Auth: Merge variable denylists and protections from multiple roles

nilmerg · nilmerg · commit 22e1aef80d95 · 2025-11-14T14:34:39.000+01:00
diff --git a/doc/04-Security.md b/doc/04-Security.md
@@ -69,18 +69,18 @@ Denylists prevent users from accessing information and in some cases will block
 >
 > Denylists from multiple roles will further limit access.
 
-Name                         | Description
------------------------------|------------------------------------------------------------------
-icingadb/denylist/routes    | Prevent access to routes that are part of the list
-icingadb/denylist/variables | Hide custom variables of Icinga objects that are part of the list
+| Name                        | Description                                                       |
+|-----------------------------|-------------------------------------------------------------------|
+| icingadb/denylist/routes    | Prevent access to routes that are part of the list                |
+| icingadb/denylist/variables | Hide custom variables of Icinga objects that are part of the list |
 
 `icingadb/denylist/routes` will block users from accessing defined routes and from related information elsewhere.
 For example, if `hostgroups` are part of the list a user won't have access to the hostgroup overview nor to a host's
-groups shown in its detail area. This should be a comma separated list. Possible values are: hostgroups, servicegroups,
+groups shown in its detail area. This should be a comma-separated list. Possible values are: hostgroups, servicegroups,
 contacts, contactgroups
 
 `icingadb/denylist/variables` will block users from accessing certain custom variables. A user affected by this won't
-see that those variables even exist. This should be a comma separated list of [variable paths](#variable-paths). It is
+see that those variables even exist. This should be a comma-separated list of [variable paths](#variable-paths). It is
 possible to use [match patterns](#match-patterns).
 
 ### Protections
@@ -91,12 +91,12 @@ Protections prevent users from accessing actual data. They will know that there
 >
 > Denylists from multiple roles will further limit access.
 
-Name                       | Description
----------------------------|-----------------------------------------------------------------------------
-icingadb/protect/variables | Obfuscate custom variable values of Icinga objects that are part of the list
+| Name                       | Description                                                                  |
+|----------------------------|------------------------------------------------------------------------------|
+| icingadb/protect/variables | Obfuscate custom variable values of Icinga objects that are part of the list |
 
 `icingadb/protect/variables` will replace certain custom variable values with `***`. A user affected by this will still
-be able to see the variable names though. This should be a comma separated list of [variable paths](#variable-paths).
+be able to see the variable names, though. This should be a comma-separated list of [variable paths](#variable-paths).
 It is possible to use [match patterns](#match-patterns).
 
 ### Formats
diff --git a/doc/05-Upgrading.md b/doc/05-Upgrading.md
@@ -5,6 +5,14 @@ If you are upgrading across multiple versions, make sure to follow the steps for
 
 ## Upgrading to Icinga DB Web v1.3
 
+**Breaking Changes**
+
+* The restrictions `icingadb/denylist/variables` and `icingadb/protect/variables` from different roles are now
+  merged into a single list, respectively. This means that variables denied in one role will not show up anymore
+  if another role denies access to different variables. The same applies to `icingadb/protect/variables`, in which
+  case variables protected in one role will now be protected even if another role protects different variables.
+  This has been done to simplify the configuration and to get it more in line with how refusals work in Icinga Web.
+
 **Removed Features**
 
 * The migration widget in the top right has been removed. If you have not adjusted your navigation items,
diff --git a/library/Icingadb/Common/Auth.php b/library/Icingadb/Common/Auth.php
@@ -125,35 +125,21 @@ public function assertColumnRestrictions(Filter\Rule $filter): void
             return;
         }
 
-        $forbiddenVars = Filter::all();
-        $protectedVars = Filter::any();
-        $hiddenVars = Filter::any();
+        $forbiddenVars = Filter::none();
         foreach ($this->getAuth()->getUser()->getRoles() as $role) {
             if (($restriction = $role->getRestrictions('icingadb/denylist/variables'))) {
-                $denied = Filter::none();
-                $hiddenVars->add($denied);
                 foreach (explode(',', $restriction) as $value) {
-                    $denied->add(Filter::like('name', trim($value))->ignoreCase());
+                    $forbiddenVars->add(Filter::like('name', trim($value))->ignoreCase());
                 }
             }
 
             if (($restriction = $role->getRestrictions('icingadb/protect/variables'))) {
-                $protected = Filter::none();
-                $protectedVars->add($protected);
                 foreach (explode(',', $restriction) as $value) {
-                    $protected->add(Filter::like('name', trim($value))->ignoreCase());
+                    $forbiddenVars->add(Filter::like('name', trim($value))->ignoreCase());
                 }
             }
         }
 
