From 734c493dc1e416ee188ad121033b7856e8259816 Mon Sep 17 00:00:00 2001
From: Udo Walter
Date: Thu, 18 Jan 2018 17:54:13 +0100
Subject: [statistics] added permissions to view client logs; removed unused query arguments from Paginate::exec (caused an error if query arguments that are actually used in the query are passed to Paginate::exec)
---
 inc/paginate.inc.php | 2 --
 modules-available/syslog/lang/de/permissions.json | 3 +++
 modules-available/syslog/lang/en/permissions.json | 3 +++
 modules-available/syslog/page.inc.php | 26 +++++++++++++++++++---
 .../syslog/permissions/permissions.json | 3 +++
 modules-available/syslog/templates/heading.html | 1 +
 .../syslog/templates/page-syslog.html | 1 -
 7 files changed, 33 insertions(+), 6 deletions(-)
 create mode 100644 modules-available/syslog/lang/de/permissions.json
 create mode 100644 modules-available/syslog/lang/en/permissions.json
 create mode 100644 modules-available/syslog/permissions/permissions.json
 create mode 100644 modules-available/syslog/templates/heading.html
diff --git a/inc/paginate.inc.php b/inc/paginate.inc.php
index cdb4adf1..b212e252 100644
--- a/inc/paginate.inc.php
+++ b/inc/paginate.inc.php
@@ -65,8 +65,6 @@ class Paginate
 $countQuery = preg_replace('/ORDER\s+BY\s.*?(\sASC|\sDESC|$)/is', '', $this->query);
 $countQuery = preg_replace('/SELECT\s.*?\sFROM\s/is', 'SELECT Count(*) AS rowcount FROM ', $countQuery);
 $countRes = Database::queryFirst($countQuery, $args);
- $args['limit_start'] = $this->currentPage;
- $args['limit_count'] = $this->perPage;
 $query = $this->query . ' LIMIT ' . ($this->currentPage * $this->perPage) . ', ' . $this->perPage;
 $retval = Database::simpleQuery($query, $args);
 $this->totalRows = (int)$countRes['rowcount'];
diff --git a/modules-available/syslog/lang/de/permissions.json b/modules-available/syslog/lang/de/permissions.json
new file mode 100644
index 00000000..0cd05451
--- /dev/null
+++ b/modules-available/syslog/lang/de/permissions.json
@@ -0,0 +1,3 @@
+{
+ "view": "Client Log anschauen."
+}
\ No newline at end of file
diff --git a/modules-available/syslog/lang/en/permissions.json b/modules-available/syslog/lang/en/permissions.json
new file mode 100644
index 00000000..497e199e
--- /dev/null
+++ b/modules-available/syslog/lang/en/permissions.json
@@ -0,0 +1,3 @@
+{
+ "view": "View client log."
+}
\ No newline at end of file
diff --git a/modules-available/syslog/page.inc.php b/modules-available/syslog/page.inc.php
index c679877a..a34ceb53 100644
--- a/modules-available/syslog/page.inc.php
+++ b/modules-available/syslog/page.inc.php
@@ -15,6 +15,13 @@ class Page_SysLog extends Page
 protected function doRender()
 {
+ Render::addTemplate("heading");
+
+ if (!User::hasPermission("view")) {
+ Message::addError('main.no-permission');
+ return;
+ }
+
 $cutoff = strtotime('-1 month');
 $res = Database::simpleQuery("SELECT logtypeid, Count(*) AS counter FROM clientlog WHERE dateline > $cutoff GROUP BY logtypeid ORDER BY counter ASC");
 $types = array();
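Review bot: The log-type summary query directly after the new permission check in modules-available/syslog/page.inc.php (`SELECT logtypeid, Count(*) AS counter FROM clientlog WHERE dateline > $cutoff ...`) is left unscoped, so a user whose "view" permission covers only some locations still gets event counts aggregated over every client, while only the paginated listing further down is restricted by `User::getAllowedLocations("view")`. If per-location separation is the intent, fetch `$allowedLocations` before this query and apply the same `INNER JOIN machine ... locationid IN (:allowedLocations)` restriction to it. A short comment above the check, for example `// heading is shown to everyone; log data requires "view"`, would make the ordering of `Render::addTemplate("heading")` and the early `return` explicit. doRender continues outside the hunk, so how the counts are used is not visible here.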
@@ -55,11 +62,24 @@ class Page_SysLog extends Page
 else
 $whereClause .= ' AND ';
- $whereClause .= "machineuuid='" . preg_replace('/[^0-9a-zA-Z\-]/', '', Request::get('machineuuid', '', 'string')) . "'";
+ $whereClause .= "machineuuid='" . preg_replace('/[^0-9a-zA-Z\-]/', '', Request::get('machineuuid', '', 'string')) . "'";
+ }
+
+ $allowedLocations = User::getAllowedLocations("view");
+ $joinClause = "";
+ if (!in_array(0, $allowedLocations)) {
+ $joinClause = "INNER JOIN machine ON machine.machineuuid = clientlog.machineuuid";
+ if (empty($whereClause))
+ $whereClause .= ' WHERE ';
+ else
+ $whereClause .= ' AND ';
+
+ $whereClause .= 'locationid IN (:allowedLocations)';
 }
+
 $lines = array();
- $paginate = new Paginate("SELECT logid, dateline, logtypeid, clientip, description, extra FROM clientlog $whereClause ORDER BY logid DESC", 50);
- $res = $paginate->exec();
+ $paginate = new Paginate("SELECT logid, dateline, logtypeid, clientlog.clientip as clientip, description, extra FROM clientlog $joinClause $whereClause ORDER BY logid DESC", 50);
+ $res = $paginate->exec(array("allowedLocations" => $allowedLocations));
 while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
 $row['date'] = Util::prettyTime($row['dateline']);
 $row['icon'] = $this->eventToIconName($row['logtypeid']);
diff --git a/modules-available/syslog/permissions/permissions.json b/modules-available/syslog/permissions/permissions.json
new file mode 100644
index 00000000..f04ea714
--- /dev/null
+++ b/modules-available/syslog/permissions/permissions.json
@@ -0,0 +1,3 @@
+[
+ "view"
+]
\ No newline at end of file
diff --git a/modules-available/syslog/templates/heading.html b/modules-available/syslog/templates/heading.html
new file mode 100644
index 00000000..d6790a21
--- /dev/null
+++ b/modules-available/syslog/templates/heading.html
@@ -0,0 +1 @@
+
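Review bot: In modules-available/syslog/page.inc.php (second hunk) the `machineuuid='...'` filter stays unqualified, so once `$joinClause` adds `INNER JOIN machine` the column exists in both tables and a location-restricted user who filters by machine will most likely hit an ambiguous-column SQL error; the commit qualifies `clientlog.clientip` in the SELECT for the same reason, and the filter should build `"clientlog.machineuuid='"` (and use `machine.locationid` in the new condition). In the unrestricted branch the query contains no `:allowedLocations` placeholder, yet `exec(array("allowedLocations" => $allowedLocations))` still passes it; whether Database::simpleQuery tolerates unused or array-valued parameters is not visible here, so pass the argument only when the join is added and confirm that an empty `$allowedLocations` cannot produce `IN ()`. Because `in_array(0, $allowedLocations)` decides whether the location filter is skipped entirely, the strict form `in_array(0, $allowedLocations, true)` is safer if getAllowedLocations returns integers. doRender starts and ends outside the hunk.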

{{lang_clientLog}}

\ No newline at end of file
diff --git a/modules-available/syslog/templates/page-syslog.html b/modules-available/syslog/templates/page-syslog.html
index 8b590038..9062dbaa 100644
--- a/modules-available/syslog/templates/page-syslog.html
+++ b/modules-available/syslog/templates/page-syslog.html
@@ -1,4 +1,3 @@
-

{{lang_clientLog}}