[icinga-checkins] icinga.org: icingaweb2/bugfix/ assertpermission-allows-everything-for-unauthenticated-requests-12108: Don 't assert only module/... permissions if the controller doesn' t require authentication

git at icinga.org git at icinga.org
Wed Aug 31 13:20:14 CEST 2016


Module: icingaweb2
Branch: bugfix/assertpermission-allows-everything-for-unauthenticated-requests-12108
Commit: 50abb9a50ca71fd060fb19c6cce1f9bfa04115a0
URL:    https://git.icinga.org/?p=icingaweb2.git;a=commit;h=50abb9a50ca71fd060fb19c6cce1f9bfa04115a0

Author: Alexander A. Klimov <alexander.klimov at netways.de>
Date:   Wed Aug 31 13:19:30 2016 +0200

Don't assert only module/... permissions if the controller doesn't require authentication

refs #12108

refs #12108

---

 library/Icinga/Web/Controller/ActionController.php       |    2 +-
 library/Icinga/Web/Controller/ModuleActionController.php |    3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/library/Icinga/Web/Controller/ActionController.php b/library/Icinga/Web/Controller/ActionController.php
index 0703e4e..655a85a 100644
--- a/library/Icinga/Web/Controller/ActionController.php
+++ b/library/Icinga/Web/Controller/ActionController.php
@@ -179,7 +179,7 @@ class ActionController extends Zend_Controller_Action
      */
     public function assertPermission($permission)
     {
-        if ($this->requiresAuthentication && ! $this->Auth()->hasPermission($permission)) {
+        if (! $this->Auth()->hasPermission($permission)) {
             throw new SecurityException('No permission for %s', $permission);
         }
     }
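Review bot: With the `requiresAuthentication` short-circuit removed, `assertPermission()` is now reached by anonymous requests in controllers that disable authentication, and the hunk does not show what `Auth()->hasPermission()` does when no user is logged in. It presumably returns false, but that should be confirmed and pinned by a regression test for an unauthenticated controller, since the old condition made every such assertion pass silently. The docblock, which starts above the hunk, should also state the new contract, for example `Enforced regardless of $requiresAuthentication; throws SecurityException for anonymous requests.`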
diff --git a/library/Icinga/Web/Controller/ModuleActionController.php b/library/Icinga/Web/Controller/ModuleActionController.php
index 1ae32e1..f235a1b 100644
--- a/library/Icinga/Web/Controller/ModuleActionController.php
+++ b/library/Icinga/Web/Controller/ModuleActionController.php
@@ -26,7 +26,8 @@ class ModuleActionController extends ActionController
     protected function prepareInit()
     {
         $this->moduleInit();
-        if ($this->getFrontController()->getDefaultModule() !== $this->getModuleName()) {
+        if ($this->requiresAuthentication
+            && $this->getFrontController()->getDefaultModule() !== $this->getModuleName()) {
             $this->assertPermission(Manager::MODULE_PERMISSION_NS . $this->getModuleName());
         }
     }
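Review bot: The new `$this->requiresAuthentication` guard in `prepareInit()` ties the module permission check to a flag whose name only speaks about login, and nothing in the code says so. A controller that sets `requiresAuthentication = false` now skips the `module/<name>` assertion for every caller, including logged-in users who lack that permission, so its actions have to call `assertPermission()` themselves for anything not meant to be public. I would add a comment above the condition such as `// Controllers that opt out of authentication are public by design: no module permission is asserted here, actions must guard themselves`. Note also that `moduleInit()` still runs before the assertion, so whatever it does executes for callers without the module permission; worth confirming that is intended.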


