Icinga / icingaweb2-module-director

The Director aims to be your new favourite Icinga config deployment tool. Director is designed for those who want to automate their configuration deployment and those who want to grant their “point & click” users easy access to the configuration.
https://icinga.com/docs/director/latest
GNU General Public License v2.0

Wrong redirect for editing thresholds for limited users #2469

Open EmmaTinten opened 2 years ago

EmmaTinten commented 2 years ago

Expected Behavior

Users with limited permissions who are allowed to override thresholds should be able to change the values directly by using "Edit" of the host / service entry.

Current Behavior

As a user limited by role access, with the granted permission to modify values of services, the link presented by the "Edit" link of a host or service forwards the user to a read-only view. Users granted all permissions are correctly presented the form to change the values of a check.

The user can navigate via Icinga Director -> Hosts -> select host -> Services -> select service to get the form where the values can be changed.

Possible Solution

Fix the link presented by edit for users with limited permissions.

Steps to Reproduce (for bugs)

  1. Assign a user with limited access, here the list of granted permissions:

module/director,director/hosts,director/notifications,director/services,director/servicesets,director/monitoring/services-ro,module/monitoring

  2. Create a service set, include some services with thresholds which should be overridden
  3. Limit the role's access with hostgroup filters
  4. Login as the user and try to override the thresholds by searching the service (not using the Icinga Director menu)

Your Environment

Thomas-Gelf commented 2 years ago

Please remove director/monitoring/services-ro, if you do not want readonly (ro) services

EmmaTinten commented 2 years ago

Without that endpoint the user is not able to see the service set. He is presented with a message that the permission has been denied.

EmmaTinten commented 2 years ago

I'll paste some screenshots:

Using the edit link as limited user results in the permission error:

(screenshot omitted)

Granting the user the services-ro right allows him to see the services. But there's no option to edit the thresholds from here (as a non-limited user can!):

(screenshot omitted)

Importantly, the user is able to modify the thresholds when navigating via the Director menu.

Thomas-Gelf commented 2 years ago

I tried to reproduce this; there is something going wrong. As a workaround, please open HostController.php, go to isServicesReadOnlyAction() and comment out/remove both findservice and invalidservice:

     protected function isServicesReadOnlyAction()
     {
         return in_array($this->getRequest()->getActionName(), [
             'servicesro',
-            'findservice',
-            'invalidservice',
         ]);
     }
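Review bot: removing `'findservice'` and `'invalidservice'` from the list in isServicesReadOnlyAction() stops those two actions from being classified as read-only for every role, not only for the one hitting the wrong redirect, because the function decides purely on the action name and does not look at the user's other permissions; since the comment itself states this breaks director/monitoring/services-ro, the snippet should be labelled as a temporary diagnostic step rather than a fix, and the eventual fix should keep both names in the read-only list and instead choose between the edit form and the read-only view based on whether the user also holds a wider permission such as director/services.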

This will break director/monitoring/services-ro, so I'll need to find a different final fix for this. monitoring/ro is a very special permission that should not be combined with other/wider permissions. Please also remove director/services and director/servicesets from your permission list - it should then work as expected.