settings.update method has become available to all user types


    • Type: Problem report
    • Resolution: Cannot Reproduce
    • Priority: Major
    • Affects Version/s: 7.2.4rc1, 7.4.0alpha1
    • Component/s: API (A)

      Documentation states that "settings.update" is available only to super admins, however this is no longer true in 7.2+.

      1. Create a non-super admin user, just a regular admin or regular user;
      2. assign user role "Admin" or "User";
      3. in the User roles UI, in the API methods field, type "settings" and observe that "settings.*" and "settings.get" are available to this user role;
      4. using the plain API, log in with the regular user;
      5. check that "settings.get" is working and pick one field to update, for example "login_attempts: 1";
      6. perform a "settings.update" request:
         {
             "login_attempts": 1
         }
      7. observe that it executed successfully.
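A regression check for the behaviour in the steps above, added here and not part of Zabbix or this ticket: it logs in as a user that is not a super admin, issues the same settings.update request, and reports whether the API refused it. Requests go through a pluggable transport, so the HTTP transport (assumed endpoint api_jsonrpc.php with a Bearer token, as in Zabbix 7.x) and the constructed sample replies used for offline checking are both assumptions.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, Optional

JsonRpc = Dict[str, Any]
Transport = Callable[[JsonRpc, Optional[str]], JsonRpc]  # (request body, token) -> reply


def rpc(method: str, params: Any, req_id: int) -> JsonRpc:
    """Build a Zabbix JSON-RPC 2.0 request body."""
    return {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}


def permission_denied(reply: JsonRpc) -> bool:
    """True when the API refused the call for lack of permissions (message or data field)."""
    err = reply.get("error") or {}
    return "No permissions" in " ".join(str(err.get(k, "")) for k in ("message", "data"))


def settings_update_restricted(send: Transport, username: str, password: str) -> bool:
    """Log in as a NON-super-admin user and attempt the settings.update from the report.
    Returns True when the call is refused (expected), False when it succeeds (the bug)."""
    token = send(rpc("user.login", {"username": username, "password": password}, 1), None)["result"]
    probe = send(rpc("settings.update", {"login_attempts": 1}, 2), token)
    if permission_denied(probe):
        return True
    if "result" in probe:
        return False
    raise RuntimeError(f"unexpected reply: {probe}")


def http_transport(url: str) -> Transport:
    """Assumed real transport: POST to e.g. https://zabbix.example/api_jsonrpc.php."""
    def send(body: JsonRpc, token: Optional[str]) -> JsonRpc:
        headers = {"Content-Type": "application/json-rpc"}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


# Constructed sample replies (not captured from a real server) for offline checking.
DENIED_70 = {"jsonrpc": "2.0", "error": {"code": -32602, "message": "Invalid params.",
                                         "data": 'No permissions to call "settings.update".'}}
ALLOWED_72 = {"jsonrpc": "2.0", "result": ["login_attempts"]}


def fake_transport(settings_update_reply: JsonRpc) -> Transport:
    """Offline transport: any login succeeds, settings.update returns the given reply."""
    def send(body: JsonRpc, token: Optional[str]) -> JsonRpc:
        if body["method"] == "user.login":
            return {"jsonrpc": "2.0", "result": "constructed-session-token", "id": body["id"]}
        return dict(settings_update_reply, id=body["id"])
    return send
```

Against a live instance, `settings_update_restricted(http_transport(url), "user", "pw")` returning False means the regression described in this report is present.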

      Before, in 7.0, it worked correctly and returned the error 'No permissions to call "settings.update".'

      Also, surprisingly, there are no API tests covering the settings API.

            Assignee: Zabbix Development Team
            Reporter: Ivo Kurzemnieks
            Votes: 0
            Watchers: 3


            Estimated: Not Specified
            Remaining: Not Specified
            Logged: 2h