mirror/zoneminder
1
0
Fork 0
mirror of https://github.com/ZoneMinder/zoneminder.git synced 2026-05-09 07:04:55 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
c58a3ccdda6732d3cb919dbe00cc1f747fcbcd53
zoneminder/src/zm_monitor_permission.cpp
Isaac Connor 3dfe185260 fix: resolve role-based group permissions not granting stream access 
The C++ User class (used by zms for streaming) had no awareness of
roles. It only checked user-direct permissions from Monitors_Permissions
and Groups_Permissions tables, completely ignoring Role_Monitors_Permissions,
Role_Groups_Permissions, and User_Roles base permissions. This caused
users who received camera permissions via Roles to be denied live stream
access, even though the PHP web interface (which has its own role-aware
checks in visibleMonitor()) showed the monitors correctly.

Changes:
- Add role_id to C++ User class, loaded via COALESCE(RoleId, 0) in all
  SQL queries (find, zmLoadTokenUser, zmLoadAuthUser)
- Add loadRoleBasePermissions() to merge role's Stream/Events/Monitors/
  etc. as fallback when user's own permission is PERM_NONE
- Add findByRole() to Group_Permission and Monitor_Permission classes
  to query Role_Groups_Permissions and Role_Monitors_Permissions tables
- Extend User::canAccess() to check role monitor and group permissions
  after user-direct permissions, matching the PHP visibleMonitor() logic
- Fix Monitor::canView() in PHP to also check role permissions when
  called for a user other than the global $user
- Fix off-by-one in zmLoadTokenUser where dbrow[10] read TokenMinExpiry
  out of bounds (was at index 9); adding RoleId shifts it to index 10

Fixes #4692

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 15:07:14 -04:00

79 lines
2.5 KiB
C++
Raw Blame History

/*
* ZoneMinder Monitor Permission class implementation
* Copyright (C) 2022 ZoneMinder Inc
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "zm_monitor_permission.h"
#include "zm_db.h"
#include "zm_utils.h"
#include <cstring>
Monitor_Permission::Monitor_Permission() : id(0), user_id(0), monitor_id(0), permission(PERM_INHERIT) {
}
Monitor_Permission::Monitor_Permission(const MYSQL_ROW &dbrow) {
int index = 0;
id = atoi(dbrow[index++]);
user_id = atoi(dbrow[index++]);
monitor_id = atoi(dbrow[index++]);
permission = static_cast<Permission>(atoi(dbrow[index++]));
}
Monitor_Permission::~Monitor_Permission() {
}
void Monitor_Permission::Copy(const Monitor_Permission &mp) {
id = mp.id;
user_id = mp.user_id;
monitor_id = mp.monitor_id;
permission = mp.permission;
}
std::vector<Monitor_Permission> Monitor_Permission::find(int p_user_id) {
std::vector<Monitor_Permission> results;
std::string sql = stringtf("SELECT `Id`,`UserId`,`MonitorId`,`Permission`+0 FROM Monitors_Permissions WHERE `UserId`='%d'", p_user_id);
MYSQL_RES *result = zmDbFetch(sql.c_str());
if (result) {
results.reserve(mysql_num_rows(result));
while (MYSQL_ROW dbrow = mysql_fetch_row(result)) {
results.push_back(Monitor_Permission(dbrow));
}
mysql_free_result(result);
}
return results;
}
std::vector<Monitor_Permission> Monitor_Permission::findByRole(int role_id) {
std::vector<Monitor_Permission> results;
std::string sql = stringtf("SELECT `Id`,`RoleId`,`MonitorId`,`Permission`+0 FROM Role_Monitors_Permissions WHERE `RoleId`='%d'", role_id);
MYSQL_RES *result = zmDbFetch(sql.c_str());
if (result) {
results.reserve(mysql_num_rows(result));
while (MYSQL_ROW dbrow = mysql_fetch_row(result)) {
results.push_back(Monitor_Permission(dbrow));
}
mysql_free_result(result);
}
return results;
}
Reference in New Issue View Git Blame Copy Permalink