Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-12655

Users from different groups has access to all message content in event details

    Details

    • Team:
      Team C
    • Sprint:
      Sprint 16, Sprint 17, Sprint 18, Sprint 19, Sprint 20, Sprint 21
    • Story Points:
      0.5

      Description

      Personal information inside alert messages can be viewed by all users who has rights to the host even if these users are not from the same user group. In event details of a recovery event message content should not be displayed where recipients are "Inaccessible user".
      Macros {ESC.HISTORY}, {EVENT.ACK.HISTORY} and from 3.4 macro {USER.FULLNAME} may contain personal information.

      How to reproduce:

      • enable action to send emails to notifications about problem events and their recoveries to Superadmin and guest user (both have permission of the host and both are in different user groups), also add macro {ESC.HISTORY} to recovery message;
      • trigger a problem event;
      • resolve the problem;
      • log in as guest user;
      • open event details of the event that was resolved;
      • observe that both e-mails and all their content is visible to the guest user including admins full name and e-mail address.

      Expected: Information about message actions is not visible to users from different user groups except to Superadmins.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                gcalenko Gregory Chalenko
                Reporter:
                viktors.tjarve Viktors Tjarve
              • Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: