Merge pull request #1411 from laf/issue-1289

Fixes a number of user permission issues
librenms · Jul 10, 2015 · 7560d5d · 7560d5d
2 parents 1a85384 + a044782
commit 7560d5d
Show file tree

Hide file tree

Showing 8 changed files with 98 additions and 25 deletions.
diff --git a/html/includes/table/address-search.inc.php b/html/includes/table/address-search.inc.php
@@ -1,11 +1,18 @@
 <?php
 
-$where = 1;
 $param = array();
 
+if (is_admin() === FALSE && is_read() === FALSE) {
+    $perms_sql .= " LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`";
+    $where .= " AND `DP`.`user_id`=?";
+    $param[] = array($_SESSION['user_id']);
+}
+
 list($address,$prefix) = explode("/", $_POST['address']);
 if ($_POST['search_type'] == 'ipv4') {
-    $sql = " FROM `ipv4_addresses` AS A, `ports` AS I, `devices` AS D, `ipv4_networks` AS N WHERE I.port_id = A.port_id AND I.device_id = D.device_id AND N.ipv4_network_id = A.ipv4_network_id ";
+    $sql = " FROM `ipv4_addresses` AS A, `ports` AS I, `ipv4_networks` AS N, `devices` AS D";
+    $sql .= $perms_sql;
+    $sql .= " WHERE I.port_id = A.port_id AND I.device_id = D.device_id AND N.ipv4_network_id = A.ipv4_network_id $where ";
     if (!empty($address)) {
         $sql .= " AND ipv4_address LIKE '%".$address."%'";
     }
@@ -14,16 +21,19 @@
         $param[] = array($prefix);
     }
 } elseif ($_POST['search_type'] == 'ipv6') {
-    $sql = " FROM `ipv6_addresses` AS A, `ports` AS I, `devices` AS D, `ipv6_networks` AS N WHERE I.port_id = A.port_id AND I.device_id = D.device_id AND N.ipv6_network_id = A.ipv6_network_id ";
+    $sql = " FROM `ipv6_addresses` AS A, `ports` AS I, `ipv6_networks` AS N, `devices` AS D";
+    $sql .= $perms_sql;
+    $sql .= " WHERE I.port_id = A.port_id AND I.device_id = D.device_id AND N.ipv6_network_id = A.ipv6_network_id $where ";
     if (!empty($address)) {
         $sql .= " AND (ipv6_address LIKE '%".$address."%' OR ipv6_compressed LIKE '%".$address."%')";
     }
     if (!empty($prefix)) {
         $sql .= " AND ipv6_prefixlen = '$prefix'";
     }
 } elseif ($_POST['search_type'] == 'mac') {
-    $sql = " FROM `ports` AS I, `devices` AS D WHERE I.device_id = D.device_id AND `ifPhysAddress` LIKE '%?%' ";
-    $param[] = array("%".str_replace(array(':', ' ', '-', '.', '0x'),'',mres($_POST['address']))."%");
+    $sql = " FROM `ports` AS I, `devices` AS D";
+    $sql .= $perms_sql;
+    $sql .= " WHERE I.device_id = D.device_id AND `ifPhysAddress` LIKE '%".str_replace(array(':', ' ', '-', '.', '0x'),'',mres($_POST['address']))."%' $where ";
 }
 if (is_numeric($_POST['device_id'])) {
     $sql  .= " AND I.device_id = ?";

diff --git a/html/includes/table/alerts.inc.php b/html/includes/table/alerts.inc.php
@@ -7,10 +7,18 @@
 }
 
 if (isset($searchPhrase) && !empty($searchPhrase)) {
-    $sql .= " AND (`timestamp` LIKE '%$searchPhrase%' OR `rule` LIKE '%$searchPhrase%' OR `name` LIKE '%$searchPhrase%' OR `hostname` LIKE '%$searchPhrase%')";
+    $sql_search .= " AND (`timestamp` LIKE '%$searchPhrase%' OR `rule` LIKE '%$searchPhrase%' OR `name` LIKE '%$searchPhrase%' OR `hostname` LIKE '%$searchPhrase%')";
 }
 
