From 44742851b22f225294a693f54161ad8e43a7dfda Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 28 Jun 2021 15:04:35 +0200
Subject: [eventlog] Check permissions; add synamic suggestions for keys

---
 modules-available/eventlog/pages/mailconfigs.inc.php | 3 +++
 modules-available/eventlog/pages/rules.inc.php       | 3 +++
 modules-available/eventlog/pages/transports.inc.php  | 3 +++
 3 files changed, 9 insertions(+)

(limited to 'modules-available/eventlog/pages')

diff --git a/modules-available/eventlog/pages/mailconfigs.inc.php b/modules-available/eventlog/pages/mailconfigs.inc.php
index 6d5d20b6..141bf6e2 100644
--- a/modules-available/eventlog/pages/mailconfigs.inc.php
+++ b/modules-available/eventlog/pages/mailconfigs.inc.php
@@ -8,6 +8,7 @@ class SubPage
 	public static function doPreprocess()
 	{
 		if (Request::isPost()) {
+			User::assertPermission('filter.mailconfigs.edit');
 			$action = Request::post('action');
 			if ($action === 'save-mailconfig') {
 				self::saveMailconfig();
@@ -61,6 +62,7 @@ class SubPage
 
 	public static function doRender()
 	{
+		User::assertPermission('filter.mailconfigs.view');
 		$id = Request::get('id', null, 'int');
 		if ($id !== null) {
 			self::showMailconfigEditor($id);
@@ -79,6 +81,7 @@ class SubPage
 	 */
 	private static function showMailconfigEditor(int $id)
 	{
+		User::assertPermission('filter.mailconfigs.edit');
 		if ($id !== 0) {
 			// EDIT
 			$data = Database::queryFirst('SELECT configid, host, port, `ssl`, senderaddress, replyto,
diff --git a/modules-available/eventlog/pages/rules.inc.php b/modules-available/eventlog/pages/rules.inc.php
index 131c4eb6..b00dcf08 100644
--- a/modules-available/eventlog/pages/rules.inc.php
+++ b/modules-available/eventlog/pages/rules.inc.php
@@ -8,6 +8,7 @@ class SubPage
 	public static function doPreprocess()
 	{
 		if (Request::isPost()) {
+			User::assertPermission('filter.rule.edit');
 			$action = Request::post('action');
 			if ($action === 'save-filter') {
 				self::saveRule();
@@ -87,6 +88,7 @@ class SubPage
 
 	public static function doRender()
 	{
+		User::assertPermission('filter.rule.view');
 		$id = Request::get('id', null, 'int');
 		if ($id !== null) {
 			self::showRuleEditor($id);
@@ -109,6 +111,7 @@ class SubPage
 	private static function showRuleEditor(int $id)
 	{
 		// EDIT
+		User::assertPermission('filter.rule.edit');
 		$index = 0;
 		$existing = [];
 		if ($id !== 0) {
diff --git a/modules-available/eventlog/pages/transports.inc.php b/modules-available/eventlog/pages/transports.inc.php
index b72f36f9..c5d3713c 100644
--- a/modules-available/eventlog/pages/transports.inc.php
+++ b/modules-available/eventlog/pages/transports.inc.php
@@ -6,6 +6,7 @@ class SubPage
 	public static function doPreprocess()
 	{
 		if (Request::isPost()) {
+			User::assertPermission('filter.transport.edit');
 			$action = Request::post('action');
 			if ($action === 'save-transport') {
 				self::saveTransport();
@@ -107,6 +108,7 @@ class SubPage
 
 	public static function doRender()
 	{
+		User::assertPermission('filter.transport.view');
 		$id = Request::get('id', null, 'int');
 		if ($id !== null) {
 			self::showTransportEditor($id);
@@ -134,6 +136,7 @@ class SubPage
 	 */
 	private static function showTransportEditor(int $id)
 	{
+		User::assertPermission('filter.transport.edit');
 		if ($id !== 0) {
 			$entry = Database::queryFirst('SELECT transportid, title, description, data
 				FROM notification_backend
-- 
cgit v1.2.3-55-g7522