[Secondary groups] Fixed some problems in agent view

2025-07-29 16:55:05 +02:00 · 2018-03-27 16:38:17 +02:00 · 2018-03-27 16:38:17 +02:00 · 88375a2460
commit 88375a2460
parent c96b883614
11 changed files with 68 additions and 45 deletions
--- a/pandora_console/godmode/agentes/agent_manager.php
+++ b/pandora_console/godmode/agentes/agent_manager.php
@ -273,7 +273,12 @@ if(is_array($modules)){
 }
 $table->data[4][0] = __('Primary group');
-$table->data[4][1] = html_print_select_groups(false, "AR", false, 'grupo', $grupo, '', '', 0, true);
+// Cannot change primary group if user have not permission for that group
 if (isset($groups[$grupo]) || $new_agent) {
 	$table->data[4][1] = html_print_select_groups(false, "AR", false, 'grupo', $grupo, '', '', 0, true);
 } else {
 	$table->data[4][1] = groups_get_name($grupo);
 }
 $table->data[4][1] .= ' <span id="group_preview">';
 $table->data[4][1] .= ui_print_group_icon ($grupo, true);
 $table->data[4][1] .= '</span>';
--- a/pandora_console/godmode/agentes/configurar_agente.php
+++ b/pandora_console/godmode/agentes/configurar_agente.php
@ -32,15 +32,18 @@ $tab = get_parameter ('tab', 'main');
 //See if id_agente is set (either POST or GET, otherwise -1
 $id_agente = (int) get_parameter ("id_agente");
 $group = 0;
-if ($id_agente)
+$all_groups = array($group);
 if ($id_agente) {
 	$group = agents_get_agent_group ($id_agente);
 	$all_groups = agents_get_all_groups_agent($id_agente, $group);
 }
-if (!check_acl ($config["id_user"], $group, "AW", $id_agente)) {
+if (!check_acl_one_of_groups ($config["id_user"], $all_groups, "AW")) {
 	$access_granted = false;
 	switch ($tab) {
 		case 'alert':
 		case 'module':
-			if (check_acl ($config["id_user"], $group, "AD", $id_agente)) {
+			if (check_acl_one_of_groups ($config["id_user"], $all_groups, "AD")) {
 				$access_granted = true;
 			}
 			break;
@ -447,7 +450,7 @@ if ($id_agente) {
 			$incidenttab['active'] = false;
 	}
-	if (check_acl ($config["id_user"], $group, "AW", $id_agente)) {
+	if (check_acl_one_of_groups ($config["id_user"], $all_groups, "AW")) {
 		if ($has_remote_conf) {
 			$agent_name = agents_get_name($id_agente);
 			$agent_name = io_safe_output($agent_name);
@ -909,7 +912,7 @@ if ($update_agent) { // if modified some agent paramenter
 if ($id_agente) {
 	//This has been done in the beginning of the page, but if an agent was created, this id might change
 	$id_grupo = agents_get_agent_group ($id_agente);
-	if (!check_acl ($config["id_user"], $id_grupo, "AW") && !check_acl ($config["id_user"], $id_grupo, "AD")) {
+	if (!check_acl_one_of_groups ($config["id_user"], $all_groups, "AW") && !check_acl_one_of_groups ($config["id_user"], $all_groups, "AD")) {
 		db_pandora_audit("ACL Violation","Trying to admin an agent without access");
 		require ("general/noaccess.php");
 		exit;
@ -1586,8 +1589,9 @@ if ($delete_module) { // DELETE agent module !
 		WHERE tam.id_agente_modulo = tae.id_agente_modulo
 			AND tam.id_agente_modulo = ' . $id_borrar_modulo);
 	$id_grupo = (int) agents_get_agent_group($id_agente);
 	$all_groups = agents_get_all_groups_agent ($id_agente, $id_grupo);
-	if (! check_acl ($config["id_user"], $id_grupo, "AW")) {
+	if (! check_acl_one_of_groups ($config["id_user"], $all_groups, "AW")) {
 		db_pandora_audit("ACL Violation",
 			"Trying to delete a module without admin rights");
 		require ("general/noaccess.php");
--- a/pandora_console/godmode/agentes/modificar_agente.php
+++ b/pandora_console/godmode/agentes/modificar_agente.php
@ -79,16 +79,18 @@ $result = null;
 if ($agent_to_delete) {
 	$id_agente = $agent_to_delete;
-	$agent_name = agents_get_name ($id_agente);
+	if (check_acl_one_of_groups (
-	$id_grupo = agents_get_agent_group($id_agente);
+		$config["id_user"],
-	if (check_acl ($config["id_user"], $id_grupo, "AW")) {
+		agents_get_all_groups_agent($id_agente),
 		"AW"
 	)) {
 		$id_agentes[0] = $id_agente;
 		$result = agents_delete_agent($id_agentes);
 	}
 	else {
 		// NO permissions.
