1 files changed, 55 insertions, 23 deletions

diff --git a/modules-available/statistics_reporting/page.inc.php b/modules-available/statistics_reporting/page.inc.php
index 52accaea..5d586b6c 100644
--- a/modules-available/statistics_reporting/page.inc.php
+++ b/modules-available/statistics_reporting/page.inc.php
@@ -52,16 +52,20 @@ class Page_Statistics_Reporting extends Page
 
 		// Export - handle in doPreprocess so we don't render the menu etc.
 		if ($this->action === 'export') {
-			$this->doExport();
-			// Does not return
+			if (User::hasPermission("table.export") && User::hasPermission("table.view.$this->type")) {
+				$this->doExport();
+				// Does not return
+			}
 		}
 		// Get report - fetch data exactly the way it would automatically be reported
 		// so the user can know what is going on
 		if ($this->action === 'getreport') {
-			$report = RemoteReport::generateReport(time());
-			Header('Content-Disposition: attachment; filename=remote-report.json');
-			Header('Content-Type: application/json; charset=utf-8');
-			die(json_encode($report));
+			if(User::hasPermission("reporting.download")) {
+				$report = RemoteReport::generateReport(time());
+				Header('Content-Disposition: attachment; filename=remote-report.json');
+				Header('Content-Type: application/json; charset=utf-8');
+				die(json_encode($report));
+			}
 		}
 	}
 
@@ -100,6 +104,7 @@ class Page_Statistics_Reporting extends Page
 				$data['tables'][] = array(
 					'name' => Dictionary::translate('table_' . $table, true),
 					'value' => $table,
+					'allowed' => User::hasPermission("table.view.$table"),
 					'selected' => ($this->type === $table) ? 'selected' : '',
 				);
 			}
@@ -121,10 +126,17 @@ class Page_Statistics_Reporting extends Page
 				$data['settingsButtonClass'] = 'danger';
 			}
 
+			$data['allowedExport'] = User::hasPermission("table.export") && User::hasPermission("table.view.$this->type");
+			$data['allowedDownload'] = User::hasPermission("reporting.download");
+			$data['allowedReportChange'] = User::hasPermission("reporting.change");
+
 			Render::addTemplate('columnChooser', $data);
 
 			$data['data'] = $this->fetchData(GETDATA_PRINTABLE);
-			Render::addTemplate('table-' . $this->type, $data);
+
+			if (User::hasPermission("table.view.$this->type")) {
+				Render::addTemplate('table-' . $this->type, $data);
+			}
 		}
 	}
 
@@ -132,23 +144,24 @@ class Page_Statistics_Reporting extends Page
 	{
 		$this->action = Request::any('action', false, 'string');
 		if ($this->action === 'setReporting') {
-			if (!User::isLoggedIn()) {
-				die("No.");
-			}
-			$state = Request::post('reporting', false, 'string');
-			if ($state === false) {
-				die('Missing setting value.');
-			}
-			RemoteReport::setReportingEnabled($state);
-			$data = array();
-			if (RemoteReport::isReportingEnabled()) {
-				$data['class'] = 'default';
-				$data['checked'] = true;
+			if (User::hasPermission("reporting.change")) {
+				$state = Request::post('reporting', false, 'string');
+				if ($state === false) {
+					die('Missing setting value.');
+				}
+				RemoteReport::setReportingEnabled($state);
+				$data = array();
+				if (RemoteReport::isReportingEnabled()) {
+					$data['class'] = 'default';
+					$data['checked'] = true;
+				} else {
+					$data['class'] = 'danger';
+				}
+				Header('Content-Type: application/json; charset=utf-8');
+				die(json_encode($data));
 			} else {
-				$data['class'] = 'danger';
+				die('No permission.');
 			}
-			Header('Content-Type: application/json; charset=utf-8');
-			die(json_encode($data));
 		} else {
 			echo 'Invalid action.';
 		}
@@ -266,9 +279,28 @@ class Page_Statistics_Reporting extends Page
 					}
 				}
 			}
+			// only show locations which you have permission for
+			$filterLocs = User::getAllowedLocations("table.view.location");
+			foreach ($data as $key => $row) {
+				if (!in_array($row['locationId'], $filterLocs)) {
+					unset($data[$key]);
+				}
+			}
+			// correct indexing of array after deletions
+			$data = array_values($data);
 			return $data;
 		case 'client':
-			return GetData::perClient($flags);
+			$data = GetData::perClient($flags);
+			// only show clients from locations which you have permission for
+			$filterLocs = User::getAllowedLocations("table.view.location");
+			foreach ($data as $key => $row) {
+				if (!in_array($row['locationId'], $filterLocs)) {
+					unset($data[$key]);
+				}
+			}
+			// correct indexing of array after deletions
+			$data = array_values($data);
+			return $data;
 		case 'user':
 			return GetData::perUser($flags);
 		case 'vm':