diff options
| author | artem <artem@97f52cf1-0a1b-0410-bd0e-c28be96e8082> | 2008-06-11 13:06:35 +0000 |
|---|---|---|
| committer | artem <artem@97f52cf1-0a1b-0410-bd0e-c28be96e8082> | 2008-06-11 13:06:35 +0000 |
| commit | 412fd1bca83c5bb8229a9bfa3b9a77a5573db3ba (patch) | |
| tree | dd9031b558ca80e00c862c95424d1dfe0297a92b /frontends/php/include/perm.inc.php | |
| parent | 2d69d2f3070bc71ef09d064da117f69c14b8206d (diff) | |
| download | zabbix-412fd1bca83c5bb8229a9bfa3b9a77a5573db3ba.tar.gz zabbix-412fd1bca83c5bb8229a9bfa3b9a77a5573db3ba.tar.xz zabbix-412fd1bca83c5bb8229a9bfa3b9a77a5573db3ba.zip | |
- [DEV-178] improved the permissions scheme (not finished in DM) (Artem)
git-svn-id: svn://svn.zabbix.com/trunk@5758 97f52cf1-0a1b-0410-bd0e-c28be96e8082
Diffstat (limited to 'frontends/php/include/perm.inc.php')
| -rw-r--r-- | frontends/php/include/perm.inc.php | 995 |
1 files changed, 451 insertions, 544 deletions
diff --git a/frontends/php/include/perm.inc.php b/frontends/php/include/perm.inc.php index 7e70630b..04b5c6f4 100644 --- a/frontends/php/include/perm.inc.php +++ b/frontends/php/include/perm.inc.php @@ -19,110 +19,110 @@ **/ ?> <?php - function permission2str($group_permission) - { - $str_perm[PERM_READ_WRITE] = S_READ_WRITE; - $str_perm[PERM_READ_ONLY] = S_READ_ONLY; - $str_perm[PERM_DENY] = S_DENY; +function permission2str($group_permission) +{ + $str_perm[PERM_READ_WRITE] = S_READ_WRITE; + $str_perm[PERM_READ_ONLY] = S_READ_ONLY; + $str_perm[PERM_DENY] = S_DENY; - if(isset($str_perm[$group_permission])) - return $str_perm[$group_permission]; + if(isset($str_perm[$group_permission])) + return $str_perm[$group_permission]; - return S_UNKNOWN; - } + return S_UNKNOWN; +} /***************************************** CHECK USER AUTHORISATION *****************************************/ - function check_authorisation(){ - global $page; - global $PHP_AUTH_USER,$PHP_AUTH_PW; - global $USER_DETAILS; - global $ZBX_LOCALNODEID; +function check_authorisation(){ + global $page; + global $PHP_AUTH_USER,$PHP_AUTH_PW; + global $USER_DETAILS; + global $ZBX_LOCALNODEID; - $USER_DETAILS = NULL; - $login = FALSE; - - $sessionid = get_cookie("zbx_sessionid"); - - if(!is_null($sessionid)){ - $login = $USER_DETAILS = DBfetch(DBselect('SELECT u.*,s.* '. - ' FROM sessions s,users u'. - ' WHERE s.sessionid='.zbx_dbstr($sessionid). - ' AND s.userid=u.userid'. - ' AND ((s.lastaccess+u.autologout>'.time().') OR (u.autologout=0))'. - ' AND '.DBin_node('u.userid', $ZBX_LOCALNODEID))); - - if(!$USER_DETAILS){ - $incorect_session = true; - } - else if($login['attempt_failed']){ - error('There was ['.$login['attempt_failed'].'] failed attempts to Login from ['.$login['attempt_ip'].'] at ['.date('d.m.Y H:i',$login['attempt_clock']).'] o\'clock!'); - DBexecute('UPDATE users SET attempt_failed=0 WHERE userid='.zbx_dbstr($login['userid'])); - } + $USER_DETAILS = NULL; + $login = FALSE; + + $sessionid = get_cookie("zbx_sessionid"); + + if(!is_null($sessionid)){ + $login = $USER_DETAILS = DBfetch(DBselect('SELECT u.*,s.* '. + ' FROM sessions s,users u'. + ' WHERE s.sessionid='.zbx_dbstr($sessionid). + ' AND s.userid=u.userid'. + ' AND ((s.lastaccess+u.autologout>'.time().') OR (u.autologout=0))'. + ' AND '.DBin_node('u.userid', $ZBX_LOCALNODEID))); + + if(!$USER_DETAILS){ + $incorect_session = true; } - + else if($login['attempt_failed']){ + error('There was ['.$login['attempt_failed'].'] failed attempts to Login from ['.$login['attempt_ip'].'] at ['.date('d.m.Y H:i',$login['attempt_clock']).'] o\'clock!'); + DBexecute('UPDATE users SET attempt_failed=0 WHERE userid='.zbx_dbstr($login['userid'])); + } + } + + if(!$USER_DETAILS){ + $login = $USER_DETAILS = DBfetch(DBselect('SELECT u.* '. + ' FROM users u '. + ' WHERE u.alias='.zbx_dbstr(ZBX_GUEST_USER). + ' AND '.DBin_node('u.userid', $ZBX_LOCALNODEID))); if(!$USER_DETAILS){ - $login = $USER_DETAILS = DBfetch(DBselect('SELECT u.* '. - ' FROM users u '. - ' WHERE u.alias='.zbx_dbstr(ZBX_GUEST_USER). - ' AND '.DBin_node('u.userid', $ZBX_LOCALNODEID))); - if(!$USER_DETAILS){ - $missed_user_guest = true; - } + $missed_user_guest = true; } + } + + if($login){ + $login = (check_perm2login($USER_DETAILS['userid']) && check_perm2system($USER_DETAILS['userid'])); + } + + if($login){ + zbx_setcookie("zbx_sessionid",$sessionid,$USER_DETAILS['autologin']?