From b1a052f357d231d797b3fbad6e98cc18abd87eb2 Mon Sep 17 00:00:00 2001 From: laf Date: Tue, 7 Jul 2015 23:18:57 +0100 Subject: [PATCH 1/5] Some permission updates for non-admin users --- html/includes/table/alerts.inc.php | 26 ++++++++++++++++---------- html/pages/search/arp.inc.php | 11 ++++++++++- html/pages/search/packages.inc.php | 13 +++++++++++-- 3 files changed, 37 insertions(+), 13 deletions(-) diff --git a/html/includes/table/alerts.inc.php b/html/includes/table/alerts.inc.php index da2a6d1c6..799404b1a 100644 --- a/html/includes/table/alerts.inc.php +++ b/html/includes/table/alerts.inc.php @@ -7,10 +7,18 @@ if (is_numeric($_POST['device_id']) && $_POST['device_id'] > 0) { } if (isset($searchPhrase) && !empty($searchPhrase)) { - $sql .= " AND (`timestamp` LIKE '%$searchPhrase%' OR `rule` LIKE '%$searchPhrase%' OR `name` LIKE '%$searchPhrase%' OR `hostname` LIKE '%$searchPhrase%')"; + $sql_search .= " AND (`timestamp` LIKE '%$searchPhrase%' OR `rule` LIKE '%$searchPhrase%' OR `name` LIKE '%$searchPhrase%' OR `hostname` LIKE '%$searchPhrase%')"; } -$sql = " FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id` RIGHT JOIN alert_rules ON alerts.rule_id=alert_rules.id WHERE $where AND `state` IN (1,2,3,4) $sql"; +$sql = " FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id`"; + +if (is_admin() === FALSE && is_read() === FALSE) { + $sql .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`"; + $where .= " AND `DP`.`user_id`=?"; + $param[] = $_SESSION['user_id']; +} + +$sql .= " RIGHT JOIN alert_rules ON alerts.rule_id=alert_rules.id WHERE $where AND `state` IN (1,2,3,4) $sql_search"; $count_sql = "SELECT COUNT(`alerts`.`id`) $sql"; $total = dbFetchCell($count_sql,$param); @@ -78,14 +86,12 @@ foreach (dbFetchRows($sql,$param) as $alert) { $severity .= " -"; } - if ($_SESSION['userlevel'] >= '10') { - $ack_ico = 'volume-up'; - $ack_col = 'success'; - if($alert['state'] == 2) { - $ack_ico = 'volume-off'; - $ack_col = 'danger'; - } - } + $ack_ico = 'volume-up'; + $ack_col = 'success'; + if($alert['state'] == 2) { + $ack_ico = 'volume-off'; + $ack_col = 'danger'; + } $hostname = '
diff --git a/html/pages/search/arp.inc.php b/html/pages/search/arp.inc.php index 5e7df4266..a4dcbd113 100644 --- a/html/pages/search/arp.inc.php +++ b/html/pages/search/arp.inc.php @@ -30,7 +30,16 @@ var grid = $("#arp-search").bootgrid({ 0) { $count_query = "SELECT COUNT(*) FROM ( "; $full_query = ""; -$query = 'SELECT packages.name FROM packages,devices WHERE packages.device_id = devices.device_id AND packages.name LIKE "%'.mres($_POST['package']).'%" GROUP BY packages.name'; -$where = ''; +$query = 'SELECT packages.name FROM packages,devices '; $param = array(); + +if (is_admin() === FALSE && is_read() === FALSE) { + $query .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`"; + $sql_where .= " AND `DP`.`user_id`=?"; + $param[] = $_SESSION['user_id']; +} + +$query .= " WHERE packages.device_id = devices.device_id AND packages.name LIKE '%".mres($_POST['package'])."