From a14faaf68af84dfcddb32ec41ec0ce899221ef7c Mon Sep 17 00:00:00 2001 From: raviks789 Date: Fri, 1 Aug 2025 12:35:05 +0200 Subject: [PATCH] HostgroupRestriction: Allow creation of hosts if they match restricted groups filter --- .../Restriction/HostgroupRestriction.php | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/library/Director/Restriction/HostgroupRestriction.php b/library/Director/Restriction/HostgroupRestriction.php index f2face4d5..7c414c94f 100644 --- a/library/Director/Restriction/HostgroupRestriction.php +++ b/library/Director/Restriction/HostgroupRestriction.php @@ -2,8 +2,10 @@ namespace Icinga\Module\Director\Restriction; +use Icinga\Data\Filter\Filter; use Icinga\Module\Director\Auth\Restriction; use Icinga\Module\Director\Db\IcingaObjectFilterHelper; +use Icinga\Module\Director\Objects\HostApplyMatches; use Icinga\Module\Director\Objects\IcingaHost; use Icinga\Module\Director\Objects\IcingaHostGroup; use Icinga\Module\Director\Objects\IcingaObject; @@ -59,7 +61,7 @@ public function allowsHost(IcingaHost $host) // Hint: branched hosts have no id if (! $host->hasBeenLoadedFromDb() || $host->hasModifiedGroups() || $host->get('id') === null) { foreach ($this->listRestrictedHostgroups() as $group) { - if ($host->hasGroup($group)) { + if ($host->hasGroup($group) || $this->matchesHostGroupFilter($group, $host)) { return true; } } @@ -76,6 +78,21 @@ public function allowsHost(IcingaHost $host) return (int) $this->db->fetchOne($query) === (int) $host->get('id'); } + /** + * Check if the given host matches the filter of given host group + * + * @param string $group + * @param IcingaHost $host + * + * @return bool + */ + private function matchesHostGroupFilter(string $group, IcingaHost $host): bool + { + return HostApplyMatches::prepare($host)->matchesFilter( + Filter::fromQueryString(IcingaHostGroup::load($group, $host->getConnection())->get('assign_filter')) + ); + } + /** * Whether access to the given hostgroup is allowed *