Fix restrictions for form operations (#76)

* Fix restrictions for form operations
Icinga · Aug 5, 2024 · 6d318a3 · 6d318a3
1 parent e3899de
commit 6d318a3
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/application/forms/EditForm.php b/application/forms/EditForm.php
@@ -56,23 +56,25 @@ public function onSuccess()
             $this->view->getMetaData();
             $this->view->getTree();
 
-            // Store the view to the session
-            $this->viewconfig->storeToSession($this->view);
-
             $cancel = $this->getElement('btn_submit_cancel');
             $delete = $this->getElement('btn_submit_delete');
 
             if ($this->getElement('btn_submit_save_file')->getValue() !== null) {
+                // Store the view to its YAML file
                 $this->viewconfig->storeToFile($this->view);
                 Notification::success($this->translate('Top Level View successfully saved'));
             } elseif ($cancel !== null && $cancel->getValue() !== null) {
+                // Clear the stored session data for the view
                 $this->viewconfig->clearSession($this->view);
                 Notification::success($this->translate('Top Level View restored from disk'));
             } elseif ($delete != null && $delete->getValue() !== null) {
+                // Delete the view's YAML file
                 $this->viewconfig->delete($this->view);
                 $this->setRedirectUrl('toplevelview');
                 Notification::success($this->translate('Top Level View successfully deleted'));
             } else {
+                // Store the view to the user's session by default
+                $this->viewconfig->storeToSession($this->view);
                 Notification::success($this->translate('Top Level View successfully saved for the current session'));
             }
             return true;

diff --git a/library/Toplevelview/ViewConfig.php b/library/Toplevelview/ViewConfig.php
@@ -246,6 +246,10 @@ public function loadAll($format = self::FORMAT_YAML): array
      */
     public function storeToSession($view): void
     {
+        // Assert the user has rights to edit this view
+        $restrictions = $this->getRestrictions('toplevelview/filter/edit');
+        $this->assertAccessToView($restrictions, $view->getName());
+
         Session::getSession()->set(self::SESSION_PREFIX . $view->getName(), $view->getText());
     }
 
@@ -266,6 +270,10 @@ public function clearSession($view): void
      */
     public function storeToFile($view): void
     {
+        // Assert the user has rights to edit this file
+        $restrictions = $this->getRestrictions('toplevelview/filter/edit');
+        $this->assertAccessToView($restrictions, $view->getName());
+
         $file_path = $this->getConfigDir() . DIRECTORY_SEPARATOR . $view->getName() . '.' . $view->getFormat();
         // Store a backup of the existing config
         if (file_exists($file_path)) {
@@ -283,6 +291,10 @@ public function storeToFile($view): void
      */
     public function delete($view): void
     {
+        // Assert the user has rights to edit this view
+        $restrictions = $this->getRestrictions('toplevelview/filter/edit');
+        $this->assertAccessToView($restrictions, $view->getName());
+
         $file_path = $this->getConfigDir() . DIRECTORY_SEPARATOR . $view->getName() . '.' . $view->getFormat();
 
         $this->clearSession($view);