Merge pull request #1411 from laf/issue-1289

Fixes a number of user permission issues
This commit is contained in:
Daniel Preussker
2015-07-10 09:51:31 +00:00
8 changed files with 98 additions and 25 deletions
+15 -5
View File
@@ -1,11 +1,18 @@
<?php
$where = 1;
$param = array();
if (is_admin() === FALSE && is_read() === FALSE) {
$perms_sql .= " LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`";
$where .= " AND `DP`.`user_id`=?";
$param[] = array($_SESSION['user_id']);
}
list($address,$prefix) = explode("/", $_POST['address']);
if ($_POST['search_type'] == 'ipv4') {
$sql = " FROM `ipv4_addresses` AS A, `ports` AS I, `devices` AS D, `ipv4_networks` AS N WHERE I.port_id = A.port_id AND I.device_id = D.device_id AND N.ipv4_network_id = A.ipv4_network_id ";
$sql = " FROM `ipv4_addresses` AS A, `ports` AS I, `ipv4_networks` AS N, `devices` AS D";
$sql .= $perms_sql;
$sql .= " WHERE I.port_id = A.port_id AND I.device_id = D.device_id AND N.ipv4_network_id = A.ipv4_network_id $where ";
if (!empty($address)) {
$sql .= " AND ipv4_address LIKE '%".$address."%'";
}
@@ -14,7 +21,9 @@ if ($_POST['search_type'] == 'ipv4') {
$param[] = array($prefix);
}
} elseif ($_POST['search_type'] == 'ipv6') {
$sql = " FROM `ipv6_addresses` AS A, `ports` AS I, `devices` AS D, `ipv6_networks` AS N WHERE I.port_id = A.port_id AND I.device_id = D.device_id AND N.ipv6_network_id = A.ipv6_network_id ";
$sql = " FROM `ipv6_addresses` AS A, `ports` AS I, `ipv6_networks` AS N, `devices` AS D";
$sql .= $perms_sql;
$sql .= " WHERE I.port_id = A.port_id AND I.device_id = D.device_id AND N.ipv6_network_id = A.ipv6_network_id $where ";
if (!empty($address)) {
$sql .= " AND (ipv6_address LIKE '%".$address."%' OR ipv6_compressed LIKE '%".$address."%')";
}
@@ -22,8 +31,9 @@ if ($_POST['search_type'] == 'ipv4') {
$sql .= " AND ipv6_prefixlen = '$prefix'";
}
} elseif ($_POST['search_type'] == 'mac') {
$sql = " FROM `ports` AS I, `devices` AS D WHERE I.device_id = D.device_id AND `ifPhysAddress` LIKE '%?%' ";
$param[] = array("%".str_replace(array(':', ' ', '-', '.', '0x'),'',mres($_POST['address']))."%");
$sql = " FROM `ports` AS I, `devices` AS D";
$sql .= $perms_sql;
$sql .= " WHERE I.device_id = D.device_id AND `ifPhysAddress` LIKE '%".str_replace(array(':', ' ', '-', '.', '0x'),'',mres($_POST['address']))."%' $where ";
}
if (is_numeric($_POST['device_id'])) {
$sql .= " AND I.device_id = ?";
+16 -10
View File
@@ -7,10 +7,18 @@ if (is_numeric($_POST['device_id']) && $_POST['device_id'] > 0) {
}
if (isset($searchPhrase) && !empty($searchPhrase)) {
$sql .= " AND (`timestamp` LIKE '%$searchPhrase%' OR `rule` LIKE '%$searchPhrase%' OR `name` LIKE '%$searchPhrase%' OR `hostname` LIKE '%$searchPhrase%')";
$sql_search .= " AND (`timestamp` LIKE '%$searchPhrase%' OR `rule` LIKE '%$searchPhrase%' OR `name` LIKE '%$searchPhrase%' OR `hostname` LIKE '%$searchPhrase%')";
}
$sql = " FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id` RIGHT JOIN alert_rules ON alerts.rule_id=alert_rules.id WHERE $where AND `state` IN (1,2,3,4) $sql";
$sql = " FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id`";
if (is_admin() === FALSE && is_read() === FALSE) {
$sql .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
