diff --git a/pandora_console/godmode/agentes/agent_manager.php b/pandora_console/godmode/agentes/agent_manager.php index c5f41df3ae..89ac922aed 100644 --- a/pandora_console/godmode/agentes/agent_manager.php +++ b/pandora_console/godmode/agentes/agent_manager.php @@ -273,7 +273,12 @@ if(is_array($modules)){ } $table->data[4][0] = __('Primary group'); -$table->data[4][1] = html_print_select_groups(false, "AR", false, 'grupo', $grupo, '', '', 0, true); +// Cannot change primary group if user have not permission for that group +if (isset($groups[$grupo]) || $new_agent) { + $table->data[4][1] = html_print_select_groups(false, "AR", false, 'grupo', $grupo, '', '', 0, true); +} else { + $table->data[4][1] = groups_get_name($grupo); +} $table->data[4][1] .= ' '; $table->data[4][1] .= ui_print_group_icon ($grupo, true); $table->data[4][1] .= ''; diff --git a/pandora_console/godmode/agentes/configurar_agente.php b/pandora_console/godmode/agentes/configurar_agente.php index 3e0aac7af1..b183d1a365 100644 --- a/pandora_console/godmode/agentes/configurar_agente.php +++ b/pandora_console/godmode/agentes/configurar_agente.php @@ -32,15 +32,18 @@ $tab = get_parameter ('tab', 'main'); //See if id_agente is set (either POST or GET, otherwise -1 $id_agente = (int) get_parameter ("id_agente"); $group = 0; -if ($id_agente) +$all_groups = array($group); +if ($id_agente) { $group = agents_get_agent_group ($id_agente); + $all_groups = agents_get_all_groups_agent($id_agente, $group); +} -if (!check_acl ($config["id_user"], $group, "AW", $id_agente)) { +if (!check_acl_one_of_groups ($config["id_user"], $all_groups, "AW")) { $access_granted = false; switch ($tab) { case 'alert': case 'module': - if (check_acl ($config["id_user"], $group, "AD", $id_agente)) { + if (check_acl_one_of_groups ($config["id_user"], $all_groups, "AD")) { $access_granted = true; } break; 
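Review bot: The `else` branch in agent_manager.php hides the selector but emits no `grupo` field at all, and nothing in this hunk enforces the restriction on the server side. If the save handler reads `grupo` from the request (it is not visible here), a submit from this branch sends no value. That handler should also refuse a primary-group change unless the user has permission on the agent's current primary group, because a display-only restriction does not constrain what a request may contain. Carrying the current value explicitly avoids an accidental reset: `$table->data[4][1] .= html_print_input_hidden('grupo', $grupo, true);`. The new comment would read better as `// Primary group is read-only when the user has no permission on it`.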
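Review bot: The replacement calls in configurar_agente.php drop the fourth argument (`$id_agente`) that the old `check_acl()` calls passed, here and in the `@@ -447` hunk of this file and the `@@ -604` hunk of module_manager.php. Whether `check_acl_one_of_groups()` applies the same per-agent handling is not visible in this diff, so it is worth confirming that no agent-specific restriction is lost. When `$id_agente` is 0 the list stays `array(0)`; a short comment such as `// No agent yet: check against group 0, as before` would make that fallback explicit. The `if`/`switch` block continues past the end of the hunk.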
@@ -447,7 +450,7 @@ if ($id_agente) { $incidenttab['active'] = false; } - if (check_acl ($config["id_user"], $group, "AW", $id_agente)) { + if (check_acl_one_of_groups ($config["id_user"], $all_groups, "AW")) { if ($has_remote_conf) { $agent_name = agents_get_name($id_agente); $agent_name = io_safe_output($agent_name); @@ -909,7 +912,7 @@ if ($update_agent) { // if modified some agent paramenter if ($id_agente) { //This has been done in the beginning of the page, but if an agent was created, this id might change $id_grupo = agents_get_agent_group ($id_agente); - if (!check_acl ($config["id_user"], $id_grupo, "AW") && !check_acl ($config["id_user"], $id_grupo, "AD")) { + if (!check_acl_one_of_groups ($config["id_user"], $all_groups, "AW") && !check_acl_one_of_groups ($config["id_user"], $all_groups, "AD")) { db_pandora_audit("ACL Violation","Trying to admin an agent without access"); require ("general/noaccess.php"); exit; @@ -1586,8 +1589,9 @@ if ($delete_module) { // DELETE agent module ! WHERE tam.id_agente_modulo = tae.id_agente_modulo AND tam.id_agente_modulo = ' . $id_borrar_modulo); $id_grupo = (int) agents_get_agent_group($id_agente); + $all_groups = agents_get_all_groups_agent ($id_agente, $id_grupo); - if (! check_acl ($config["id_user"], $id_grupo, "AW")) { + if (! check_acl_one_of_groups ($config["id_user"], $all_groups, "AW")) { db_pandora_audit("ACL Violation", "Trying to delete a module without admin rights"); require ("general/noaccess.php"); diff --git a/pandora_console/godmode/agentes/modificar_agente.php b/pandora_console/godmode/agentes/modificar_agente.php index 5e2ffc3533..62b0773e63 100644 --- a/pandora_console/godmode/agentes/modificar_agente.php +++ b/pandora_console/godmode/agentes/modificar_agente.php 
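Review bot: In the `@@ -909` hunk the refreshed `$id_grupo` is no longer used: the check now reads `$all_groups`, which was computed at the top of the page before any create or update ran. The context comment says the id may have changed since then, so for a newly created agent the list would still be `array(0)`, and after an update it may not match the stored groups. Recompute it next to the existing lookup, as the `@@ -1586` hunk already does: `$all_groups = agents_get_all_groups_agent($id_agente, $id_grupo);`.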
@@ -79,16 +79,18 @@ $result = null; if ($agent_to_delete) { $id_agente = $agent_to_delete; - $agent_name = agents_get_name ($id_agente); - $id_grupo = agents_get_agent_group($id_agente); - if (check_acl ($config["id_user"], $id_grupo, "AW")) { + if (check_acl_one_of_groups ( + $config["id_user"], + agents_get_all_groups_agent($id_agente), + "AW" + )) { $id_agentes[0] = $id_agente; $result = agents_delete_agent($id_agentes); } else { // NO permissions. db_pandora_audit("ACL Violation", - "Trying to delete agent \'$agent_name\'"); + "Trying to delete agent \'" . agents_get_name ($id_agente). "\'"); require ("general/noaccess.php"); exit; } diff --git a/pandora_console/godmode/agentes/module_manager.php b/pandora_console/godmode/agentes/module_manager.php index b22bc0f626..85f2fd8f5f 100644 --- a/pandora_console/godmode/agentes/module_manager.php +++ b/pandora_console/godmode/agentes/module_manager.php @@ -111,7 +111,13 @@ if (($policy_page) || (isset($agent))) { $show_creation = true; } else { - if (check_acl ($config['id_user'], $agent['id_grupo'], "AW")) + if (!isset($all_groups)) { + $all_groups = agents_get_all_groups_agent ( + $agent['id_agente'], + $agent['id_grupo'] + ); + } + if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) $show_creation = true; } @@ -164,8 +170,9 @@ if ($multiple_delete) { $count_correct_delete_modules = 0; foreach($id_agent_modules_delete as $id_agent_module_del) { $id_grupo = (int) agents_get_agent_group($id_agente); + $all_groups = agents_get_all_groups_agent($id_agente, $id_grupo); - if (! check_acl ($config["id_user"], $id_grupo, "AW")) { + if (! check_acl_one_of_groups ($config["id_user"], $all_groups, "AW")) { db_pandora_audit("ACL Violation", "Trying to delete a module without admin rights"); require ("general/noaccess.php"); 
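Review bot: The `isset($all_groups)` guard in the `@@ -111` hunk of module_manager.php accepts whatever an earlier included file left in that global, and other files in this commit assign the same name for other agents (alert_list.list.php does so per alert row). It is also set only inside this `else` branch, while the later hunks of this file (`@@ -604`, `@@ -762`, `@@ -798` and the two checks around `html_print_table`) read `$all_groups` unconditionally. The enclosing `if` starts outside the hunk, so it is not clear that every path defines it. Computing it once near the top of the file from `$agent` removes the dependency: `$all_groups = agents_get_all_groups_agent($agent['id_agente'], $agent['id_grupo']);`. The unbraced `if (...) $show_creation = true;` would also be safer with braces.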
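Review bot: The permission check inside `foreach($id_agent_modules_delete as $id_agent_module_del)` (`@@ -164` hunk) depends only on `$id_agente` and never looks at `$id_agent_module_del`, so it gives the same answer on every iteration and does not establish that each module belongs to that agent. The deletion code is below the hunk; if it does not already verify ownership, add a guard such as `if ((int) modules_get_agentmodule_agent($id_agent_module_del) !== (int) $id_agente) { continue; }`. The two lookups and the ACL test can move above the loop, which also avoids a query per selected module.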
@@ -604,7 +611,7 @@ if ($checked) { } foreach ($modules as $module) { - if (! check_acl ($config["id_user"], $group, "AW", $id_agente) && ! check_acl ($config["id_user"], $group, "AD", $id_agente)) { + if (! check_acl_one_of_groups ($config["id_user"], $all_groups, "AW") && ! check_acl_one_of_groups ($config["id_user"], $all_groups, "AD")) { continue; } @@ -762,7 +769,7 @@ foreach ($modules as $module) { array('alt' => __('Disable module'), 'title' => __('Disable module'))) .""; } - if (check_acl ($config['id_user'], $agent['id_grupo'], "AW") && $module['id_tipo_modulo'] != 25) { + if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW") && $module['id_tipo_modulo'] != 25) { $data[8] .= ' '; $data[8] .= html_print_image ('images/copy.png', true, @@ -798,7 +805,7 @@ foreach ($modules as $module) { } } - if (check_acl ($config['id_user'], $agent['id_grupo'], "AW")) { + if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) { // Delete module $data[9] = html_print_checkbox('id_delete[]', $module['id_agente_modulo'], false, true); $data[9] .= ' data, $data); } -if (check_acl ($config['id_user'], $agent['id_grupo'], "AW")) { +if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) { echo '
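Review bot: The permission tests in this loop are loop-invariant now that they depend only on `$config['id_user']` and `$all_groups`, yet they are re-evaluated for every module here and again in the `@@ -762` and `@@ -798` hunks. Evaluate them once before `foreach ($modules as $module)`, e.g. `$can_write = check_acl_one_of_groups($config['id_user'], $all_groups, "AW");` with a matching `$can_disable` for `"AD"`, and test the booleans inside. That keeps the row filter, the copy icon and the delete checkbox on a single decision and saves repeated ACL lookups. The loop body continues outside the hunk.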
'; } html_print_table ($table); -if (check_acl ($config['id_user'], $agent['id_grupo'], "AW")) { +if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) { echo '
'; html_print_input_hidden ('multiple_delete', 1); html_print_submit_button (__('Delete'), 'multiple_delete', false, 'class="sub delete"'); diff --git a/pandora_console/godmode/alerts/alert_list.list.php b/pandora_console/godmode/alerts/alert_list.list.php index 8a2a7c6702..e802647693 100644 --- a/pandora_console/godmode/alerts/alert_list.list.php +++ b/pandora_console/godmode/alerts/alert_list.list.php @@ -443,12 +443,11 @@ foreach ($simple_alerts as $alert) { if (! $id_agente) { $id_agent = modules_get_agentmodule_agent ($alert['id_agent_module']); - - $agent_group = db_get_value('id_grupo', 'tagente', 'id_agente', $id_agent); + $all_groups = agents_get_all_groups_agent($id_agent); $data[0] = ''; - if (check_acl ($config['id_user'], $agent_group, "AW")) { + if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) { $main_tab = 'main'; } else { @@ -467,7 +466,7 @@ foreach ($simple_alerts as $alert) { $data[0] .= ''; } else { - $agent_group = db_get_value('id_grupo', 'tagente', 'id_agente', $id_agente); + $all_groups = agents_get_all_groups_agent($id_agente); } $module_name = modules_get_agentmodule_name ($alert['id_agent_module']); @@ -544,7 +543,7 @@ foreach ($simple_alerts as $alert) { $data[2] .= ''; // Is possible manage actions if have LW permissions in the agent group of the alert module - if (check_acl ($config['id_user'], $agent_group, "LW")) { + if (check_acl_one_of_groups ($config['id_user'], $all_groups, "LW")) { //~ $data[2] .= ''; $data[2] .= ''; $data[2] .= html_print_input_image ('delete', @@ -568,7 +567,7 @@ foreach ($simple_alerts as $alert) { $data[2] .= '
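Review bot: `$all_groups` is reassigned for every alert row in alert_list.list.php, and in the `else` branch (`@@ -467` hunk) the lookup uses the page-level `$id_agente`, which does not change inside the loop. Because alert_list.php pulls this file in with `require_once`, the assignment also overwrites any `$all_groups` the including page relies on; alert_list.php only stays correct because it recomputes the value right after the include. A row-local name and a hoisted lookup would avoid both, e.g. `$alert_agent_groups = agents_get_all_groups_agent($id_agent);` in the first branch and a single call before `foreach ($simple_alerts as $alert)` for the fixed-agent case.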
'; $data[2] .= ''; // Is possible manage actions if have LW permissions in the agent group of the alert module - if (check_acl ($config['id_user'], $agent_group, "LW") || check_acl ($config['id_user'], $template_group, "LM")) { + if (check_acl_one_of_groups ($config['id_user'], $all_groups, "LW") || check_acl ($config['id_user'], $template_group, "LM")) { $own_info = get_user_info($config['id_user']); if (check_acl ($config['id_user'], $template_group, "LW")) $own_groups = users_get_groups($config['id_user'], 'LW', true); @@ -666,7 +665,7 @@ foreach ($simple_alerts as $alert) { $data[4] .= '
'; // To manage alert is necessary LW permissions in the agent group - if(check_acl ($config['id_user'], $agent_group, "LW")) { + if(check_acl_one_of_groups ($config['id_user'], $all_groups, "LW")) { $data[4] .= '  
'; if (!$alert['standby']) { $data[4] .= html_print_input_image ('standby_off', 'images/bell.png', 1, 'padding:0px;', true); @@ -681,7 +680,7 @@ foreach ($simple_alerts as $alert) { } // To access to policy page is necessary have AW permissions in the agent - if(check_acl ($config['id_user'], $agent_group, "AW")) { + if(check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) { if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { $policyInfo = policies_is_alert_in_policy2($alert['id'], false); if ($policyInfo === false) @@ -697,7 +696,7 @@ foreach ($simple_alerts as $alert) { } // To manage alert is necessary LW permissions in the agent group - if(check_acl ($config['id_user'], $agent_group, "LW")) { + if(check_acl_one_of_groups ($config['id_user'], $all_groups, "LW")) { $data[4] .= '  '; if ($alert['disabled']) { $data[4] .= html_print_image('images/add.disabled.png', @@ -714,7 +713,7 @@ foreach ($simple_alerts as $alert) { $data[4] .= '
'; } - if(check_acl ($config['id_user'], $agent_group, "LM")) { + if(check_acl_one_of_groups ($config['id_user'], $all_groups, "LM")) { $data[4] .= '
'; $data[4] .= html_print_input_image ('view_alert', 'images/eye.png', 1, '', true, array('title' => __('View alert advanced details'))); $data[4] .= html_print_input_hidden ('id_alert', $alert['id'], true); diff --git a/pandora_console/godmode/alerts/alert_list.php b/pandora_console/godmode/alerts/alert_list.php index a56ed8bcac..259def322b 100644 --- a/pandora_console/godmode/alerts/alert_list.php +++ b/pandora_console/godmode/alerts/alert_list.php @@ -294,8 +294,8 @@ if ($id_agente) { echo $messageAction; require_once('godmode/alerts/alert_list.list.php'); - - if(check_acl ($config['id_user'], $agent['id_grupo'], "LW") || check_acl ($config['id_user'], $agent['id_grupo'], "LM")) { + $all_groups = agents_get_all_groups_agent ($id_agente, $agent['id_grupo']); + if(check_acl_one_of_groups ($config['id_user'], $all_groups, "LW") || check_acl_one_of_groups ($config['id_user'], $all_groups, "LM")) { require_once('godmode/alerts/alert_list.builder.php'); } diff --git a/pandora_console/include/functions_agents.php b/pandora_console/include/functions_agents.php index 0822bc3341..974b073878 100644 --- a/pandora_console/include/functions_agents.php +++ b/pandora_console/include/functions_agents.php @@ -1836,8 +1836,8 @@ function agents_delete_agent ($id_agents, $disableACL = false) { $agent_alias = io_safe_output(agents_get_alias($id_agent)); /* Check for deletion permissions */ - $id_group = agents_get_agent_group ($id_agent); - if ((! check_acl ($config['id_user'], $id_group, "AW")) && !$disableACL) { + $all_groups = agents_get_all_groups_agent ($id_agent); + if ((! check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) && !$disableACL) { return false; } diff --git a/pandora_console/include/functions_users.php b/pandora_console/include/functions_users.php index 486e4c7b23..331e08845b 100755 --- a/pandora_console/include/functions_users.php +++ b/pandora_console/include/functions_users.php 
@@ -422,15 +422,16 @@ function users_get_first_group ($id_user = false, $privilege = "AR", $all_group function users_access_to_agent ($id_agent, $mode = "AR", $id_user = false) { if (empty ($id_agent)) return false; - + if ($id_user == false) { global $config; $id_user = $config['id_user']; } - - $id_group = (int) db_get_value ('id_grupo', 'tagente', 'id_agente', (int) $id_agent); - - return (bool) check_acl ($id_user, $id_group, $mode); + + return (bool) check_acl_one_of_groups ( + $id_user, + agents_get_all_groups_agent((int)$id_agent), + $mode); } /** diff --git a/pandora_console/operation/agentes/alerts_status.php b/pandora_console/operation/agentes/alerts_status.php index 90c367bb64..93b31abf14 100755 --- a/pandora_console/operation/agentes/alerts_status.php +++ b/pandora_console/operation/agentes/alerts_status.php @@ -503,7 +503,7 @@ if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { $table->head[1] = "" . __('S.') . ""; if (!is_metaconsole()) { - if (check_acl($config['id_user'], $id_group, "AW") || check_acl ($config["id_user"], $id_group, "LM")) + if (check_acl_one_of_groups($config['id_user'], $all_groups, "AW") || check_acl_one_of_groups ($config["id_user"], $all_groups, "LM")) $table->head[2] = "" . __('F.') . ""; } @@ -514,7 +514,7 @@ if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) { $table->head[7] = __('Status'); if (!is_metaconsole()) { $table->size[7] = '5%'; - if (check_acl ($config["id_user"], $id_group, "LW") || check_acl ($config["id_user"], $id_group, "LM")) { + if (check_acl_one_of_groups ($config["id_user"], $all_groups, "LW") || check_acl_one_of_groups ($config["id_user"], $all_groups, "LM")) { $table->head[8] = __('Validate'); $table->align[8] = 'center'; $table->size[8] = '5%'; diff --git a/pandora_console/operation/agentes/custom_fields.php b/pandora_console/operation/agentes/custom_fields.php index b9f33aa672..5bd57d834c 100644 --- a/pandora_console/operation/agentes/custom_fields.php 
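Review bot: `users_access_to_agent()` now depends on what `agents_get_all_groups_agent()` returns for an id that matches no agent, and that is not visible in this diff. The old code cast a missing row to group 0 before calling `check_acl()`; the new path should deny explicitly, for example by storing the lookup in `$groups` and adding `if (empty($groups)) { return false; }` before the check. The docblock above the function (outside the hunk) should state that access is granted when the user holds `$mode` on any one of the agent's groups.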
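Review bot: Both hunks in alerts_status.php switch from `$id_group` to `$all_groups`, but no assignment of `$all_groups` appears in either of them. custom_fields.php in this same commit guards for the case where the including page has not set it; if this file can be reached without that, the "F." and "Validate" columns are decided from an undefined variable. A matching guard before the table header is built would make the file self-contained, e.g. `if (!isset($all_groups)) { $all_groups = array($id_group); }`, assuming `$id_group` is still the group this page filters on.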
+++ b/pandora_console/operation/agentes/custom_fields.php @@ -29,15 +29,20 @@ if ($id_agente === -1) { return; } -if (! check_acl ($config["id_user"], $agent["id_grupo"], "AR") && ! check_acl ($config['id_user'], 0, "AW")) { - db_pandora_audit("ACL Violation", +// All groups is calculated in ver_agente.php. Avoid to calculate it again +if (!isset($all_groups)) { + $all_groups = agents_get_all_groups_agent ($idAgent, $id_group); +} + +if (! check_acl_one_of_groups ($config["id_user"], $all_groups, "AR") && ! check_acl ($config['id_user'], 0, "AW")) { + db_pandora_audit("ACL Violation", "Trying to access Agent General Information"); require_once ("general/noaccess.php"); return; } -$all_customs_fields = (bool)check_acl($config["id_user"], - $agent["id_grupo"], "AW"); +$all_customs_fields = (bool)check_acl_one_of_groups($config["id_user"], + $all_groups, "AW"); if ($all_customs_fields) { $fields = db_get_all_rows_filter('tagent_custom_fields'); diff --git a/pandora_console/operation/agentes/estado_agente.php b/pandora_console/operation/agentes/estado_agente.php index d272c5e2f4..1523610680 100644 --- a/pandora_console/operation/agentes/estado_agente.php +++ b/pandora_console/operation/agentes/estado_agente.php @@ -95,8 +95,8 @@ if (is_ajax ()) { if ($get_agent_module_last_value) { $id_module = (int) get_parameter ('id_agent_module'); - - if (! check_acl ($config['id_user'], agents_get_agentmodule_group ($id_module), "AR")) { + $id_agent = (int) modules_get_agentmodule_agent ((int) $id_module); + if (! check_acl_one_of_groups ($config['id_user'], agents_get_all_groups_agent ($id_agent), "AR")) { db_pandora_audit("ACL Violation", "Trying to access agent main list view"); echo json_encode (false);
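Review bot: The fallback in custom_fields.php calls `agents_get_all_groups_agent ($idAgent, $id_group)`, but the visible code in this file uses `$id_agente` (hunk header) and `$agent["id_grupo"]` (the removed lines), so these two names look undefined whenever the guard actually fires. In that case the "AR" check would not be evaluated against this agent's groups. Using the file's own variables keeps the fallback equivalent to the old check: `$all_groups = agents_get_all_groups_agent ($id_agente, $agent["id_grupo"]);`. The comment could read `// $all_groups is normally computed in ver_agente.php; compute it here only if missing`.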