Module: nagvis Branch: master Commit: 3d2239f52d376e172826ee67d9e355734e137e65 URL: http://nagvis.git.sourceforge.net/git/gitweb.cgi?p=nagvis/nagvis;a=commit;h=3d2239f52d376e172826ee67d9e355734e137e65
Author: Lars Michelsen <[email protected]> Date: Sun Oct 18 22:02:34 2009 +0200
#16 The objects (maps, automaps) in the automap and map modules are checked now by authorisation modules
---
.../nagvis-js/classes/FrontendModAutomap.php | 7 +++
.../frontend/nagvis-js/classes/FrontendModMap.php | 7 +++
share/frontend/nagvis-js/index.php | 10 ++++-
share/server/core/ajax_handler.php | 10 ++++-
share/server/core/classes/CoreAuthModSQLite.php | 2 +-
share/server/core/classes/CoreModAutoMap.php | 7 +++
share/server/core/classes/CoreModMap.php | 7 +++
share/server/core/classes/CoreModule.php | 40 ++++++++++++++++++--
share/server/core/classes/GlobalCore.php | 4 +-
9 files changed, 85 insertions(+), 9 deletions(-)
diff --git a/share/frontend/nagvis-js/classes/FrontendModAutomap.php b/share/frontend/nagvis-js/classes/FrontendModAutomap.php
index df1d56a..27186a9 100644
--- a/share/frontend/nagvis-js/classes/FrontendModAutomap.php
+++ b/share/frontend/nagvis-js/classes/FrontendModAutomap.php
@@ -22,9 +22,16 @@ class FrontendModAutoMap extends FrontendModule {
 unset($aVals['show']);
 $this->opts = $aVals;
 
+ // Register valid actions
 $this->aActions = Array(
 'view' => REQUIRES_AUTHORISATION
 );
+
+ // Register valid objects
+ $this->aObjects = $this->CORE->getAvailableAutomaps();
+
+ // Set the requested object for later authorisation
+ $this->setObject($this->name);
 }
 
 public function handleAction() {
diff --git a/share/frontend/nagvis-js/classes/FrontendModMap.php b/share/frontend/nagvis-js/classes/FrontendModMap.php
index 64107ba..19e7716 100644
--- a/share/frontend/nagvis-js/classes/FrontendModMap.php
+++ b/share/frontend/nagvis-js/classes/FrontendModMap.php
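Review bot: The return value of `$this->setObject($this->name)` is discarded, so a `show` value that is not in `getAvailableAutomaps()` leaves `sObject` empty and the request simply continues without an object; the same pattern is repeated in FrontendModMap, CoreModAutoMap and CoreModMap. Both dispatchers then pass a null object to `isPermitted()`, which turns an unknown map name into a module-wide permission check instead of a refusal — whether that ends up more permissive depends on how the authorisation module treats a null object, which this commit does not show. I would make the failed registration explicit, e.g. `if(!$this->setObject($this->name)) { /* unknown map: record it so the dispatcher can deny */ }`, rather than silently dropping the object. The constructor starts outside the hunk.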
@@ -14,9 +14,16 @@ class FrontendModMap extends FrontendModule {
 $this->name = $aVals['show'];
 $this->search = $aVals['search'];
 
+ // Register valid actions
 $this->aActions = Array(
 'view' => REQUIRES_AUTHORISATION
 );
+
+ // Register valid objects
+ $this->aObjects = $this->CORE->getAvailableMaps();
+
+ // Set the requested object for later authorisation
+ $this->setObject($this->name);
 }
 
 public function handleAction() {
diff --git a/share/frontend/nagvis-js/index.php b/share/frontend/nagvis-js/index.php
index a9f6f22..a6dde72 100644
--- a/share/frontend/nagvis-js/index.php
+++ b/share/frontend/nagvis-js/index.php
@@ -118,8 +118,16 @@ $MODULE->setAction($UHANDLER->get('act'));
 if($MODULE->actionRequiresAuthorisation()) {
 // Only proceed with authenticated users
 if($AUTH->isAuthenticated()) {
+ // In some modules not only the mod and the action need to be authorized
+ // The called object needs separate authorisation too (e.g. in maps)
+ if($MODULE->checkForObjectAuthorisation()) {
+ $sObj = $MODULE->getObject();
+ } else {
+ $sObj = null;
+ }
+
 // Check if the user is permited to this action in the module
- if(!isset($AUTHORISATION) || !$AUTHORISATION->isPermitted($UHANDLER->get('mod'), $UHANDLER->get('act'))) {
+ if(!isset($AUTHORISATION) || !$AUTHORISATION->isPermitted($UHANDLER->get('mod'), $UHANDLER->get('act'), $sObj)) {
 new GlobalMessage('ERROR', $CORE->LANG->getText('You are not permitted to access this page'), null, $CORE->LANG->getText('Access denied'));
 }
 } else {
diff --git a/share/server/core/ajax_handler.php b/share/server/core/ajax_handler.php
index 56a7987..b7e3086 100644
--- a/share/server/core/ajax_handler.php
+++ b/share/server/core/ajax_handler.php
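Review bot: The object lookup is copy-pasted between index.php and ajax_handler.php (the same seven lines, comment included), so the two entry points can drift the next time the authorisation contract changes; a single helper on CoreModule, or at least the one-liner `$sObj = $MODULE->checkForObjectAuthorisation() ? $MODULE->getObject() : null;`, keeps the decision in one place. The comment should also say that `$sObj` is null not only for modules without objects but also when a Map/AutoMap request named an object that `setObject()` rejected, because that is exactly the case in which `isPermitted()` quietly loses its third argument. The `if($MODULE->actionRequiresAuthorisation())` block continues outside the hunk.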
@@ -113,8 +113,16 @@ $MODULE->setAction($UHANDLER->get('act'));
 if($MODULE->actionRequiresAuthorisation()) {
 // Only proceed with authenticated users
 if($AUTH->isAuthenticated()) {
+ // In some modules not only the mod and the action need to be authorized
+ // The called object needs separate authorisation too (e.g. in maps)
+ if($MODULE->checkForObjectAuthorisation()) {
+ $sObj = $MODULE->getObject();
+ } else {
+ $sObj = null;
+ }
+
 // Check if the user is permited to this action in the module
- if(!isset($AUTHORISATION) || !$AUTHORISATION->isPermitted($UHANDLER->get('mod'), $UHANDLER->get('act'))) {
+ if(!isset($AUTHORISATION) || !$AUTHORISATION->isPermitted($UHANDLER->get('mod'), $UHANDLER->get('act'), $sObj)) {
 new GlobalMessage('ERROR', $CORE->LANG->getText('You are not permitted to access this page'), null, $CORE->LANG->getText('Access denied'));
 }
 } else {
diff --git a/share/server/core/classes/CoreAuthModSQLite.php b/share/server/core/classes/CoreAuthModSQLite.php
index d650827..212fa9c 100644
--- a/share/server/core/classes/CoreAuthModSQLite.php
+++ b/share/server/core/classes/CoreAuthModSQLite.php
@@ -48,7 +48,7 @@ class CoreAuthModSQLite extends CoreAuthModule {
 $this->DB->query('INSERT INTO perms (permId, mod, act, obj) VALUES (8, \'Map\', \'view\', \'demo\')');
 $this->DB->query('INSERT INTO perms (permId, mod, act, obj) VALUES (9, \'Map\', \'getMapProperties\', \'demo\')');
 $this->DB->query('INSERT INTO perms (permId, mod, act, obj) VALUES (10, \'Map\', \'getMapObjects\', \'demo\')');
- $this->DB->query('INSERT INTO perms (permId, mod, act, obj) VALUES (11, \'Map\', \'getObjectsStates\', \'demo\')');
+ $this->DB->query('INSERT INTO perms (permId, mod, act, obj) VALUES (11, \'Map\', \'getObjectStates\', \'demo\')');
 
 // nagiosadmin => Administrators
 $this->DB->query('INSERT INTO users2roles (userId, roleId) VALUES (1, 1)');
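Review bot: The corrected action name `getObjectStates` only reaches databases created after this commit, because the hunk changes a seeding INSERT; installations that already initialised their SQLite file keep permission row 11 pointing at the non-existent action `getObjectsStates`, so the demo map's `getObjectStates` action presumably has no matching permission there until the row is fixed. A comment above the statement, `// 11: must match CoreModMap's 'getObjectStates' action name; already-seeded DBs need this row updated`, or a small update step for existing databases, would make that visible to whoever upgrades. The enclosing method starts and ends outside the hunk, so I cannot confirm from here that it runs only on first creation.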
diff --git a/share/server/core/classes/CoreModAutoMap.php b/share/server/core/classes/CoreModAutoMap.php
index 6427046..167bce2 100644
--- a/share/server/core/classes/CoreModAutoMap.php
+++ b/share/server/core/classes/CoreModAutoMap.php
@@ -9,12 +9,19 @@ class CoreModAutoMap extends CoreModule {
 $aVals = $this->getCustomOptions($aOpts);
 $this->name = $aVals['show'];
 
+ // Register valid actions
 $this->aActions = Array(
 'parseAutomap' => REQUIRES_AUTHORISATION,
 'getAutomapProperties' => REQUIRES_AUTHORISATION,
 'getAutomapObjects' => REQUIRES_AUTHORISATION,
 'getObjectStates' => REQUIRES_AUTHORISATION
 );
+
+ // Register valid objects
+ $this->aObjects = $this->CORE->getAvailableAutomaps();
+
+ // Set the requested object for later authorisation
+ $this->setObject($this->name);
 }
 
 public function handleAction() {
diff --git a/share/server/core/classes/CoreModMap.php b/share/server/core/classes/CoreModMap.php
index da07102..8ceb677 100644
--- a/share/server/core/classes/CoreModMap.php
+++ b/share/server/core/classes/CoreModMap.php
@@ -9,11 +9,18 @@ class CoreModMap extends CoreModule {
 $aVals = $this->getCustomOptions($aOpts);
 $this->name = $aVals['show'];
 
+ // Register valid actions
 $this->aActions = Array(
 'getMapProperties' => REQUIRES_AUTHORISATION,
 'getMapObjects' => REQUIRES_AUTHORISATION,
 'getObjectStates' => REQUIRES_AUTHORISATION,
 );
+
+ // Register valid objects
+ $this->aObjects = $this->CORE->getAvailableMaps();
+
+ // Set the requested object for later authorisation
+ $this->setObject($this->name);
 }
 
 public function handleAction() {
diff --git a/share/server/core/classes/CoreModule.php b/share/server/core/classes/CoreModule.php
index 851208a..19ec42e 100644
--- a/share/server/core/classes/CoreModule.php
+++ b/share/server/core/classes/CoreModule.php
@@ -6,8 +6,9 @@ abstract class CoreModule {
 protected $UHANDLER = null;
 protected $aActions = Array();
+ protected $aObjects = Array();
 protected $sAction = '';
- protected $bRequiresAuthorisation;
+ protected $sObject = '';
 
 public function passAuth($AUTHENTICATION, $AUTHORISATION) {
 $this->AUTHENTICATION = $AUTHENTICATION;
@@ -32,13 +33,44 @@ abstract class CoreModule {
 }
 
 public function actionRequiresAuthorisation() {
+ $bRequiresAuthorisation = false;
+
 if(isset($this->aActions[$this->sAction]) && $this->aActions[$this->sAction] === REQUIRES_AUTHORISATION) {
- $this->bRequiresAuthorisation = true;
+ $bRequiresAuthorisation = true;
+ }
+
+ return $bRequiresAuthorisation;
+ }
+
+ public function offersObject($sObject) {
+ if(isset($this->aObjects[$sObject])) {
+ return true;
 } else {
- $this->bRequiresAuthorisation = false;
+ return false;
+ }
+ }
+
+ public function setObject($sObject) {
+ if($this->offersObject($sObject)) {
+ $this->sObject = $sObject;
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+ public function getObject() {
+ return $this->sObject;
+ }
+
+ public function checkForObjectAuthorisation() {
+ $bRet = false;
+
+ if($this->sObject !== '') {
+ $bRet = true;
 }
 
- return $this->bRequiresAuthorisation;
+ return $bRet;
 }
 
 protected function getCustomOptions($aKeys) {
diff --git a/share/server/core/classes/GlobalCore.php b/share/server/core/classes/GlobalCore.php
index 8132bbc..e597fdd 100644
--- a/share/server/core/classes/GlobalCore.php
+++ b/share/server/core/classes/GlobalCore.php
@@ -342,7 +342,7 @@ class GlobalCore {
 while (false !== ($file = readdir($handle))) {
 if(preg_match(MATCH_CFG_FILE, $file, $arrRet)) {
 if($strMatch == NULL || ($strMatch != NULL && preg_match($strMatch, $arrRet[1]))) {
- $files[] = $arrRet[1];
+ $files[$arrRet[1]] = $arrRet[1];
 }
 }
 }
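Review bot: `offersObject()` passes `$sObject` straight into `isset($this->aObjects[$sObject])`, and `setObject()` is called with the raw `show` request value, so a non-scalar value (the `show[]=x` form) reaches the array offset; depending on PHP version that is an "Illegal offset type" warning or a TypeError rather than a clean `false`, unless `getCustomOptions()` already guarantees a string, which the hunk does not show. A guard such as `return is_string($sObject) && isset($this->aObjects[$sObject]);` covers it and also folds the if/else into one expression; likewise `checkForObjectAuthorisation()` can be `return $this->sObject !== '';` and `setObject()` can use an early `if(!$this->offersObject($sObject)) { return false; }`. A short docblock on `checkForObjectAuthorisation()` saying it is true only when a registered object was accepted by `setObject()` would help the dispatchers that key their `isPermitted()` call on it.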
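Review bot: Keying `$files` by the map name changes the return shape of this method (and of the one at @@ -371) from a list to a name-indexed map, which `CoreModule::offersObject()` now depends on, but any other caller that iterates positionally or reads `$files[0]` gets names as keys from now on; those callers are not visible here and should be checked. Because the shape is now part of the authorisation contract, a docblock on both methods, `@return array map name => map name, keyed so CoreModule::offersObject() can use isset()`, would explain why the key duplicates the value. The loop's enclosing method starts and ends outside the hunk.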
@@ -371,7 +371,7 @@ class GlobalCore {
 while (false !== ($file = readdir($handle))) {
 if(preg_match(MATCH_CFG_FILE, $file, $arrRet)) {
 if($strMatch == NULL || ($strMatch != NULL && preg_match($strMatch, $arrRet[1]))) {
- $files[] = $arrRet[1];
+ $files[$arrRet[1]] = $arrRet[1];
 }
 }
 }
------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Nagvis-checkins mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nagvis-checkins
