Add support to restrict users using defined prefix

jhoxhaa · yhabteab · commit 2c0d71cd9f11 · 2023-07-10T15:36:37.000+02:00
* Introduce new restriction 'reporting/prefix'
* Introduce new permission 'reporting/reports/modify'
diff --git a/application/controllers/ReportController.php b/application/controllers/ReportController.php
@@ -97,7 +97,7 @@ public function cloneAction()
 
     public function editAction()
     {
-        $this->assertPermission('reporting/reports');
+        $this->assertPermission('reporting/reports/modify');
         $this->addTitleTab($this->translate('Edit Report'));
 
         $values = [
@@ -234,7 +234,7 @@ protected function assembleActions()
 
         $actions = new ActionBar();
 
-        if ($this->hasPermission('reporting/reports')) {
+        if ($this->hasPermission('reporting/reports/modify')) {
             $actions->addHtml(
                 new ActionLink(
                     $this->translate('Modify'),
diff --git a/application/controllers/ReportsController.php b/application/controllers/ReportsController.php
@@ -26,7 +26,7 @@ public function indexAction()
     {
         $this->createTabs()->activate('reports');
 
-        if ($this->hasPermission('reporting/reports')) {
+        if ($this->hasPermission('reporting/reports/modify')) {
             $this->addControl(new ButtonLink(
                 $this->translate('New Report'),
                 Url::fromPath('reporting/reports/new'),
@@ -43,6 +43,8 @@ public function indexAction()
         $reports = Report::on($this->getDb())
             ->withColumns(['report.timeframe.name']);
 
+        $this->applyRestriction($reports, 'name');
+
         $sortControl = $this->createSortControl(
             $reports,
             [
@@ -58,13 +60,16 @@ public function indexAction()
         foreach ($reports as $report) {
             $url = Url::fromPath('reporting/report', ['id' => $report->id])->getAbsoluteUrl('&');
 
-            $tableRows[] = Html::tag('tr', ['href' => $url], [
+            $content = [
                 Html::tag('td', null, $report->name),
                 Html::tag('td', null, $report->author),
                 Html::tag('td', null, $report->timeframe->name),
                 Html::tag('td', null, $report->ctime->format('Y-m-d H:i')),
                 Html::tag('td', null, $report->mtime->format('Y-m-d H:i')),
-                Html::tag('td', ['class' => 'icon-col'], [
+            ];
+
+            if ($this->hasPermission('reporting/reports/modify')) {
+                $content[] = Html::tag('td', ['class' => 'icon-col'], [
                     new Link(
                         new Icon('edit'),
                         Url::fromPath('reporting/report/edit', ['id' => $report->id]),
@@ -73,8 +78,10 @@ public function indexAction()
                             'data-no-icinga-ajax' => true
                         ]
                     )
-                ])
-            ]);
+                ]);
+            }
+
+            $tableRows[] = Html::tag('tr', ['href' => $url], $content);
         }
 
         if (! empty($tableRows)) {
@@ -110,7 +117,7 @@ public function indexAction()
 
     public function newAction()
     {
-        $this->assertPermission('reporting/reports');
+        $this->assertPermission('reporting/reports/modify');
         $this->addTitleTab($this->translate('New Report'));
 
         switch ($this->params->shift('report')) {
diff --git a/configuration.php b/configuration.php
@@ -36,6 +36,11 @@
         $this->translate('Allow managing reports')
     );
 
+    $this->providePermission(
+        'reporting/reports/modify',
+        $this->translate('Allow creating, editing and removing reports')
+    );
+
     $this->providePermission(
         'reporting/schedules',
         $this->translate('Allow managing schedules')
@@ -50,4 +55,9 @@
         'reporting/timeframes',
         $this->translate('Allow managing timeframes')
     );
+
+    $this->provideRestriction(
+        'reporting/prefix',
+        $this->translate('Restrict access to reports with the given prefix')
+    );
 }
diff --git a/library/Reporting/Web/Controller.php b/library/Reporting/Web/Controller.php
@@ -4,8 +4,33 @@
 
 namespace Icinga\Module\Reporting\Web;
 
+use Icinga\Authentication\Auth;
+use ipl\Orm\Query;
+use ipl\Stdlib\Filter;
 use ipl\Web\Compat\CompatController;
 
 class Controller extends CompatController
 {
+    /**
+     * @param Query $query
+     * @param string $column
+     * @return void
+     */
+    protected function applyRestriction(Query $query, string $column)
+    {
+        $restrictions = Auth::getInstance()->getRestrictions('reporting/prefix');
+        $prefixes = [];
+        foreach ($restrictions as $restriction) {
+            $prefixes = array_merge(
+                $prefixes,
+                explode(', ', trim($restriction))
+            );
+        }
+
+        if (! empty($prefixes)) {
+            foreach ($prefixes as $prefix) {
+                $query->orFilter(Filter::like($column, $prefix . '*'));
+            }
+        }
+    }
 }
diff --git a/library/Reporting/Web/Forms/ReportForm.php b/library/Reporting/Web/Forms/ReportForm.php
@@ -83,17 +83,52 @@ protected function assemble()
                 . ' and also when listing the reports in the cli'
             ),
             'validators' => [
-                'Callback' => function ($value, CallbackValidator $validator) {
-                    if ($value !== null && strpos($value, '..') !== false) {
-                        $validator->addMessage(
-                            $this->translate('Double dots are not allowed in the report name')
-                        );
+                new CallbackValidator(
+                    function ($value, CallbackValidator $validator) {
+                        if ($value !== null && strpos($value, '..') !== false) {
+                            $validator->addMessage(
+                                $this->translate('Double dots are not allowed in the report name')
+                            );
 
-                        return false;
-                    }
+                            return false;
+                        }
 
-                    return true;
-                }
+                        return true;
+                    }
+                ),
+                new CallbackValidator(
+                    function ($value, $validator) {
+                        /** @var CallbackValidator $validator */
+                        $restrictions = Auth::getInstance()->getRestrictions('reporting/prefix');
+                        $prefixes = [];
+                        foreach ($restrictions as $restriction) {
+                            $prefixes = array_merge(
+                                $prefixes,
+                                explode(',', trim($restriction))
+                            );
+                        }
+
+                        if (! empty($prefixes)) {
+                            foreach ($prefixes as $prefix) {
+                                $prefix = trim($prefix);
+                                if (substr($value, 0, strlen($prefix)) === $prefix) {
+                                    return true;
+                                }
+                            }
+
+                            $validator->addMessage(
+                                sprintf(
+                                    $this->translate('Please prefix the name with "%s"'),
+                                    implode(' | ', $prefixes)
+                                )
+                            );
+
+                            return false;
+                        }
+
+                        return true;
+                    }
+                )
             ]
         ]);
 