-$sql = " FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id` RIGHT JOIN alert_rules ON alerts.rule_id=alert_rules.id WHERE $where AND `state` IN (1,2,3,4) $sql";
+$sql = " FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id`";
+
+if (is_admin() === FALSE && is_read() === FALSE) {
+    $sql .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
+    $where .= " AND `DP`.`user_id`=?";
+    $param[] = $_SESSION['user_id'];
+}
+
+$sql .= "  RIGHT JOIN alert_rules ON alerts.rule_id=alert_rules.id WHERE $where AND `state` IN (1,2,3,4) $sql_search";
 
 $count_sql = "SELECT COUNT(`alerts`.`id`) $sql";
 $total = dbFetchCell($count_sql,$param);
@@ -78,14 +86,12 @@
         $severity .= " <strong>-</strong>";
     }
 
-    if ($_SESSION['userlevel'] >= '10') {
-        $ack_ico = 'volume-up';
-        $ack_col = 'success';
-        if($alert['state'] == 2) {
-            $ack_ico = 'volume-off';
-            $ack_col = 'danger';
-        }
-    }
+    $ack_ico = 'volume-up';
+    $ack_col = 'success';
+    if($alert['state'] == 2) {
+        $ack_ico = 'volume-off';
+        $ack_col = 'danger';
+     }
 
     $hostname = '
      <div class="incident">

diff --git a/html/includes/table/arp-search.inc.php b/html/includes/table/arp-search.inc.php
@@ -2,14 +2,22 @@
 
 $param = array();
 
-$sql = " FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D WHERE M.port_id = P.port_id AND P.device_id = D.device_id ";
+$sql .= " FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D ";
+
+if (is_admin() === FALSE && is_read() === FALSE) {
+    $sql .= " LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`";
+    $where .= " AND `DP`.`user_id`=?";
+    $param[] = $_SESSION['user_id'];
+}
+
+$sql .= " WHERE M.port_id = P.port_id AND P.device_id = D.device_id $where ";
 
 if (isset($_POST['searchby']) && $_POST['searchby'] == "ip") {
     $sql .= " AND `ipv4_address` LIKE ?";
-    $param = array("%".trim($_POST['address'])."%");
+    $param[] = "%".trim($_POST['address'])."%";
 } elseif (isset($_POST['searchby']) && $_POST['searchby'] == "mac") {
     $sql .= " AND `mac_address` LIKE ?";
-    $param = array("%".str_replace(array(':', ' ', '-', '.', '0x'),'',mres($_POST['address']))."%");
+    $param[] = "%".str_replace(array(':', ' ', '-', '.', '0x'),'',mres($_POST['address']))."%";
 }
 
 if (is_numeric($_POST['device_id'])) {
@@ -70,7 +78,7 @@
     $response[] = array('mac_address'=>formatMac($entry['mac_address']),
                         'ipv4_address'=>$entry['ipv4_address'],
                         'hostname'=>generate_device_link($entry),
-                        'interface'=>generate_port_link($entry, makeshortif(fixifname(ifLabel($entry)['label']))) . ' ' . $error_img,
+                        'interface'=>generate_port_link($entry, makeshortif(fixifname(ifLabel($entry['label'])))) . ' ' . $error_img,
                         'remote_device'=>$arp_name,
                         'remote_interface'=>$arp_if);
     }

diff --git a/html/pages/search/arp.inc.php b/html/pages/search/arp.inc.php
@@ -30,7 +30,16 @@
 <?php
 
 // Select the devices only with ARP tables
-foreach (dbFetchRows("SELECT D.device_id AS device_id, `hostname` FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D WHERE M.port_id = P.port_id AND P.device_id = D.device_id GROUP BY `device_id` ORDER BY `hostname`") as $data) {
+$sql = "SELECT D.device_id AS device_id, `hostname` FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D";
+
+if (is_admin() === FALSE && is_read() === FALSE) {
+    $sql .= " LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`";
+    $where .= " AND `DP`.`user_id`=?";
+    $param[] = $_SESSION['user_id'];
+}
+
+$sql .= " WHERE M.port_id = P.port_id AND P.device_id = D.device_id $where GROUP BY `device_id` ORDER BY `hostname`";
+foreach (dbFetchRows($sql,$param) as $data) {
     echo('"<option value=\"'.$data['device_id'].'\""+');
     if ($data['device_id'] == $_POST['device_id']) {
         echo('" selected "+');