$where .= " AND `DP`.`user_id`=?";
$param[] = $_SESSION['user_id'];
}
$sql .= " RIGHT JOIN alert_rules ON alerts.rule_id=alert_rules.id WHERE $where AND `state` IN (1,2,3,4) $sql_search";
$count_sql = "SELECT COUNT(`alerts`.`id`) $sql";
$total = dbFetchCell($count_sql,$param);
@@ -78,14 +86,12 @@ foreach (dbFetchRows($sql,$param) as $alert) {
$severity .= " <strong>-</strong>";
}
if ($_SESSION['userlevel'] >= '10') {
$ack_ico = 'volume-up';
$ack_col = 'success';
if($alert['state'] == 2) {
$ack_ico = 'volume-off';
$ack_col = 'danger';
}
}
$ack_ico = 'volume-up';
$ack_col = 'success';
if($alert['state'] == 2) {
$ack_ico = 'volume-off';
$ack_col = 'danger';
}
$hostname = '
<div class="incident">
+12 -4
View File
@@ -2,14 +2,22 @@
$param = array();
$sql = " FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D WHERE M.port_id = P.port_id AND P.device_id = D.device_id ";
$sql .= " FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D ";
if (is_admin() === FALSE && is_read() === FALSE) {
$sql .= " LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`";
$where .= " AND `DP`.`user_id`=?";
$param[] = $_SESSION['user_id'];
}
$sql .= " WHERE M.port_id = P.port_id AND P.device_id = D.device_id $where ";
if (isset($_POST['searchby']) && $_POST['searchby'] == "ip") {
$sql .= " AND `ipv4_address` LIKE ?";
$param = array("%".trim($_POST['address'])."%");
$param[] = "%".trim($_POST['address'])."%";
} elseif (isset($_POST['searchby']) && $_POST['searchby'] == "mac") {
$sql .= " AND `mac_address` LIKE ?";
$param = array("%".str_replace(array(':', ' ', '-', '.', '0x'),'',mres($_POST['address']))."%");
$param[] = "%".str_replace(array(':', ' ', '-', '.', '0x'),'',mres($_POST['address']))."%";
}
if (is_numeric($_POST['device_id'])) {
@@ -70,7 +78,7 @@ foreach (dbFetchRows($sql, $param) as $entry) {
$response[] = array('mac_address'=>formatMac($entry['mac_address']),
'ipv4_address'=>$entry['ipv4_address'],
'hostname'=>generate_device_link($entry),
'interface'=>generate_port_link($entry, makeshortif(fixifname(ifLabel($entry)['label']))) . ' ' . $error_img,
'interface'=>generate_port_link($entry, makeshortif(fixifname(ifLabel($entry['label'])))) . ' ' . $error_img,
'remote_device'=>$arp_name,
'remote_interface'=>$arp_if);
}
+10 -1
View File
@@ -30,7 +30,16 @@ var grid = $("#arp-search").bootgrid({
<?php
// Select the devices only with ARP tables
foreach (dbFetchRows("SELECT D.device_id AS device_id, `hostname` FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D WHERE M.port_id = P.port_id AND P.device_id = D.device_id GROUP BY `device_id` ORDER BY `hostname`") as $data) {
$sql = "SELECT D.device_id AS device_id, `hostname` FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D";
if (is_admin() === FALSE && is_read() === FALSE) {
$sql .= " LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`";
$where .= " AND `DP`.`user_id`=?";
$param[] = $_SESSION['user_id'];
}
$sql .= " WHERE M.port_id = P.port_id AND P.device_id = D.device_id $where GROUP BY `device_id` ORDER BY `hostname`";
foreach (dbFetchRows($sql,$param) as $data) {
echo('"<option value=\"'.$data['device_id'].'\""+');
if ($data['device_id'] == $_POST['device_id']) {
echo('" selected "+');
