authorartem <artem@97f52cf1-0a1b-0410-bd0e-c28be96e8082>2008-04-02 11:44:34 +0000
committerartem <artem@97f52cf1-0a1b-0410-bd0e-c28be96e8082>2008-04-02 11:44:34 +0000
commit908fda905acd739d8d2376ffb33f7e5a63faf26c (patch)
tree55f16bf5ae2a95e9dbbf6266f17be864f2d2db32 /frontends/php/include
parent82e68eabae069748d6691cab742f5fde436a56cb (diff)
- improvements in permissions (Artem)
git-svn-id: svn://svn.zabbix.com/trunk@5577 97f52cf1-0a1b-0410-bd0e-c28be96e8082
Diffstat (limited to 'frontends/php/include')
-rw-r--r--frontends/php/include/graphs.inc.php134
-rw-r--r--frontends/php/include/maps.inc.php43
-rw-r--r--frontends/php/include/perm.inc.php13
-rw-r--r--frontends/php/include/screens.inc.php26
4 files changed, 146 insertions, 70 deletions
diff --git a/frontends/php/include/graphs.inc.php b/frontends/php/include/graphs.inc.php
index 50d28c44..554887ae 100644
--- a/frontends/php/include/graphs.inc.php
+++ b/frontends/php/include/graphs.inc.php
@@ -29,8 +29,7 @@
* Eugene Grigorjev
*
*/
- function graph_item_type2str($type,$count=null)
- {
+ function graph_item_type2str($type,$count=null){
switch($type){
case GRAPH_ITEM_SUM:
$type = S_GRAPH_SUM;
@@ -56,8 +55,7 @@
* Eugene Grigorjev
*
*/
- function graph_item_drawtypes()
- {
+ function graph_item_drawtypes(){
return array(
GRAPH_ITEM_DRAWTYPE_LINE,
GRAPH_ITEM_DRAWTYPE_FILLED_REGION,
@@ -66,7 +64,7 @@
GRAPH_ITEM_DRAWTYPE_DASHED_LINE
);
}
-
+
/*
* Function: graph_item_drawtype2str
*
@@ -77,19 +75,17 @@
* Eugene Grigorjev
*
*/
- function graph_item_drawtype2str($drawtype,$type=null)
- {
- if($type == GRAPH_ITEM_AGGREGATED) return '-';
+ function graph_item_drawtype2str($drawtype,$type=null){
+ if($type == GRAPH_ITEM_AGGREGATED) return '-';
- switch($drawtype)
- {
- case GRAPH_ITEM_DRAWTYPE_LINE: $drawtype = "Line"; break;
- case GRAPH_ITEM_DRAWTYPE_FILLED_REGION: $drawtype = "Filled region"; break;
- case GRAPH_ITEM_DRAWTYPE_BOLD_LINE: $drawtype = "Bold line"; break;
- case GRAPH_ITEM_DRAWTYPE_DOT: $drawtype = "Dot"; break;
- case GRAPH_ITEM_DRAWTYPE_DASHED_LINE: $drawtype = "Dashed line"; break;
- default: $drawtype = S_UNKNOWN; break;
- }
+ switch($drawtype){
+ case GRAPH_ITEM_DRAWTYPE_LINE: $drawtype = "Line"; break;
+ case GRAPH_ITEM_DRAWTYPE_FILLED_REGION: $drawtype = "Filled region"; break;
+ case GRAPH_ITEM_DRAWTYPE_BOLD_LINE: $drawtype = "Bold line"; break;
+ case GRAPH_ITEM_DRAWTYPE_DOT: $drawtype = "Dot"; break;
+ case GRAPH_ITEM_DRAWTYPE_DASHED_LINE: $drawtype = "Dashed line"; break;
+ default: $drawtype = S_UNKNOWN; break;
+ }
return $drawtype;
}
@@ -157,16 +153,100 @@
' ORDER BY itemid,drawtype,sortorder,color,yaxisside');
}
- /*
- * Function: get_min_itemclock_by_graphid
- *
- * Description:
- * Return the time of the 1st apearance of items included in graph in trends
- *
- * Author:
- * Aly
- *
- */
+/*
+ * Function: graph_accessible
+ *
+ * Description:
+ * Checks if graph is accessible to USER
+ *
+ * Author:
+ * Aly
+ *
+ */
+ function graph_accessible($graphid){
+ global $USER_DETAILS;
+ $available_hosts = get_accessible_hosts_by_user($USER_DETAILS, PERM_READ_ONLY);
+
+ $sql = 'SELECT g.graphid '.
+ ' FROM graphs as g, graphs_items as gi, items as i '.
+ ' WHERE g.graphid='.$graphid.
+ ' AND g.graphid=gi.graphid '.
+ ' AND i.itemid=gi.itemid '.
+ ' AND i.hostid NOT IN ('.$available_hosts.')';
+
+ if(DBfetch(DBselect($sql,1))){
+ return false;
+ }
+ return true;
+ }
+
+
+/*
+ * Function: get_accessible_graphs_by_host
+ *
+ * Description:
+ * returns string of accessible graphid's
+ *
+ * Author:
+ * Aly
+ *
+ */
+ function get_accessible_graphs($perm,$perm_res=null,$nodeid=null,$hostid=null){
+ global $USER_DETAILS;
+
+ if(is_null($perm_res))
+ $perm_res = PERM_RES_STRING_LINE;
+
+ $available_hosts = get_accessible_hosts_by_user($USER_DETAILS, $perm, null, null, $nodeid);
+
+ $denied_graphs = array();
+ $available_graphs = array();
+
+ $sql = 'SELECT DISTINCT g.graphid '.
+ ' FROM graphs as g, graphs_items as gi, items as i '.
+ ' WHERE g.graphid=gi.graphid '.
+ (!empty($hostid)?' AND i.hostid='.$hostid:'').
+ ' AND i.itemid=gi.itemid '.
+ ' AND i.hostid NOT IN ('.$available_hosts.')';
+
+ $result = DBselect($sql);
+ while($graph = DBfetch($result)){
+ $denied_graphs[] = $graph['graphid'];
+ }
+
+ $sql = 'SELECT DISTINCT g.graphid '.
+ ' FROM graphs as g, graphs_items as gi, items as i '.
+ ' WHERE g.graphid=gi.graphid '.
+ (!empty($hostid)?' AND i.hostid='.$hostid:'').
+ ' AND i.itemid=gi.itemid '.
+ ' AND i.status='.ITEM_STATUS_ACTIVE.
+ (!empty($denied_graphs)?' AND g.graphid NOT IN ('.implode(',',$denied_graphs).')':'');
+
+ $result = DBselect($sql);
+ while($graph = DBfetch($result)){
+ $available_graphs[$graph['graphid']] = $graph['graphid'];
+ }
+
+ if(PERM_RES_STRING_LINE == $perm_res){
+ if(count($result) == 0)
+ $available_graphs = '-1';
+ else
+ $available_graphs = implode(',',$available_graphs);
+ }
+
+ return $available_graphs;
+ }
+
+/*
+ * Function: get_min_itemclock_by_graphid
+ *
+ * Description:
+ * Return the time of the 1st apearance of items included in graph in trends
+ *
+ * Author:
+ * Aly
+ *
+ */
function get_min_itemclock_by_graphid($graphid){
$row = DBfetch(DBselect('SELECT MIN(t.clock) as clock '.
' FROM graphs_items gi, trends t '.
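Review bot: In `get_accessible_graphs` the empty-set test `if(count($result) == 0)` counts the handle returned by DBselect rather than the collected ids, so the `'-1'` sentinel is probably never produced and an empty list comes back as `''`, which breaks any caller that places it inside `IN (...)`; it should read `if(count($available_graphs) == 0)`. `graph_accessible` returns true whenever its query yields no row, and that includes a query that failed, so the check fails open; assuming DBselect returns false on error, `$db = DBselect($sql,1); if(!$db || DBfetch($db)) return false;` denies in that case, and the same pattern appears in the trigger branch of maps.inc.php and the item check of screens.inc.php. `$graphid` and `$hostid` are concatenated into the SQL with no numeric check visible in this hunk (likewise `$sysmapid` and `$screenid` in the later files), so each function's header comment should state that callers must pass an already validated numeric id. The header comment above `get_accessible_graphs` still names `get_accessible_graphs_by_host`, and `get_min_itemclock_by_graphid` continues outside the hunk.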
diff --git a/frontends/php/include/maps.inc.php b/frontends/php/include/maps.inc.php
index ceb490d0..d598ba76 100644
--- a/frontends/php/include/maps.inc.php
+++ b/frontends/php/include/maps.inc.php
@@ -83,20 +83,18 @@
$result = false;
- if($db_result = DBselect('select * from sysmaps_elements where sysmapid='.$sysmapid.
- ' and '.DBin_node('sysmapid', get_current_nodeid($perm))))
+ if($db_result = DBselect('SELECT * '.
+ ' FROM sysmaps_elements '.
+ ' WHERE sysmapid='.$sysmapid.
+ ' AND '.DBin_node('sysmapid', get_current_nodeid($perm))))
{
$result = true;
-
- $denyed_hosts = get_accessible_hosts_by_user($USER_DETAILS,PERM_READ_ONLY, PERM_MODE_LT);
+ $available_hosts = get_accessible_hosts_by_user($USER_DETAILS,PERM_READ_ONLY);
- while(($se_data = DBfetch($db_result)) && $result)
- {
- switch($se_data['elementtype'])
- {
+ while(($se_data = DBfetch($db_result)) && $result){
+ switch($se_data['elementtype']){
case SYSMAP_ELEMENT_TYPE_HOST:
- if(uint_in_array($se_data['elementid'],explode(',',$denyed_hosts)))
- {
+ if(!uint_in_array($se_data['elementid'],explode(',',$available_hosts))){
$result = false;
}
break;
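Review bot: The host branch calls `explode(',',$available_hosts)` for every map element inside the `while` loop, rebuilding the same allow-list array on each row; compute it once before the loop, e.g. `$available_host_ids = explode(',',$available_hosts);`, and test against that. The host-group branch in the next hunk has the same shape, calling `get_accessible_groups_by_user(...)` once per group element. Hoisting both also makes it obvious that every element is checked against one fixed permission snapshot. The enclosing function starts and ends outside this hunk.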
@@ -104,21 +102,26 @@
$result &= sysmap_accessiable($se_data['elementid'], PERM_READ_ONLY);
break;
case SYSMAP_ELEMENT_TYPE_TRIGGER:
- if( DBfetch(DBselect('select triggerid from triggers where triggerid='.$se_data['elementid'])) &&
- !DBfetch(DBselect('SELECT DISTINCT t.*'.
+ if(DBfetch(DBselect('SELECT triggerid FROM triggers WHERE triggerid='.$se_data['elementid']))){
+ $sql = 'SELECT DISTINCT t.triggerid'.
' FROM triggers t,items i,functions f'.
' WHERE f.itemid=i.itemid '.
' AND t.triggerid=f.triggerid'.
- ' AND i.hostid NOT IN ('.$denyed_hosts.') '.
- ' AND t.triggerid='.$se_data['elementid'])))
- {
- $result = false;
- }
+ ' AND i.hostid NOT IN ('.$available_hosts.') '.
+ ' AND t.triggerid='.$se_data['elementid'];
+ if(DBfetch(DBselect($sql,1))){
+ $result = false;
+ }
+ }
break;
case SYSMAP_ELEMENT_TYPE_HOST_GROUP:
- if( DBfetch(DBselect('SELECT groupid FROM groups WHERE groupid='.$se_data['elementid'])) &&
- uint_in_array($se_data['elementid'],get_accessible_groups_by_user($USER_DETAILS,PERM_READ_ONLY, PERM_MODE_LT, PERM_RES_IDS_ARRAY)))
- {
+ $available_groups = get_accessible_groups_by_user($USER_DETAILS,PERM_READ_ONLY, null, PERM_RES_IDS_ARRAY);
+
+ $sql = 'SELECT groupid '.
+ ' FROM groups '.
+ ' WHERE groupid='.$se_data['elementid'];
+
+ if(DBfetch(DBselect($sql,1)) && !uint_in_array($se_data['elementid'],$available_groups)){
$result = false;
}
break;
diff --git a/frontends/php/include/perm.inc.php b/frontends/php/include/perm.inc.php
index 4da32399..e96b77bc 100644
--- a/frontends/php/include/perm.inc.php
+++ b/frontends/php/include/perm.inc.php
@@ -184,7 +184,7 @@
return $perm_mode;
}
- function get_accessible_hosts_by_user(&$user_data,$perm,$perm_mode=null,$perm_res=null,$nodeid=null,$cache=1){
+ function get_accessible_hosts_by_user(&$user_data,$perm,$perm_mode=null,$perm_res=null,$nodeid=null,$cache=1){
static $available_hosts;
if(is_null($perm_res)) $perm_res = PERM_RES_STRING_LINE;
@@ -244,19 +244,15 @@ COpt::counter_up('perm');
$processed = array();
while($host_data = DBfetch($db_hosts)){
-// It seems that host details are not required by the logic
-// $host_data += DBfetch(DBselect('select * from hosts where hostid='.$host_data['hostid']));
-
if(empty($host_data['nodeid'])) $host_data['nodeid'] = id2nodeid($host_data['hostid']);
/* if no rights defined used node rights */
- if( (empty($host_data['permission']) || is_null($host_data['userid'])) ){
+ if( (empty($host_data['permission']) || empty($host_data['userid'])) ){
if( isset($processed[$host_data['hostid']]) )
continue;
if(!isset($nodes)){
- $nodes = get_accessible_nodes_by_user($user_data,
- PERM_DENY,PERM_MODE_GE,PERM_RES_DATA_ARRAY);
+ $nodes = get_accessible_nodes_by_user($user_data, PERM_DENY, PERM_MODE_GE, PERM_RES_DATA_ARRAY);
}
if( !isset($nodes[$host_data['nodeid']]) || $user_type==USER_TYPE_ZABBIX_USER )
$host_data['permission'] = PERM_DENY;
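Review bot: Replacing `is_null($host_data['userid'])` with `empty($host_data['userid'])` widens the "no rights defined" branch to rows whose userid is `0`, `'0'` or `''`, and nothing in the hunk says why. Because this condition decides whether a host row's own permission or the node-level permission is used, the reason belongs in the code, for example `/* userid is empty (NULL, 0 or '') when no rights row matched this user */` above the `if`, worded to match whatever the query outside the hunk actually returns. The function starts and ends outside the hunk.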
@@ -285,8 +281,7 @@ COpt::counter_up('perm');
return $result;
}
- function get_accessible_groups_by_user($user_data,$perm,$perm_mode=null,$perm_res=null,$nodeid=null)
- {
+ function get_accessible_groups_by_user($user_data,$perm,$perm_mode=null,$perm_res=null,$nodeid=null){
global $ZBX_LOCALNODEID;
if(is_null($perm_mode)) $perm_mode = PERM_MODE_GE;
diff --git a/frontends/php/include/screens.inc.php b/frontends/php/include/screens.inc.php
index 6190aaa9..cce172ee 100644
--- a/frontends/php/include/screens.inc.php
+++ b/frontends/php/include/screens.inc.php
@@ -28,24 +28,20 @@
$result = false;
- if(DBselect('select screenid from screens where screenid='.$screenid.
- ' and '.DBin_node('screenid', get_current_nodeid($perm))))
+ if(DBfetch(DBselect('SELECT screenid FROM screens WHERE screenid='.$screenid.' AND '.DBin_node('screenid', get_current_nodeid($perm)))))
{
$result = true;
+ $available_hosts = get_accessible_hosts_by_user($USER_DETAILS,PERM_READ_ONLY);
- $denyed_hosts = get_accessible_hosts_by_user($USER_DETAILS,PERM_READ_ONLY, PERM_MODE_LT);
- $denyed_groups = get_accessible_groups_by_user($USER_DETAILS,PERM_READ_ONLY, PERM_MODE_LT);
-
- $db_result = DBselect("select * from screens_items where screenid=".$screenid);
- while(($ac_data = DBfetch($db_result)) && $result)
- {
- switch($ac_data['resourcetype'])
- {
+ $db_result = DBselect('SELECT * FROM screens_items WHERE screenid='.$screenid);
+ while(($ac_data = DBfetch($db_result)) && $result){
+ switch($ac_data['resourcetype']){
case SCREEN_RESOURCE_GRAPH:
$itemid = array();
- $db_gitems = DBselect("select distinct itemid from graphs_items ".
- " where graphid=".$ac_data['resourceid']);
+ $db_gitems = DBselect('SELECT DISTINCT itemid '.
+ ' FROM graphs_items '.
+ ' WHERE graphid='.$ac_data['resourceid']);
while($gitem_data = DBfetch($db_gitems)) array_push($itemid, $gitem_data['itemid']);
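Review bot: The `SCREEN_RESOURCE_GRAPH` branch collects a graph's item ids so that the later query can test their hosts against `$available_hosts`, which is the same decision the `graph_accessible()` helper added to graphs.inc.php in this commit makes. If graphs.inc.php is loaded wherever this function runs, `if(!graph_accessible($ac_data['resourceid'])) $result = false;` would keep the graph permission rule in one place to audit. The rest of the branch and the function lie outside the hunk, so other uses of `$itemid` may need it to stay.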
@@ -57,8 +53,10 @@
if(!isset($itemid))
$itemid = array($ac_data['resourceid']);
- if(DBfetch(DBselect("select itemid from items where itemid in (".implode(',',$itemid).") ".
- " and hostid in (".$denyed_hosts.")")))
+ if(DBfetch(DBselect('SELECT itemid '.
+ ' FROM items '.
+ ' WHERE itemid IN ('.implode(',',$itemid).') '.
+ ' AND hostid NOT IN ('.$available_hosts.')')))
{
$result = false;
}
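Review bot: When `$itemid` is an empty array, `implode(',',$itemid)` produces `itemid IN ()`, which is not valid SQL; if DBselect returns false for that, DBfetch yields no row and `$result` stays true without any host having been checked. A graph resource with no items would reach this state, judging by how `$itemid` is filled in the previous hunk. Handle the empty list explicitly before the query, e.g. `if(empty($itemid)) break;` if an empty resource is meant to be visible, or `$result = false;` if it is not. The surrounding `switch` and function continue outside the hunk.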