API permissions issue when updating hosts and events.

XMLWordPrintable

    • Type: Incident report
    • Resolution: Cannot Reproduce
    • Priority: Major
    • None
    • Affects Version/s: 1.9.0 (alpha)
    • Component/s: API (A)
    • None
    • Environment:
      RedHat 5. Apache2, PHP 5.3.1 MySQL 5.1

      When doing certain operations with the API, they fail with a permissions issue. The api user is a Zabbix Super Admin and if I login to the GUI with this user, the account can complete the operations tried with the API. And example of code in question can be found in class.cevent.php but all permissions issues can be fixed in other API classes by doing the same "hack" so I assume if I could figure out what self::get was doing and fixed that all issues would be fixed:

      Current:
      if(!empty($events)){
      $allowed_events = self::get(array('eventids' => $eventids, 'preservekeys' => 1));
      foreach($events as $num => $event){
      if(!isset($allowed_events[$event['eventid']]))

      { self::setError(__METHOD__, ZBX_API_ERROR_PERMISSIONS, 'You have not enough rights for operation'); return false; }

      }
      }
      if(!empty($triggers)){
      $allowed_triggers = CTrigger::get(array('triggerids' => $triggerids, 'preservekeys' => 1));
      foreach($triggers as $num => $trigger){
      if(!isset($allowed_triggers[$trigger['triggerid']]))

      { self::setError(__METHOD__, ZBX_API_ERROR_PERMISSIONS, 'You have not enough rights for operation'); return false; }

      }
      $events = array_merge($events, self::get(array('triggerids' => $triggerids, 'nopermissions' => 1, 'preservekeys' => 1)));
      $eventids = zbx_objectValues($events, 'eventid');
      }
      "Hacked" code:
      if(!empty($events)){
      $allowed_events = self::get(array('eventids' => $eventids, 'preservekeys' => 1));
      //foreach($events as $num => $event){
      // if(!isset($allowed_events[$event['eventid']]))

      { // self::setError(__METHOD__, ZBX_API_ERROR_PERMISSIONS, 'You have not enough rights for operation'); // return false; // }

      //}
      }
      if(!empty($triggers)){
      $allowed_triggers = CTrigger::get(array('triggerids' => $triggerids, 'preservekeys' => 1));
      //foreach($triggers as $num => $trigger){
      // if(!isset($allowed_triggers[$trigger['triggerid']]))

      { // self::setError(__METHOD__, ZBX_API_ERROR_PERMISSIONS, 'You have not enough rights for operation'); // return false; // }

      //}
      $events = array_merge($events, self::get(array('triggerids' => $triggerids, 'nopermissions' => 1, 'preservekeys' => 1)));
      $eventids = zbx_objectValues($events, 'eventid');
      }

            Assignee:
            Unassigned
            Reporter:
            Dan Rogers
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated:
              Resolved: