enforce server script perms when handling alert templates

amidaware · Jun 19, 2024 · 711e85e · 711e85e
1 parent 559d9b9
commit 711e85e
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/api/tacticalrmm/alerts/permissions.py b/api/tacticalrmm/alerts/permissions.py
@@ -3,6 +3,7 @@
 from django.shortcuts import get_object_or_404
 from rest_framework import permissions
 
+from tacticalrmm.constants import AlertTemplateActionType
 from tacticalrmm.permissions import _has_perm, _has_perm_on_agent
 
 if TYPE_CHECKING:
@@ -53,4 +54,17 @@ def has_permission(self, r, view) -> bool:
         if r.method == "GET":
             return _has_perm(r, "can_list_alerttemplates")
 
+        if r.method in ("POST", "PUT", "PATCH"):
+            # ensure only users with explicit run server script perms can add/modify alert templates
+            # while also still requiring the manage alert template perm
+            if isinstance(r.data, dict):
+                if (
+                    r.data.get("action_type") == AlertTemplateActionType.SERVER
+                    or r.data.get("resolved_action_type")
+                    == AlertTemplateActionType.SERVER
+                ):
+                    return _has_perm(r, "can_run_server_scripts") and _has_perm(
+                        r, "can_manage_alerttemplates"
+                    )
+
         return _has_perm(r, "can_manage_alerttemplates")