(time()+86400*31):0); //1 month + DBexecute("update sessions set lastaccess=".time()." where sessionid=".zbx_dbstr($sessionid)); + } + else{ + $USER_DETAILS = NULL; - if($login){ - $login = (check_perm2login($USER_DETAILS['userid']) && check_perm2system($USER_DETAILS['userid'])); - } + zbx_unsetcookie('zbx_sessionid'); + DBexecute("delete from sessions where sessionid=".zbx_dbstr($sessionid)); + unset($sessionid); + } - if($login){ - zbx_setcookie("zbx_sessionid",$sessionid,$USER_DETAILS['autologin']?(time()+86400*31):0); //1 month - DBexecute("update sessions set lastaccess=".time()." where sessionid=".zbx_dbstr($sessionid)); - } - else{ - $USER_DETAILS = NULL; - - zbx_unsetcookie('zbx_sessionid'); - DBexecute("delete from sessions where sessionid=".zbx_dbstr($sessionid)); - unset($sessionid); + if($USER_DETAILS){ + $USER_DETAILS['node'] = DBfetch(DBselect('select * from nodes where nodeid='.id2nodeid($USER_DETAILS['userid']))); + if(empty($USER_DETAILS['node'])) + { + $USER_DETAILS['node']['name'] = '- unknown -'; + $USER_DETAILS['node']['nodeid'] = $ZBX_LOCALNODEID; } - - if($USER_DETAILS){ - $USER_DETAILS['node'] = DBfetch(DBselect('select * from nodes where nodeid='.id2nodeid($USER_DETAILS['userid']))); - if(empty($USER_DETAILS['node'])) - { - $USER_DETAILS['node']['name'] = '- unknown -'; - $USER_DETAILS['node']['nodeid'] = $ZBX_LOCALNODEID; + } + else{ + $USER_DETAILS = array( + "alias" =>ZBX_GUEST_USER, + "userid"=>0, + "lang" =>"en_gb", + "type" =>"0", + "node" =>array( + "name" =>'- unknown -', + "nodeid"=>0)); + } + + if(!$login || isset($incorrect_session) || isset($missed_user_guest)){ + if(isset($incorrect_session)) $message = "Session was ended, please relogin!"; + else if(isset($missed_user_guest)){ + $row = DBfetch(DBselect('SELECT count(u.userid) as user_cnt FROM users u')); + if(!$row || $row['user_cnt'] == 0){ + $message = "Table users is empty. Possible database corruption."; } } - else{ - $USER_DETAILS = array( - "alias" =>ZBX_GUEST_USER, - "userid"=>0, - "lang" =>"en_gb", - "type" =>"0", - "node" =>array( - "name" =>'- unknown -', - "nodeid"=>0)); - } - if(!$login || isset($incorrect_session) || isset($missed_user_guest)){ - if(isset($incorrect_session)) $message = "Session was ended, please relogin!"; - else if(isset($missed_user_guest)){ - $row = DBfetch(DBselect('SELECT count(u.userid) as user_cnt FROM users u')); - if(!$row || $row['user_cnt'] == 0){ - $message = "Table users is empty. Possible database corruption."; - } - } - - if(!isset($_REQUEST['message']) && isset($message)) $_REQUEST['message'] = $message; - - include('index.php'); - exit; - } + if(!isset($_REQUEST['message']) && isset($message)) $_REQUEST['message'] = $message; + + include('index.php'); + exit; } +} /***************************************** LDAP AUTHENTICATION @@ -159,16 +159,16 @@ return $result; * * Author: Aly */ - function check_perm2system($userid){ - $sql = 'SELECT COUNT(g.usrgrpid) as grp_count '. - ' FROM usrgrp g, users_groups ug '. - ' WHERE ug.userid = '.zbx_dbstr($userid). - ' AND g.usrgrpid = ug.usrgrpid '. - ' AND g.users_status = '.GROUP_STATUS_DISABLED; - $res = DBFetch(DBSelect($sql)); - - return ($res['grp_count'] == 0)?true:false; - } +function check_perm2system($userid){ + $sql = 'SELECT COUNT(g.usrgrpid) as grp_count '. + ' FROM usrgrp g, users_groups ug '. + ' WHERE ug.userid = '.zbx_dbstr($userid). + ' AND g.usrgrpid = ug.usrgrpid '. + ' AND g.users_status = '.GROUP_STATUS_DISABLED; + $res = DBFetch(DBSelect($sql)); + +return ($res['grp_count'] == 0)?true:false; +} /* Function: check_perm2login() * @@ -181,305 +181,271 @@ return $result; * Author: Aly */ - function check_perm2login($userid){ - $sql = 'SELECT COUNT(g.usrgrpid) as grp_count '. - ' FROM usrgrp g, users_groups ug '. - ' WHERE ug.userid = '.zbx_dbstr($userid). - ' AND g.usrgrpid = ug.usrgrpid '. - ' AND g.gui_access = '.GROUP_GUI_ACCESS_DISABLED; - $res = DBFetch(DBSelect($sql)); +function check_perm2login($userid){ + $sql = 'SELECT COUNT(g.usrgrpid) as grp_count '. + ' FROM usrgrp g, users_groups ug '. + ' WHERE ug.userid = '.zbx_dbstr($userid). + ' AND g.usrgrpid = ug.usrgrpid '. + ' AND g.gui_access = '.GROUP_GUI_ACCESS_DISABLED; + $res = DBFetch(DBSelect($sql)); - return ($res['grp_count'] == 0)?true:false; - } +return ($res['grp_count'] == 0)?true:false; +} /*********************************************** GET ACCESSIBLE RESOURCES BY USERID ************************************************/ - function perm_mode2comparator($perm_mode) - { - switch($perm_mode) - { - case PERM_MODE_NE: $perm_mode = '!='; break; - case PERM_MODE_EQ: $perm_mode = '=='; break; - case PERM_MODE_GT: $perm_mode = '>'; break; - case PERM_MODE_LT: $perm_mode = '<'; break; - case PERM_MODE_LE: $perm_mode = '<='; break; - case PERM_MODE_GE: - default: $perm_mode = '>='; break; - } - return $perm_mode; +function perm_mode2comparator($perm_mode){ + switch($perm_mode){ + case PERM_MODE_NE: $perm_mode = '!