2009-03-27 Evi Vanoost <vanooste@rcbi.rochester.edu>

* include/functions_db.php: Fixed group functions that would return data even if the user didn't have access to the group. Added safe_acl_group which filters out groups the user doesn't have access to out of an array of groups. Added check_acl which deprecates give_acl (new naming scheme) git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@1576 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2009-03-27 20:01:13 +00:00 · 2009-03-27 20:01:13 +00:00 · e4512f4544
parent be7618ad03
commit e4512f4544
2 changed files with 140 additions and 84 deletions
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@ -1,3 +1,11 @@
+2009-03-27  Evi Vanoost  <vanooste@rcbi.rochester.edu>
+
+	* include/functions_db.php: Fixed group functions that would return
+	data even if the user didn't have access to the group. Added 
+	safe_acl_group which filters out groups the user doesn't have access to
+	out of an array of groups. Added check_acl which deprecates give_acl
+	(new naming scheme)
+
 2009-03-27  Esteban Sanchez  <estebans@artica.es>

 	* include/functions_ui.php: Put template details icon on the left of
--- a/pandora_console/include/functions_db.php
+++ b/pandora_console/include/functions_db.php
@ -59,37 +59,38 @@ function check_login () {
 * PM - Pandora Management
 *
 * @param int $id_user User id
- * @param int $id_group Agents group id
+ * @param int $id_group Agents group id to check from
 * @param string $access Access privilege
 *
 * @return bool 1 if the user has privileges, 0 if not.
 */
-function give_acl ($id_user, $id_group, $access) {
-	// IF user is level = 1 then always return 1
-
-	global $config;
-	$nivel = is_user_admin ($id_user);
-	if ($nivel) {
+function check_acl ($id_user, $id_group, $access) {
+	if (empty ($id_user)) {
+		//User ID needs to be specified
+		trigger_error ("Security error: check_acl got an empty string for user id", E_USER_WARNING);
+		return 0;
+	} elseif (is_user_admin ($id_user)) {
 		return 1;
-		//Apparently nivel is 1 if user has full admin access
+	} else {
+		$id_group = (int) $id_group;
 	}
 			
 	//Joined multiple queries into one. That saves on the query overhead and query cache.
 	if ($id_group == 0) {
-		$query1=sprintf("SELECT tperfil.incident_view,tperfil.incident_edit,tperfil.incident_management,tperfil.agent_view,tperfil.agent_edit,tperfil.alert_edit,tperfil.alert_management,tperfil.pandora_management,tperfil.db_management,tperfil.user_management FROM tusuario_perfil,tperfil WHERE tusuario_perfil.id_perfil = tperfil.id_perfil AND tusuario_perfil.id_usuario = '%s'", $id_user);
-		//GroupID = 0, access doesnt matter (use with caution!) - Any user gets access to group 0
+		$query = sprintf("SELECT tperfil.incident_view,tperfil.incident_edit,tperfil.incident_management,tperfil.agent_view,tperfil.agent_edit,tperfil.alert_edit,tperfil.alert_management,tperfil.pandora_management,tperfil.db_management,tperfil.user_management FROM tusuario_perfil,tperfil WHERE tusuario_perfil.id_perfil = tperfil.id_perfil AND tusuario_perfil.id_usuario = '%s'", $id_user);
+		//GroupID = 0, group id doesnt matter (use with caution!)
 	} else {
-		$query1=sprintf("SELECT tperfil.incident_view,tperfil.incident_edit,tperfil.incident_management,tperfil.agent_view,tperfil.agent_edit,tperfil.alert_edit,tperfil.alert_management,tperfil.pandora_management,tperfil.db_management,tperfil.user_management FROM tusuario_perfil,tperfil WHERE tusuario_perfil.id_perfil = tperfil.id_perfil 
-						AND tusuario_perfil.id_usuario = '%s' AND (tusuario_perfil.id_grupo = %d OR tusuario_perfil.id_grupo= 1)", $id_user, $id_group);
+		$query = sprintf("SELECT tperfil.incident_view,tperfil.incident_edit,tperfil.incident_management,tperfil.agent_view,tperfil.agent_edit,tperfil.alert_edit,tperfil.alert_management,tperfil.pandora_management,tperfil.db_management,tperfil.user_management FROM tusuario_perfil,tperfil WHERE tusuario_perfil.id_perfil = tperfil.id_perfil 
+						AND tusuario_perfil.id_usuario = '%s' AND (tusuario_perfil.id_grupo = %d OR tusuario_perfil.id_grupo = 1)", $id_user, $id_group);
 	}
 	
-	$rowdup = get_db_all_rows_sql ($query1);
+	$rowdup = get_db_all_rows_sql ($query);
+	
+	if (empty ($rowdup))
+		return 0;
+	
 	$result = 0;
-
-	if (!$rowdup)
-		return $result;
-
-	foreach($rowdup as $row) {
+	foreach ($rowdup as $row) {
 		// For each profile for this pair of group and user do...
 		switch ($access) {
 			case "IR":
@ -124,11 +125,59 @@ function give_acl ($id_user, $id_group, $access) {
 				break;
 		}
 	}
-	if ($result > 1)
-		$result = 1;
-	return $result; 
+	
+	if ($result >= 1)
+		return 1;
+		
+	return 0;
 }

