Diffstat (limited to 'configuration.php')
-rw-r--r-- | configuration.php | 196 |
1 files changed, 96 insertions, 100 deletions
diff --git a/configuration.php b/configuration.php
index 4536d5d..f812f3c 100644
--- a/configuration.php
+++ b/configuration.php
@@ -1,100 +1,99 @@ <?php use Icinga\Application\Icinga; +use Icinga\Application\Modules\Module; +use Icinga\Module\Director\Auth\Permission; +use Icinga\Module\Director\Auth\Restriction; use Icinga\Web\Window; -/** @var \Icinga\Application\Modules\Module $this */ +/** @var Module $this */ if ($this->getConfig()->get('frontend', 'disabled', 'no') === 'yes') { return; } -$this->providePermission('director/api', $this->translate('Allow to access the director API')); -$this->providePermission('director/audit', $this->translate('Allow to access the full audit log')); -$this->providePermission( - 'director/showconfig', - $this->translate('Allow to show configuration (could contain sensitive information)') -); -$this->providePermission( - 'director/showsql', - $this->translate('Allow to show the full executed SQL queries in some places') -); -$this->providePermission('director/deploy', $this->translate('Allow to deploy configuration')); -$this->providePermission('director/hosts', $this->translate('Allow to configure hosts')); -$this->providePermission('director/services', $this->translate('Allow to configure services')); -$this->providePermission('director/servicesets', $this->translate('Allow to configure service sets')); -$this->providePermission('director/service_set/apply', $this->translate('Allow to define Service Set Apply Rules')); -$this->providePermission('director/users', $this->translate('Allow to configure users')); -$this->providePermission('director/notifications', $this->translate('Allow to configure notifications (unrestricted)')); -$this->providePermission( - 'director/scheduled-downtimes', - $this->translate('Allow to configure notifications (unrestricted)') -); -$this->providePermission( - 'director/inspect', - $this->translate( - 'Allow to inspect objects through the Icinga 2 API (could contain sensitive information)' - ) -); -$this->providePermission( - 'director/monitoring/services-ro', - $this->translate('Allow readonly users to see where a Service 
came from') -); -$this->providePermission( - 'director/monitoring/hosts', - $this->translate('Allow users to modify Hosts they are allowed to see in the monitoring module') -); -$this->providePermission( - 'director/monitoring/services', - $this->translate('Allow users to modify Service they are allowed to see in the monitoring module') -); -$this->providePermission('director/*', $this->translate('Allow unrestricted access to Icinga Director')); -$this->provideRestriction( - 'director/filter/hostgroups', - $this->translate( - 'Limit access to the given comma-separated list of hostgroups' - ) -); +$monitoringExists = Module::exists('monitoring'); +$icingadbExists = Module::exists('icingadb'); -$this->provideRestriction( - 'director/monitoring/rw-object-filter', - $this->translate( - 'Additional (monitoring module) object filter to further restrict write access' - ) -); +$this->providePermission(Permission::ALL_PERMISSIONS, $this->translate('Allow unrestricted access to Icinga Director')); +$this->providePermission(Permission::API, $this->translate('Allow to access the director API')); +$this->providePermission(Permission::AUDIT, $this->translate('Allow to access the full audit log')); +$this->providePermission(Permission::DEPLOY, $this->translate('Allow to deploy configuration')); +$this->providePermission(Permission::INSPECT, $this->translate( + 'Allow to inspect objects through the Icinga 2 API (could contain sensitive information)' +)); +$this->providePermission(Permission::SHOW_CONFIG, $this->translate( + 'Allow to show configuration (could contain sensitive information)' +)); +$this->providePermission(Permission::SHOW_SQL, $this->translate( + 'Allow to show the full executed SQL queries in some places' +)); +$this->providePermission(Permission::GROUPS_FOR_RESTRICTED_HOSTS, $this->translate( + 'Allow users with Hostgroup restrictions to access the Groups field' +)); +$this->providePermission(Permission::HOSTS, $this->translate('Allow to configure hosts')); 
+$this->providePermission(Permission::NOTIFICATIONS, $this->translate( + 'Allow to configure notifications (unrestricted)' +)); +$this->providePermission(Permission::SERVICES, $this->translate('Allow to configure services')); +$this->providePermission(Permission::SERVICE_SETS, $this->translate('Allow to configure service sets')); +$this->providePermission(Permission::SERVICE_SET_APPLY, $this->translate('Allow to define Service Set Apply Rules')); +$this->providePermission(Permission::USERS, $this->translate('Allow to configure users')); +$this->providePermission(Permission::SCHEDULED_DOWNTIMES, $this->translate( + 'Allow to configure notifications (unrestricted)' +)); -$this->providePermission( - 'director/groups-for-restricted-hosts', - $this->translate('Allow users with Hostgroup restrictions to access the Groups field') -); +if ($monitoringExists) { + $this->providePermission(Permission::MONITORING_HOSTS, $this->translate( + 'Allow users to modify Hosts they are allowed to see in the monitoring module' + )); + $this->providePermission(Permission::MONITORING_SERVICES, $this->translate( + 'Allow users to modify Service they are allowed to see in the monitoring module' + )); + $this->providePermission(Permission::MONITORING_SERVICES_RO, $this->translate( + 'Allow readonly users to see where a Service came from' + )); +} -$this->provideRestriction( - 'director/service/apply/filter-by-name', - $this->translate( - 'Filter available service apply rules' - ) -); +if ($icingadbExists) { + $this->providePermission(Permission::ICINGADB_HOSTS, $this->translate( + 'Allow users to modify Hosts they are allowed to see in Icinga DB Web' + )); + $this->providePermission(Permission::ICINGADB_SERVICES, $this->translate( + 'Allow users to modify Service they are allowed to see in Icinga DB Web' + )); + $this->providePermission(Permission::ICINGADB_SERVICES_RO, $this->translate( + 'Allow readonly users to see where a Service came from' + )); +} -$this->provideRestriction( - 
'director/notification/apply/filter-by-name', - $this->translate( - 'Filter available notification apply rules' - ) -); +if ($monitoringExists) { + $this->provideRestriction(Restriction::MONITORING_RW_OBJECT_FILTER, $this->translate( + 'Additional (monitoring module) object filter to further restrict write access' + )); +} -$this->provideRestriction( - 'director/scheduled-downtime/apply/filter-by-name', - $this->translate( - 'Filter available scheduled downtime rules' - ) -); +if ($icingadbExists) { + $this->provideRestriction(Restriction::ICINGADB_RW_OBJECT_FILTER, $this->translate( + 'Additional (Icinga DB Web) object filter to further restrict write access' + )); +} -$this->provideRestriction( - 'director/service_set/filter-by-name', - $this->translate( - 'Filter available service set templates. Use asterisks (*) as wildcards,' - . ' like in DB* or *net*' - ) -); +$this->provideRestriction(Restriction::FILTER_HOSTGROUPS, $this->translate( + 'Limit access to the given comma-separated list of hostgroups' +)); +$this->provideRestriction(Restriction::NOTIFICATION_APPLY_FILTER_BY_NAME, $this->translate( + 'Filter available notification apply rules' +)); +$this->provideRestriction(Restriction::SCHEDULED_DOWNTIME_APPLY_FILTER_BY_NAME, $this->translate( + 'Filter available scheduled downtime rules' +)); +$this->provideRestriction(Restriction::SERVICE_APPLY_FILTER_BY_NAME, $this->translate( + 'Filter available service apply rules' +)); +$this->provideRestriction(Restriction::SERVICE_SET_FILTER_BY_NAME, $this->translate( + 'Filter available service set templates. Use asterisks (*) as wildcards,' + . ' like in DB* or *net*' +)); $this->provideSearchUrl($this->translate('Host configs'), 'director/hosts?limit=10', 60); @@ -111,10 +110,10 @@ $this->provideRestriction( ); */ -$this->provideConfigTab('config', array( +$this->provideConfigTab('config', [ 'title' => 'Configuration', 'url' => 'settings' -)); +]); $mainTitle = N_('Icinga Director'); try { 
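Review bot: In the first hunk (`@@ -1,100 +1,99 @@`), `Permission::SCHEDULED_DOWNTIMES` is registered with the description 'Allow to configure notifications (unrestricted)', the same text as `Permission::NOTIFICATIONS`, so someone editing a role sees two identically labelled entries and can grant the wrong one. The string was carried over unchanged from the removed `director/scheduled-downtimes` line; I would change it to `'Allow to configure scheduled downtimes (unrestricted)'`. The same ambiguity exists between `MONITORING_SERVICES_RO` and `ICINGADB_SERVICES_RO`, which both read 'Allow readonly users to see where a Service came from'; naming the backend in each, as the neighbouring Hosts/Service strings do, would keep them distinguishable. The monitoring and Icinga DB permissions and rw-object-filter restrictions are now only provided when `Module::exists()` is true, and a one-line comment above `$monitoringExists` stating how existing roles that reference them behave when the module is absent would help, since that is not visible here.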
@@ -141,41 +140,38 @@ try { $mainTitle .= ' (?!)'; } -$section = $this->menuSection( - $mainTitle -)->setUrl('director')->setPriority(60)->setIcon( - 'cubes' -)->setRenderer(array( - 'SummaryNavigationItemRenderer', - 'state' => 'critical' -)); - +// Hint: director/admin and director/deployments are intentionally +$section = $this->menuSection($mainTitle) + ->setUrl('director') + ->setPriority(60) + ->setIcon('cubes') + ->setRenderer(['SummaryNavigationItemRenderer', 'state' => 'critical']); $section->add(N_('Hosts')) ->setUrl('director/dashboard?name=hosts') - ->setPermission('director/hosts') + ->setPermission(Permission::HOSTS) ->setPriority(30); $section->add(N_('Services')) ->setUrl('director/dashboard?name=services') - ->setPermission('director/services') + ->setPermission(Permission::SERVICES) ->setPriority(40); $section->add(N_('Commands')) ->setUrl('director/dashboard?name=commands') - ->setPermission('director/admin') + ->setPermission(Permission::ADMIN) ->setPriority(50); $section->add(N_('Notifications')) ->setUrl('director/dashboard?name=notifications') - ->setPermission('director/notifications') + ->setPermission(Permission::NOTIFICATIONS) ->setPriority(70); $section->add(N_('Automation')) ->setUrl('director/importsources') - ->setPermission('director/admin') + ->setPermission(Permission::ADMIN) ->setPriority(901); $section->add(N_('Activity log')) ->setUrl('director/config/activities') ->setPriority(902) - ->setPermission('director/audit') + ->setPermission(Permission::AUDIT) ->setRenderer('ConfigHealthItemRenderer'); $section->add(N_('Deployments')) ->setUrl('director/config/deployments') ->setPriority(902) - ->setPermission('director/deployments'); + ->setPermission(Permission::DEPLOYMENTS); |
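Review bot: The added comment `// Hint: director/admin and director/deployments are intentionally` stops mid-sentence, so the reason it was meant to record is lost. This matters for access control: the menu entries below use `Permission::ADMIN` and `Permission::DEPLOYMENTS`, and neither is passed to `providePermission()` in the first hunk of this diff, so presumably only roles holding the wildcard can see Commands, Automation and Deployments. If that is the intent, finish the sentence, for example `// Hint: director/admin and director/deployments are intentionally not provided as permissions; only director/* grants them`. The `try` block that sets `$mainTitle` begins outside this hunk.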