fix(acl): filter access to api using external entry point (#8021)

centreon · Oct 28, 2019 · 0a02bd2 · 0a02bd2
1 parent 42da02f
commit 0a02bd2
Show file tree

Hide file tree

Showing 13 changed files with 81 additions and 25 deletions.
diff --git a/www/api/class/centreon_administration_widget.class.php b/www/api/class/centreon_administration_widget.class.php
@@ -161,10 +161,13 @@ public function postRemove()
      */
     public function authorize($action, $user, $isInternal = false)
     {
-        if (parent::authorize($action, $user, $isInternal)) {
+        if (
+            parent::authorize($action, $user, $isInternal)
+            || ($user && $user->hasAccessRestApiConfiguration())
+        ) {
             return true;
         }
 
-        return $user->hasAccessRestApiConfiguration();
+        return false;
     }
 }
diff --git a/www/api/class/centreon_clapi.class.php b/www/api/class/centreon_clapi.class.php
@@ -229,11 +229,14 @@ public function postAction()
      */
     public function authorize($action, $user, $isInternal = false)
     {
-        if (parent::authorize($action, $user, $isInternal)) {
+        if (
+            parent::authorize($action, $user, $isInternal)
+            || ($user && $user->hasAccessRestApiConfiguration())
+        ) {
             return true;
         }
 
-        return $user->hasAccessRestApiConfiguration();
+        return false;
     }
 
     /**

diff --git a/www/api/class/centreon_configuration_objects.class.php b/www/api/class/centreon_configuration_objects.class.php
@@ -276,10 +276,13 @@ protected function retrieveRelatedValues($relationObject, $id)
      */
     public function authorize($action, $user, $isInternal = false)
     {
-        if (parent::authorize($action, $user, $isInternal)) {
+        if (
+            parent::authorize($action, $user, $isInternal)
+            || ($user && $user->hasAccessRestApiConfiguration())
+        ) {
             return true;
         }
 
-        return $user->hasAccessRestApiConfiguration();
+        return false;
     }
 }
diff --git a/www/api/class/centreon_home_customview.class.php b/www/api/class/centreon_home_customview.class.php
@@ -331,6 +331,13 @@ public function getPreferences()
      */
     public function authorize($action, $user, $isInternal = false)
     {
-        return true;
+        if (
+            parent::authorize($action, $user, $isInternal)
+            || ($user && $user->hasAccessRestApiConfiguration())
+        ) {
+            return true;
+        }
+
+        return false;
     }
 }
diff --git a/www/api/class/centreon_keepalive.class.php b/www/api/class/centreon_keepalive.class.php
@@ -71,6 +71,6 @@ public function getKeepAlive()
      */
     public function authorize($action, $user, $isInternal = false)
     {
-        return true;
+        return $isInternal;
     }
 }
diff --git a/www/api/class/centreon_metric.class.php b/www/api/class/centreon_metric.class.php
@@ -778,6 +778,13 @@ protected function executeQueryPeriods($query, $start, $end, $queryValues)
      */
     public function authorize($action, $user, $isInternal = false)
     {
-        return true;
+        if (
+            parent::authorize($action, $user, $isInternal)
+            || ($user && $user->hasAccessRestApiRealtime())
+        ) {
+            return true;
+        }
+
+        return false;
     }
 }
diff --git a/www/api/class/centreon_proxy.class.php b/www/api/class/centreon_proxy.class.php
@@ -37,6 +37,6 @@ public function postCheckConfiguration()
      */
     public function authorize($action, $user, $isInternal = false)
     {
-        return true;
+        return $isInternal;
     }
 }
diff --git a/www/api/class/centreon_realtime_base.class.php b/www/api/class/centreon_realtime_base.class.php
@@ -259,10 +259,13 @@ protected function retrieveRelatedValues($relationObject, $id)
      */
     public function authorize($action, $user, $isInternal = false)
     {
-        if (parent::authorize($action, $user, $isInternal)) {
+        if (
+            parent::authorize($action, $user, $isInternal)
+            || ($user && $user->hasAccessRestApiRealtime())
+        ) {
             return true;
         }
 