 		db_pandora_audit("ACL Violation",
-			"Trying to delete agent \'$agent_name\'");
+			"Trying to delete agent \'" . agents_get_name ($id_agente). "\'");
 		require ("general/noaccess.php");
 		exit;
 	}
--- a/pandora_console/godmode/agentes/module_manager.php
+++ b/pandora_console/godmode/agentes/module_manager.php
@ -111,7 +111,13 @@ if (($policy_page) || (isset($agent))) {
 		$show_creation = true;
 	}
 	else {
-		if (check_acl ($config['id_user'], $agent['id_grupo'], "AW"))
+		if (!isset($all_groups)) {
 			$all_groups = agents_get_all_groups_agent (
 				$agent['id_agente'],
 				$agent['id_grupo']
 			);
 		}
 		if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW"))
 			$show_creation = true;
 	}
@ -164,8 +170,9 @@ if ($multiple_delete) {
 	$count_correct_delete_modules = 0;
 	foreach($id_agent_modules_delete as $id_agent_module_del) {
 		$id_grupo = (int) agents_get_agent_group($id_agente);
 		$all_groups = agents_get_all_groups_agent($id_agente, $id_grupo);
-		if (! check_acl ($config["id_user"], $id_grupo, "AW")) {
+		if (! check_acl_one_of_groups ($config["id_user"], $all_groups, "AW")) {
 			db_pandora_audit("ACL Violation",
 			"Trying to delete a module without admin rights");
 			require ("general/noaccess.php");
@ -604,7 +611,7 @@ if ($checked) {
 }
 foreach ($modules as $module) {
-	if (! check_acl ($config["id_user"], $group, "AW", $id_agente) && ! check_acl ($config["id_user"], $group, "AD", $id_agente)) {
+	if (! check_acl_one_of_groups ($config["id_user"], $all_groups, "AW") && ! check_acl_one_of_groups ($config["id_user"], $all_groups, "AD")) {
 		continue;
 	}
@ -762,7 +769,7 @@ foreach ($modules as $module) {
 			array('alt' => __('Disable module'), 'title' => __('Disable module'))) ."</a>";
 	}
-	if (check_acl ($config['id_user'], $agent['id_grupo'], "AW") && $module['id_tipo_modulo'] != 25) {
+	if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW") && $module['id_tipo_modulo'] != 25) {
 		$data[8] .= '&nbsp;<a href="index.php?sec=gagente&tab=module&sec2=godmode/agentes/configurar_agente&id_agente='.$id_agente.'&duplicate_module='.$module['id_agente_modulo'].'"
 			onClick="if (!confirm(\' ' . __('Are you sure?') . '\')) return false;">';
 		$data[8] .= html_print_image ('images/copy.png', true,
@ -798,7 +805,7 @@ foreach ($modules as $module) {
 		}
 	}
-	if (check_acl ($config['id_user'], $agent['id_grupo'], "AW")) {
+	if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) {
 		// Delete module
 		$data[9] = html_print_checkbox('id_delete[]', $module['id_agente_modulo'], false, true);
 		$data[9] .= '&nbsp;<a href="index.php?sec=gagente&tab=module&sec2=godmode/agentes/configurar_agente&id_agente='.$id_agente.'&delete_module='.$module['id_agente_modulo'].'"
@ -811,14 +818,14 @@ foreach ($modules as $module) {
 	array_push ($table->data, $data);
 }
-if (check_acl ($config['id_user'], $agent['id_grupo'], "AW")) {
+if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) {
 	echo '<form method="post" action="index.php?sec=gagente&sec2=godmode/agentes/configurar_agente&id_agente='.$id_agente.'&tab=module"
 		onsubmit="if (! confirm (\'' . __('Are you sure?') . '\')) return false">';
 }
 html_print_table ($table);
-if (check_acl ($config['id_user'], $agent['id_grupo'], "AW")) {
+if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) {
 	echo '<div class="action-buttons" style="width: ' . $table->width . '">';
 	html_print_input_hidden ('multiple_delete', 1);
 	html_print_submit_button (__('Delete'), 'multiple_delete', false, 'class="sub delete"');
--- a/pandora_console/godmode/alerts/alert_list.list.php
+++ b/pandora_console/godmode/alerts/alert_list.list.php
@ -443,12 +443,11 @@ foreach ($simple_alerts as $alert) {
 	if (! $id_agente) {
 		$id_agent = modules_get_agentmodule_agent ($alert['id_agent_module']);
-		
+		$all_groups = agents_get_all_groups_agent($id_agent);
 		$agent_group = db_get_value('id_grupo', 'tagente', 'id_agente', $id_agent);
 		$data[0] = '';
-		if (check_acl ($config['id_user'], $agent_group, "AW")) {
+		if (check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) {
