 100644 --- a/pandora_console/views/dashboard/list.php +++ b/pandora_console/views/dashboard/list.php @@ -155,6 +155,11 @@ if (empty($dashboards) === true) { $data['full_screen'] .= ''; if ($manageDashboards === 1) { + $data['copy'] = ''; + $data['delete'] = ''; + } + + if (check_acl_restricted_all($config['id_user'], $dashboard['id_group'], 'RM')) { $dataQueryCopy = [ 'dashboardId' => $dashboard['id'], 'copyDashboard' => 1, From cd52b30eb5b218b86171a03e950656a309d1670b Mon Sep 17 00:00:00 2001 From: alejandro-campos Date: Thu, 22 Oct 2020 15:47:39 +0200 Subject: [PATCH 2/3] visual fixes --- .../godmode/gis_maps/configure_gis_map.php | 2 +- pandora_console/operation/gis_maps/gis_map.php | 11 +++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/pandora_console/godmode/gis_maps/configure_gis_map.php b/pandora_console/godmode/gis_maps/configure_gis_map.php index 907786e6fd..b89ad86fad 100644 --- a/pandora_console/godmode/gis_maps/configure_gis_map.php +++ b/pandora_console/godmode/gis_maps/configure_gis_map.php 
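Review bot: Both hunks of header.php compare the new call with `=== 0`, which matched check_acl's integer return; check_acl_restricted_all is defined in functions.php outside this view, and if it returns a bool the comparison never matches and the reduced button set is never chosen. Confirm its return type, or test it as `if (!check_acl_restricted_all($config['id_user'], $dashboardGroup, 'RW')) {` the way the other call sites in this series do. `$dashboardGroup` is not assigned in either hunk, so it must be set on every path that reaches these lines, including the public-dashboard branch above them.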
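Review bot: In list.php the empty `$data['copy']` / `$data['delete']` cells are initialised only when `$manageDashboards === 1`, while the block that fills them is now gated solely by `check_acl_restricted_all($config['id_user'], $dashboard['id_group'], 'RM')`, so the two conditions can disagree and the relationship between the global flag and the per-group check is unclear to the reader. If the per-group check is meant to replace the global flag, initialise the two cells unconditionally and drop the `$manageDashboards` block; if both must hold, nest the RM check inside it. The closing brace of the new `if` and the later assignments to the cells are outside the hunk.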
@@ -32,7 +32,7 @@ $action = get_parameter('action', 'new_map'); $gis_map_group = db_get_value('group_id', 'tgis_map', 'id_tgis_map', $idMap); -if (!check_acl_restricted_all($config['id_user'], $gis_map_group, 'MW') && !check_acl_restricted_all($config['id_user'], $gis_map_group, 'MW')) { +if ($idMap > 0 && !check_acl_restricted_all($config['id_user'], $gis_map_group, 'MW') && !check_acl_restricted_all($config['id_user'], $gis_map_group, 'MW')) { db_pandora_audit('ACL Violation', 'Trying to access map builder'); include 'general/noaccess.php'; return; diff --git a/pandora_console/operation/gis_maps/gis_map.php b/pandora_console/operation/gis_maps/gis_map.php index 01653e958b..ca66058050 100644 --- a/pandora_console/operation/gis_maps/gis_map.php +++ b/pandora_console/operation/gis_maps/gis_map.php @@ -170,9 +170,16 @@ if ($maps !== false) { $data['name'] = ''.$map['map_name'].' '; $data['group'] = ui_print_group_icon($map['group_id'], true); - $data['op'] = ''; + if (check_acl($config['id_user'], 0, 'MW') + || check_acl($config['id_user'], 0, 'MM') + ) { + $data['default'] = ''; + $data['op'] = ''; + } - if (check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW') || check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM')) { + if (check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW') + || check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM') + ) { if (check_acl_restricted_all($config['id_user'], 0, 'MM')) { $checked = false; if ($map['default_map']) { From 731d486455f532e6120fda1fc69893f04175d35a Mon Sep 17 00:00:00 2001 
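Review bot: The condition in the @@ -32 hunk tests `check_acl_restricted_all($config['id_user'], $gis_map_group, 'MW')` twice, so a user holding only 'MM' on the map's group is denied even though gis_map.php and render_view.php in this series treat `MW || MM` as management rights; the second call was presumably meant to read `'MM'`. The added `$idMap > 0 &&` means a request without an id (the `new_map` action) skips this guard entirely, which is only safe if map creation is ACL-checked against the submitted group on save — that handler is outside the hunk, so worth confirming and noting in a comment on the guard. Folding the pair into one local such as `$can_manage_map = ...'MW') || ...'MM');` would also state the rule once.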
From: alejandro-campos Date: Wed, 20 Jan 2021 18:22:43 +0100 Subject: [PATCH 3/3] changed behavior of All group and fixed acl vulnerability --- .../godmode/alerts/alert_commands.php | 8 ++- .../godmode/alerts/alert_templates.php | 8 ++- .../alerts/configure_alert_command.php | 19 +++++-- .../alerts/configure_alert_template.php | 21 +++++--- .../godmode/gis_maps/configure_gis_map.php | 11 ++-- .../godmode/snmpconsole/snmp_alert.php | 52 ++++++++++++++----- .../operation/gis_maps/gis_map.php | 8 +-- .../operation/gis_maps/render_view.php | 4 +- .../operation/visual_console/view.php | 6 ++- 9 files changed, 96 insertions(+), 41 deletions(-) diff --git a/pandora_console/godmode/alerts/alert_commands.php b/pandora_console/godmode/alerts/alert_commands.php index 53272f6273..001cfc0430 100644 --- a/pandora_console/godmode/alerts/alert_commands.php +++ b/pandora_console/godmode/alerts/alert_commands.php @@ -556,7 +556,9 @@ foreach ($commands as $command) { $data = []; $data['name'] = ''; - if (! $command['internal']) { + + // (IMPORTANT, DO NOT CHANGE!) only users with permissions over "All" group have access to edition of commands belonging to "All" group. + if (!$command['internal'] && check_acl_restricted_all($config['id_user'], $command['id_group'], 'LM')) { $data['name'] .= ''.$command['name'].''; } else { $data['name'] .= $command['name']; @@ -580,7 +582,9 @@ foreach ($commands as $command) { ); $data['action'] = ''; $table->cellclass[]['action'] = 'action_buttons'; - if ($is_central_policies_on_node === false && !$command['internal']) { + + // (IMPORTANT, DO NOT CHANGE!) only users with permissions over "All" group have access to edition of commands belonging to "All" group. + if ($is_central_policies_on_node === false && !$command['internal'] && check_acl_restricted_all($config['id_user'], $command['id_group'], 'LM')) { $data['action'] = ''; $data['action'] .= ''.html_print_image('images/copy.png', true).''; 
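Review bot: The two `(IMPORTANT, DO NOT CHANGE!)` comments say the rule is about the "All" group, but the condition they annotate gates the links for every `$command['id_group']`; the All-group behaviour comes from check_acl_restricted_all rather than from this line, so the comment misdescribes the code it sits on. Something like `// Edit/copy links only for users with LM on the command's group; group 0 ("All") needs explicit All-group rights (check_acl_restricted_all).` describes both the check and the motivation and stays within the line limit that the current comment exceeds. Hiding the links is presentation only; the effective guard is the one in configure_alert_command.php later in this series.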
diff --git a/pandora_console/godmode/alerts/alert_templates.php b/pandora_console/godmode/alerts/alert_templates.php index cc762068ae..f38682617a 100644 --- a/pandora_console/godmode/alerts/alert_templates.php +++ b/pandora_console/godmode/alerts/alert_templates.php @@ -401,13 +401,17 @@ foreach ($templates as $template) { $data = []; - $data[0] = ''.$template['name'].''; + if (check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM')) { + $data[0] = ''.$template['name'].''; + } else { + $data[0] = $template['name']; + } $data[1] = ui_print_group_icon($template['id_group'], true); $data[3] = alerts_get_alert_templates_type_name($template['type']); if (is_central_policies_on_node() === false - && check_acl($config['id_user'], $template['id_group'], 'LM') + && check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM') ) { $table->cellclass[][4] = 'action_buttons'; $data[4] = '
'; diff --git a/pandora_console/godmode/alerts/configure_alert_command.php b/pandora_console/godmode/alerts/configure_alert_command.php index f5596a58eb..2882d260db 100644 --- a/pandora_console/godmode/alerts/configure_alert_command.php +++ b/pandora_console/godmode/alerts/configure_alert_command.php @@ -48,15 +48,18 @@ if (is_metaconsole() === true) { ); } - -if ($update_command) { - $id = (int) get_parameter('id'); +if ($id > 0) { $alert = alerts_get_alert_command($id); - if ($alert['internal']) { + + if ($alert['internal'] || !check_acl_restricted_all($config['id_user'], $alert['id_group'], 'LM')) { db_pandora_audit('ACL Violation', 'Trying to access Alert Management'); include 'general/noaccess.php'; exit; } +} + +if ($update_command) { + $alert = alerts_get_alert_command($id); $name = (string) get_parameter('name'); $command = (string) get_parameter('command'); @@ -216,12 +219,18 @@ $table->data['command'][1] = html_print_textarea( $is_central_policies_on_node ); +$return_all_group = false; + +if (users_can_manage_group_all('LM') === true) { + $return_all_group = true; +} + $table->colspan['group'][1] = 3; $table->data['group'][0] = __('Group'); $table->data['group'][1] = '
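Review bot: The alert_templates.php hunk evaluates `check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM')` once for the name link and again for the action column of the same row. A local such as `$can_manage = check_acl_restricted_all($config['id_user'], $template['id_group'], 'LM');` assigned once per iteration, then `if ($can_manage)` for the link and `if (is_central_policies_on_node() === false && $can_manage)` for the actions, keeps the two cells consistent by construction. The enclosing foreach continues outside the hunk.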
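Review bot: `alerts_get_alert_command($id)` is called in the new `if ($id > 0)` block and then again inside `if ($update_command)` with the same `$id`, so the update path fetches the row twice; reuse `$alert` from the first block. The guard also reads `$alert['internal']` without handling a failed lookup — if the helper returns false for an unknown id, `$alert['internal']` is null and the ACL call receives a null group, so the guard should begin `if ($alert === false || $alert['internal'] || !check_acl_restricted_all($config['id_user'], $alert['id_group'], 'LM')) {`. The removed `$id = (int) get_parameter('id');` means `$id` must now be assigned before this hunk; that assignment is not visible here, so confirm it exists on every entry path.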
'.html_print_select_groups( false, 'LM', - true, + $return_all_group, 'id_group', $id_group, false, diff --git a/pandora_console/godmode/alerts/configure_alert_template.php b/pandora_console/godmode/alerts/configure_alert_template.php index 4d4966878c..57c4cb98cb 100644 --- a/pandora_console/godmode/alerts/configure_alert_template.php +++ b/pandora_console/godmode/alerts/configure_alert_template.php @@ -55,6 +55,15 @@ if (defined('METACONSOLE')) { if ($a_template !== false) { // If user tries to duplicate/edit a template with group=ALL if ($a_template['id_group'] == 0) { + if (users_can_manage_group_all('LM') === false) { + db_pandora_audit( + 'ACL Violation', + 'Trying to access Alert Management' + ); + include 'general/noaccess.php'; + exit; + } + // Header if (defined('METACONSOLE')) { alerts_meta_print_header(); @@ -1091,18 +1100,18 @@ if ($step == 2) { $table->data[0][1] .= '  '.__('Group'); $groups = users_get_groups(); $own_info = get_user_info($config['id_user']); - // Only display group "All" if user is administrator or has "PM" privileges. - if ($own_info['is_admin'] || check_acl($config['id_user'], 0, 'PM')) { - $display_all_group = true; - } else { - $display_all_group = false; + + $return_all_group = false; + + if (users_can_manage_group_all('LM') === true) { + $return_all_group = true; } $table->data[0][1] .= ' '; $table->data[0][1] .= '
'.html_print_select_groups( false, 'AR', - $display_all_group, + $return_all_group, 'id_group', $id_group, '', diff --git a/pandora_console/godmode/gis_maps/configure_gis_map.php b/pandora_console/godmode/gis_maps/configure_gis_map.php index 4fb38b3d38..1a0625d030 100644 --- a/pandora_console/godmode/gis_maps/configure_gis_map.php +++ b/pandora_console/godmode/gis_maps/configure_gis_map.php @@ -461,14 +461,15 @@ $table->data[1][1] = " ".gis_add_conection_maps_in_form($map_connection_list).'
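Review bot: In the @@ -1091 hunk the branch that read `$own_info['is_admin']` is removed but `$own_info = get_user_info($config['id_user']);` stays as context, as does `$groups = users_get_groups();`; unless something further down uses them, both are now dead lookups and should go. The group selector is still populated with privilege 'AR' while the decision to offer the All group is made with 'LM', so the form can submit an id_group the user only has read access to; the save handler (outside this hunk) must re-check LM on the submitted group rather than trust the form. The @@ -55 hunk performs that check for group 0 only.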
'; $own_info = get_user_info($config['id_user']); -if ($own_info['is_admin'] || check_acl($config['id_user'], 0, 'MM')) { - $display_all_group = true; -} else { - $display_all_group = false; + +$return_all_group = false; + +if (users_can_manage_group_all('MM') === true) { + $return_all_group = true; } $table->data[2][0] = __('Group'); -$table->data[2][1] = html_print_select_groups(false, 'IW', $display_all_group, 'map_group_id', $map_group_id, '', '', '', true); +$table->data[2][1] = html_print_select_groups(false, 'IW', $return_all_group, 'map_group_id', $map_group_id, '', '', '', true); $table->data[3][0] = __('Default zoom'); $table->data[3][1] = html_print_input_text('map_zoom_level', $map_zoom_level, '', 2, 4, true).html_print_input_hidden('map_levels_zoom', $map_levels_zoom, true); diff --git a/pandora_console/godmode/snmpconsole/snmp_alert.php b/pandora_console/godmode/snmpconsole/snmp_alert.php index deb248ae2d..7ede6706c6 100755 --- a/pandora_console/godmode/snmpconsole/snmp_alert.php +++ b/pandora_console/godmode/snmpconsole/snmp_alert.php @@ -494,6 +494,15 @@ if ($update_alert || $duplicate_alert) { $position = $alert['position']; $disable_event = $alert['disable_event']; $group = $alert['id_group']; + + if (!check_acl_restricted_all($config['id_user'], $group, 'LW')) { + db_pandora_audit( + 'ACL Violation', + 'Trying to access SNMP Alert Management' + ); + include 'general/noaccess.php'; + return; + } } else if ($create_alert) { // Variable init $id_as = -1; @@ -814,13 +823,19 @@ if ($create_alert || $update_alert) { html_print_input_text('source_ip', $source_ip, '', 20); echo ''; + $return_all_group = false; + + if (users_can_manage_group_all('LW') === true) { + $return_all_group = true; + } + // Group echo ''.__('Group').''; echo '
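Review bot: The only reader of `$own_info` (`$own_info['is_admin']`) is deleted in the @@ -461 hunk while `$own_info = get_user_info($config['id_user']);` is kept as context, leaving a dead lookup unless it is used later in the file. As in the alert template form, the group list is built with privilege 'IW' while the All-group decision uses 'MM', so the submitted `map_group_id` needs an MW/MM check on save; the `$idMap > 0` guard earlier in this file does not cover new maps, and the save handler is outside this hunk.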
'; html_print_select_groups( $config['id_user'], 'AR', - true, + $return_all_group, 'group', $group, '', @@ -1346,10 +1361,17 @@ if ($create_alert || $update_alert) { $url = 'index.php?'.'sec=snmpconsole&'.'sec2=godmode/snmpconsole/snmp_alert&'.'id_alert_snmp='.$row['id_as'].'&'.'update_alert=1'; $data[1] = ''; $data[1] .= ''; - $data[1] .= ''.alerts_get_alert_action_name($row['id_alert']).''; + + if (check_acl_restricted_all($config['id_user'], $row['id_group'], 'LW')) { + $data[1] .= ''.alerts_get_alert_action_name($row['id_alert']).''; + } else { + $data[1] .= alerts_get_alert_action_name($row['id_alert']); + } + $other_actions = db_get_all_rows_filter('talert_snmp_action', ['id_alert_snmp' => $row['id_as']]); $data[1] .= ''; + if ($other_actions != false) { foreach ($other_actions as $action) { $data[1] .= ''; @@ -1361,6 +1383,7 @@ if ($create_alert || $update_alert) { $data[1] .= '
'; + $data[2] = $row['agent']; $data[3] = $row['oid']; $data[4] = $row['custom_oid']; @@ -1373,18 +1396,23 @@ if ($create_alert || $update_alert) { $data[7] = __('Never'); } - $data[8] = ''.html_print_image('images/copy.png', true, ['alt' => __('Duplicate'), 'title' => __('Duplicate')]).''.''.html_print_image('images/config.png', true, ['border' => '0', 'alt' => __('Update')]).''.''.html_print_image('images/add.png', true, ['title' => __('Add action')]).''.''.html_print_image('images/cross.png', true, ['border' => '0', 'alt' => __('Delete')]).''; + if (check_acl_restricted_all($config['id_user'], $row['id_group'], 'LW')) { + $data[8] = ''.html_print_image('images/copy.png', true, ['alt' => __('Duplicate'), 'title' => __('Duplicate')]).''.''.html_print_image('images/config.png', true, ['border' => '0', 'alt' => __('Update')]).''.''.html_print_image('images/add.png', true, ['title' => __('Add action')]).''.''.html_print_image('images/cross.png', true, ['border' => '0', 'alt' => __('Delete')]).''; - $data[9] = html_print_checkbox_extended( - 'delete_ids[]', - $row['id_as'], - false, - false, - false, - 'class="chk_delete"', - true - ); + $data[9] = html_print_checkbox_extended( + 'delete_ids[]', + $row['id_as'], + false, + false, + false, + 'class="chk_delete"', + true + ); + } else { + $data[8] = ''; + $data[9] = ''; + } $idx = count($table->data); // The current index of the table is 1 less than the count of table data so we count before adding to table->data diff --git a/pandora_console/operation/gis_maps/gis_map.php b/pandora_console/operation/gis_maps/gis_map.php index bbc552bc31..6bf81d8db5 100644 --- a/pandora_console/operation/gis_maps/gis_map.php +++ b/pandora_console/operation/gis_maps/gis_map.php 
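Review bot: Omitting the copy/update/delete links and the `delete_ids[]` checkbox for rows the user lacks 'LW' on is presentation only; the handler that processes `delete_ids[]` is outside this hunk and needs the same per-row `check_acl_restricted_all($config['id_user'], $row['id_group'], 'LW')` on each id it receives, otherwise authorisation still rests on the hidden form controls. The @@ -494 hunk adds the guard for update/duplicate, so delete is the remaining path to verify. The same ACL call is also made twice per row (@@ -1346 and here); compute it once at the top of the loop body.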
@@ -170,12 +170,8 @@ if ($maps !== false) { $data['name'] = ''.$map['map_name'].' '; $data['group'] = ui_print_group_icon($map['group_id'], true); - if (check_acl($config['id_user'], 0, 'MW') - || check_acl($config['id_user'], 0, 'MM') - ) { - $data['default'] = ''; - $data['op'] = ''; - } + $data['default'] = ''; + $data['op'] = ''; if (check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW') || check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM') diff --git a/pandora_console/operation/gis_maps/render_view.php b/pandora_console/operation/gis_maps/render_view.php index 0494949d76..f8f183ec78 100644 --- a/pandora_console/operation/gis_maps/render_view.php +++ b/pandora_console/operation/gis_maps/render_view.php @@ -114,8 +114,8 @@ $controls = [ $layers = gis_get_layers($idMap); // Render map -$has_management_acl = check_acl($config['id_user'], $map['group_id'], 'MW') - || check_acl($config['id_user'], $map['group_id'], 'MM'); +$has_management_acl = check_acl_restricted_all($config['id_user'], $map['group_id'], 'MW') + || check_acl_restricted_all($config['id_user'], $map['group_id'], 'MM'); $buttons = []; diff --git a/pandora_console/operation/visual_console/view.php b/pandora_console/operation/visual_console/view.php index 511c2eaa59..f6c796fb5e 100644 --- a/pandora_console/operation/visual_console/view.php +++ b/pandora_console/operation/visual_console/view.php @@ -300,7 +300,11 @@ if ($pure === false) { ); echo '
'; echo '
'; - echo html_print_checkbox_switch('edit-mode', 1, false, true); + + if ($aclWrite || $aclManage) { + echo html_print_checkbox_switch('edit-mode', 1, false, true); + } + echo '
'; } }
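Review bot: Gating `html_print_checkbox_switch('edit-mode', 1, false, true)` on `$aclWrite || $aclManage` hides the switch for read-only users but does not by itself stop edit requests; the endpoints edit mode calls should enforce the same VW/VM check on the console's group, which cannot be seen from this hunk. `$aclWrite` and `$aclManage` come from the @@ -95 hunk of this file earlier in the series, so a short comment `// Edit mode needs VW or VM on the console's group (see ACL block above).` would tie the two together.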