Allow restricting reports by name & author

Author: yhabteab

application/controllers/ReportController.php

@@ -35,9 +35,11 @@ public function init()
 
         $report = Model\Report::on($this->getDb())
             ->with(['timeframe'])
-            ->filter(Filter::equal('id', $reportId))
-            ->first();
+            ->filter(Filter::equal('id', $reportId));
 
+        $this->applyRestrictions($report);
+
+        $report = $report->first();
         if ($report === null) {
             $this->httpNotFound($this->translate('Report not found'));
         }

application/controllers/ReportsController.php

@@ -43,6 +43,8 @@ public function indexAction()
         $reports = Report::on($this->getDb())
             ->withColumns(['report.timeframe.name']);
 
+        $this->applyRestrictions($reports);
+
         $sortControl = $this->createSortControl(
             $reports,
             [
@@ -64,16 +66,16 @@ public function indexAction()
                 Html::tag('td', null, $report->timeframe->name),
                 Html::tag('td', null, $report->ctime->format('Y-m-d H:i')),
                 Html::tag('td', null, $report->mtime->format('Y-m-d H:i')),
-                Html::tag('td', ['class' => 'icon-col'], [
-                    new Link(
+                ! $this->hasPermission('reporting/reports')
+                    ? null
+                    : Html::tag('td', ['class' => 'icon-col'], new Link(
                         new Icon('edit'),
                         Url::fromPath('reporting/report/edit', ['id' => $report->id]),
                         [
                             'data-icinga-modal'   => true,
                             'data-no-icinga-ajax' => true
                         ]
-                    )
-                ])
+                    ))
             ]);
         }
 

configuration.php

@@ -50,4 +50,9 @@
         'reporting/timeframes',
         $this->translate('Allow managing timeframes')
     );
+
+    $this->provideRestriction(
+        'reporting/filter/reports',
+        $this->translate('Restrict access to the reports that match the provided filter')
+    );
 }

doc/03-Configuration.md

@@ -31,3 +31,16 @@ reporting/reports    | Reports (create, edit, delete)
 reporting/schedules  | Schedules (create, edit, delete)
 reporting/templates  | Templates (create, edit, delete)
 reporting/timeframes | Timeframes (create, edit, delete)
+
+## Restrictions
+
+Icinga Reporting currently provides a single restriction that can be used to limit users to a specific set of reports,
+while having the `reporting/reports` permission.
+
+> **Note:**
+> 
+> Filters from multiple roles will expand the available access.
+
+| Name                     | Description                                                   |
+|--------------------------|---------------------------------------------------------------|
+| reporting/filter/reports | Restrict access to the reports that match the provided filter |

library/Reporting/Common/Auth.php

@@ -0,0 +1,67 @@
+<?php
+
+/* Icinga Reporting | (c) 2023 Icinga GmbH | GPLv2 */
+
+namespace Icinga\Module\Reporting\Common;
+
+use Icinga\Authentication\Auth as IcingaAuth;
+use Icinga\Exception\ConfigurationError;
+use ipl\Orm\Query;
+use ipl\Stdlib\Filter;
+use ipl\Web\Filter\QueryString;
+
+trait Auth
+{
+    /**
+     * Apply restrictions of this module
+     *
+     * @param Query $query
+     */
+    protected function applyRestrictions(Query $query): void
+    {
+        $auth = IcingaAuth::getInstance();
+        $restrictions = $auth->getRestrictions('reporting/filter/reports');
+
+        $queryFilter = Filter::any();
+        // Don't filter out reports created by the current user!
+        $queryFilter->add(Filter::equal('author', $auth->getUser()->getUsername()));
+
+        foreach ($restrictions as $restriction) {
+            $queryFilter->add($this->parseRestriction($restriction, 'reporting/filter/reports'));
+        }
+
+        $query->filter($queryFilter);
+    }
+
+    /**
+     * Parse the query string of the given restriction
+     *
+     * @param string $queryString
+     * @param string $restriction
+     *
+     * @return Filter\Rule
+     */
+    protected function parseRestriction(string $queryString, string $restriction): Filter\Rule
+    {
+        return QueryString::fromString($queryString)
+            ->on(
+                QueryString::ON_CONDITION,
+                function (Filter\Condition $condition) use ($restriction, $queryString) {
+                    $allowedColumns = ['report.name', 'report.author'];
+                    if (in_array($condition->getColumn(), $allowedColumns, true)) {
+                        return;
+                    }
+
+                    throw new ConfigurationError(
+                        t(
+                            'Cannot apply restriction %s using the filter %s.'
+                            . ' You can only use the following columns: %s'
+                        ),
+                        $restriction,
+                        $queryString,
+                        implode(', ', $allowedColumns)
+                    );
+                }
+            )->parse();
+    }
+}

library/Reporting/Web/Controller.php

@@ -4,8 +4,10 @@
 
 namespace Icinga\Module\Reporting\Web;
 
+use Icinga\Module\Reporting\Common\Auth;
 use ipl\Web\Compat\CompatController;
 
 class Controller extends CompatController
 {
+    use Auth;
 }