 			$main_tab = 'main';
 		}
 		else {
@ -467,7 +466,7 @@ foreach ($simple_alerts as $alert) {
 		$data[0] .= '</a>';
 	}
 	else {
-		$agent_group = db_get_value('id_grupo', 'tagente', 'id_agente', $id_agente);
+		$all_groups = agents_get_all_groups_agent($id_agente);
 	}
 	$module_name = modules_get_agentmodule_name ($alert['id_agent_module']);
@ -544,7 +543,7 @@ foreach ($simple_alerts as $alert) {
 				$data[2] .= '</ul>';
 				// Is possible manage actions if have LW permissions in the agent group of the alert module
-				if (check_acl ($config['id_user'], $agent_group, "LW")) {
+				if (check_acl_one_of_groups ($config['id_user'], $all_groups, "LW")) {
 					//~ $data[2] .= '<form method="post" action="' . $url . '" class="delete_link" style="display: inline; vertical-align: -50%;">';
 					$data[2] .= '<form method="post" action="' . $url . '" class="delete_link" style="display: inline;">';
 					$data[2] .= html_print_input_image ('delete',
@ -568,7 +567,7 @@ foreach ($simple_alerts as $alert) {
 	$data[2] .= '</div>';
 	$data[2] .= '</table>';
 	// Is possible manage actions if have LW permissions in the agent group of the alert module
-	if (check_acl ($config['id_user'], $agent_group, "LW") || check_acl ($config['id_user'], $template_group, "LM")) {
+	if (check_acl_one_of_groups ($config['id_user'], $all_groups, "LW") || check_acl ($config['id_user'], $template_group, "LM")) {
 		$own_info = get_user_info($config['id_user']);
 		if (check_acl ($config['id_user'], $template_group, "LW"))
 			$own_groups = users_get_groups($config['id_user'], 'LW', true);
@ -666,7 +665,7 @@ foreach ($simple_alerts as $alert) {
 	$data[4] .= '</form>';
 	// To manage alert is necessary LW permissions in the agent group
-	if(check_acl ($config['id_user'], $agent_group, "LW")) {
+	if(check_acl_one_of_groups ($config['id_user'], $all_groups, "LW")) {
 		$data[4] .= '&nbsp;&nbsp;<form class="standby_alert_form" action="' . $url . '" method="post" style="display: inline;">';
 		if (!$alert['standby']) {
 			$data[4] .= html_print_input_image ('standby_off', 'images/bell.png', 1, 'padding:0px;', true);
@ -681,7 +680,7 @@ foreach ($simple_alerts as $alert) {
 	}
 	// To access to policy page is necessary have AW permissions in the agent
-	if(check_acl ($config['id_user'], $agent_group, "AW")) {
+	if(check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) {
 		if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) {
 			$policyInfo = policies_is_alert_in_policy2($alert['id'], false);
 			if ($policyInfo === false)
@ -697,7 +696,7 @@ foreach ($simple_alerts as $alert) {
 	}
 	// To manage alert is necessary LW permissions in the agent group 
-	if(check_acl ($config['id_user'], $agent_group, "LW")) {
+	if(check_acl_one_of_groups ($config['id_user'], $all_groups, "LW")) {
 		$data[4] .= '&nbsp;&nbsp;<form class="delete_alert_form" action="' . $url . '" method="post" style="display: inline;">';
 		if ($alert['disabled']) {
 			$data[4] .= html_print_image('images/add.disabled.png',
@ -714,7 +713,7 @@ foreach ($simple_alerts as $alert) {
 		$data[4] .= '</form>';
 	}
-	if(check_acl ($config['id_user'], $agent_group, "LM")) {
+	if(check_acl_one_of_groups ($config['id_user'], $all_groups, "LM")) {
 		$data[4] .= '<form class="view_alert_form" method="post" style="display: inline;" action="index.php?sec=galertas&sec2=godmode/alerts/alert_view">';
 		$data[4] .= html_print_input_image ('view_alert', 'images/eye.png', 1, '', true, array('title' => __('View alert advanced details')));
 		$data[4] .= html_print_input_hidden ('id_alert', $alert['id'], true);
--- a/pandora_console/godmode/alerts/alert_list.php
+++ b/pandora_console/godmode/alerts/alert_list.php
@ -294,8 +294,8 @@ if ($id_agente) {
 	echo $messageAction;
 	require_once('godmode/alerts/alert_list.list.php');
-	
+	$all_groups = agents_get_all_groups_agent ($id_agente, $agent['id_grupo']);
-	if(check_acl ($config['id_user'], $agent['id_grupo'], "LW") || check_acl ($config['id_user'], $agent['id_grupo'], "LM")) {