-        return $user->hasAccessRestApiRealtime();
+        return false;
     }
 }
diff --git a/www/api/class/centreon_results_acceptor.class.php b/www/api/class/centreon_results_acceptor.class.php
@@ -246,10 +246,13 @@ public function postSubmit()
      */
     public function authorize($action, $user, $isInternal)
     {
-        if (parent::authorize($action, $user, $isInternal)) {
+        if (
+            parent::authorize($action, $user, $isInternal)
+            || ($user && $user->hasAccessRestApiConfiguration())
+        ) {
             return true;
         }
 
-        return $user->hasAccessRestApiConfiguration();
+        return false;
     }
 }
diff --git a/www/api/class/centreon_submit_results.class.php b/www/api/class/centreon_submit_results.class.php
@@ -330,10 +330,13 @@ public function postSubmit()
      */
     public function authorize($action, $user, $isInternal)
     {
-        if (parent::authorize($action, $user, $isInternal)) {
+        if (
+            parent::authorize($action, $user, $isInternal)
+            || ($user && $user->hasAccessRestApiRealtime())
+        ) {
             return true;
         }
 
-        return $user->hasAccessRestApiConfiguration();
+        return false;
     }
 }
diff --git a/www/api/class/centreon_topcounter.class.php b/www/api/class/centreon_topcounter.class.php
@@ -856,9 +856,13 @@ protected function checkChangeState($pollerId, $lastRestart)
      */
     public function authorize($action, $user, $isInternal = false)
     {
-        if (parent::authorize($action, $user, $isInternal)) {
+        if (
+            parent::authorize($action, $user, $isInternal)
+            || ($user && $user->hasAccessRestApiRealtime())
+        ) {
             return true;
         }
-        return $user->hasAccessRestApiConfiguration();
+
+        return false;
     }
 }
diff --git a/www/api/class/centreon_wiki.class.php b/www/api/class/centreon_wiki.class.php
@@ -90,10 +90,13 @@ public function postDeletePage()
      */
     public function authorize($action, $user, $isInternal = false)
     {
-        if (parent::authorize($action, $user, $isInternal)) {
+        if (
+            parent::authorize($action, $user, $isInternal)
+            || ($user && $user->hasAccessRestApiConfiguration())
+        ) {
             return true;
         }
 
-        return $user->hasAccessRestApiConfiguration();
+        return false;
     }
 }
diff --git a/www/api/external.php b/www/api/external.php
@@ -36,10 +36,27 @@
 ini_set('error_reporting', E_ALL & ~E_NOTICE & ~E_STRICT);
 ini_set('display_errors', 'Off');
 
-require_once dirname(__FILE__) . '/../../bootstrap.php';
-require_once _CENTREON_PATH_ . '/www/class/centreonDB.class.php';
-require_once dirname(__FILE__) . '/class/webService.class.php';
+require_once __DIR__ . '/../../bootstrap.php';
+require_once __DIR__ . '/../class/centreon.class.php';
+require_once __DIR__ . '/class/webService.class.php';
 
-$pearDB = new CentreonDB;
+$pearDB = $dependencyInjector['configuration_db'];
 
-CentreonWebService::router($dependencyInjector, null, false);
+$user = null;
+// get user information if a token is provided
+if (isset($_SERVER['HTTP_CENTREON_AUTH_TOKEN'])) {
+    try {
+        $res = $pearDB->prepare(
+            "SELECT c.* FROM ws_token w, contact c WHERE c.contact_id = w.contact_id AND token = ?"
+        );
+        $res->execute(array($_SERVER['HTTP_CENTREON_AUTH_TOKEN']));
+        if ($userInfos = $res->fetch()) {
+            $centreon = new Centreon($userInfos);
+            $user = $centreon->user;
+        }
+    } catch (\PDOException $e) {
+        CentreonWebService::sendResult("Database error", 500);
+    }
+}
+
+CentreonWebService::router($dependencyInjector, $user, false);