[checkmk-commits] 7191 FIX get_all_hosts: Users with read but not write access to all hosts/ folders can now use this call

Module: check_mk Branch: master Commit: 664a20212837fc226e1c4d4544eeeab1ec7e5009 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=664a20212837fc… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Fri Mar 1 14:12:09 2019 +0100 7191 FIX get_all_hosts: Users with read but not write access to all hosts/folders can now use this call There was a bug in the permission checking logic of the get_all_hosts API call. In case one tried to create a "read only" for exporting all hosts, this was not possible without the write permission. The following permissions should be needed: <ul> <li>Use Multisite at all</li> <li>Access to Web-API</li> <li>Use WATO</li> <li>Read access to all hosts and folders</li> </ul> In previous versions the permission "Write access to all hosts and folders" was needed in addition. Change-Id: I1a14cce597ec727f87f336fd12a4210c0eaa489e --- .werks/7191 | 25 +++++++++++++++++++++++++ cmk/gui/watolib/hosts_and_folders.py | 10 +++++++--- 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/.werks/7191 b/.werks/7191 new file mode 100644 index 0000000..ff941cf --- /dev/null +++ b/.werks/7191 @@ -0,0 +1,25 @@ +Title: get_all_hosts: Users with read but not write access to all hosts/folders can now use this call +Level: 1 +Component: wato +Class: fix +Compatible: compat +Edition: cre +State: unknown +Version: 1.6.0i1 +Date: 1551431255 + +There was a bug in the permission checking logic of the get_all_hosts API call. In case one +tried to create a "read only" for exporting all hosts, this was not possible without the write +permission. + +The following permissions should be needed: + +<ul> +<li>Use Multisite at all</li> +<li>Access to Web-API</li> +<li>Use WATO</li> +<li>Read access to all hosts and folders</li> +</ul> + +In previous versions the permission "Write access to all hosts and folders" was needed in +addition. diff --git a/cmk/gui/watolib/hosts_and_folders.py b/cmk/gui/watolib/hosts_and_folders.py index 290b2f2..0046c4c 100644 --- a/cmk/gui/watolib/hosts_and_folders.py +++ b/cmk/gui/watolib/hosts_and_folders.py @@ -1149,8 +1149,9 @@ class CREFolder(BaseFolder): return host def _user_needs_permission(self, how): - if config.user.may("wato.all_folders"): + if how == "write" and config.user.may("wato.all_folders"): return + if how == "read" and config.user.may("wato.see_all_folders"): return @@ -1976,8 +1977,11 @@ class CREHost(WithPermissionsAndAttributes): return self.folder().groups(self) def _user_needs_permission(self, how): - if config.user.may("wato.all_folders"): - return True + if how == "write" and config.user.may("wato.all_folders"): + return + + if how == "read" and config.user.may("wato.see_all_folders"): + return if how == "write": config.user.need_permission("wato.edit_hosts")