Fix the permission wildcards assertion

fixes #9202
Icinga · May 5, 2015 · 612fefb · 612fefb
1 parent 993cb31
commit 612fefb
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 10 deletions.
diff --git a/library/Icinga/User.php b/library/Icinga/User.php
@@ -413,30 +413,30 @@ public function isRemoteUser()
     /**
      * Whether the user has a given permission
      *
-     * @param   string $permission
+     * @param   string $requiredPermission
      *
      * @return  bool
      */
-    public function can($permission)
+    public function can($requiredPermission)
     {
-        if (isset($this->permissions['*']) || isset($this->permissions[$permission])) {
+        if (isset($this->permissions['*']) || isset($this->permissions[$requiredPermission])) {
             return true;
         }
         // If the permission to check contains a wildcard, grant the permission if any permit related to the permission
         // matches
-        $any = strpos($permission, '*');
-        foreach ($this->permissions as $permitted) {
-            if ($any !== false) {
+        $any = strpos($requiredPermission, '*');
+        foreach ($this->permissions as $grantedPermission) {
+            if ($any !== false && strpos($grantedPermission, '*') === false) {
                 $wildcard = $any;
             } else {
                 // If the permit contains a wildcard, grant the permission if it's related to the permit
-                $wildcard = strpos($permitted, '*');
+                $wildcard = strpos($grantedPermission, '*');
             }
             if ($wildcard !== false) {
-                if (substr($permission, 0, $wildcard) === substr($permitted, 0, $wildcard)) {
+                if (substr($requiredPermission, 0, $wildcard) === substr($grantedPermission, 0, $wildcard)) {
                     return true;
                 }
-            } elseif ($permission === $permitted) {
+            } elseif ($requiredPermission === $grantedPermission) {
                 return true;
             }
         }

diff --git a/test/php/library/Icinga/UserTest.php b/test/php/library/Icinga/UserTest.php
@@ -66,12 +66,16 @@ public function testPermissions()
         $user->setPermissions(array(
             'test',
             'test/some/specific',
-            'test/more/*'
+            'test/more/*',
+            'test/wildcard-with-wildcard/*'
         ));
         $this->assertTrue($user->can('test'));
         $this->assertTrue($user->can('test/some/specific'));
         $this->assertTrue($user->can('test/more/everything'));
+        $this->assertTrue($user->can('test/wildcard-with-wildcard/*'));
+        $this->assertTrue($user->can('test/wildcard/sub/sub'));
         $this->assertFalse($user->can('not/test'));
         $this->assertFalse($user->can('test/some/not/so/specific'));
+        $this->assertFalse($user->can('test/wildcard2/*'));
     }
 }