From 95970af78e4c899744a715766d744deef8c505f7 Mon Sep 17 00:00:00 2001
From: Neil Lathwood <gh+n@laf.io>
Date: Mon, 14 Feb 2022 07:40:30 +0000
Subject: [PATCH] Moved some pages to be within admin route (#13782)

* Moved plugin admin pages to be within admin route
* Wrap html transports page in admin check
* Moved Port group controller to be admin protected
* fixed tests
---
 includes/html/pages/alert-transports.inc.php | 44 +++++++++++---------
 routes/web.php                               | 10 +++--
 2 files changed, 30 insertions(+), 24 deletions(-)

diff --git a/includes/html/pages/alert-transports.inc.php b/includes/html/pages/alert-transports.inc.php
index 9f9f4316109f..84390ccdfc37 100644
--- a/includes/html/pages/alert-transports.inc.php
+++ b/includes/html/pages/alert-transports.inc.php
@@ -1,29 +1,33 @@
 <?php
 
-// handle OAuth requests
-$request = request();  // grab the Request object
+if (Auth::user()->hasGlobalAdmin()) {
+    // handle OAuth requests
+    $request = request();  // grab the Request object
 
-if ($request->has('oauthtransport')) {
-    // make sure transport is safe
-    $validator = Validator::make($request->all(), ['oauthtransport' => 'required|alpha']);
+    if ($request->has('oauthtransport')) {
+        // make sure transport is safe
+        $validator = Validator::make($request->all(), ['oauthtransport' => 'required|alpha']);
 
-    if ($validator->passes()) {
-        $transport_name = $request->get('oauthtransport');
-        $class = \LibreNMS\Alert\Transport::getClass($transport_name);
-        if (class_exists($class)) {
-            $transport = app($class);
-            if ($transport->handleOauth($request)) {
-                flash()->addSuccess("$transport_name added successfully.");
-            } else {
-                flash()->addError("$transport_name was not added. Check the log for details.");
+        if ($validator->passes()) {
+            $transport_name = $request->get('oauthtransport');
+            $class = \LibreNMS\Alert\Transport::getClass($transport_name);
+            if (class_exists($class)) {
+                $transport = app($class);
+                if ($transport->handleOauth($request)) {
+                    flash()->addSuccess("$transport_name added successfully.");
+                } else {
+                    flash()->addError("$transport_name was not added. Check the log for details.");
+                }
             }
         }
+
+        // remove get variables otherwise things will get double added
+        echo '<script>window.history.replaceState(null, null, window.location.pathname);</script>';
     }
+    unset($request);
 
-    // remove get variables otherwise things will get double added
-    echo '<script>window.history.replaceState(null, null, window.location.pathname);</script>';
+    // print alert transports
+    require_once 'includes/html/print-alert-transports.php';
+} else {
+    include 'includes/html/error-no-perm.inc.php';
 }
-unset($request);
-
-// print alert transports
-require_once 'includes/html/print-alert-transports.php';
diff --git a/routes/web.php b/routes/web.php
index 80cbb4ca99b5..3568ed1905f5 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -22,7 +22,6 @@
     // pages
     Route::post('alert/{alert}/ack', [\App\Http\Controllers\AlertController::class, 'ack'])->name('alert.ack');
     Route::resource('device-groups', 'DeviceGroupController');
-    Route::resource('port-groups', 'PortGroupController');
     Route::resource('port', 'PortController', ['only' => 'update']);
     Route::group(['prefix' => 'poller'], function () {
         Route::get('', 'PollerController@pollerTab')->name('poller.index');
@@ -75,11 +74,14 @@
         Route::delete('settings/{name}', 'SettingsController@destroy')->name('settings.destroy');
 
         Route::post('alert/transports/{transport}/test', [\App\Http\Controllers\AlertTransportController::class, 'test'])->name('alert.transports.test');
+
+        Route::get('plugin/settings', 'PluginAdminController')->name('plugin.admin');
+        Route::get('plugin/settings/{plugin:plugin_name}', 'PluginSettingsController')->name('plugin.settings');
+        Route::post('plugin/settings/{plugin:plugin_name}', 'PluginSettingsController@update')->name('plugin.update');
+
+        Route::resource('port-groups', 'PortGroupController');
     });
 
-    Route::get('plugin/settings', 'PluginAdminController')->name('plugin.admin');
-    Route::get('plugin/settings/{plugin:plugin_name}', 'PluginSettingsController')->name('plugin.settings');
-    Route::post('plugin/settings/{plugin:plugin_name}', 'PluginSettingsController@update')->name('plugin.update');
     Route::get('plugin', 'PluginLegacyController@redirect');
     Route::redirect('plugin/view=admin', '/plugin/admin');
     Route::get('plugin/p={pluginName}', 'PluginLegacyController@redirect');