='; break; + case PERM_MODE_EQ: $perm_mode = '=='; break; + case PERM_MODE_GT: $perm_mode = '>'; break; + case PERM_MODE_LT: $perm_mode = '<'; break; + case PERM_MODE_LE: $perm_mode = '<='; break; + case PERM_MODE_GE: + default: $perm_mode = '>='; break; } +return $perm_mode; +} - function get_accessible_hosts_by_user(&$user_data,$perm,$perm_res=null,$nodeid=null,$cache=1){ - global $DB; - static $available_hosts; +function get_accessible_hosts_by_user(&$user_data,$perm,$perm_res=null,$nodeid=null,$cache=1){ +// global $DB; + static $available_hosts; - if(is_null($perm_res)) $perm_res = PERM_RES_STRING_LINE; - if($perm == PERM_READ_LIST) $perm = PERM_READ_ONLY; - - $result = array(); + if(is_null($perm_res)) $perm_res = PERM_RES_STRING_LINE; + if($perm == PERM_READ_LIST) $perm = PERM_READ_ONLY; + + $result = array(); - $userid =& $user_data['userid']; - $user_type =& $user_data['type']; + $userid =& $user_data['userid']; + $user_type =& $user_data['type']; - if(!isset($userid)) fatal_error('Incorrect user data in "get_accessible_hosts_by_user"'); - if(is_null($nodeid)) $nodeid = get_current_nodeid(); + if(!isset($userid)) fatal_error('Incorrect user data in "get_accessible_hosts_by_user"'); + if(is_null($nodeid)) $nodeid = get_current_nodeid(); - $nodeid_str =(is_array($nodeid))?md5(implode('',$nodeid)):strval($nodeid); - - if($cache && isset($available_hosts[$userid][$perm][$perm_res][$nodeid_str])){ - return $available_hosts[$userid][$perm][$perm_res][$nodeid_str]; - } + $nodeid_str =(is_array($nodeid))?md5(implode('',$nodeid)):strval($nodeid); - switch($perm_res){ - case PERM_RES_DATA_ARRAY: - $resdata = '$host_data'; - break; - default: - $resdata = '$host_data["hostid"]'; - break; - } + if($cache && isset($available_hosts[$userid][$perm][$perm_res][$nodeid_str])){ + return $available_hosts[$userid][$perm][$perm_res][$nodeid_str]; + } COpt::counter_up('perm_host['.$userid.','.$perm.','.$perm_res.','.$nodeid.']'); COpt::counter_up('perm'); - $where = array(); + $where = array(); - if(!is_null($nodeid)) - array_push($where, DBin_node('h.hostid', $nodeid)); - - if(count($where)) - $where = ' WHERE '.implode(' AND ',$where); - else - $where = ''; - + if(!is_null($nodeid)) + array_push($where, DBin_node('h.hostid', $nodeid)); + + if(count($where)) + $where = ' WHERE '.implode(' AND ',$where); + else + $where = ''; + // $sortorder = (isset($DB['TYPE']) && (($DB['TYPE'] == 'MYSQL') || ($DB['TYPE'] == 'SQLITE3')))?' DESC ':''; - - $sql = 'SELECT DISTINCT n.nodeid, n.name as node_name, h.hostid, h.host, min(r.permission) as permission, ug.userid '. - ' FROM hosts h '. - ' LEFT JOIN hosts_groups hg ON hg.hostid=h.hostid '. - ' LEFT JOIN groups g ON g.groupid=hg.groupid '. - ' LEFT JOIN rights r ON r.id=g.groupid and r.type='.RESOURCE_TYPE_GROUP. - ' LEFT JOIN users_groups ug ON ug.usrgrpid=r.groupid and ug.userid='.$userid. - ' LEFT JOIN nodes n ON '.DBid2nodeid('h.hostid').'=n.nodeid '. - $where. - ' GROUP BY h.hostid,n.nodeid,n.name,h.host,ug.userid '. - ' ORDER BY n.name,n.nodeid, h.host, permission, ug.userid '; - - $db_hosts = DBselect($sql); - - $processed = array(); - while($host_data = DBfetch($db_hosts)){ - if(zbx_empty($host_data['nodeid'])) $host_data['nodeid'] = id2nodeid($host_data['hostid']); - - /* if no rights defined used node rights */ - - if( zbx_empty($host_data['permission']) || zbx_empty($host_data['userid'])){ - if(isset($processed[$host_data['hostid']]) ) continue; - - if(!isset($nodes)){ - $nodes = get_accessible_nodes_by_user($user_data, PERM_DENY, PERM_MODE_GE, PERM_RES_DATA_ARRAY); + + $sql = 'SELECT DISTINCT n.nodeid, n.name as node_name, h.hostid, h.host, min(r.permission) as permission, ug.userid '. + ' FROM hosts h '. + ' LEFT JOIN hosts_groups hg ON hg.hostid=h.hostid '. + ' LEFT JOIN groups g ON g.groupid=hg.groupid '. + ' LEFT JOIN rights r ON r.id=g.groupid and r.type='.RESOURCE_TYPE_GROUP. + ' LEFT JOIN users_groups ug ON ug.usrgrpid=r.groupid and ug.userid='.$userid. + ' LEFT JOIN nodes n ON '.DBid2nodeid('h.hostid').'