fix(security) admin access to gorgone popup (centreon#8798)

kduret · Jun 25, 2020 · 5a91ef2 · 5a91ef2
1 parent cc2928d
commit 5a91ef2
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/www/include/configuration/configServers/popup/popup.php b/www/include/configuration/configServers/popup/popup.php
@@ -36,16 +36,21 @@
 }
 $centreon = $_SESSION['centreon'];
 $pollerId = filter_var($_GET['id'] ?? false, FILTER_VALIDATE_INT);
-$userId = $centreon->user->user_id;
-$isAdmin = $centreon->user->admin;
-
-$acl = new CentreonACL($userId, $isAdmin);
-$aclPollers = $acl->getPollers();
-
-if ($pollerId === false || !array_key_exists($pollerId, $aclPollers)) {
+if ($pollerId === false) {
  print "Bad Poller Id";
  exit();
 }
+$userId = (int)$centreon->user->user_id;
+$isAdmin = (bool)$centreon->user->admin;
+
+if ($isAdmin === false) {
+ $acl = new CentreonACL($userId, $isAdmin);
+ $aclPollers = $acl->getPollers();
+ if (!array_key_exists($pollerId, $aclPollers)) {
+ print "No access rights to this Poller";
+ exit();
+ }
+}
 
 $tpl = new Smarty();
 $tpl = initSmartyTpl(null, $tpl);