zabbix/ui/include/perm.inc.php

<?php
/*
** Zabbix
** Copyright (C) 2001-2023 Zabbix SIA
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
**/


/**
 * Get permission label.
 *
 * @param int $permission
 *
 * @return string
 */
function permission2str($permission) {
	$permissions = [
		PERM_READ_WRITE => _('Read-write'),
		PERM_READ => _('Read only'),
		PERM_DENY => _('Deny')
	];

	return $permissions[$permission];
}

/**
 * Get authentication label.
 *
 * @param int $type
 *
 * @return string
 */
function authentication2str($type) {
	$authentications = [
		ZBX_AUTH_INTERNAL => _('Zabbix internal authentication'),
		ZBX_AUTH_LDAP => _('LDAP authentication')
	];

	return $authentications[$type];
}

/***********************************************
	CHECK USER ACCESS TO SYSTEM STATUS
************************************************/
/* Function: check_perm2system()
 *
 * Description:
 * 		Checking user permissions to access system (affects server side: no notification will be sent)
 *
 * Comments:
 *		return true if permission is positive
 */
function check_perm2system($userid) {
	$sql = 'SELECT g.usrgrpid'.
			' FROM usrgrp g,users_groups ug'.
			' WHERE ug.userid='.zbx_dbstr($userid).
				' AND g.usrgrpid=ug.usrgrpid'.
				' AND g.users_status='.GROUP_STATUS_DISABLED;
	if ($res = DBfetch(DBselect($sql, 1))) {
		return false;
	}
	return true;
}

/**
 * Checking user permissions to login in frontend.
 *
 * @param string $userId
 *
 * @return bool
 */
function check_perm2login($userId) {
	return (getUserGuiAccess($userId) != GROUP_GUI_ACCESS_DISABLED);
}

/**
 * Get user gui access.
 *
 * @param string $userid
 *
 * @return int
 */
function getUserGuiAccess(string $userid): int {
	if (isset(CWebUser::$data['gui_access'])) {
		return CWebUser::$data['gui_access'];
	}

	$gui_access = DBfetch(DBselect(
		'SELECT MAX(g.gui_access) AS gui_access'.
		' FROM usrgrp g,users_groups ug'.
		' WHERE g.usrgrpid=ug.usrgrpid'.
			' AND ug.userid='.zbx_dbstr($userid)
	));

	return $gui_access ? $gui_access['gui_access'] : GROUP_GUI_ACCESS_SYSTEM;
}

/**
 * Get user authentication type.
 *
 * @param int $gui_access  Frontend access. GROUP_GUI_ACCESS_*
 *
 * @return int
 */
function getUserAuthenticationType($gui_access) {
	switch ($gui_access) {
		case GROUP_GUI_ACCESS_SYSTEM:
			return CAuthenticationHelper::get(CAuthenticationHelper::AUTHENTICATION_TYPE);

		case GROUP_GUI_ACCESS_INTERNAL:
			return ZBX_AUTH_INTERNAL;

		case GROUP_GUI_ACCESS_LDAP:
			return ZBX_AUTH_LDAP;

		default:
			return CAuthenticationHelper::get(CAuthenticationHelper::AUTHENTICATION_TYPE);
	}
}

/***********************************************
	GET ACCESSIBLE RESOURCES BY RIGHTS
************************************************/
/* NOTE: right structure is
	$rights[i]['type']	= type of resource
	$rights[i]['permission']= permission for resource
	$rights[i]['id']	= resource id
*/
function get_accessible_hosts_by_rights(&$rights, $user_type, $perm) {
	$result = [];
	$res_perm = [];

	foreach ($rights as $id => $right) {
		$res_perm[$right['id']] = $right['permission'];
	}

	$host_perm = [];
	$where = [];

	array_push($where, 'h.status in ('.HOST_STATUS_MONITORED.','.HOST_STATUS_NOT_MONITORED.','.HOST_STATUS_TEMPLATE.')');
	array_push($where, dbConditionInt('h.flags', [ZBX_FLAG_DISCOVERY_NORMAL, ZBX_FLAG_DISCOVERY_CREATED]));

	$where = count($where) ? $where = ' WHERE '.implode(' AND ', $where) : '';

	$perm_by_host = [];