+/*
+ * @deprecated Use check_acl instead
+ */
+function give_acl ($id_user, $id_group, $access) {
+	return check_acl ($id_user, $id_group, $access);
+}
+
+/**
+ * Filter out groups the user doesn't have access to
+ *
+ * Access can be:
+ * IR - Incident Read
+ * IW - Incident Write
+ * IM - Incident Management
+ * AR - Agent Read
+ * AW - Agent Write
+ * LW - Alert Write
+ * UM - User Management
+ * DM - DB Management
+ * LM - Alert Management
+ * PM - Pandora Management
+ *
+ * @param int $id_user User id
+ * @param mixed $id_group Group ID(s) to check
+ * @param string $access Access privilege
+ *
+ * @return array Groups the user DOES have acces to (or an empty array)
+ */
+function safe_acl_group ($id_user, $id_groups, $access) {
+	if (!is_array ($id_groups) && check_acl ($id_user, $id_groups, $access)) {
+		return array ($id_groups);
+	} elseif (!is_array ($id_groups)) {
+		return array ();
+	}
+	
+	foreach ($id_groups as $group) {
+		//Check ACL. If it doesn't match, remove the group
+		if (!check_acl ($id_user, $group, $access)) {
+			unset ($id_groups[$group]);
+		}
+	}
+	
+	return $id_groups;
+}
+
+	
 /** 
 * Adds an audit log entry.
 * 
@ -266,7 +315,7 @@ function give_disabled_group ($id_group) {
 }

 /**
- * Get all the agents within a group(s). For non-godmode usage get_user_groups should be used.
+ * Get all the agents within a group(s).
 *
 * @param mixed $id_group Group id or an array of ID's. If nothing is selected, it will select all
 * @param bool $disabled Add disabled agents to agents. Default: False.
@ -275,27 +324,22 @@ function give_disabled_group ($id_group) {
 * @return array An array with all agents in the group or an empty array
 */
 function get_group_agents ($id_group = 0, $disabled = false, $case = "lower") {
-	$id_group = safe_int ($id_group, 1);
+	global $config;
 	
-	//If id_group is an array, then 
-	if (empty ($id_group) || in_array (1, (array) $id_group)) {
-		//If All is included in the group list, just select All
-		$id_group = 1;
-	} else {
-		//If All is not included, select what we need
-		$id_group = implode (",", (array) $id_group);
+	$id_group = safe_acl_group ($config["id_user"], $id_group, "AR");
+	
+	if (empty ($id_group)) {
+		//An empty array means the user doesn't have access
+		return array ();
 	}
 	
-	/* 'All' group must return all agents */
-	$search = '';
-	if (!empty ($id_group) && $id_group > 1) {
-		$search .= sprintf (' WHERE id_grupo IN (%s)', $id_group);
-	}
-	if ($disabled !== false) {
-		$search .= (($search == '') ? ' WHERE' : ' AND' ).' disabled = 0';
+	$search = sprintf ('WHERE id_grupo IN (%s)', implode (",", $id_group));
+	
+	if (!empty ($disabled)) {
+		$search .= ' AND disabled = 0';
 	}
 	
-	$sql = sprintf ("SELECT id_agente, nombre FROM tagente%s ORDER BY nombre", $search);
+	$sql = sprintf ("SELECT id_agente, nombre FROM tagente %s ORDER BY nombre", $search);
 	$result = get_db_all_rows_sql ($sql);
 	
 	if ($result === false)
@ -666,27 +710,29 @@ function get_monitors_in_group ($id_group) {
 *
 * The returned events will be in the time interval ($date - $period, $date]
 * 
- * @param int $id_group Group id to get events.
+ * @param mixed $id_group Group id to get events for.
 * @param int $period Period of time in seconds to get events.
 * @param int $date Beginning date to get events.
 * 
 * @return array An array with all the events happened.
 */
 function get_group_events ($id_group, $period, $date) {
+	global $config;
+	
+	$id_group = safe_acl_group ($config["id_user"], $id_group, "AR");
+	
+	if (empty ($id_group)) {
+		//An empty array means the user doesn't have access
+		return false;
+	}
+	
 	$datelimit = $date - $period;
 	
-	if ($id_group == 1) {
 	$sql = sprintf ('SELECT * FROM tevento 
 			WHERE utimestamp > %d AND utimestamp <= %d
+			AND id_grupo IN (%s)
 			ORDER BY utimestamp ASC',
-			$datelimit, $date);
-	} else {
-		$sql = sprintf ('SELECT * FROM tevento 
-			WHERE utimestamp > %d AND utimestamp <= %d
-			AND id_grupo = %d
-			ORDER BY utimestamp ASC',
-			$datelimit, $date, $id_group);
-	}
+			$datelimit, $date, implode (",", $id_group));
 	
 	return get_db_all_rows_sql ($sql);
 }
@ -794,9 +840,11 @@ function get_alert_fires_in_period ($id_alert_module, $period, $date = 0) {
 * @return array An array with alerts dictionaries defined in a group.
 */
 function get_group_alerts ($id_group) {
+	require_once ('include/functions_agents.php');
+	
 	$alerts = array ();
 	$agents = get_group_agents ($id_group, false, "none");
-	require_once ('include/functions_agents.php');
+		
 	foreach ($agents as $agent_id => $agent_name) {
 		$agent_alerts = get_agent_alerts ($agent_id);
 		$alerts = array_merge ($alerts, $agent_alerts);