=n.nodeid '. + $where. + ' GROUP BY h.hostid,n.nodeid,n.name,h.host,ug.userid '. + ' ORDER BY n.name,n.nodeid, h.host, permission, ug.userid '; +//SDI($sql); + $db_hosts = DBselect($sql); + + $processed = array(); + while($host_data = DBfetch($db_hosts)){ + if(zbx_empty($host_data['nodeid'])) $host_data['nodeid'] = id2nodeid($host_data['hostid']); + +/* if no rights defined */ + if(USER_TYPE_SUPER_ADMIN == $user_type){ + $host_data['permission'] = PERM_MAX; + } + else{ + if(zbx_empty($host_data['permission']) || zbx_empty($host_data['userid'])) continue; + + if(isset($processed[$host_data['hostid']])){ + if(PERM_DENY == $host_data['permission']){ + unset($result[$host_data['hostid']]); + } + else if($processed[$host_data['hostid']] > $host_data['permission']){ + unset($processed[$host_data['hostid']]); + } + else{ + continue; } - - if(!isset($nodes[$host_data['nodeid']]) || $user_type==USER_TYPE_ZABBIX_USER ) - $host_data['permission'] = PERM_DENY; - else - $host_data['permission'] = $nodes[$host_data['nodeid']]['permission']; } - - $processed[$host_data['hostid']] = true; - - if($host_data['permission'] < $perm) continue; - - $result[$host_data['hostid']] = eval('return '.$resdata.';'); } - unset($processed, $host_data, $db_hosts); + $processed[$host_data['hostid']] = $host_data['permission']; + if($host_data['permission']<$perm) continue; - if(PERM_RES_STRING_LINE == $perm_res){ - if(count($result) == 0) - $result = '-1'; - else - $result = implode(',',$result); + switch($perm_res){ + case PERM_RES_DATA_ARRAY: + $result[$host_data['hostid']] = $host_data; + break; + default: + $result[$host_data['hostid']] = $host_data["hostid"]; } + } - $available_hosts[$userid][$perm][$perm_res][$nodeid_str] = $result; - return $result; + unset($processed, $host_data, $db_hosts); + + if(PERM_RES_STRING_LINE == $perm_res){ + if(count($result) == 0) + $result = '-1'; + else + $result = implode(',',$result); } - function get_accessible_groups_by_user($user_data,$perm,$perm_res=null,$nodeid=null){ - global $ZBX_LOCALNODEID; + $available_hosts[$userid][$perm][$perm_res][$nodeid_str] = $result; +return $result; +} - if(is_null($nodeid)) $nodeid = get_current_nodeid(); - if(is_null($perm_res)) $perm_res = PERM_RES_STRING_LINE; +function get_accessible_groups_by_user($user_data,$perm,$perm_res=null,$nodeid=null){ + global $ZBX_LOCALNODEID; - $result = array(); - - $userid =& $user_data['userid']; - if(!isset($userid)) fatal_error('Incorrect user data in "get_accessible_groups_by_user"'); - $user_type =& $user_data['type']; + if(is_null($nodeid)) $nodeid = get_current_nodeid(); + if(is_null($perm_res)) $perm_res = PERM_RES_STRING_LINE; - switch($perm_res){ - case PERM_RES_DATA_ARRAY: - $resdata = '$group_data'; - break; - default: - $resdata = '$group_data["groupid"]'; - break; - } + $result = array(); + + $userid =& $user_data['userid']; + if(!isset($userid)) fatal_error('Incorrect user data in "get_accessible_groups_by_user"'); + $user_type =& $user_data['type']; COpt::counter_up('perm_group['.$userid.','.$perm.','.$perm_res.','.$nodeid.']'); COpt::counter_up('perm'); - $where = array(); + $where = array(); - if(!is_null($nodeid)) - array_push($where, DBin_node('hg.groupid', $nodeid)); - - $where = count($where)?' where '.implode(' and ',$where):''; - - /* if no rights defined used node rights */ - $db_groups = DBselect('SELECT n.nodeid as nodeid,n.name as node_name,hg.groupid,hg.name,min(r.permission) as permission,g.userid'. - ' FROM groups hg '. - ' LEFT JOIN rights r ON r.id=hg.groupid AND r.type='.RESOURCE_TYPE_GROUP. - ' LEFT JOIN users_groups g ON r.groupid=g.usrgrpid AND g.userid='.$userid. - ' LEFT JOIN nodes n ON '.DBid2nodeid('hg.groupid').'=n.nodeid '. - $where. - ' GROUP BY n.nodeid, n.name, hg.groupid, hg.name, g.userid, g.userid '. - ' ORDER BY n.name, hg.name, permission '); - - $processed = array(); - while($group_data = DBfetch($db_groups)){ - if(zbx_empty($group_data['nodeid'])) $group_data['nodeid'] = id2nodeid($group_data['groupid']); - - /* deny if no rights defined */ - if( zbx_empty($group_data['permission']) || zbx_empty($group_data['userid']) ){ - if(isset($processed[$group_data['groupid']])) continue; - - if(!isset($nodes)){ - $nodes = get_accessible_nodes_by_user($user_data, - PERM_DENY,PERM_MODE_GE,PERM_RES_DATA_ARRAY); - } - - if( !isset($nodes[$group_data['nodeid']]) || $user_type==USER_TYPE_ZABBIX_USER ) - $group_data['permission'] = PERM_DENY; - else - $group_data['permission'] = $nodes[$group_data['nodeid']]['permission']; - } - - $processed[$group_data['groupid']] = true; - if($group_data['permission'] < $perm) continue; -// if(eval('return ('.$group_data["permission"].' '.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')) continue; + if(!is_null($nodeid)) + array_push($where, DBin_node('hg.groupid', $nodeid)); - $result[$group_data['groupid']] = eval('return '.