+12 -1
View File
@@ -26,7 +26,18 @@ var grid = $("#ipv4-search").bootgrid({
"<select name=\"device_id\" id=\"device_id\" class=\"form-control input-sm\">"+
"<option value=\"\">All Devices</option>"+
<?php
foreach (dbFetchRows("SELECT `device_id`,`hostname` FROM `devices` GROUP BY `hostname` ORDER BY `hostname`") as $data) {
$sql = "SELECT `devices`.`device_id`,`hostname` FROM `devices`";
if (is_admin() === FALSE && is_read() === FALSE) {
$sql .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
$where .= " WHERE `DP`.`user_id`=?";
$param[] = $_SESSION['user_id'];
}
$sql .= " $where GROUP BY `hostname` ORDER BY `hostname`";
foreach (dbFetchRows($sql,$param) as $data) {
echo('"<option value=\"'.$data['device_id'].'\""+');
if ($data['device_id'] == $_POST['device_id']) {
echo('" selected "+');
+12 -1
View File
@@ -25,7 +25,18 @@ var grid = $("#ipv6-search").bootgrid({
"<select name=\"device_id\" id=\"device_id\" class=\"form-control input-sm\">"+
"<option value=\"\">All Devices</option>"+
<?php
foreach (dbFetchRows("SELECT `device_id`,`hostname` FROM `devices` GROUP BY `hostname` ORDER BY `hostname`") as $data) {
$sql = "SELECT `devices`.`device_id`,`hostname` FROM `devices`";
if (is_admin() === FALSE && is_read() === FALSE) {
$sql .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
$where .= " WHERE `DP`.`user_id`=?";
$param[] = $_SESSION['user_id'];
}
$sql .= " $where GROUP BY `hostname` ORDER BY `hostname`";
foreach (dbFetchRows($sql,$param) as $data) {
echo('"<option value=\"'.$data['device_id'].'\""+');
if ($data['device_id'] == $_POST['device_id']) {
echo('" selected"+');
+10 -1
View File
@@ -26,7 +26,16 @@ var grid = $("#mac-search").bootgrid({
"<select name=\"device_id\" id=\"device_id\" class=\"form-control input-sm\">"+
"<option value=\"\">All Devices</option>"+
<?php
foreach (dbFetchRows("SELECT `device_id`,`hostname` FROM `devices` GROUP BY `hostname` ORDER BY `hostname`") as $data) {
$sql = "SELECT `devices`.`device_id`,`hostname` FROM `devices`";
if (is_admin() === FALSE && is_read() === FALSE) {
$sql .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
$where .= " WHERE `DP`.`user_id`=?";
$param[] = $_SESSION['user_id'];
}
$sql .= " $where GROUP BY `hostname` ORDER BY `hostname`";
foreach (dbFetchRows($sql,$param) as $data) {
echo('"<option value=\"'.$data['device_id'].'\""+');
if ($data['device_id'] == $_POST['device_id']) {
echo('" selected "+');
+11 -2
View File
@@ -70,9 +70,18 @@ if(isset($_POST['results_amount']) && $_POST['results_amount'] > 0) {
$count_query = "SELECT COUNT(*) FROM ( ";
$full_query = "";
$query = 'SELECT packages.name FROM packages,devices WHERE packages.device_id = devices.device_id AND packages.name LIKE "%'.mres($_POST['package']).'%" GROUP BY packages.name';
$where = '';
$query = 'SELECT packages.name FROM packages,devices ';
$param = array();
if (is_admin() === FALSE && is_read() === FALSE) {
$query .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
$sql_where .= " AND `DP`.`user_id`=?";
$param[] = $_SESSION['user_id'];
}
$query .= " WHERE packages.device_id = devices.device_id AND packages.name LIKE '%".mres($_POST['package'])."%' $sql_where GROUP BY packages.name";
$where = '';
$ver = "";
$opt = "";