diff --git a/html/pages/search/ipv4.inc.php b/html/pages/search/ipv4.inc.php
@@ -26,7 +26,18 @@
                 "<select name=\"device_id\" id=\"device_id\" class=\"form-control input-sm\">"+
                 "<option value=\"\">All Devices</option>"+
 <?php
-foreach (dbFetchRows("SELECT `device_id`,`hostname` FROM `devices` GROUP BY `hostname` ORDER BY `hostname`") as $data) {
+
+$sql = "SELECT `devices`.`device_id`,`hostname` FROM `devices`";
+
+if (is_admin() === FALSE && is_read() === FALSE) {
+    $sql .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
+    $where .= " WHERE `DP`.`user_id`=?";
+    $param[] = $_SESSION['user_id'];
+}
+
+$sql .= " $where GROUP BY `hostname` ORDER BY `hostname`";
+
+foreach (dbFetchRows($sql,$param) as $data) {
     echo('"<option value=\"'.$data['device_id'].'\""+');
     if ($data['device_id'] == $_POST['device_id']) {
         echo('" selected "+');

diff --git a/html/pages/search/ipv6.inc.php b/html/pages/search/ipv6.inc.php
@@ -25,7 +25,18 @@
                 "<select name=\"device_id\" id=\"device_id\" class=\"form-control input-sm\">"+
                 "<option value=\"\">All Devices</option>"+
 <?php
-foreach (dbFetchRows("SELECT `device_id`,`hostname` FROM `devices` GROUP BY `hostname` ORDER BY `hostname`") as $data) {
+
+$sql = "SELECT `devices`.`device_id`,`hostname` FROM `devices`";
+
+if (is_admin() === FALSE && is_read() === FALSE) {
+    $sql .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
+    $where .= " WHERE `DP`.`user_id`=?";
+    $param[] = $_SESSION['user_id'];
+}
+
+$sql .= " $where GROUP BY `hostname` ORDER BY `hostname`";
+
+foreach (dbFetchRows($sql,$param) as $data) {
     echo('"<option value=\"'.$data['device_id'].'\""+');
     if ($data['device_id'] == $_POST['device_id']) {
         echo('" selected"+');

diff --git a/html/pages/search/mac.inc.php b/html/pages/search/mac.inc.php
@@ -26,7 +26,16 @@
                 "<select name=\"device_id\" id=\"device_id\" class=\"form-control input-sm\">"+
                 "<option value=\"\">All Devices</option>"+
 <?php
-foreach (dbFetchRows("SELECT `device_id`,`hostname` FROM `devices` GROUP BY `hostname` ORDER BY `hostname`") as $data) {
+$sql = "SELECT `devices`.`device_id`,`hostname` FROM `devices`";
+
+if (is_admin() === FALSE && is_read() === FALSE) {
+    $sql .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
+    $where .= " WHERE `DP`.`user_id`=?";
+    $param[] = $_SESSION['user_id'];
+}
+
+$sql .= " $where GROUP BY `hostname` ORDER BY `hostname`";
+foreach (dbFetchRows($sql,$param) as $data) {
     echo('"<option value=\"'.$data['device_id'].'\""+');
     if ($data['device_id'] == $_POST['device_id']) {
         echo('" selected "+');

diff --git a/html/pages/search/packages.inc.php b/html/pages/search/packages.inc.php
@@ -70,9 +70,18 @@
 
 $count_query = "SELECT COUNT(*) FROM ( ";
 $full_query = "";
-$query = 'SELECT packages.name FROM packages,devices WHERE packages.device_id = devices.device_id AND packages.name LIKE "%'.mres($_POST['package']).'%" GROUP BY packages.name';
-$where = '';
+$query = 'SELECT packages.name FROM packages,devices ';
 $param = array();
+
+if (is_admin() === FALSE && is_read() === FALSE) {
+    $query .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
+    $sql_where .= " AND `DP`.`user_id`=?";
+    $param[] = $_SESSION['user_id'];
+}
+
+$query .= " WHERE packages.device_id = devices.device_id AND packages.name LIKE '%".mres($_POST['package'])."%' $sql_where GROUP BY packages.name";
+
+$where = '';
 $ver = "";
 $opt = "";