$resdata.';'); - } + $where = count($where)?' WHERE '.implode(' AND ',$where):''; - unset($processed, $group_data, $db_groups); + $sql = 'SELECT n.nodeid as nodeid,n.name as node_name,hg.groupid,hg.name,min(r.permission) as permission,g.userid'. + ' FROM groups hg '. + ' LEFT JOIN rights r ON r.id=hg.groupid AND r.type='.RESOURCE_TYPE_GROUP. + ' LEFT JOIN users_groups g ON r.groupid=g.usrgrpid AND g.userid='.$userid. + ' LEFT JOIN nodes n ON '.DBid2nodeid('hg.groupid').'=n.nodeid '. + $where. + ' GROUP BY n.nodeid, n.name, hg.groupid, hg.name, g.userid, g.userid '. + ' ORDER BY n.name, hg.name, permission '; - if($perm_res == PERM_RES_STRING_LINE) { - if(count($result) == 0) - $result = '-1'; - else - $result = implode(',',$result); - } + $db_groups = DBselect($sql); - return $result; - } + $processed = array(); + while($group_data = DBfetch($db_groups)){ + if(zbx_empty($group_data['nodeid'])) $group_data['nodeid'] = id2nodeid($group_data['groupid']); - function get_accessible_nodes_by_user(&$user_data,$perm,$perm_mode=null,$perm_res=null,$nodeid=null) - { - global $ZBX_LOCALNODEID; - if(is_null($perm_mode)) $perm_mode=PERM_MODE_GE; - if(is_null($perm_res)) $perm_res=PERM_RES_STRING_LINE; +/* deny if no rights defined */ + if(USER_TYPE_SUPER_ADMIN == $user_type){ + $group_data['permission'] = PERM_MAX; + } + else{ + if(zbx_empty($group_data['permission']) || zbx_empty($group_data['userid'])) continue; + + if(isset($processed[$group_data['groupid']])){ + if(PERM_DENY == $group_data['permission']){ + unset($result[$group_data['groupid']]); + } + else if($processed[$group_data['groupid']] > $group_data['permission']){ + unset($processed[$group_data['groupid']]); + } + else{ + continue; + } + } + } - $userid =& $user_data['userid']; - $user_type =& $user_data['type']; - if(!isset($userid)) fatal_error('Incorrect user data in "get_accessible_nodes_by_user"'); + $processed[$group_data['groupid']] = $group_data['permission']; + if($group_data['permission'] < $perm) continue; - $result= array(); + switch($perm_res){ + case PERM_RES_DATA_ARRAY: + $result[$group_data['groupid']] = $group_data; + break; + default: + $result[$group_data['groupid']] = $group_data["groupid"]; + break; + } + } -COpt::counter_up('perm_nodes['.$userid.','.$perm.','.$perm_mode.','.$perm_res.','.$nodeid.']'); -COpt::counter_up('perm'); + unset($processed, $group_data, $db_groups); - if(is_null($nodeid)) - $where_nodeid = ''; - else if(is_array($nodeid)) - $where_nodeid = ' where n.nodeid in ('.implode(',', $nodeid).') '; + if($perm_res == PERM_RES_STRING_LINE) { + if(count($result) == 0) + $result = '-1'; else - $where_nodeid = ' where n.nodeid in ('.$nodeid.') '; - - - $db_nodes = DBselect('SELECT n.nodeid,min(r.permission) as permission, g.userid'. - ' FROM nodes n '. - ' left join rights r on r.id=n.nodeid and r.type='.RESOURCE_TYPE_NODE. - ' left join users_groups g on r.groupid=g.usrgrpid and g.userid='.$userid. - $where_nodeid. - ' GROUP BY n.nodeid, g.userid '. - ' ORDER BY nodeid desc, userid desc, permission desc'); + $result = implode(',',$result); + } - while(($node_data = DBfetch($db_nodes)) || (!isset($do_break) && !ZBX_DISTRIBUTED)){ + return $result; +} - if($node_data && ($perm_res == PERM_RES_DATA_ARRAY)){ - $node_data += DBfetch(DBselect('select * from nodes where nodeid='.$node_data['nodeid'])); - } +function get_accessible_nodes_by_user(&$user_data,$perm,$perm_res=null,$nodeid=null){ + global $ZBX_LOCALNODEID; - if($node_data && isset($processed_nodeids[$node_data["nodeid"]])) continue; + if(is_null($perm_res)) $perm_res=PERM_RES_STRING_LINE; - if(!ZBX_DISTRIBUTED){ - if(!$node_data){ - $node_data = array( - 'nodeid' => $ZBX_LOCALNODEID, - 'name' => 'local', - 'permission' => PERM_READ_WRITE, - 'userid' => null - ); + $userid =& $user_data['userid']; + $user_type =& $user_data['type']; + if(!isset($userid)) fatal_error('Incorrect user data in "get_accessible_nodes_by_user"'); - $do_break = true; + $node_data = array(); + $result = array(); + +//COpt::counter_up('perm_nodes['.$userid.','.$perm.','.$perm_mode.','.$perm_res.','.$nodeid.']'); +//COpt::counter_up('perm'); - if(isset($nodeid) && is_array($nodeid)){ - if(!uint_in_array($node_data['nodeid'],$nodeid)) continue; + $available_hosts = get_accessible_hosts_by_user($user_data,$perm,PERM_RES_IDS_ARRAY,$nodeid); + foreach($available_hosts as $id => $hostid){ + $node_data[id2nodeid($hostid)] = id2nodeid($hostid); + } + + switch($perm_res){ + case PERM_RES_DATA_ARRAY: + foreach($node_data as $nodeid => $node){ + $node = DBfetch(DBselect('SELECT * FROM nodes WHERE nodeid='.$nodeid)); + + if(!ZBX_DISTRIBUTED){ + if(!