+	if(check_acl_one_of_groups ($config['id_user'], $all_groups, "LW") || check_acl_one_of_groups ($config['id_user'], $all_groups, "LM")) {
 		require_once('godmode/alerts/alert_list.builder.php');
 	}
--- a/pandora_console/include/functions_agents.php
+++ b/pandora_console/include/functions_agents.php
@ -1836,8 +1836,8 @@ function agents_delete_agent ($id_agents, $disableACL = false) {
 		$agent_alias = io_safe_output(agents_get_alias($id_agent));
 		/* Check for deletion permissions */
-		$id_group = agents_get_agent_group ($id_agent);
+		$all_groups = agents_get_all_groups_agent ($id_agent);
-		if ((! check_acl ($config['id_user'], $id_group, "AW")) && !$disableACL) {
+		if ((! check_acl_one_of_groups ($config['id_user'], $all_groups, "AW")) && !$disableACL) {
 			return false;
 		}
--- a/pandora_console/include/functions_users.php
+++ b/pandora_console/include/functions_users.php
@ -428,9 +428,10 @@ function users_access_to_agent ($id_agent, $mode = "AR", $id_user = false) {
 		$id_user = $config['id_user'];
 	}
-	$id_group = (int) db_get_value ('id_grupo', 'tagente', 'id_agente', (int) $id_agent);
+	return (bool) check_acl_one_of_groups (
-	
+		$id_user,
-	return (bool) check_acl ($id_user, $id_group, $mode);
+		agents_get_all_groups_agent((int)$id_agent),
 		$mode);
 }
 /**
--- a/pandora_console/operation/agentes/alerts_status.php
+++ b/pandora_console/operation/agentes/alerts_status.php
@ -503,7 +503,7 @@ if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) {
 		$table->head[1] = "<span title='" . __('Standby') . "'>" . __('S.') . "</span>";
 		if (!is_metaconsole()) {
-			if (check_acl($config['id_user'], $id_group, "AW") || check_acl ($config["id_user"], $id_group, "LM"))
+			if (check_acl_one_of_groups($config['id_user'], $all_groups, "AW") || check_acl_one_of_groups ($config["id_user"], $all_groups, "LM"))
 				$table->head[2] = "<span title='" . __('Force execution') . "'>" . __('F.') . "</span>";
 		}
@ -514,7 +514,7 @@ if ($isFunctionPolicies !== ENTERPRISE_NOT_HOOK) {
 		$table->head[7] = __('Status');
 		if (!is_metaconsole()) {
 			$table->size[7] = '5%';
-			if (check_acl ($config["id_user"], $id_group, "LW") || check_acl ($config["id_user"], $id_group, "LM")) {
+			if (check_acl_one_of_groups ($config["id_user"], $all_groups, "LW") || check_acl_one_of_groups ($config["id_user"], $all_groups, "LM")) {
 				$table->head[8] = __('Validate');
 				$table->align[8] = 'center';
 				$table->size[8] = '5%';
--- a/pandora_console/operation/agentes/custom_fields.php
+++ b/pandora_console/operation/agentes/custom_fields.php
@ -29,15 +29,20 @@ if ($id_agente === -1) {
 	return;
 }
-if (! check_acl ($config["id_user"], $agent["id_grupo"], "AR") && ! check_acl ($config['id_user'], 0, "AW")) {
+// All groups is calculated in ver_agente.php. Avoid to calculate it again
 if (!isset($all_groups)) {
 	$all_groups = agents_get_all_groups_agent ($idAgent, $id_group);
 }
 if (! check_acl_one_of_groups ($config["id_user"], $all_groups, "AR") && ! check_acl ($config['id_user'], 0, "AW")) {
 	db_pandora_audit("ACL Violation",
 		"Trying to access Agent General Information");
 	require_once ("general/noaccess.php");
 	return;
 }
-$all_customs_fields = (bool)check_acl($config["id_user"],
+$all_customs_fields = (bool)check_acl_one_of_groups($config["id_user"],
-	$agent["id_grupo"], "AW");
+	$all_groups, "AW");
 if ($all_customs_fields) {
 	$fields = db_get_all_rows_filter('tagent_custom_fields');
--- a/pandora_console/operation/agentes/estado_agente.php
+++ b/pandora_console/operation/agentes/estado_agente.php
@ -95,8 +95,8 @@ if (is_ajax ()) {
 	if ($get_agent_module_last_value) {
 		$id_module = (int) get_parameter ('id_agent_module');
-		
+		$id_agent = (int) modules_get_agentmodule_agent ((int) $id_module);
-		if (! check_acl ($config['id_user'], agents_get_agentmodule_group ($id_module), "AR")) {
+		if (! check_acl_one_of_groups ($config['id_user'], agents_get_all_groups_agent ($id_agent), "AR")) {
 			db_pandora_audit("ACL Violation",
 				"Trying to access agent main list view");
 			echo json_encode (false);