%' $sql_where GROUP BY packages.name"; + +$where = ''; $ver = ""; $opt = ""; From 3ed8d261a7937010f5bff6f657b2c5fd33beaddd Mon Sep 17 00:00:00 2001 From: laf Date: Tue, 7 Jul 2015 23:26:03 +0100 Subject: [PATCH 2/5] Fixed arp search page user perm queries --- html/includes/table/arp-search.inc.php | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/html/includes/table/arp-search.inc.php b/html/includes/table/arp-search.inc.php index d4a9eaaf8..937553b42 100644 --- a/html/includes/table/arp-search.inc.php +++ b/html/includes/table/arp-search.inc.php @@ -2,14 +2,22 @@ $param = array(); -$sql = " FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D WHERE M.port_id = P.port_id AND P.device_id = D.device_id "; +$sql .= " FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D "; + +if (is_admin() === FALSE && is_read() === FALSE) { + $sql .= " LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`"; + $where .= " AND `DP`.`user_id`=?"; + $param[] = $_SESSION['user_id']; +} + +$sql .= " WHERE M.port_id = P.port_id AND P.device_id = D.device_id $where "; if (isset($_POST['searchby']) && $_POST['searchby'] == "ip") { $sql .= " AND `ipv4_address` LIKE ?"; - $param = array("%".trim($_POST['address'])."%"); + $param[] = "%".trim($_POST['address'])."%"; } elseif (isset($_POST['searchby']) && $_POST['searchby'] == "mac") { $sql .= " AND `mac_address` LIKE ?"; - $param = array("%".str_replace(array(':', ' ', '-', '.', '0x'),'',mres($_POST['address']))."%"); + $param[] = "%".str_replace(array(':', ' ', '-', '.', '0x'),'',mres($_POST['address']))."%"; } if (is_numeric($_POST['device_id'])) { @@ -41,6 +49,7 @@ if ($rowCount != -1) { $sql = "SELECT *,`P`.`ifDescr` AS `interface` $sql"; +system("echo '$sql' >> /tmp/test"); foreach (dbFetchRows($sql, $param) as $entry) { if (!$ignore) { @@ -70,7 +79,7 @@ foreach (dbFetchRows($sql, $param) as $entry) { $response[] = array('mac_address'=>formatMac($entry['mac_address']), 'ipv4_address'=>$entry['ipv4_address'], 'hostname'=>generate_device_link($entry), - 'interface'=>generate_port_link($entry, makeshortif(fixifname(ifLabel($entry)['label']))) . ' ' . $error_img, + 'interface'=>generate_port_link($entry, makeshortif(fixifname(ifLabel($entry['label'])))) . ' ' . $error_img, 'remote_device'=>$arp_name, 'remote_interface'=>$arp_if); } From fba1e6933af8e026010a3c320b55102391066920 Mon Sep 17 00:00:00 2001 From: laf Date: Tue, 7 Jul 2015 23:28:00 +0100 Subject: [PATCH 3/5] removed debug --- html/includes/table/arp-search.inc.php | 1 - 1 file changed, 1 deletion(-) diff --git a/html/includes/table/arp-search.inc.php b/html/includes/table/arp-search.inc.php index 937553b42..dd5c6225e 100644 --- a/html/includes/table/arp-search.inc.php +++ b/html/includes/table/arp-search.inc.php @@ -49,7 +49,6 @@ if ($rowCount != -1) { $sql = "SELECT *,`P`.`ifDescr` AS `interface` $sql"; -system("echo '$sql' >> /tmp/test"); foreach (dbFetchRows($sql, $param) as $entry) { if (!$ignore) { From 9a43454700d9c38591a056b0403ba13b87aa00ca Mon Sep 17 00:00:00 2001 From: laf Date: Tue, 7 Jul 2015 23:34:56 +0100 Subject: [PATCH 4/5] Fixed mac user perm queries --- html/pages/search/mac.inc.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/html/pages/search/mac.inc.php b/html/pages/search/mac.inc.php index 4306a412d..c040a1e16 100644 --- a/html/pages/search/mac.inc.php +++ b/html/pages/search/mac.inc.php @@ -26,7 +26,16 @@ var grid = $("#mac-search").bootgrid({ "