$node){ + $node = array( + 'nodeid' => $ZBX_LOCALNODEID, + 'name' => 'local', + 'permission' => PERM_READ_WRITE, + 'userid' => null + ); + } + else{ + continue; } - else if(isset($nodeid) && (bccomp($node_data['nodeid'] ,$nodeid) != 0)) continue; - } - else{ - $node_data['permission'] = PERM_DENY; } + + $result[$nodeid] = $node; } + break; + default: + $result = $node_data; + break; + } - $processed_nodeids[$node_data["nodeid"]] = $node_data["nodeid"]; - - /* deny if no rights defined (for local node read/write)*/ - if(zbx_empty($node_data['permission']) || zbx_empty($node_data['userid'])){ - if($user_type == USER_TYPE_SUPER_ADMIN) - $node_data['permission'] = PERM_READ_WRITE; - else - $node_data['permission'] = - (bccomp($node_data['nodeid'] ,$ZBX_LOCALNODEID)==0) ? PERM_READ_WRITE : PERM_DENY; - } - - /* special processing for PERM_READ_LIST*/ - if(PERM_DENY == $node_data['permission'] && PERM_READ_LIST == $perm){ - $groups = get_accessible_groups_by_user($user_data,$perm,PERM_RES_DATA_ARRAY,$node_data['nodeid']); - if(count($groups) == 0) continue; - } - else{ - if(eval('return ('.$node_data["permission"].' '.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')) - continue; - } - $result[$node_data["nodeid"]]= ($perm_res == PERM_RES_DATA_ARRAY)?$node_data:$node_data["nodeid"]; - } - - if($perm_res == PERM_RES_STRING_LINE) { - if(count($result) == 0) - $result = '-1'; - else - $result = implode(',',$result); - } - - return $result; + if($perm_res == PERM_RES_STRING_LINE) { + if(count($result) == 0) + $result = '-1'; + else + $result = implode(',',$result); } +return $result; +} + /*********************************************** GET ACCESSIBLE RESOURCES BY RIGHTS ************************************************/ @@ -491,253 +457,194 @@ COpt::counter_up('perm'); */ - function get_accessible_hosts_by_rights(&$rights,$user_type,$perm,$perm_mode=null,$perm_res=null,$nodeid=null) - { - if(is_null($perm_res)) $perm_res = PERM_RES_STRING_LINE; - if($perm == PERM_READ_LIST) $perm = PERM_READ_ONLY; - - $result = array(); - - switch($perm_res) - { - case PERM_RES_DATA_ARRAY: $resdata = '$host_data'; break; - default: $resdata = '$host_data["hostid"]'; break; - } +function get_accessible_hosts_by_rights(&$rights,$user_type,$perm,$perm_res=null,$nodeid=null){ + if(is_null($perm_res)) $perm_res = PERM_RES_STRING_LINE; + if($perm == PERM_READ_LIST) $perm = PERM_READ_ONLY; - $where = array(); - - if ( !is_null($nodeid) ) array_push($where, DBin_node('h.hostid', $nodeid)); + $result = array(); + $res_perm = array(); - if(count($where)) $where = ' where '.implode(' and ',$where); - else $where = ''; - - $db_hosts = DBselect('select n.nodeid as nodeid,n.name as node_name,hg.groupid as groupid,h.* '. - ' from hosts h left join hosts_groups hg on hg.hostid=h.hostid '. - ' left join nodes n on n.nodeid='.DBid2nodeid('h.hostid'). - $where.' order by n.name,h.host'); - - $res_perm = array(); - foreach($rights as $right) - { - $res_perm[$right['type']][$right['id']] = $right['permission']; - } + foreach($rights as $right){ + $res_perm[$right['type']][$right['id']] = $right['permission']; + } - $host_perm = array(); + $host_perm = array(); - while($host_data = DBfetch($db_hosts)) - { - if(isset($host_data['groupid']) && isset($res_perm[RESOURCE_TYPE_GROUP][$host_data['groupid']])) - { - $host_perm[$host_data['hostid']][RESOURCE_TYPE_GROUP][$host_data['groupid']] = - $res_perm[RESOURCE_TYPE_GROUP][$host_data['groupid']]; - } + $where = array(); + if(!is_null($nodeid)) array_push($where, DBin_node('h.hostid', $nodeid)); + $where = count($where)?$where = ' WHERE '.implode(' AND ',$where):''; - if(isset($res_perm[RESOURCE_TYPE_NODE][$host_data['nodeid']])) - { - $host_perm[$host_data['hostid']][RESOURCE_TYPE_NODE] = $res_perm[RESOURCE_TYPE_NODE][$host_data['nodeid']]; - } - $host_perm[$host_data['hostid']]['data'] = $host_data; + $sql = 'SELECT n.nodeid as nodeid,n.name as node_name,hg.groupid as groupid,h.hostid, h.host '. + ' FROM hosts h '. + ' LEFT JOIN hosts_groups hg ON hg.hostid=h.hostid '. + ' LEFT JOIN nodes n ON n.nodeid='.DBid2nodeid('h.hostid'). + $where. + ' ORDER BY n.name,h.host'; + $db_hosts = DBselect($sql); + while($host_data = DBfetch($db_hosts)){ + if(isset($host_data['groupid']) && isset($res_perm[RESOURCE_TYPE_GROUP][$host_data['groupid']])){ + $host_perm[$host_data['hostid']][RESOURCE_TYPE_GROUP][$host_data['groupid']] = $res_perm[RESOURCE_TYPE_GROUP][$host_data['groupid']]; } - foreach($host_perm as $hostid => $host_data) - { - $host_data = $host_data['data']; + if(isset($res_perm[RESOURCE_TYPE_NODE][$host_data['nodeid']])){ + $host_perm[$host_data['hostid']][RESOURCE_TYPE_NODE] = $res_perm[RESOURCE_TYPE_NODE][$host_data['nodeid']]; + } + + $host_perm[$host_data['hostid']]['data'] = $host_data; + } - if(isset($host_perm[$hostid][RESOURCE_TYPE_GROUP])) - { + foreach($host_perm as $hostid => $host_data){ + $host_data = $host_data['data']; + +// Select Min rights from groups + if(USER_TYPE_SUPER_ADMIN == $user_type){ + $host_data['permission'] = PERM_MAX; + } + else{ + if(isset($host_perm[$hostid][RESOURCE_TYPE_GROUP])){ $host_data['permission'] = min($host_perm[$hostid][RESOURCE_TYPE_GROUP]); } - else if(isset($host_perm[$hostid][RESOURCE_TYPE_NODE])) - { - $host_data['permission'] = $host_perm[$hostid][RESOURCE_TYPE_NODE]; - } - else - { + else{ if(is_null($host_data['nodeid'])) $host_data['nodeid'] = id2nodeid($host_data['groupid']); - - if(!isset($node_data[$host_data['nodeid']])) - { - $node_data = get_accessible_nodes_by_rights($rights,$user_type, - PERM_DENY, PERM_MODE_GE, PERM_RES_DATA_ARRAY, $host_data['nodeid']); - } - if( !isset($node_data[$host_data['nodeid']]) || $user_type==USER_TYPE_ZABBIX_USER ) - $host_data['permission'] = PERM_DENY; - else - $host_data['permission'] = $node_data[$host_data['nodeid']]['permission']; + + $host_data['permission'] = PERM_DENY; } - - if(eval('return ('.$host_data["permission"].' '.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')) - continue; - - $result[$host_data['hostid']] = eval('return '.$resdata.';'); - } - - if($perm_res == PERM_RES_STRING_LINE) - { - if(count($result) == 0) - $result = '-1'; - else - $result = implode(',',$result); + + if($host_data['permission']<$perm) continue; + switch($perm_res){ + case PERM_RES_DATA_ARRAY: + $result[$host_data['hostid']] = $host_data; + break; + default: + $result[$host_data['hostid']] = $host_data['hostid']; } + } - return $result; + if($perm_res == PERM_RES_STRING_LINE) { + if(count($result) == 0) + $result = '-1'; + else + $result = implode(',',$result); } - function get_accessible_groups_by_rights(&$rights,$user_type,$perm,$perm_mode=null,$perm_res=null,$nodeid=null) - { - if(is_null($perm_mode)) $perm_mode=PERM_MODE_GE; - if(is_null($perm_res)) $perm_res=PERM_RES_STRING_LINE; - $result= array(); +return $result; +} - switch($perm_res) - { - case PERM_RES_DATA_ARRAY: $resdata = '$group_data'; break; - default: $resdata = '$group_data["groupid"]'; break; - } +function get_accessible_groups_by_rights(&$rights,$user_type,$perm,$perm_res=null,$nodeid=null){ + if(is_null($perm_res)) $perm_res=PERM_RES_STRING_LINE; + $result= array(); - $where = array(); + $where = array(); - if ( !is_null($nodeid) ) array_push($where, DBin_node('g.groupid', $nodeid)); - - if(count($where)) $where = ' where '.implode(' and ',$where); - else $where = ''; + if(!is_null($nodeid)) + array_push($where, DBin_node('g.groupid', $nodeid)); - $group_perm = array(); - foreach($rights as $right) - { - if($right['type'] != RESOURCE_TYPE_GROUP) continue; - $group_perm[$right['id']] = $right['permission']; - } + if(count($where)) $where = ' WHERE '.implode(' AND ',$where); + else $where = ''; + + $group_perm = array(); + foreach($rights as $right){ + if($right['type'] != RESOURCE_TYPE_GROUP) continue; + $group_perm[$right['id']] = $right['permission']; + } - $db_groups = DBselect('select n.nodeid as nodeid,n.name as node_name, g.*, '.PERM_DENY.' as permission from groups g '. - ' left join nodes n on '.DBid2nodeid('g.groupid').'=n.nodeid '. - $where.' order by n.name, g.name'); + $sql = 'SELECT n.nodeid as nodeid,n.name as node_name, g.*, '.PERM_DENY.' as permission '. + ' FROM groups g '. + ' LEFT JOIN nodes n ON '.DBid2nodeid('g.groupid').'=n.nodeid '. + $where. + ' ORDER BY n.name, g.name'; - while($group_data = DBfetch($db_groups)) - { - if(isset($group_perm[$group_data['groupid']])) - { + $db_groups = DBselect($sql); + + while($group_data = DBfetch($db_groups)){ + + if(USER_TYPE_SUPER_ADMIN == $user_type){ + $group_data['permission'] = PERM_MAX; + } + else{ + if(isset($group_perm[$group_data['groupid']])){ $group_data['permission'] = $group_perm[$group_data['groupid']]; } - else - { + else{ if(is_null($group_data['nodeid'])) $group_data['nodeid'] = id2nodeid($group_data['groupid']); - - if(!isset($node_data[$group_data['nodeid']])) - { - $node_data = get_accessible_nodes_by_rights($rights,$user_type, - PERM_DENY, PERM_MODE_GE, PERM_RES_DATA_ARRAY, $group_data['nodeid']); - } - if( !isset($node_data[$group_data['nodeid']]) || $user_type==USER_TYPE_ZABBIX_USER ) - $group_data['permission'] = PERM_DENY; - else - $group_data['permission'] = $node_data[$group_data['nodeid']]['permission']; + $group_data['permission'] = PERM_DENY; } - - if(eval('return ('.