This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

fix(secu): only return resources that you are allowed to see #9363

Merged
merged 8 commits into from
Jan 6, 2021

Conversation

adr-mo
Contributor

@adr-mo adr-mo commented Jan 5, 2021

This PR intends to:

  • Fix several security issues
  • Clean up dozens of coding style errors in the files that were edited

For the security issue related to externalcmd, another PR will be made for 19.10.x and 2.8.x, as in those previous versions centcore was still used.

Fixes # (issue)

Type of change

  • Patch fixing an issue (non-breaking change)
  • New functionality (non-breaking change)
  • Breaking change (patch or feature) that might cause side effects breaking part of the Software
  • Updating documentation (missing information, typo...)

Target serie

  • 19.10.x
  • 20.04.x
  • 20.10.x
  • 21.04.x (master)

How can this pull request be tested?

Please describe the procedure to verify that the goal of the PR is matched. Provide clear instructions so that it can be correctly tested.

Any relevant details of the configuration to perform the test should be added.

Checklist

  • I have followed the coding style guidelines provided by Centreon
  • I have commented my code, especially new classes, functions or any legacy code modified. (docblock)
  • I have commented my code, especially hard-to-understand areas of the PR.
  • I have made corresponding changes to the documentation.
  • I have rebased my development branch on the base branch (master, maintenance).

@adr-mo adr-mo requested review from a team, callapa and loiclau January 5, 2021 15:07
@sc979
Contributor

sc979 commented Jan 5, 2021

Kindly rename this PR ;)

@adr-mo adr-mo changed the title Mon 5535 security fixes sec: only return resources that you are allowed to see Jan 5, 2021
@adr-mo adr-mo changed the title sec: only return resources that you are allowed to see fix(secu): only return resources that you are allowed to see Jan 5, 2021
/**
 * If ACLs on, then only return metrics linked to services that the user can see.
 */
if (!$centreon->user->admin) {
Contributor


I think it would have been better to do a private method that you would have called
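The guard quoted above, restructured the way the reviewer suggests: the ACL restriction lives in one private method that every listing path calls. This is an added example, not Centreon's code; the class, method and data layout are hypothetical, and the "database" is a constructed in-memory array so it runs stand-alone.

```php
<?php
// Added example (not Centreon's code). Class and method names are hypothetical.
final class MetricListing
{
    /** @var array<int, array{metric_id:int, service_id:int, name:string}> constructed rows */
    private array $metrics;

    /** @var array<int, int[]> service ids each user id may see (hypothetical ACL table) */
    private array $aclServices;

    public function __construct(array $metrics, array $aclServices)
    {
        $this->metrics = $metrics;
        $this->aclServices = $aclServices;
    }

    /**
     * Return the metrics the caller may see: admins get everything, any other
     * user only metrics linked to services granted by their ACLs.
     */
    public function listMetrics(int $userId, bool $isAdmin): array
    {
        $rows = $this->metrics;
        if (!$isAdmin) {
            $rows = $this->filterByAcl($rows, $userId);
        }
        return array_values($rows);
    }

    /** Single place for the ACL rule, so no endpoint can forget to apply it. */
    private function filterByAcl(array $rows, int $userId): array
    {
        // Fail closed: a user with no ACL entry sees nothing, not everything.
        $allowed = array_flip($this->aclServices[$userId] ?? []);
        return array_filter(
            $rows,
            static fn(array $row): bool => isset($allowed[$row['service_id']])
        );
    }
}

// Constructed sample data: three metrics on three services, user 42 sees two of them.
$listing = new MetricListing(
    [
        ['metric_id' => 1, 'service_id' => 10, 'name' => 'rta'],
        ['metric_id' => 2, 'service_id' => 20, 'name' => 'load1'],
        ['metric_id' => 3, 'service_id' => 30, 'name' => 'used'],
    ],
    [42 => [10, 30]]
);
print_r(array_column($listing->listMetrics(42, false), 'name'));
print_r(array_column($listing->listMetrics(1, true), 'name'));
```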

@adr-mo adr-mo merged commit 52d64aa into master Jan 6, 2021
@adr-mo adr-mo deleted the MON-5535-security-fixes branch January 6, 2021 16:12
adr-mo added a commit that referenced this pull request Jan 6, 2021
* secu(poller): return only allowed poller resources types

* codingstyle: pollers

* secu(metrics): return only allowed metrics linked to service resources types

* secu(metrics): list only allowed metrics

* codingstyle: metrics

* style: fix errors returned by phpcs

* secu(externalcmd): remove dead code

This code is no longer used for versions that use gorgone instead of
centcore

* code-review: take feedback into account #1