Module: check_mk Branch: master Commit: 0fe2ad1c69e7b40fd04f49168a21614bb9fad300 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0fe2ad1c69e7b4… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Fri Sep 18 09:05:45 2015 +0200 #2611 FIX Fixed host view permission checks on host related pages Different host related pages (properties, services, rulesets, diagnose) were lacking a "read host" permission checks. So user were able to view details about hosts which they were not permitted. --- .werks/2611 | 12 ++++++++++++ ChangeLog | 1 + web/htdocs/wato.py | 13 +++++++++++++ 3 files changed, 26 insertions(+) diff --git a/.werks/2611 b/.werks/2611 new file mode 100644 index 0000000..3b4c2dc --- /dev/null +++ b/.werks/2611 @@ -0,0 +1,12 @@ +Title: Fixed host view permission checks on host related pages +Level: 1 +Component: wato +Class: fix +Compatible: compat +State: unknown +Version: 1.2.7i3 +Date: 1442559852 + +Different host related pages (properties, services, rulesets, diagnose) were lacking +a "read host" permission checks. So user were able to view details about hosts which +they were not permitted. diff --git a/ChangeLog b/ChangeLog index 11e3c61..759efe1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -267,6 +267,7 @@ * 2560 FIX: Fixed rare exception when using bulk host move... * 2603 FIX: Git integration: Preventing issues with *.mk.new files... * 2610 FIX: Fixed host search showing results of not permitted folder + * 2611 FIX: Fixed host view permission checks on host related pages... Notifications: * 2478 Integrated notification plugin for mobile phone push messages via Pushover... diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py index 4635fdb..b1f3526 100644 --- a/web/htdocs/wato.py +++ b/web/htdocs/wato.py @@ -2003,11 +2003,14 @@ def mode_edithost(phase, new, cluster): host = g_folder[".hosts"][clonename] cluster = ".nodes" in host mode = "clone" + check_host_permissions(clonename) + elif not new and hostname in g_folder[".hosts"]: title = _("Properties of host") + " " + hostname host = g_folder[".hosts"][hostname] cluster = ".nodes" in host mode = "edit" + check_host_permissions(hostname) else: if cluster: title = _("Create new cluster") @@ -2017,6 +2020,7 @@ def mode_edithost(phase, new, cluster): host = {} mode = "new" new = True + check_new_host_permissions(g_folder, host, hostname) if phase == "title": return title @@ -2252,6 +2256,8 @@ def mode_rename_host(phase): if hostname not in g_folder[".hosts"]: raise MKGeneralException(_("You called this page with an invalid host name.")) + check_host_permissions(hostname) + host = g_folder[".hosts"][hostname] is_cluster = ".nodes" in host @@ -2545,6 +2551,9 @@ def mode_object_parameters(phase): is_cluster = ".nodes" in host service = html.var("service") + if hostname: + check_host_permissions(hostname) + if phase == "title": title = _("Parameters of") + " " + hostname if service: @@ -2903,6 +2912,8 @@ def mode_diag_host(phase): if not hostname: raise MKGeneralException(_('The hostname is missing.')) + check_host_permissions(hostname) + if phase == 'title': return _('Diagnostic of host') + " " + hostname @@ -3125,6 +3136,8 @@ def mode_inventory(phase, firsttime): raise MKGeneralException(_("You called this page for a non-existing host.")) host = g_folder[".hosts"][hostname] + check_host_permissions(hostname) + if phase == "title": title = _("Services of host %s") % hostname if html.var("_scan"):