	$dbHosts = DBselect(
		'SELECT hg.groupid AS groupid,h.hostid,h.host,h.name AS host_name,h.status'.
		' FROM hosts h'.
			' LEFT JOIN hosts_groups hg ON hg.hostid=h.hostid'.
			$where
	);
	while ($dbHost = DBfetch($dbHosts)) {
		if (isset($dbHost['groupid']) && isset($res_perm[$dbHost['groupid']])) {
			if (!isset($perm_by_host[$dbHost['hostid']])) {
				$perm_by_host[$dbHost['hostid']] = [];
			}
			$perm_by_host[$dbHost['hostid']][] = $res_perm[$dbHost['groupid']];
			$host_perm[$dbHost['hostid']][$dbHost['groupid']] = $res_perm[$dbHost['groupid']];
		}
		$host_perm[$dbHost['hostid']]['data'] = $dbHost;
	}

	foreach ($host_perm as $hostid => $dbHost) {
		$dbHost = $dbHost['data'];

		// select min rights from groups
		if (USER_TYPE_SUPER_ADMIN == $user_type) {
			$dbHost['permission'] = PERM_READ_WRITE;
		}
		else {
			if (isset($perm_by_host[$hostid])) {
				$dbHost['permission'] = (min($perm_by_host[$hostid]) == PERM_DENY)
					? PERM_DENY
					: max($perm_by_host[$hostid]);
			}
			else {
				$dbHost['permission'] = PERM_DENY;
			}
		}

		if ($dbHost['permission'] < $perm) {
			continue;
		}

		$result[$dbHost['hostid']] = $dbHost;
	}

	CArrayHelper::sort($result, [
		['field' => 'host_name', 'order' => ZBX_SORT_UP]
	]);

	return $result;
}

function get_accessible_groups_by_rights(&$rights, $user_type, $perm) {
	$result = [];

	$group_perm = [];
	foreach ($rights as $right) {
		$group_perm[$right['id']] = $right['permission'];
	}

	$dbHostGroups = DBselect('SELECT g.*,'.PERM_DENY.' AS permission FROM hstgrp g');

	while ($dbHostGroup = DBfetch($dbHostGroups)) {
		if ($user_type == USER_TYPE_SUPER_ADMIN) {
			$dbHostGroup['permission'] = PERM_READ_WRITE;
		}
		elseif (isset($group_perm[$dbHostGroup['groupid']])) {
			$dbHostGroup['permission'] = $group_perm[$dbHostGroup['groupid']];
		}
		else {
			$dbHostGroup['permission'] = PERM_DENY;
		}

		if ($dbHostGroup['permission'] < $perm) {
			continue;
		}

		$result[$dbHostGroup['groupid']] = $dbHostGroup;
	}

	CArrayHelper::sort($result, [
		['field' => 'name', 'order' => ZBX_SORT_UP]
	]);

	return $result;
}

/**
 * Returns array of user groups by $userId
 *
 * @param int $userId
 *
 * @return array
 */
function getUserGroupsByUserId($userId) {
	static $userGroups;

	if (!isset($userGroups[$userId])) {
		$userGroups[$userId] = [];

		$result = DBselect('SELECT usrgrpid FROM users_groups WHERE userid='.zbx_dbstr($userId));
		while ($row = DBfetch($result)) {
			$userGroups[$userId][] = $row['usrgrpid'];
		}
	}

	return $userGroups[$userId];
}
zabbix6.0 1 year ago			`<?php`
			`/*`
			`** Zabbix`
			`** Copyright (C) 2001-2023 Zabbix SIA`
			`**`
			`** This program is free software; you can redistribute it and/or modify`
			`** it under the terms of the GNU General Public License as published by`
			`** the Free Software Foundation; either version 2 of the License, or`
			`** (at your option) any later version.`
			`**`
			`** This program is distributed in the hope that it will be useful,`
			`** but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`** GNU General Public License for more details.`
			`**`
			`** You should have received a copy of the GNU General Public License`
			`** along with this program; if not, write to the Free Software`
			`** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.`
			`**/`


