Some permission updates for non-admin users

html/includes/table/alerts.inc.php

@@ -7,10 +7,18 @@ if (is_numeric($_POST['device_id']) && $_POST['device_id'] > 0) {
 }
 
 if (isset($searchPhrase) && !empty($searchPhrase)) {
-    $sql .= " AND (`timestamp` LIKE '%$searchPhrase%' OR `rule` LIKE '%$searchPhrase%' OR `name` LIKE '%$searchPhrase%' OR `hostname` LIKE '%$searchPhrase%')";
+    $sql_search .= " AND (`timestamp` LIKE '%$searchPhrase%' OR `rule` LIKE '%$searchPhrase%' OR `name` LIKE '%$searchPhrase%' OR `hostname` LIKE '%$searchPhrase%')";
 }
 
-$sql = " FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id` RIGHT JOIN alert_rules ON alerts.rule_id=alert_rules.id WHERE $where AND `state` IN (1,2,3,4) $sql";
+$sql = " FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id`";
+
+if (is_admin() === FALSE && is_read() === FALSE) {
+    $sql .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
+    $where .= " AND `DP`.`user_id`=?";
+    $param[] = $_SESSION['user_id'];
+}
+
+$sql .= "  RIGHT JOIN alert_rules ON alerts.rule_id=alert_rules.id WHERE $where AND `state` IN (1,2,3,4) $sql_search";
 
 $count_sql = "SELECT COUNT(`alerts`.`id`) $sql";
 $total = dbFetchCell($count_sql,$param);
@@ -78,14 +86,12 @@ foreach (dbFetchRows($sql,$param) as $alert) {
         $severity .= " <strong>-</strong>";
     }
 
-    if ($_SESSION['userlevel'] >= '10') {
-        $ack_ico = 'volume-up';
-        $ack_col = 'success';
-        if($alert['state'] == 2) {
-            $ack_ico = 'volume-off';
-            $ack_col = 'danger';
-        }
-    }
+    $ack_ico = 'volume-up';
+    $ack_col = 'success';
+    if($alert['state'] == 2) {
+        $ack_ico = 'volume-off';
+        $ack_col = 'danger';
+     }
 
     $hostname = '
      <div class="incident">

html/pages/search/arp.inc.php

@@ -30,7 +30,16 @@ var grid = $("#arp-search").bootgrid({
 <?php
 
 // Select the devices only with ARP tables
-foreach (dbFetchRows("SELECT D.device_id AS device_id, `hostname` FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D WHERE M.port_id = P.port_id AND P.device_id = D.device_id GROUP BY `device_id` ORDER BY `hostname`") as $data) {
+$sql = "SELECT D.device_id AS device_id, `hostname` FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D";
+
+if (is_admin() === FALSE && is_read() === FALSE) {
+    $sql .= " LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`";
+    $where .= " AND `DP`.`user_id`=?";
+    $param[] = $_SESSION['user_id'];
+}
+
+$sql .= " WHERE M.port_id = P.port_id AND P.device_id = D.device_id $where GROUP BY `device_id` ORDER BY `hostname`";
+foreach (dbFetchRows($sql,$param) as $data) {
     echo('"<option value=\"'.$data['device_id'].'\""+');
     if ($data['device_id'] == $_POST['device_id']) {
         echo('" selected "+');

html/pages/search/packages.inc.php

@@ -70,9 +70,18 @@ if(isset($_POST['results_amount']) && $_POST['results_amount'] > 0) {
 
 $count_query = "SELECT COUNT(*) FROM ( ";
 $full_query = "";
-$query = 'SELECT packages.name FROM packages,devices WHERE packages.device_id = devices.device_id AND packages.name LIKE "%'.mres($_POST['package']).'%" GROUP BY packages.name';
-$where = '';
+$query = 'SELECT packages.name FROM packages,devices ';
 $param = array();
+
+if (is_admin() === FALSE && is_read() === FALSE) {
+    $query .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
+    $sql_where .= " AND `DP`.`user_id`=?";
+    $param[] = $_SESSION['user_id'];
+}
+
+$query .= " WHERE packages.device_id = devices.device_id AND packages.name LIKE '%".mres($_POST['package'])."%' $sql_where GROUP BY packages.name";
+
+$where = '';
 $ver = "";
 $opt = "";