Module: check_mk
Branch: master
Commit: 28463b4498455b8796394dafaae1c5fac8f9077b
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=28463b4498455b…
Author: Simon Betz <si(a)mathias-kettner.de>
Date: Mon May 15 11:45:01 2017 +0200
4658 FIX Fixed permissions in BI packs using rules from other packs
Change-Id: I272bcc753b6d287f5f9e063bc3c2915f3aed7874
---
.werks/4658 | 13 +++++++++++++
web/plugins/wato/bi.py | 19 +++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/.werks/4658 b/.werks/4658
new file mode 100644
index 0000000..193c8a9
--- /dev/null
+++ b/.werks/4658
@@ -0,0 +1,13 @@
+Title: Fixed permissions in BI packs using rules from other packs
+Level: 1
+Component: bi
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1494836173
+
+If users use rules with node rules from other BI packs for which they have
+no permissions, these parent rules could be damaged by editing them. Now they
+get an error message and editing is not allowed any more.
diff --git a/web/plugins/wato/bi.py b/web/plugins/wato/bi.py
index 295fa6a..b9c1c75 100644
--- a/web/plugins/wato/bi.py
+++ b/web/plugins/wato/bi.py
@@ -1490,6 +1490,7 @@ class ModeBIEditRule(ModeBI):
def page(self):
+ self._may_use_rules_from_packs()
if self._new:
cloneid = html.var("clone")
if cloneid:
@@ -1518,6 +1519,24 @@ class ModeBIEditRule(ModeBI):
html.end_form()
+ def _may_use_rules_from_packs(self):
+ rules_without_permissions = {}
+ for node in self._pack["rules"][self._ruleid]["nodes"]:
+ node_type, node_content = node
+ node_name = node_content[0]
+ pack = self.pack_containing_rule(node_name)
+ if node_type == 'call' and not self.may_use_rules_in_pack(pack):
+ packid = (pack['id'], pack['title'])
+ rules_without_permissions.setdefault(packid, [])
+ rules_without_permissions[packid].append(node_name)
+
+ if rules_without_permissions:
+ message = ", ".join([_("in BI rules %s used in pack
'%s'") % \
+ (", ".join([ "'%s'" % ruleid
for ruleid in ruleids]), title)
+ for (nodeid, title), ruleids in
rules_without_permissions.items()])
+ raise MKAuthException(_("You have no permission for changes %s.") %
message)
+
+
def valuespec(self):
elements = [
( "id",