$group_data["permission"].' '.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')) - continue; - - $result[$group_data["groupid"]] = eval('return '.$resdata.';'); } + + if($group_data['permission']<$perm) continue; - if($perm_res == PERM_RES_STRING_LINE) - { - if(count($result) == 0) - $result = '-1'; - else - $result = implode(',',$result); + switch($perm_res){ + case PERM_RES_DATA_ARRAY: + $result[$group_data['groupid']] = $group_data; + break; + default: + $result[$group_data['groupid']] = $group_data['groupid']; } - - return $result; } - function get_accessible_nodes_by_rights(&$rights,$user_type,$perm,$perm_mode=null,$perm_res=null,$nodeid=null) - { - global $ZBX_LOCALNODEID; - - if(is_null($perm_mode)) $perm_mode=PERM_MODE_GE; - if(is_null($perm_res)) $perm_res=PERM_RES_STRING_LINE; - - $result= array(); - - if(is_null($user_type)) $user_type = USER_TYPE_ZABBIX_USER; + if($perm_res == PERM_RES_STRING_LINE) { + if(count($result) == 0) + $result = '-1'; + else + $result = implode(',',$result); + } - switch($perm_res) - { - case PERM_RES_DATA_ARRAY: $resdata = '$node_data'; break; - default: $resdata = '$node_data["nodeid"]'; break; - } +return $result; +} - if(is_null($nodeid)) $where_nodeid = ''; - else if(is_array($nodeid)) $where_nodeid = ' where n.nodeid in ('.implode(',', $nodeid).') '; - else $where_nodeid = ' where n.nodeid in ('.$nodeid.') '; +function get_accessible_nodes_by_rights(&$rights,$user_type,$perm,$perm_res=null,$nodeid=null){ + global $ZBX_LOCALNODEID; - $node_perm = array(); - foreach($rights as $right) - { - if($right['type'] != RESOURCE_TYPE_NODE) continue; - $node_perm[$right['id']] = $right['permission']; - } + if(is_null($perm_res)) $perm_res=PERM_RES_STRING_LINE; + if(is_null($user_type)) $user_type = USER_TYPE_ZABBIX_USER; - $db_nodes = DBselect('select n.*, '.PERM_DENY.' as permission from nodes n '.$where_nodeid.' order by n.name'); + $node_data = array(); + $result = array(); + +//COpt::counter_up('perm_nodes['.$userid.','.$perm.','.$perm_mode.','.$perm_res.','.$nodeid.']'); +//COpt::counter_up('perm'); - while(($node_data = DBfetch($db_nodes)) || (!isset($do_break) && !ZBX_DISTRIBUTED)) - { - if(!ZBX_DISTRIBUTED) - { - if(!$node_data) - { - $node_data = array( - 'nodeid' => $ZBX_LOCALNODEID, - 'name' => 'local', - 'permission' => PERM_READ_WRITE - ); - - $do_break = true; - - if(is_array($nodeid) && !uint_in_array($node_data['nodeid'],$nodeid)) continue; - else if(isset($nodeid) and (bccomp($node_data['nodeid'] ,$nodeid) != 0)) continue; - } - else - { - $node_perm[$node_data['nodeid']] = PERM_DENY; + $available_hosts = get_accessible_hosts_by_rights($rights,$user_type,$perm,PERM_RES_IDS_ARRAY,$nodeid); + foreach($available_hosts as $id => $hostid){ + $node_data[id2nodeid($hostid)] = id2nodeid($hostid); + } + + switch($perm_res){ + case PERM_RES_DATA_ARRAY: + foreach($node_data as $nodeid => $node){ + $node = DBfetch(DBselect('SELECT * FROM nodes WHERE nodeid='.$nodeid)); + + if(!ZBX_DISTRIBUTED){ + if(!$node){ + $node = array( + 'nodeid' => $ZBX_LOCALNODEID, + 'name' => 'local', + 'permission' => PERM_READ_WRITE, + 'userid' => null + ); + } + else{ + continue; + } } + + $result[$nodeid] = $node; } + break; + default: + $result = $node_data; + break; + } - if(isset($node_perm[$node_data['nodeid']])) - $node_data['permission'] = $node_perm[$node_data['nodeid']]; - elseif((bccomp($node_data['nodeid'], $ZBX_LOCALNODEID)==0) || $user_type == USER_TYPE_SUPER_ADMIN) - /* for local node or superuser default permission is READ_WRITE */ - $node_data['permission'] = PERM_READ_WRITE; - - - /* special processing for PERM_READ_LIST*/ - if(PERM_DENY == $node_data['permission'] && PERM_READ_LIST == $perm) - { - $groups = get_accessible_groups_by_rights($rights,$user_type, - $perm, PERM_MODE_GE, PERM_RES_DATA_ARRAY, $node_data['nodeid']); - if(count($groups) == 0) continue; - } - else - { - if(eval('return ('.$node_data["permission"].' '.perm_mode2comparator($perm_mode).' '.$perm.')? 0 : 1;')) - continue; - } - - $result[$node_data["nodeid"]] = eval('return '.$resdata.';'); - } - - if($perm_res == PERM_RES_STRING_LINE) - { - if(count($result) == 0) - $result = '-1'; - else - $result = implode(',',$result); - } - - return $result; + if($perm_res == PERM_RES_STRING_LINE) { + if(count($result) == 0) + $result = '-1'; + else + $result = implode(',',$result); } -?> +return $result; +} +?>
\ No newline at end of file |