| author | osmiy <osmiy@97f52cf1-0a1b-0410-bd0e-c28be96e8082> | 2006-10-23 07:34:27 +0000 |
|---|---|---|
| committer | osmiy <osmiy@97f52cf1-0a1b-0410-bd0e-c28be96e8082> | 2006-10-23 07:34:27 +0000 |
| commit | 28a09ed13e41ddbe5e30d63e92a1f5fb3395ef89 (patch) | |
| tree | 8281ccd48964ee0dd11c5ea689091fa3cef706fb /frontends/php/include/perm.inc.php | |
| parent | 495799b2aa61aab23d74d7faa110a0cd09d59bf0 (diff) | |
| download | zabbix-28a09ed13e41ddbe5e30d63e92a1f5fb3395ef89.tar.gz zabbix-28a09ed13e41ddbe5e30d63e92a1f5fb3395ef89.tar.xz zabbix-28a09ed13e41ddbe5e30d63e92a1f5fb3395ef89.zip | |
- developed group permission system (Eugene)
git-svn-id: svn://svn.zabbix.com/trunk@3371 97f52cf1-0a1b-0410-bd0e-c28be96e8082
Diffstat (limited to 'frontends/php/include/perm.inc.php')
| -rw-r--r-- | frontends/php/include/perm.inc.php | 572 |
1 files changed, 468 insertions, 104 deletions
diff --git a/frontends/php/include/perm.inc.php b/frontends/php/include/perm.inc.php
index 0d09f82a..7763e327 100644
--- a/frontends/php/include/perm.inc.php
+++ b/frontends/php/include/perm.inc.php
@@ -19,178 +19,542 @@ **/ ?> <?php + require_once "db.inc.php"; + function permission2str($group_permission) + { + $str_perm[PERM_READ_WRITE] = S_READ_WRITE; + $str_perm[PERM_READ_ONLY] = S_READ_ONLY; + $str_perm[PERM_DENY] = S_DENY; + + if(isset($str_perm[$group_permission])) + return $str_perm[$group_permission]; + + return S_UNCNOWN; + } -define("ANY_ELEMENT_RIGHT", -1); -define("GROUP_RIGHT", 0); +/***************************************** + CHECK USER AUTHORISATION +*****************************************/ function check_authorisation() { global $page; global $PHP_AUTH_USER,$PHP_AUTH_PW; global $USER_DETAILS; - global $USER_RIGHTS; global $_COOKIE; global $_REQUEST; - global $ZBX_CURNODEID; + global $ZBX_LOCALNODEID; $USER_DETAILS = NULL; - $USER_RIGHTS = array(); - + if(isset($_COOKIE["sessionid"])) { $sessionid = $_COOKIE["sessionid"]; - $USER_DETAILS = DBfetch(DBselect("select u.*,s.* from sessions s,users u". + if(!($USER_DETAILS = DBfetch(DBselect("select u.*,s.* from sessions s,users u". " where s.sessionid=".zbx_dbstr($sessionid)." and s.userid=u.userid". " and ((s.lastaccess+u.autologout>".time().") or (u.autologout=0))". - " and mod(u.userid,100) = ".$ZBX_CURNODEID)); - - if(!$USER_DETAILS) + " and ".DBid2nodeid('u.userid')." = ".$ZBX_LOCALNODEID)))) { - $USER_DETAILS = array("alias"=>"- unknown -","userid"=>0); - setcookie("sessionid",$sessionid,time()-3600); + DBexecute("delete from sessions where sessionid=".zbx_dbstr($sessionid)); unset($_COOKIE["sessionid"]); unset($sessionid); - show_header("Login",0,0,1); - show_error_message("Session was ended, please relogin!"); - show_page_footer(); - exit; + $incorrect_session = true; } - } else { - $USER_DETAILS = DBfetch(DBselect("select u.* from users u where u.alias='guest' and mod(u.userid,100)=$ZBX_CURNODEID")); - } - - if($USER_DETAILS) - { - if(isset($sessionid)) + else { setcookie("sessionid",$sessionid); DBexecute("update sessions set lastaccess=".time()." 
where sessionid=".zbx_dbstr($sessionid)); } - - $USER_RIGHTS = array(); - - $db_rights = DBselect("select * from rights where userid=".$USER_DETAILS["userid"]); - while($db_right = DBfetch($db_rights)) + } + + if(!$USER_DETAILS) + { + if(!($USER_DETAILS = DBfetch(DBselect("select u.* from users u where u.alias='guest'". + " and ".DBid2nodeid('u.userid')."=$ZBX_LOCALNODEID")))) { - $usr_right = array( - "name"=> $db_right["name"], - "id"=> $db_right["id"], - "permission"=> $db_right["permission"] - ); + $missed_user_guest = true; + } + } - array_push($USER_RIGHTS,$usr_right); + if($USER_DETAILS) + { + $USER_DETAILS['node'] = DBfetch(DBselect('select * from nodes where nodeid='.id2nodeid($USER_DETAILS['userid']))); + if(empty($USER_DETAILS['node'])) + { + $USER_DETAILS['node']['name'] = '- uncnown -'; + $USER_DETAILS['node']['nodeid'] = $ZBX_LOCALNODEID; } - return; } else { - $USER_DETAILS = array("alias"=>"- unknown -","userid"=>0); + $USER_DETAILS = array( + "alias" =>"- unknown -", + "userid"=>0, + "lang" =>"en_gb", + "type" =>"0", + "node" =>array( + "name" =>'- uncnown -', + "nodeid"=>0)); } - -// Incorrect login - - if(isset($sessionid)) + + if(isset($incorrect_session) || isset($missed_user_guest)) { - setcookie("sessionid",$sessionid,time()-3600); - unset($_COOKIE["sessionid"]); + if(isset($incorrect_session)) $message = "Session was ended, please relogin!"; + else if(isset($missed_user_guest)) $message = "Database corrupted, missed default user 'guest'"; + + if($page["file"]!="index.php") + { + Redirect("index.php?message=".addslashes($message)); + exit; + } + if(!isset($_REQUEST['message'])) $_REQUEST['message'] = $message; } + } - if($page["file"]!="index.php") +/*********************************************** + GET ACCESSIBLE RESOURCES BY USERID +************************************************/ + function perm_mode2comparator($perm_mode) + { + switch($perm_mode) { - echo "<meta http-equiv=\"refresh\" content=\"0; url=index.php\">"; - exit; + case 
PERM_MODE_NE: $perm_mode = '!='; break; + case PERM_MODE_EQ: $perm_mode = '=='; break; + case PERM_MODE_GT: $perm_mode = '>'; break; + case PERM_MODE_LT: $perm_mode = '<'; break; + case PERM_MODE_LE: $perm_mode = '<='; break; + case PERM_MODE_GE: + default: $perm_mode = '>='; break; } - show_header("Login",0,0,1); - show_error_message("Login name or password is incorrect"); - insert_login_form(); - show_page_footer(); - - //END TODO - exit; + return $perm_mode; } - function permission2int($permission) + function get_accessible_hosts_by_user(&$user_data,$perm,$perm_mode=null,$perm_res=null,$nodeid=null,$hostid=null) { - $int_rights = array( - "A" => 3, - "U" => 2, - "R" => 1, - "H" => 0 - ); + if(is_null($perm_res)) $perm_res = PERM_RES_STRING_LINE; + if($perm == PERM_READ_LIST) $perm = PERM_READ_ONLY; + + $result = array(); + + $userid =& $user_data['userid']; + + if(!isset($userid)) fatal_error('Incorrect user data in "get_accessible_hosts_by_user"'); - if(isset($int_rights[$permission])) - return ($int_rights[$permission]); + switch($perm_res) + { + case PERM_RES_DATA_ARRAY: $resdata = '$host_data'; break; + default: $resdata = '$host_data["hostid"]'; break; + } + +COpt::counter_up('perm_host['.$userid.','.$perm.','.$perm_mode.','.$perm_res.','.$nodeid.']'); +COpt::counter_up('perm'); + + if(is_null($nodeid)) $where_nodeid = ''; + else if(is_array($nodeid)) $where_nodeid = ' and n.nodeid in ('.implode(',', $nodeid).') '; + else $where_nodeid = ' and n.nodeid in ('.$nodeid.') '; + + if(is_null($hostid)) $where_hostid = ''; + else if(is_array($hostid)) $where_hostid = ' and h.hostid in ('.implode(',', $hostid).') '; + else $where_hostid = ' and h.hostid in ('.$hostid.') '; + + $db_hosts = DBselect('select distinct n.nodeid,n.name as node_name,h.hostid,h.host, min(r.permission) as permission '. + ' from nodes n, users_groups ug '. + ' left join rights r on r.groupid=ug.usrgrpid and r.type='.RESOURCE_TYPE_GROUP.' and ug.userid='.$userid. 
+ ' right join groups g on r.id=g.groupid '. + ' left join hosts_groups hg on g.groupid=hg.groupid '. + ' right join hosts h on hg.hostid=h.hostid '. + ' where '.DBid2nodeid('h.hostid').'=n.nodeid '.$where_nodeid.$where_hostid.' group by h.hostid'. + ' order by n.name, g.name, h.host'); + + + while($host_data = DBfetch($db_hosts)) + { + /* if no rights defined used node rights */ + if(is_null($host_data['permission'])) + { + if(!isset($nodes)) + { + $nodes = get_accessible_nodes_by_user($user_data, + PERM_DENY,PERM_MODE_GE,PERM_RES_DATA_ARRAY); + } + $host_data['permission'] = $nodes[$host_data['nodeid']]['permission']; + } - return ($int_rights["R"]); + if(eval('return ('.$host_data["permission"].' '.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')) + continue; + + $result[$host_data['hostid']] = eval('return '.$resdata.';'); + } + + if($perm_res == PERM_RES_STRING_LINE) + { + if(count($result) == 0) + $result = '-1'; + else + $result = implode(',',$result); + } + + return $result; } - function permission_min($permission1, $permission2) // NOTE: only for integer permissions !!! 
see: permission2int + function get_accessible_groups_by_user($user_data,$perm,$perm_mode=null,$perm_res=null,$nodeid=null) { - if(is_null($permission1) && is_null($permission2)) return NULL; - if(is_null($permission1)) return $permission2; - if(is_null($permission2)) return $permission1; - return min($permission1,$permission2); + global $ZBX_LOCALNODEID; + + if(is_null($perm_mode)) $perm_mode = PERM_MODE_GE; + if(is_null($perm_res)) $perm_res = PERM_RES_STRING_LINE; + + $result = array(); + + $userid =& $user_data['userid']; + if(!isset($userid)) fatal_error('Incorrect user data in "get_accessible_groups_by_user"'); + + switch($perm_res) + { + case PERM_RES_DATA_ARRAY: $resdata = '$group_data'; break; + default: $resdata = '$group_data["groupid"]'; break; + } + +COpt::counter_up('perm_group['.$userid.','.$perm.','.$perm_mode.','.$perm_res.','.$nodeid.']'); +COpt::counter_up('perm'); + + if(is_null($nodeid)) $where_nodeid = ''; + else if(is_array($nodeid)) $where_nodeid = ' and n.nodeid in ('.implode(',', $nodeid).') '; + else $where_nodeid = ' and n.nodeid in ('.$nodeid.') '; + + /* if no rights defined used node rights */ + $db_groups = DBselect('select n.nodeid,n.name as node_name,hg.groupid,hg.name, min(r.permission) as permission '. + ' from nodes n, users_groups g '. + ' left join rights r on r.groupid=g.usrgrpid and r.type='.RESOURCE_TYPE_GROUP.' and g.userid='.$userid. + ' right join groups hg on r.id=hg.groupid '. + ' where '.DBid2nodeid('hg.groupid').'=n.nodeid '.$where_nodeid. + ' group by hg.groupid, hg.name, g.userid order by n.name, hg.name'); + + while($group_data = DBfetch($db_groups)) + { + /* deny if no rights defined */ + if(is_null($group_data['permission'])) + { + if(!isset($nodes)) + { + $nodes = get_accessible_nodes_by_user($user_data, + PERM_DENY,PERM_MODE_GE,PERM_RES_DATA_ARRAY); + } + $group_data['permission'] = $nodes[$group_data['nodeid']]['permission']; + } + + if(eval('return ('.$group_data["permission"].' 
'.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')) + continue; + + $result[$group_data['groupid']] = eval('return '.$resdata.';'); + } + + if($perm_res == PERM_RES_STRING_LINE) + { + if(count($result) == 0) + $result = '-1'; + else + $result = implode(',',$result); + } + + return $result; } - function permission_max($permission1, $permission2) // NOTE: only for integer permissions !!! see: permission2int + + function get_accessible_nodes_by_user(&$user_data,$perm,$perm_mode=null,$perm_res=null,$nodeid=null) { - if(is_null($permission1) && is_null($permission2)) return NULL; - if(is_null($permission1)) return $permission2; - if(is_null($permission2)) return $permission1; - return max($permission1,$permission2); + global $ZBX_LOCALNODEID; + + if(is_null($perm_mode)) $perm_mode=PERM_MODE_GE; + if(is_null($perm_res)) $perm_res=PERM_RES_STRING_LINE; + + $userid =& $user_data['userid']; + $user_type =& $user_data['type']; + if(!isset($userid)) fatal_error('Incorrect user data in "get_accessible_nodes_by_user"'); + + $result= array(); + + switch($perm_res) + { + case PERM_RES_DATA_ARRAY: $resdata = '$node_data'; break; + default: $resdata = '$node_data["nodeid"]'; break; + } + +COpt::counter_up('perm_nodes['.$userid.','.$perm.','.$perm_mode.','.$perm_res.','.$nodeid.']'); +COpt::counter_up('perm'); + + if(is_null($nodeid)) $where_nodeid = ''; + else if(is_array($nodeid)) $where_nodeid = ' where n.nodeid in ('.implode(',', $nodeid).') '; + else $where_nodeid = ' where n.nodeid in ('.$nodeid.') '; + + $db_nodes = DBselect('select n.nodeid,n.name,min(r.permission) as permission'. + ' from users_groups g left join rights r on r.groupid=g.usrgrpid and'. + ' r.type='.RESOURCE_TYPE_NODE.' and g.userid='.$userid. + ' right join nodes n on r.id=n.nodeid'.$where_nodeid. 
+ ' group by n.nodeid'); + + while($node_data = DBfetch($db_nodes)) + { + + /* deny if no rights defined (for local node read/write)*/ + if(is_null($node_data['permission'])) + { + if($user_type == USER_TYPE_SUPPER_ADMIN) + $node_data['permission'] = PERM_READ_WRITE; + else + $node_data['permission'] = + ($node_data['nodeid'] == $ZBX_LOCALNODEID) ? PERM_READ_WRITE : PERM_DENY; + } + + /* special processing for PERM_READ_LIST*/ + if(PERM_DENY == $node_data['permission'] && PERM_READ_LIST == $perm) + { + $groups = get_accessible_groups_by_user($user_data, + $perm, PERM_MODE_GE,PERM_RES_DATA_ARRAY,$node_data['nodeid']); + if(count($groups) == 0) continue; + } + else + { + if(eval('return ('.$node_data["permission"].' '.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')) + continue; + } + + $result[$node_data["nodeid"]] = eval('return '.$resdata.';'); + } + + if($perm_res == PERM_RES_STRING_LINE) + { + if(count($result) == 0) + $result = '-1'; + else + $result = implode(',',$result); + } + + return $result; } - function check_right($right,$permission,$id = GROUP_RIGHT) +/*********************************************** + GET ACCESSIBLE RESOURCES BY RIGHTS +************************************************/ + /* NOTE: right structure is + + $rights[i]['type'] = type of resource + $rights[i]['permission']= permission for resource + $rights[i]['id'] = resource id + + */ + + function get_accessible_hosts_by_rights(&$rights,$user_type,$perm,$perm_mode=null,$perm_res=null,$nodeid=null) { - global $USER_RIGHTS; + if(is_null($perm_res)) $perm_res = PERM_RES_STRING_LINE; + if($perm == PERM_READ_LIST) $perm = PERM_READ_ONLY; - $default_permission = permission2int("H"); - $group_permission = NULL; - $id_permission = NULL; - $any_permission = NULL; + $result = array(); - $permission = permission2int($permission); + switch($perm_res) + { + case PERM_RES_DATA_ARRAY: $resdata = '$host_data'; break; + default: $resdata = '$host_data["hostid"]'; break; + } + + if(is_null($nodeid)) 
$where_nodeid = ''; + else if(is_array($nodeid)) $where_nodeid = ' and n.nodeid in ('.implode(',', $nodeid).') '; + else $where_nodeid = ' and n.nodeid in ('.$nodeid.') '; - if(count($USER_RIGHTS) > 0) + $db_hosts = DBselect('select n.nodeid,n.name as node_name,hg.groupid,h.hostid,h.host '. + ' from nodes n, hosts h left join hosts_groups hg on hg.hostid=h.hostid '. + ' where n.nodeid='.DBid2nodeid('h.hostid').$where_nodeid.' order by n.name,h.host'); + + $res_perm = array(); + foreach($rights as $right) { - foreach($USER_RIGHTS as $usr_right) + $res_perm[$right['type']][$right['id']] = $right['permission']; + } + + $host_perm = array(); + + while($host_data = DBfetch($db_hosts)) + { + if(isset($host_data['groupid']) && isset($res_perm[RESOURCE_TYPE_GROUP][$host_data['groupid']])) { - $int_permision = permission2int($usr_right["permission"]); - if($usr_right["name"] == $right) { + $host_perm[$host_data['hostid']][RESOURCE_TYPE_GROUP][$host_data['groupid']] = + $res_perm[RESOURCE_TYPE_GROUP][$host_data['groupid']]; + } - if($usr_right["id"] == $id) - $id_permission = permission_max($id_permission, $int_permision); - if($usr_right["id"] == GROUP_RIGHT) - $group_permission = permission_max($group_permission, $int_permision); - else - $any_permission = permission_max($any_permission, $int_permision); - } - if($usr_right["name"] == 'Default permission') + if(isset($res_perm[RESOURCE_TYPE_NODE][$host_data['nodeid']])) + { + $host_perm[$host_data['hostid']][RESOURCE_TYPE_NODE] = $res_perm[RESOURCE_TYPE_NODE][$host_data['nodeid']]; + } + $host_perm[$host_data['hostid']]['data'] = $host_data; + + } + + foreach($host_perm as $hostid => $host_data) + { + $host_data = $host_data['data']; + + if(isset($host_perm[$hostid][RESOURCE_TYPE_GROUP])) + { + $host_data['permission'] = min($host_perm[$hostid][RESOURCE_TYPE_GROUP]); + } + else if(isset($host_perm[$hostid][RESOURCE_TYPE_NODE])) + { + $host_data['permission'] = $host_perm[$hostid][RESOURCE_TYPE_NODE]; + } + else + { + 
if(!isset($node_data[$host_data['nodeid']])) { - $default_permission = permission_max($default_permission, $int_permision); + $node_data = get_accessible_nodes_by_rights($rights,$user_type, + PERM_DENY, PERM_MODE_GE, PERM_RES_DATA_ARRAY, $host_data['nodeid']); } + $host_data['permission'] = $node_data[$host_data['nodeid']]['permission']; } + + if(eval('return ('.$host_data["permission"].' '.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')) + continue; + + $result[$host_data['hostid']] = eval('return '.$resdata.';'); + } - if($id == ANY_ELEMENT_RIGHT) - $access = $any_permission; - else - $access = $id_permission; - - if(is_null($access)) $access = $group_permission; - if(is_null($access)) $access = $default_permission; + if($perm_res == PERM_RES_STRING_LINE) + { + if(count($result) == 0) + $result = '-1'; + else + $result = implode(',',$result); + } + + return $result; + } + function get_accessible_groups_by_rights(&$rights,$user_type,$perm,$perm_mode=null,$perm_res=null,$nodeid=null) + { + if(is_null($perm_mode)) $perm_mode=PERM_MODE_GE; + if(is_null($perm_res)) $perm_res=PERM_RES_STRING_LINE; + + $result= array(); + + switch($perm_res) + { + case PERM_RES_DATA_ARRAY: $resdata = '$group_data'; break; + default: $resdata = '$group_data["groupid"]'; break; + } + + if(is_null($nodeid)) $where_nodeid = ''; + else if(is_array($nodeid)) $where_nodeid = ' and n.nodeid in ('.implode(',', $nodeid).') '; + else $where_nodeid = ' and n.nodeid in ('.$nodeid.') '; + + $group_perm = array(); + foreach($rights as $right) + { + if($right['type'] != RESOURCE_TYPE_GROUP) continue; + $group_perm[$right['id']] = $right['permission']; + } + $db_groups = DBselect('select n.nodeid,n.name as node_name, g.groupid,g.name, '.PERM_DENY.' as permission from groups g, nodes n '. + ' where '.DBid2nodeid('g.groupid').'=n.nodeid '.$where_nodeid. + ' order by n.name, g.name'); -//SDI($right.": ".$access." >= ".$permission); - return (($access >= $permission) ? 
1 : 0); + while($group_data = DBfetch($db_groups)) + { + if(isset($group_perm[$group_data['groupid']])) + { + $group_data['permission'] = $group_perm[$group_data['groupid']]; + } + else + { + if(!isset($node_data[$group_data['nodeid']])) + { + $node_data = get_accessible_nodes_by_rights($rights,$user_type, + PERM_DENY, PERM_MODE_GE, PERM_RES_DATA_ARRAY, $group_data['nodeid']); + } + $group_data['permission'] = $node_data[$group_data['nodeid']]['permission']; + } + + if(eval('return ('.$group_data["permission"].' '.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')) + continue; + + $result[$group_data["groupid"]] = eval('return '.$resdata.';'); + } + + if($perm_res == PERM_RES_STRING_LINE) + { + if(count($result) == 0) + $result = '-1'; + else + $result = implode(',',$result); + } + + return $result; } - function check_anyright($right,$permission) + function get_accessible_nodes_by_rights(&$rights,$user_type,$perm,$perm_mode=null,$perm_res=null,$nodeid=null) { - return check_right($right,$permission, ANY_ELEMENT_RIGHT); - } + global $ZBX_LOCALNODEID; + + if(is_null($perm_mode)) $perm_mode=PERM_MODE_GE; + if(is_null($perm_res)) $perm_res=PERM_RES_STRING_LINE; + + $result= array(); + + if(is_null($user_type)) $user_type = USER_TYPE_ZABBIX_USER; + switch($perm_res) + { + case PERM_RES_DATA_ARRAY: $resdata = '$node_data'; break; + default: $resdata = '$node_data["nodeid"]'; break; + } + + if(is_null($nodeid)) $where_nodeid = ''; + else if(is_array($nodeid)) $where_nodeid = ' where n.nodeid in ('.implode(',', $nodeid).') '; + else $where_nodeid = ' where n.nodeid in ('.$nodeid.') '; + + $node_perm = array(); + foreach($rights as $right) + { + if($right['type'] != RESOURCE_TYPE_NODE) continue; + $node_perm[$right['id']] = $right['permission']; + } + + $db_nodes = DBselect('select n.nodeid,n.name, '.PERM_DENY.' as permission from nodes n '.$where_nodeid.' 
order by n.name'); + + while($node_data = DBfetch($db_nodes)) + { + if(isset($node_perm[$node_data['nodeid']])) + $node_data['permission'] = $node_perm[$node_data['nodeid']]; + elseif($node_data['nodeid'] == $ZBX_LOCALNODEID || $user_type == USER_TYPE_SUPPER_ADMIN) + /* for local node or superuser default permission is READ_WRITE */ + $node_data['permission'] = PERM_READ_WRITE; + + + /* special processing for PERM_READ_LIST*/ + if(PERM_DENY == $node_data['permission'] && PERM_READ_LIST == $perm) + { + $groups = get_accessible_groups_by_rights($rights,$user_type, + $perm, PERM_MODE_GE, PERM_RES_DATA_ARRAY, $node_data['nodeid']); + if(count($groups) == 0) continue; + } + else + { + if(eval('return ('.$node_data["permission"].' '.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')) + continue; + } + + $result[$node_data["nodeid"]] = eval('return '.$resdata.';'); + } + + if($perm_res == PERM_RES_STRING_LINE) + { + if(count($result) == 0) + $result = '-1'; + else + $result = implode(',',$result); + } + + return $result; + } ?> |
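Review bot: Every permission comparison in the new functions is done through eval() — `eval('return ('.$host_data["permission"].' '.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')` in get_accessible_hosts_by_user, the same pattern in the groups/nodes variants, and the `$resdata` selectors — which turns `$perm` and the DB-supplied permission value into executed PHP code; none of these comparisons need it, a plain switch on the mode does the same job with no code-execution sink. The same functions also splice `$nodeid`, `$hostid` and `$userid` into SQL unquoted (`' and n.nodeid in ('.$nodeid.') '`), unlike the sessionid lookup which goes through zbx_dbstr(); unless every caller is known to pass integer ids, these should be cast with intval() (or array_map('intval', ...) for the array form) before concatenation — the callers are not visible from this hunk. Note also that get_accessible_nodes_by_user grants PERM_READ_WRITE on the local node to any non-super-admin user (including the guest fallback set up in check_authorisation) when no rights row exists; if that fail-open default is intentional it deserves a comment saying so. Sketch of the eval replacement below; the other three loops change the same way.
```php
	/* … unchanged: perm_mode2comparator … */

	/* true if $permission satisfies $perm under $perm_mode (null mode == PERM_MODE_GE) */
	function perm_check($permission, $perm_mode, $perm)
	{
		switch($perm_mode)
		{
			case PERM_MODE_NE: return $permission != $perm;
			case PERM_MODE_EQ: return $permission == $perm;
			case PERM_MODE_GT: return $permission >  $perm;
			case PERM_MODE_LT: return $permission <  $perm;
			case PERM_MODE_LE: return $permission <= $perm;
			case PERM_MODE_GE:
			default:           return $permission >= $perm;
		}
	}

	/* … unchanged: query building in get_accessible_hosts_by_user … */
		if(!perm_check($host_data['permission'], $perm_mode, $perm))
			continue;

		$result[$host_data['hostid']] = ($perm_res == PERM_RES_DATA_ARRAY) ? $host_data : $host_data['hostid'];
	/* … unchanged: PERM_RES_STRING_LINE folding … */
```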
