Fix director services permissions

application/controllers/HostController.php

@@ -146,12 +146,12 @@
         $info = ServiceFinder::find($host, $serviceName);
         $backend = $this->backend();
 
-        if ($info && $auth->hasPermission(Permission::HOSTS)) {
+        if ($info && $auth->hasPermission(Permission::SERVICES)) {
             $redirectUrl = $info->getUrl();
         } elseif (
             $info
-            && (($backend instanceof Monitoring && $auth->hasPermission(Permission::MONITORING_HOSTS))
-                || ($backend instanceof IcingadbBackend && $auth->hasPermission(Permission::ICINGADB_HOSTS))
+            && (($backend instanceof Monitoring && $auth->hasPermission(Permission::MONITORING_SERVICES))
+                || ($backend instanceof IcingadbBackend && $auth->hasPermission(Permission::ICINGADB_SERVICES))
             )
             && $backend->canModifyService($hostName, $serviceName)
         ) {
@@ -215,6 +215,14 @@
      */
     public function servicesAction()
     {
+        if (! $this->hasPermission(Permission::SERVICES)) {
+            if ($this->isServicesReadOnlyAction() && $this->hasPermission($this->getServicesReadOnlyPermission())) {
+                $this->servicesroAction();
+            }
+
+            return;
+        }
+
         $this->addServicesHeader();
         $host = $this->getHostObject();
         $this->addTitle($this->translate('Services: %s'), $host->getObjectName());
@@ -366,7 +374,7 @@
      * @param IcingaHost $host
      * @param IcingaHost|null $affectedHost
      */
     protected function addHostServiceSetTables(IcingaHost $host, IcingaHost $affectedHost = null, $roService = null)
     {
         $db = $this->db();
         if ($affectedHost === null) {

application/controllers/ServiceController.php

@@ -37,7 +37,7 @@ protected function checkDirectorPermissions()
             return;
         }
 
-        $this->assertPermission(Permission::HOSTS);
+        $this->assertPermission(Permission::SERVICES);
     }
 
     public function init()

library/Director/ProvidedHook/Icingadb/HostActions.php

@@ -47,10 +47,12 @@ protected function getThem(Host $host): array
         if (Util::hasPermission(Permission::HOSTS) && IcingaHost::exists($hostname, $db)) {
             $allowEdit = true;
         }
-        if (Util::hasPermission(Permission::ICINGADB_HOSTS)) {
-            if ((new IcingadbBackend())->canModifyHost($hostname)) {
-                $allowEdit = IcingaHost::exists($hostname, $db);
-            }
+        if (
+            Util::hasPermission(Permission::HOSTS)
+            && Util::hasPermission(Permission::ICINGADB_HOSTS)
+            && (new IcingadbBackend())->canModifyHost($hostname)
+        ) {
+            $allowEdit = IcingaHost::exists($hostname, $db);
         }
 
         if ($allowEdit) {

library/Director/ProvidedHook/Icingadb/ServiceActions.php

@@ -52,12 +52,12 @@ protected function getThem(Service $service)
         }
 
         $title = null;
-        if (Util::hasPermission(Permission::HOSTS)) {
+        if (
+            Util::hasPermission(Permission::SERVICES)
+            && Util::hasPermission(Permission::ICINGADB_SERVICES)
+            && (new IcingadbBackend())->canModifyService($hostname, $serviceName)
+        ) {
             $title = mt('director', 'Modify');
-        } elseif (Util::hasPermission(Permission::ICINGADB_SERVICES)) {
-            if ((new IcingadbBackend())->canModifyService($hostname, $serviceName)) {
-                $title = mt('director', 'Modify');
-            }
         } elseif (Util::hasPermission(Permission::ICINGADB_SERVICES_RO)) {
             $title = mt('director', 'Configuration');
         }

library/Director/ProvidedHook/Monitoring/HostActions.php

@@ -41,13 +41,12 @@ protected function getThem(Host $host)
         }
 
         $allowEdit = false;
-        if (Util::hasPermission(Permission::HOSTS) && IcingaHost::exists($hostname, $db)) {
-            $allowEdit = true;
-        }
-        if (Util::hasPermission(Permission::MONITORING_HOSTS)) {
-            if ((new Monitoring(Auth::getInstance()))->canModifyHost($hostname)) {
-                $allowEdit = IcingaHost::exists($hostname, $db);
-            }
+        if (
+            Util::hasPermission(Permission::HOSTS)
+            && Util::hasPermission(Permission::MONITORING_HOSTS)
+            && (new Monitoring(Auth::getInstance()))->canModifyHost($hostname)
+        ) {
+            $allowEdit = IcingaHost::exists($hostname, $db);
         }
 
         if ($allowEdit) {

library/Director/ProvidedHook/Monitoring/ServiceActions.php

@@ -53,12 +53,12 @@ protected function getThem(Service $service)
         }
 
         $title = null;
-        if (Util::hasPermission(Permission::HOSTS)) {
+        if (
+            Util::hasPermission(Permission::SERVICES)
+            && Util::hasPermission(Permission::MONITORING_SERVICES)
+            && (new Monitoring(Auth::getInstance()))->canModifyService($hostname, $serviceName)
+        ) {
             $title = mt('director', 'Modify');
-        } elseif (Util::hasPermission(Permission::MONITORING_SERVICES)) {
-            if ((new Monitoring(Auth::getInstance()))->canModifyService($hostname, $serviceName)) {
-                $title = mt('director', 'Modify');
-            }
         } elseif (Util::hasPermission(Permission::MONITORING_SERVICES_RO)) {
             $title = mt('director', 'Configuration');
         }

library/Director/Web/Tabs/ObjectTabs.php

@@ -67,7 +67,8 @@ protected function addTabsForExistingObject()
                 'label'     => $this->translate(ucfirst($type))
             ]);
         }
-        if ($object->getShortTableName() === 'host') {
+
+        if ($object->getShortTableName() === 'host' && $auth->hasPermission(Permission::SERVICES)) {
             $this->add('services', [
                 'url' => 'director/host/services',
                 'urlParams' => $params,