In the cgi, only permit a user to execute commands on an entire

hostgroup/servicegroup if authorized for every member of the group.
From upstream repo.

net/icinga/core/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.9 2011/06/08 16:18:57 sthen Exp $
+# $OpenBSD: Makefile,v 1.10 2011/06/28 06:34:33 sthen Exp $
 
 COMMENT-main =		network monitoring system (improved fork of Nagios)
 COMMENT-cgi =		cgi scripts for Icinga (classic Nagios-style UI)
@@ -8,6 +8,7 @@ COMMENT-api =		database-backed API for icinga
 DISTNAME =		icinga-$V
 PKGNAME-main =		icinga-$V
 REVISION-main =		0
+REVISION-cgi =		0
 PKGNAME-cgi =		icinga-cgi-$V
 PKGNAME-ido =		icinga-idoutils-$V
 PKGNAME-api =		icinga-api-$V

net/icinga/core/patches/patch-cgi_cgiauth_c

@@ -0,0 +1,46 @@
+$OpenBSD: patch-cgi_cgiauth_c,v 1.1 2011/06/28 06:34:33 sthen Exp $
+
+Fix from upstream ed01c63
+
+--- cgi/cgiauth.c.orig	Wed Jun  8 08:58:48 2011
++++ cgi/cgiauth.c	Mon Jun 27 23:47:45 2011
+@@ -858,3 +858,39 @@ int is_authorized_for_host_commands(host *hst, authdat
+         }
+ 
+ 
++/* check is the current user is authorized to issue commands relating to a particular servicegroup */
++int is_authorized_for_servicegroup_commands(servicegroup *sg, authdata *authinfo){
++	servicesmember *temp_servicesmember;
++	service *temp_service;
++
++	if(sg==NULL)
++		return FALSE;
++
++	/* see if user is authorized for all services commands in the servicegroup */
++	for(temp_servicesmember=sg->members;temp_servicesmember!=NULL;temp_servicesmember=temp_servicesmember->next){
++		temp_service=find_service(temp_servicesmember->host_name,temp_servicesmember->service_description);
++		if(is_authorized_for_service_commands(temp_service,authinfo)==FALSE)
++			return FALSE;
++	}
++
++	return TRUE;
++}
++
++
++/* check is the current user is authorized to issue commands relating to a particular hostgroup */
++int is_authorized_for_hostgroup_commands(hostgroup *hg, authdata *authinfo){
++	hostsmember *temp_hostsmember;
++	host *temp_host;
++
++	if(hg==NULL)
++		return FALSE;
++
++	/* see if user is authorized for all hosts in the hostgroup */
++	for(temp_hostsmember=hg->members;temp_hostsmember!=NULL;temp_hostsmember=temp_hostsmember->next){
++		temp_host=find_host(temp_hostsmember->host_name);
++		if(is_authorized_for_host_commands(temp_host,authinfo)==FALSE)
++			return FALSE;
++	}
++
++	return TRUE;
++}

net/icinga/core/patches/patch-cgi_cmd_c

@@ -0,0 +1,20 @@
+$OpenBSD: patch-cgi_cmd_c,v 1.1 2011/06/28 06:34:33 sthen Exp $
+
+Fix from upstream ed01c63
+
+--- cgi/cmd.c.orig	Wed Jun  8 08:58:48 2011
++++ cgi/cmd.c	Mon Jun 27 23:47:45 2011
+@@ -2175,11 +2175,11 @@ void commit_command_data(int cmd){
+ 		   cmd==CMD_ENABLE_HOSTGROUP_SVC_CHECKS		|| cmd==CMD_DISABLE_HOSTGROUP_SVC_CHECKS || \
+ 		   cmd==CMD_SCHEDULE_HOSTGROUP_HOST_DOWNTIME	|| cmd==CMD_SCHEDULE_HOSTGROUP_SVC_DOWNTIME ){
+ 			temp_hostgroup=find_hostgroup(hostgroup_name);
+-			if(is_authorized_for_hostgroup(temp_hostgroup,&current_authdata)==TRUE)
++			if(is_authorized_for_hostgroup_commands(temp_hostgroup,&current_authdata)==TRUE)
+ 				is_authorized[x]=TRUE;
+ 		} else {
+ 			temp_servicegroup=find_servicegroup(servicegroup_name);
+-			if(is_authorized_for_servicegroup(temp_servicegroup,&current_authdata)==TRUE)
++			if(is_authorized_for_servicegroup_commands(temp_servicegroup,&current_authdata)==TRUE)
+ 				is_authorized[x]=TRUE;
+ 		}
+ 

net/icinga/core/patches/patch-include_cgiauth_h

@@ -0,0 +1,16 @@
+$OpenBSD: patch-include_cgiauth_h,v 1.1 2011/06/28 06:34:33 sthen Exp $
+
+Fix from upstream ed01c63
+
+--- include/cgiauth.h.orig	Wed Jun  8 08:58:48 2011
++++ include/cgiauth.h	Mon Jun 27 23:47:45 2011
+@@ -69,6 +69,9 @@ int is_authorized_for_service_commands(service *,authd
+ int is_authorized_for_hostgroup(hostgroup *,authdata *);
+ int is_authorized_for_servicegroup(servicegroup *,authdata *);
+ 
++int is_authorized_for_hostgroup_commands(hostgroup *,authdata *);
++int is_authorized_for_servicegroup_commands(servicegroup *,authdata *);
++
+ int is_authorized_for_configuration_information(authdata *);
+ 
+ int is_authorized_for_read_only(authdata *);