			`/**`
			`* Get permission label.`
			`*`
			`* @param int $permission`
			`*`
			`* @return string`
			`*/`
			`function permission2str($permission) {`
			`$permissions = [`
			`PERM_READ_WRITE => _('Read-write'),`
			`PERM_READ => _('Read only'),`
			`PERM_DENY => _('Deny')`
			`];`

			`return $permissions[$permission];`
			`}`

			`/**`
			`* Get authentication label.`
			`*`
			`* @param int $type`
			`*`
			`* @return string`
			`*/`
			`function authentication2str($type) {`
			`$authentications = [`
			`ZBX_AUTH_INTERNAL => _('Zabbix internal authentication'),`
			`ZBX_AUTH_LDAP => _('LDAP authentication')`
			`];`

			`return $authentications[$type];`
			`}`

			`/***********************************************`
			`CHECK USER ACCESS TO SYSTEM STATUS`
			`************************************************/`
			`/* Function: check_perm2system()`
			`*`
			`* Description:`
			`* Checking user permissions to access system (affects server side: no notification will be sent)`
			`*`
			`* Comments:`
			`* return true if permission is positive`
			`*/`
			`function check_perm2system($userid) {`
			`$sql = 'SELECT g.usrgrpid'.`
			`' FROM usrgrp g,users_groups ug'.`
			`' WHERE ug.userid='.zbx_dbstr($userid).`
			`' AND g.usrgrpid=ug.usrgrpid'.`
			`' AND g.users_status='.GROUP_STATUS_DISABLED;`
			`if ($res = DBfetch(DBselect($sql, 1))) {`
			`return false;`
			`}`
			`return true;`
			`}`

			`/**`
			`* Checking user permissions to login in frontend.`
			`*`
			`* @param string $userId`
			`*`
			`* @return bool`
			`*/`
			`function check_perm2login($userId) {`
			`return (getUserGuiAccess($userId) != GROUP_GUI_ACCESS_DISABLED);`
			`}`

			`/**`
			`* Get user gui access.`
			`*`
			`* @param string $userid`
			`*`
			`* @return int`
			`*/`
			`function getUserGuiAccess(string $userid): int {`
			`if (isset(CWebUser::$data['gui_access'])) {`
			`return CWebUser::$data['gui_access'];`
			`}`

			`$gui_access = DBfetch(DBselect(`
			`'SELECT MAX(g.gui_access) AS gui_access'.`
			`' FROM usrgrp g,users_groups ug'.`
			`' WHERE g.usrgrpid=ug.usrgrpid'.`
			`' AND ug.userid='.zbx_dbstr($userid)`
			`));`

			`return $gui_access ? $gui_access['gui_access'] : GROUP_GUI_ACCESS_SYSTEM;`
			`}`

			`/**`
			`* Get user authentication type.`
			`*`
			`* @param int $gui_access Frontend access. GROUP_GUI_ACCESS_*`
			`*`
			`* @return int`
			`*/`
			`function getUserAuthenticationType($gui_access) {`
			`switch ($gui_access) {`
			`case GROUP_GUI_ACCESS_SYSTEM:`
			`return CAuthenticationHelper::get(CAuthenticationHelper::AUTHENTICATION_TYPE);`

			`case GROUP_GUI_ACCESS_INTERNAL:`
			`return ZBX_AUTH_INTERNAL;`

			`case GROUP_GUI_ACCESS_LDAP:`
			`return ZBX_AUTH_LDAP;`

			`default:`
			`return CAuthenticationHelper::get(CAuthenticationHelper::AUTHENTICATION_TYPE);`
			`}`
			`}`

			`/***********************************************`
			`GET ACCESSIBLE RESOURCES BY RIGHTS`
			`************************************************/`
			`/* NOTE: right structure is`
			`$rights[i]['type'] = type of resource`
			`$rights[i]['permission']= permission for resource`
			`$rights[i]['id'] = resource id`
			`*/`
			`function get_accessible_hosts_by_rights(&$rights, $user_type, $perm) {`
			`$result = [];`
			`$res_perm = [];`

			`foreach ($rights as $id => $right) {`
			`$res_perm[$right['id']] = $right['permission'];`
			`}`

