[icinga-checkins] icinga.org: icingaweb2/master: Security: Introduce AdmissionLoader:: getPermissionsAndRestrictions() for loading permissins and restrictions from roles.ini

git at icinga.org git at icinga.org
Wed Nov 19 16:31:57 CET 2014


Module: icingaweb2
Branch: master
Commit: b01a9a65e06e2e1e510dd5fbec622fb26817db4b
URL:    https://git.icinga.org/?p=icingaweb2.git;a=commit;h=b01a9a65e06e2e1e510dd5fbec622fb26817db4b

Author: Eric Lippmann <eric.lippmann at netways.de>
Date:   Wed Nov 19 15:10:09 2014 +0100

Security: Introduce AdmissionLoader::getPermissionsAndRestrictions() for loading permissins and restrictions from roles.ini

When loading from roles.ini there's currently an empty permission added which is of course a bug and will be fixed asap.

refs #5647

---

 library/Icinga/Authentication/AdmissionLoader.php |   45 +++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/library/Icinga/Authentication/AdmissionLoader.php b/library/Icinga/Authentication/AdmissionLoader.php
index 65d99f4..4a65d15 100644
--- a/library/Icinga/Authentication/AdmissionLoader.php
+++ b/library/Icinga/Authentication/AdmissionLoader.php
@@ -5,6 +5,7 @@
 namespace Icinga\Authentication;
 
 use Icinga\Application\Config;
+use Icinga\Application\Logger;
 use Icinga\Exception\NotReadableError;
 use Icinga\Data\ConfigObject;
 use Icinga\User;
@@ -43,6 +44,50 @@ class AdmissionLoader
     }
 
     /**
+     * Get user permissions and restrictions
+     *
+     * @param   User $user
+     *
+     * @return  array
+     */
+    public function getPermissionsAndRestrictions(User $user)
+    {
+        $permissions = array();
+        $restrictions = array();
+        $username = $user->getUsername();
+        try {
+            $roles = Config::app('roles');
+        } catch (NotReadableError $e) {
+            Logger::error(
+                'Can\'t get permissions and restrictions for user \'%s\'. An exception was thrown:',
+                $username,
+                $e
+            );
+            return array($permissions, $restrictions);
+        }
+        $userGroups = $user->getGroups();
+        foreach ($roles as $role) {
+            if ($this->match($username, $userGroups, $role)) {
+                $permissions = array_merge(
+                    $permissions,
+                    array_diff(String::trimSplit($role->permissions), $permissions)
+                );
+                $restrictionsFromRole = $role->toArray();
+                unset($restrictionsFromRole['users']);
+                unset($restrictionsFromRole['groups']);
+                unset($restrictionsFromRole['permissions']);
+                foreach ($restrictionsFromRole as $name => $restriction) {
+                    if (! isset($restrictions[$name])) {
+                        $restrictions[$name] = array();
+                    }
+                    $restrictions[$name][] = $restriction;
+                }
+            }
+        }
+        return array($permissions, $restrictions);
+    }
+
+    /**
      * Get user permissions
      *
      * @param   User  $user
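Review bot: The `catch (NotReadableError $e)` branch returns `array($permissions, $restrictions)` with both arrays empty, and an empty restriction list looks the same as "no restrictions apply". Whether an unreadable roles.ini fails closed therefore depends on every caller denying access on an empty permission list; the docblock should state this, or the error should be propagated instead of swallowed. In the same branch the `Logger::error()` format string has one `%s` but receives `$username` and `$e`, so if Logger formats printf-style the exception text never reaches the log; the message should probably end in `An exception was thrown: %s`. In the loop, every key left after the three `unset()` calls is collected as a restriction, so a misspelled `users` or `permissions` key in roles.ini would silently become a restriction name, and a role without a `permissions` line is presumably what produces the empty permission the commit message mentions; a guard such as `if (! empty($role->permissions))` around the `array_merge()` would avoid it. `match()` and the import for `String` lie outside the hunk, so their behaviour cannot be checked from here.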