-        if (! $hiddenVars->isEmpty()) {
-            $forbiddenVars->add($hiddenVars);
-        }
-
-        if (! $protectedVars->isEmpty()) {
-            $forbiddenVars->add($protectedVars);
-        }
-
         if ($forbiddenVars->isEmpty()) {
             return;
         }
@@ -223,13 +209,14 @@ public function applyRestrictions(Query $query)
             $resolver = $query->getResolver();
 
             $queryFilter = Filter::any();
-            $obfuscationRules = Filter::any();
+            $forbiddenVars = Filter::all();
+            $obfuscationRules = Filter::all();
             foreach ($this->getAuth()->getUser()->getRoles() as $role) {
                 $roleFilter = Filter::all();
 
                 if ($customVarRelationName !== false) {
                     if (($restriction = $role->getRestrictions('icingadb/denylist/variables'))) {
-                        $roleFilter->add($this->parseDenylist(
+                        $forbiddenVars->add($this->parseDenylist(
                             $restriction,
                             $customVarRelationName
                                 ? $resolver->qualifyColumn('flatname', $customVarRelationName)
@@ -364,7 +351,8 @@ public function applyRestrictions(Query $query)
                 }
             }
 
-            $query->filter($queryFilter);
+            $query->filter($queryFilter)
+                ->filter($forbiddenVars);
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -125,35 +125,21 @@ public function assertColumnRestrictions(Filter\Rule $filter): void`
`125`	`125`	`return;`
`126`	`126`	`}`
`127`	`127`
`128`		`- $forbiddenVars = Filter::all();`
`129`		`- $protectedVars = Filter::any();`
`130`		`- $hiddenVars = Filter::any();`
	`128`	`+ $forbiddenVars = Filter::none();`
`131`	`129`	`foreach ($this->getAuth()->getUser()->getRoles() as $role) {`
`132`	`130`	`if (($restriction = $role->getRestrictions('icingadb/denylist/variables'))) {`
`133`		`- $denied = Filter::none();`
`134`		`- $hiddenVars->add($denied);`
`135`	`131`	`foreach (explode(',', $restriction) as $value) {`
`136`		`- $denied->add(Filter::like('name', trim($value))->ignoreCase());`
	`132`	`+ $forbiddenVars->add(Filter::like('name', trim($value))->ignoreCase());`
`137`	`133`	`}`
`138`	`134`	`}`
`139`	`135`
`140`	`136`	`if (($restriction = $role->getRestrictions('icingadb/protect/variables'))) {`
`141`		`- $protected = Filter::none();`
`142`		`- $protectedVars->add($protected);`
`143`	`137`	`foreach (explode(',', $restriction) as $value) {`
`144`		`- $protected->add(Filter::like('name', trim($value))->ignoreCase());`
	`138`	`+ $forbiddenVars->add(Filter::like('name', trim($value))->ignoreCase());`
`145`	`139`	`}`
`146`	`140`	`}`
`147`	`141`	`}`
`148`	`142`
`149`		`- if (! $hiddenVars->isEmpty()) {`
`150`		`- $forbiddenVars->add($hiddenVars);`
`151`		`- }`
`152`		`-`
`153`		`- if (! $protectedVars->isEmpty()) {`
`154`		`- $forbiddenVars->add($protectedVars);`
`155`		`- }`
`156`		`-`
`157`	`143`	`if ($forbiddenVars->isEmpty()) {`
`158`	`144`	`return;`
`159`	`145`	`}`
`@@ -223,13 +209,14 @@ public function applyRestrictions(Query $query)`
`223`	`209`	`$resolver = $query->getResolver();`
`224`	`210`
`225`	`211`	`$queryFilter = Filter::any();`
`226`		`- $obfuscationRules = Filter::any();`
	`212`	`+ $forbiddenVars = Filter::all();`
	`213`	`+ $obfuscationRules = Filter::all();`
`227`	`214`	`foreach ($this->getAuth()->getUser()->getRoles() as $role) {`
`228`	`215`	`$roleFilter = Filter::all();`
`229`	`216`
`230`	`217`	`if ($customVarRelationName !== false) {`
`231`	`218`	`if (($restriction = $role->getRestrictions('icingadb/denylist/variables'))) {`
`232`		`- $roleFilter->add($this->parseDenylist(`
	`219`	`+ $forbiddenVars->add($this->parseDenylist(`
`233`	`220`	`$restriction,`
`234`	`221`	`$customVarRelationName`
`235`	`222`	`? $resolver->qualifyColumn('flatname', $customVarRelationName)`
`@@ -364,7 +351,8 @@ public function applyRestrictions(Query $query)`
`364`	`351`	`}`
`365`	`352`	`}`
`366`	`353`
`367`		`- $query->filter($queryFilter);`
	`354`	`+ $query->filter($queryFilter)`
	`355`	`+ ->filter($forbiddenVars);`
`368`	`356`	`}`
`369`	`357`	`}`
`370`	`358`