			`$host_perm = [];`
			`$where = [];`

			`array_push($where, 'h.status in ('.HOST_STATUS_MONITORED.','.HOST_STATUS_NOT_MONITORED.','.HOST_STATUS_TEMPLATE.')');`
			`array_push($where, dbConditionInt('h.flags', [ZBX_FLAG_DISCOVERY_NORMAL, ZBX_FLAG_DISCOVERY_CREATED]));`

			`$where = count($where) ? $where = ' WHERE '.implode(' AND ', $where) : '';`

			`$perm_by_host = [];`

			`$dbHosts = DBselect(`
			`'SELECT hg.groupid AS groupid,h.hostid,h.host,h.name AS host_name,h.status'.`
			`' FROM hosts h'.`
			`' LEFT JOIN hosts_groups hg ON hg.hostid=h.hostid'.`
			`$where`
			`);`
			`while ($dbHost = DBfetch($dbHosts)) {`
			`if (isset($dbHost['groupid']) && isset($res_perm[$dbHost['groupid']])) {`
			`if (!isset($perm_by_host[$dbHost['hostid']])) {`
			`$perm_by_host[$dbHost['hostid']] = [];`
			`}`
			`$perm_by_host[$dbHost['hostid']][] = $res_perm[$dbHost['groupid']];`
			`$host_perm[$dbHost['hostid']][$dbHost['groupid']] = $res_perm[$dbHost['groupid']];`
			`}`
			`$host_perm[$dbHost['hostid']]['data'] = $dbHost;`
			`}`

			`foreach ($host_perm as $hostid => $dbHost) {`
			`$dbHost = $dbHost['data'];`

			`// select min rights from groups`
			`if (USER_TYPE_SUPER_ADMIN == $user_type) {`
			`$dbHost['permission'] = PERM_READ_WRITE;`
			`}`
			`else {`
			`if (isset($perm_by_host[$hostid])) {`
			`$dbHost['permission'] = (min($perm_by_host[$hostid]) == PERM_DENY)`
			`? PERM_DENY`
			`: max($perm_by_host[$hostid]);`
			`}`
			`else {`
			`$dbHost['permission'] = PERM_DENY;`
			`}`
			`}`

			`if ($dbHost['permission'] < $perm) {`
			`continue;`
			`}`

			`$result[$dbHost['hostid']] = $dbHost;`
			`}`

			`CArrayHelper::sort($result, [`
			`['field' => 'host_name', 'order' => ZBX_SORT_UP]`
			`]);`

			`return $result;`
			`}`

			`function get_accessible_groups_by_rights(&$rights, $user_type, $perm) {`
			`$result = [];`

			`$group_perm = [];`
			`foreach ($rights as $right) {`
			`$group_perm[$right['id']] = $right['permission'];`
			`}`

			`$dbHostGroups = DBselect('SELECT g.*,'.PERM_DENY.' AS permission FROM hstgrp g');`

			`while ($dbHostGroup = DBfetch($dbHostGroups)) {`
			`if ($user_type == USER_TYPE_SUPER_ADMIN) {`
			`$dbHostGroup['permission'] = PERM_READ_WRITE;`
			`}`
			`elseif (isset($group_perm[$dbHostGroup['groupid']])) {`
			`$dbHostGroup['permission'] = $group_perm[$dbHostGroup['groupid']];`
			`}`
			`else {`
			`$dbHostGroup['permission'] = PERM_DENY;`
			`}`

			`if ($dbHostGroup['permission'] < $perm) {`
			`continue;`
			`}`

			`$result[$dbHostGroup['groupid']] = $dbHostGroup;`
			`}`

			`CArrayHelper::sort($result, [`
			`['field' => 'name', 'order' => ZBX_SORT_UP]`
			`]);`

			`return $result;`
			`}`

			`/**`
			`* Returns array of user groups by $userId`
			`*`
			`* @param int $userId`
			`*`
			`* @return array`
			`*/`
			`function getUserGroupsByUserId($userId) {`
			`static $userGroups;`

			`if (!isset($userGroups[$userId])) {`
			`$userGroups[$userId] = [];`

			`$result = DBselect('SELECT usrgrpid FROM users_groups WHERE userid='.zbx_dbstr($userId));`
			`while ($row = DBfetch($result)) {`
			`$userGroups[$userId][] = $row['usrgrpid'];`
			`}`
			`}`

			`return $userGroups[$userId];`
			`}`