From: Gunnar Beutner
Date: Tue, 18 Aug 2015 06:17:34 +0000 (+0200)
Subject: Don't allow users to delete objects that weren't created using the API
X-Git-Tag: v2.4.0~401
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=60a30d50f67c902e023a96d7b246550331ffaad0;p=icinga2
Don't allow users to delete objects that weren't created using the API
refs #9082
---
diff --git a/lib/remote/createobjecthandler.cpp b/lib/remote/createobjecthandler.cpp
index 143d17139..456935781 100644
--- a/lib/remote/createobjecthandler.cpp
+++ b/lib/remote/createobjecthandler.cpp
@@ -61,6 +61,7 @@ bool CreateObjectHandler::HandleRequest(const ApiUser::Ptr& user, HttpRequest& r
 builder->SetType(type->GetName());
 builder->SetName(name);
 builder->SetScope(ScriptGlobal::GetGlobals());
+builder->SetModule("_api");
 Array::Ptr templates = params->Get("templates");
diff --git a/lib/remote/deleteobjecthandler.cpp b/lib/remote/deleteobjecthandler.cpp
index fe532dfdf..92b6aa079 100644
--- a/lib/remote/deleteobjecthandler.cpp
+++ b/lib/remote/deleteobjecthandler.cpp
@@ -65,6 +65,13 @@ bool DeleteObjectHandler::HandleRequest(const ApiUser::Ptr& user, HttpRequest& r
 Dictionary::Ptr result1 = new Dictionary();
 result1->Set("type", type->GetName());
 result1->Set("name", obj->GetName());
+results->Add(result1);
+
+if (obj->GetModule() != "_api") {
+result1->Set("code", 500);
+result1->Set("status", "Object cannot be deleted because it was not created using the API.");
+continue;
+}
 ConfigItem::Ptr item = ConfigItem::GetObject(type->GetName(), obj->GetName());
@@ -82,8 +89,6 @@ bool DeleteObjectHandler::HandleRequest(const ApiUser::Ptr& user, HttpRequest& r
 result1->Set("code", 500);
 result1->Set("status", "Object could not be deleted: " + DiagnosticInformation(ex));
 }
-
-results->Add(result1);
 }
 Dictionary::Ptr result = new Dictionary();
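Review bot: The marker written by `builder->SetModule("_api");` is a bare string literal that the new guard in deleteobjecthandler.cpp (`obj->GetModule() != "_api"`) must match byte-for-byte, so a typo or later rename in either file silently turns the protection into "nothing is deletable" or "everything is deletable" with no compiler help. Hoist it to one shared constant in a header both handlers include, e.g. `inline const char* const kApiModuleName = "_api";` (constructed name), and use it in both the create and delete paths. The enclosing HandleRequest body starts and ends outside this hunk.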
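Review bot: The rejection branch stamps `code` 500 on a deliberate policy refusal, which is indistinguishable from the genuine failure path in the next hunk that also reports 500 after an exception; a 403 (or 409) here would let API clients and log parsers tell "not deletable by design" from "delete failed". Because `results->Add(result1);` now runs before the guard and the matching `Add` at the end of the loop is removed in the following hunk, any early `continue` in the stretch of the loop between the two hunks would now also emit a result entry, which is presumably intended but worth confirming. Whether objects created through the API before this change still carry the `"_api"` module after a restart is not visible here; if the module is not persisted with the object, those objects become permanently undeletable through the API. A short comment above the guard would help future readers: `// Only objects created via the API (module "_api") may be deleted here; config-file objects are rejected.` The enclosing HandleRequest body starts and ends outside this hunk.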