REST API: host-tag auth update

* require "wato.edit" on all modifying endpoints * require "wato.hosttags" on all endpoints Change-Id: I6e81b1da4c73652783851fb06d2a3d72dba4f75e
FredIde · May 30, 2022 · 7ec5861 · 7ec5861
1 parent 597d17b
commit 7ec5861
Showing 1 changed file with 17 additions and 5 deletions.
diff --git a/cmk/gui/plugins/openapi/endpoints/host_tag.py b/cmk/gui/plugins/openapi/endpoints/host_tag.py
@@ -54,6 +54,14 @@
     ]
 )
 
+RW_PERMISSIONS = permissions.AllPerm(
+    [
+        permissions.Perm("wato.edit"),
+        permissions.Perm("wato.hosttags"),
+        permissions.Optional(permissions.Perm("wato.all_folders")),
+    ]
+)
+
 
 class HostTagGroupName(fields.String):
     """A field representing the host tag group"""
@@ -86,10 +94,11 @@ def _validate(self, value):
     etag="output",
     request_schema=request_schemas.InputHostTagGroup,
     response_schema=response_schemas.DomainObject,
-    permissions_required=PERMISSIONS,
+    permissions_required=RW_PERMISSIONS,
 )
 def create_host_tag_group(params):
     """Create a host tag group"""
+    user.need_permission("wato.edit")
     host_tag_group_details = params["body"]
     save_tag_group(TagGroup.from_config(host_tag_group_details))
     return _serve_host_tag_group(_retrieve_group(host_tag_group_details["id"]).get_dict_format())
@@ -102,7 +111,7 @@ def create_host_tag_group(params):
     etag="output",
     path_params=[HOST_TAG_GROUP_NAME],
     response_schema=response_schemas.ConcreteHostTagGroup,
-    permissions_required=permissions.Perm("wato.hosttags"),
+    permissions_required=PERMISSIONS,
 )
 def show_host_tag_group(params):
     """Show a host tag group"""
@@ -117,10 +126,11 @@ def show_host_tag_group(params):
     ".../collection",
     method="get",
     response_schema=response_schemas.DomainObjectCollection,
-    permissions_required=permissions.Optional(permissions.Perm("wato.hosttags")),
+    permissions_required=PERMISSIONS,
 )
 def list_host_tag_groups(params):
     """Show all host tag groups"""
+    user.need_permission("wato.hosttags")
     tag_config = load_tag_config()
     tag_config += BuiltinTagConfig()
     tag_groups_collection = {
@@ -147,12 +157,13 @@ def list_host_tag_groups(params):
     path_params=[HOST_TAG_GROUP_NAME],
     additional_status_codes=[401, 405],
     request_schema=request_schemas.UpdateHostTagGroup,
-    permissions_required=PERMISSIONS,
+    permissions_required=RW_PERMISSIONS,
     response_schema=response_schemas.ConcreteHostTagGroup,
 )
 def update_host_tag_group(params):
     """Update a host tag group"""
     # TODO: ident verification mechanism with ParamDict replacement
+    user.need_permission("wato.edit")
     user.need_permission("wato.hosttags")  # see cmk.gui.wato.pages.tags
     body = params["body"]
     ident = params["name"]
@@ -190,11 +201,12 @@ def update_host_tag_group(params):
     path_params=[HOST_TAG_GROUP_NAME],
     additional_status_codes=[405],
     query_params=[request_schemas.DeleteHostTagGroup],
-    permissions_required=PERMISSIONS,
+    permissions_required=RW_PERMISSIONS,
     output_empty=True,
 )
 def delete_host_tag_group(params):
     """Delete a host tag group"""
+    user.need_permission("wato.edit")
     ident = params["name"]
     if is_builtin(ident):
         return problem(