ZBX-8448

A Zabbix Admin without "Super Admin" permission but just "Admin" rights can not edit a Host if it belongs to both a Read-Write and Read-Only "User Group".

    Details

      Description

      A Zabbix Admin without "Super Admin" permission but just "Admin" rights can not edit a Host if it belongs to both a Read-Write and Read-Only "User Group".

      Steps to recreate the problem:

      1. Create host groups "Test/Admin_Rights" and "Test/Read-Only_Rights"
      2. Create a host named "Host_Test" and add it to host groups "Test/Admin_Rights" and "Test/Read-Only_Rights"
      3. Create a user group "User_Test_Group" and give group permissions as follows:
      Read-Write -> "Test/Admin_Rights"
      Read-Only -> "Test/Read-Only_Rights"
      4. Create a user "Zabbix_Test" with only "Admin" rights (not superadmin) and assign user group "User_Test_Group" from step 3.
      5. Login with user "Zabbix_Test"
      6. Try and modify "Host_Test": Configuration -> Hosts -> "Host_Test" -> "Save"
      7. Permission error is thrown:
      No permissions to referred object or it does not exist! [hosts.php:482 → CAPIObject->update() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHost->update() → CHost->massUpdate() → CHost->massRemove() → CHostGeneral->massRemove() → CHostGroup->massRemove() → CZBXAPI::exception() in /var/www/html/zabbix.dev.cbeyond.net/api/classes/CHostGroup.php:842]

      Error is thrown since Zabbix_Test user does not have read-write access to the "Test/Read-Only_Rights" host group under permissions but the host is in "Test/Admin_Rights" which the user has read-write access to.

      If you view the user permissions it shows "Host Test" has read-write rights.

      Screenshots provided.

      1. Zabbix_Admin_Screen1.5.png
        6 kB
      2. Zabbix_Admin_Screen1.png
        27 kB
      3. Zabbix_Admin_Screen2.png
        42 kB
      4. Zabbix_Admin_Screen3.png
        68 kB
      5. Zabbix_Admin_Screen4.png
        38 kB

          Activity

          Marc added a comment -

          similar to ZBX-8360

          Pavels Jelisejevs (Inactive) added a comment -

          Another related issue to consider when fixing this bug - ZBX-6401.

          Ivo Kurzemnieks added a comment - - edited

          (1)
          for 2.2 branch
          Removed translation strings:

          • 'Can't remove group'
          • 'Can't add group'
          • 'Cannot delete host group.'
          • 'Cannot create host group.'

          for 2.4 branch
          Removed translation strings:

          • 'Cannot create host group.'
          • 'Cannot delete host group.'
          • 'Cannot remove group.'

          for trunk
          Removed translation strings:

          • 'Cannot create host group.'
          • 'Cannot delete host group.'
          • 'Cannot remove group.'

          Updated translation strings:

          • 'Wrong fields for host "%s".' -> 'Wrong fields for host "%1$s".'
          • 'No groups for host "%s".' -> 'No groups for host "%1$s".'

          Oleg Egorov CLOSED

          Ivo Kurzemnieks added a comment - - edited
          1. Initial problem found in host.massupdate when updating hostgroup linkage. API selected groups including read only permissions group and was trying to delete that invisible group. Same situation in template.massupdate and when linking hosts (e.g. template edit form the list of hosts).
          2. Another problem found in host prototypes when there are multiple groups assigned. But in this case the group that user has no permissions to will be removed from the list.
          3. Another problem: admin can export templates/hosts with all of its assigned groups, but cannot import them back in, since some groups appear to admin as non-existing and import is trying to create new groups and fails.
          Pavels Jelisejevs (Inactive) added a comment -

          I suggest to fix this way:

          We display all of the host groups in the form and mark the readonly ones as disabled. When saving the form, these groups must not be affected. Keep in mind, that when cloning the host, the readonly host groups must be unset. The API must not allow to modify these groups.

          The same goes for the template linkage form elements.

          Ivo Kurzemnieks added a comment -

          RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-8448-2

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (2) Minor issues in configuration.host.edit.php:

          1. Line 30: "getRequest('groupid') > 0" must be written as "getRequest('groupid') != 0";
          2. Next line, we use $groupIds[] instead of array_push();
          3. Line 217: it's better to use an associative array and isset() instead of in_array().

          Same thing for configuration.template.edit.php.

          Ivo Kurzemnieks RESOLVED in r50359

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (3) Trying to update a discovered host results in the following errors:

          Undefined index: groups [hosts.php:482 → CAPIObject->update() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHost->update() → CHost->checkInput() in /opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHost.php:669]
          No groups for host "vm_1". [hosts.php:482 → CAPIObject->update() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHost->update() → CHost->checkInput() → CZBXAPI::exception() in /opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHost.php:670]

          Ivo Kurzemnieks RESOLVED in r50205

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (4) Cannot unlink a template from a host using the tween box in the template form.

          Ivo Kurzemnieks RESOLVED in r50360

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (5) Host partial update was broken:

          {
              "hostid": "200100000000002",
              "status": 0
          }
          
          {
              "jsonrpc": "2.0",
              "error": {
                  "code": -32602,
                  "message": "Invalid params.",
                  "data": "No groups for host \"host\".",
                  "debug": [
                      {
                          "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHost.php",
                          "line": 670,
                          "function": "exception",
                          "class": "CZBXAPI",
                          "type": "::",
                          "args": [
                              100,
                              "No groups for host \"host\"."
                          ]
                      },
                      {
                          "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHost.php",
                          "line": 963,
                          "function": "checkInput",
                          "class": "CHost",
                          "type": "->",
                          "args": [
                              [
                                  {
                                      "hostid": "200100000000002",
                                      "status": 0
                                  }
                              ],
                              "update"
                          ]
                      },
                      {
                          "function": "update",
                          "class": "CHost",
                          "type": "->",
                          "args": [
                              {
                                  "hostid": "200100000000002",
                                  "status": 0
                              }
                          ]
                      },
                      {
                          "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/rpc/class.czbxrpc.php",
                          "line": 120,
                          "function": "call_user_func",
                          "args": [
                              [
                                  {},
                                  "update"
                              ],
                              {
                                  "hostid": "200100000000002",
                                  "status": 0
                              }
                          ]
                      },
                      {
                          "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/rpc/class.czbxrpc.php",
                          "line": 72,
                          "function": "callAPI",
                          "class": "czbxrpc",
                          "type": "::",
                          "args": [
                              "host.update",
                              {
                                  "hostid": "200100000000002",
                                  "status": 0
                              }
                          ]
                      },
                      {
                          "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/rpc/class.cjsonrpc.php",
                          "line": 71,
                          "function": "call",
                          "class": "czbxrpc",
                          "type": "::",
                          "args": [
                              "host.update",
                              {
                                  "hostid": "200100000000002",
                                  "status": 0
                              },
                              "51ea5ea31453a4f021eeec2245842f30"
                          ]
                      },
                      {
                          "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api_jsonrpc.php",
                          "line": 50,
                          "function": "execute",
                          "class": "CJSONrpc",
                          "type": "->",
                          "args": []
                      }
                  ]
              },
              "id": 2
          }
          

          Ivo Kurzemnieks RESOLVED in r50205

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (6) When I try to remove all writable groups from a host and leave it only with readable groups, I get the following error: "You do not have permission to perform this operation.". This is possible via the API.

          Ivo Kurzemnieks RESOLVED in r50340, r50350

          Pavels Jelisejevs

          1. In CHost::update() I suggest you move the "unset($host['macros']);" code together with the other macro related code.
          2. Please add a comment that describes why groups need to be updated in the end. This is important.

          Ivo Kurzemnieks RESOLVED in r50535

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (7) [trunk] Please move all of the affected API requests from views to controllers. This should be done in trunk only.

          Ivo Kurzemnieks RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-8448-trunk r51705

          Oleg Egorov CLOSED

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (8) Unused variables left in CHost::checkInput() and CHostGroup::validatePermissions().

          Ivo Kurzemnieks RESOLVED in r50205, r50261

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (9) In CHostGroup::massAdd():

          $hosts = isset($data['hosts']) ? zbx_toArray($data['hosts']) : null;
          $hostIds = ($hosts === null) ? array() : zbx_objectValues($hosts, 'hostid');
          

          can be simplified to

          $hosts = isset($data['hosts']) ? zbx_toArray($data['hosts']) : array();
          $hostIds = zbx_objectValues($hosts, 'hostid');
          

          Ivo Kurzemnieks RESOLVED in r50261

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (10) The validatePermission() method should be broken into smaller methods. Otherwise it's too specific to the massAdd and massUpdate methods.

          Ivo Kurzemnieks RESOLVED in r50261

          Pavels Jelisejevs

          1. The interface to validateMethod methods must be implemented according to the guidelines (poke me for the link if you can't find it).
          2. We omit @return void in PHP docs.
          3. Consider the CHostGroup::validateHostsPermissions() method. It is supposed to be a generic method to check host permissions, yet it has a hardcoded message "cannot update groups". Which means that it cannot be used anywhere else.

          Ivo Kurzemnieks RESOLVED in r50537

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (11) Since you've added host and template permissions checks for hostgroup.massadd and massupdate, please also add it to massremove as well.

          Ivo Kurzemnieks RESOLVED in r50261

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (12) Don't use array_merge in loops in validatePermissions(). It performs very poorly when called lots of times.

          Ivo Kurzemnieks RESOLVED in r50261

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (13) Since the validation is already performed by hostgroup.massadd and hostgroup.massupdate, we can remove the code in CHost::checkInput(). Since we plan to deprecate the mass* methods, the code will be moved to the host API eventually.

          Ivo Kurzemnieks RESOLVED in r50205

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (14) Cannot unlink all hosts from templates using template.massupdate.

          Ivo Kurzemnieks Probably same thing as (4). If so, RESOLVED in r50360. Please, check again.

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (15) Template.massadd and template.massremove must also check permissions on linked hosts.

          Ivo Kurzemnieks RESOLVED in r50374

          Pavels Jelisejevs CLOSED.

          Pavels Jelisejevs (Inactive) added a comment - - edited

          (16) Incorrect host group editing form behavior. I have two host groups which contain a single host each. When I try to remove the only host from one of the groups, it submits the form successfully but doesn't do anything. It should display an error. The other case is when I try to add the second host to the first host group, it displays an error: "One of the objects is left without a host group. [hostgroups.php:112 → CAPIObject->massUpdate() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHostGroup->massUpdate() → CHostGroup->validateMassUpdate() → CZBXAPI::exception() in /opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHostGroup.php:1071]".

          Ivo Kurzemnieks RESOLVED in r50598

          Oleg Egorov CLOSED

          Oleg Egorov added a comment - - edited

          (17) Coding style:
          1. Missed space
          configuration.host.edit.php:31
          $groupIds[]= getRequest('groupid');

          2. Make some refactoring for API calls so that 'output' goes as first option
          hosts.php: 725
          API request, move 'output'

          Ivo Kurzemnieks RESOLVED in r51111

          Oleg Egorov CLOSED

          Oleg Egorov added a comment -

          As was discussed.
          In 2.4 and trunk please fix strings
          Wrong fields for host "%s".
          No groups for host "%s".
          ...

          And other places where the %s construction was used

          Oleg Egorov added a comment - - edited

          (19) host.create

          {
              "host": "RW_API_3",
              "interfaces": [
                  {
                      "type": 1,
                      "main": 1,
                      "useip": 1,
                      "ip": "192.168.3.1",
                      "dns": "",
                      "port": "10050"
                  }
              ],
              "groups": [
                  {
                      "groupid": "98"
                  },
                  {
                      "groupid": "96"
                  }
              ]
          }
          

          Group IDs 96 and 98 don't exist. But it is possible to reproduce this issue if groups 96 and 98 are with Deny permissions.

          SQL statement execution has failed \"INSERT INTO hosts_groups (hostid,groupid,hostgroupid) VALUES ('10148','98','168')\".

          Ivo Kurzemnieks RESOLVED in r51110

          Oleg Egorov Nice, but I made a minor coding style improvement, please review r51230

          Ivo Kurzemnieks Thanks!

          CLOSED.

          Oleg Egorov added a comment - - edited

          (20) Host group update via frontend.
          If one of hosts contains RW + R permissions.

          No permissions to referred object or it does not exist! [hostgroups.php:112 → CAPIObject->massUpdate() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHostGroup->massUpdate() → CHostGroup->validateMassUpdate() → CZBXAPI::exception() in C:\xampp\htdocs\ZBX-8448-2\frontends\php\api\classes\CHostGroup.php:1139]

          Ivo Kurzemnieks RESOLVED in r51242

          Oleg Egorov CLOSED

          Oleg Egorov added a comment -

          TESTED, but only for 2.2.
          Please review my trivial changes in r51276

          Ivo Kurzemnieks added a comment - - edited

          RESOLVED for 2.4 branch in svn://svn.zabbix.com/branches/dev/ZBX-8448-24

          Oleg Egorov CLOSED

          Oleg Egorov added a comment -

          TESTED

          Ivo Kurzemnieks added a comment - - edited

          Problems before the fix:

          • When host or template belonged to two groups (one read-write and other read-only), an admin user did not have permissions to save existing host or template.
          • When saving template form, user lost template-host linkage.
          • Accessing trigger and trigger prototypes actions like "enable/disable" directly in URL, caused success message when trigger belonged to read group.

          What is fixed/added:

          • Fixed host and template permissions validation when a host or template belongs to both read and read-write groups.
          • In host and template edit forms read-only groups now appear grayed out (disabled) when object belongs to both read and read-write groups.
          • In template edit form linked hosts and templates that have read-only permissions now appear grayed out (disabled).
          • Fixed trigger and trigger prototype permissions when accessing actions and passing ID directly in URL and when trigger belongs to read-only group.
          • Admin user having read and read-write permissions to host or template can remove write permissions leaving only read permissions. It was possible via API with for example host.massremove, but now it's also possible via frontend.

          Fixed in:

          • pre-2.2.9rc1 r51861
          • pre-2.4.4rc1 r51862
          • pre-2.5.0 (trunk) r51863
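
          A simplified model of the permission checks described in the comment above, added here as an illustration; it is not Zabbix code. The `Perm` values, the function names and the second host `Host_RO` are assumptions, as is the rule that an explicit deny wins and otherwise the highest group right applies.

```python
from enum import IntEnum

class Perm(IntEnum):  # constructed levels for this model
    DENY = 0
    READ = 2
    READ_WRITE = 3

# Constructed data mirroring the reproduction steps in the report.
GROUP_RIGHTS = {"Test/Admin_Rights": Perm.READ_WRITE,
                "Test/Read-Only_Rights": Perm.READ}
HOST_GROUPS = {"Host_Test": {"Test/Admin_Rights", "Test/Read-Only_Rights"},
               "Host_RO": {"Test/Read-Only_Rights"}}  # hypothetical second host

def host_permission(host):
    """Effective right on a host: explicit deny wins, else the highest group right."""
    rights = [GROUP_RIGHTS[g] for g in HOST_GROUPS[host] if g in GROUP_RIGHTS]
    if not rights or Perm.DENY in rights:
        return Perm.DENY
    return max(rights)

def writable(group):
    """True when the user holds read-write on the group itself."""
    return GROUP_RIGHTS.get(group, Perm.DENY) >= Perm.READ_WRITE

def can_save_before_fix(host, new_groups):
    """Reported behaviour: every group referenced by the save had to be writable."""
    return all(writable(g) for g in HOST_GROUPS[host] | set(new_groups))

def can_save_after_fix(host, new_groups):
    """Require write on the host, and on only the groups actually added or removed."""
    if host_permission(host) < Perm.READ_WRITE:
        return False
    changed = HOST_GROUPS[host] ^ set(new_groups)
    return all(writable(g) for g in changed)

def toggle_trigger(host):
    """Server-side check for an action reached by passing an ID directly in the URL."""
    if host_permission(host) < Perm.READ_WRITE:
        raise PermissionError("No permissions to referred object or it does not exist!")
    return "updated"

if __name__ == "__main__":
    same = HOST_GROUPS["Host_Test"]
    print("effective:", host_permission("Host_Test").name)
    print("save before fix:", can_save_before_fix("Host_Test", same))
    print("save after fix:", can_save_after_fix("Host_Test", same))
```

          Dropping the read-only group from `Host_Test` is still refused after the fix, which matches the grayed-out read-only groups in the edit form, while dropping the read-write group is allowed.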
          Ivo Kurzemnieks added a comment - - edited

          (22) API documentation needs to be updated.

          Ivo Kurzemnieks Difficult to capture each method's changes. Please review if anything is missing or redundant.
          https://www.zabbix.com/documentation/2.2/manual/api/changes_2.2
          https://www.zabbix.com/documentation/2.4/manual/api/changes_2.4
          RESOLVED.

          Alexander Vladishev CLOSED

          Ivo Kurzemnieks added a comment - - edited

          (23) Documentation needs to be updated (probably with screenshots from edit forms).

          Martins Valkovskis Our screenshots are made from a super-admin perspective, so probably no changes there. Won't fix?

          Ivo Kurzemnieks CLOSED

          Marc added a comment - - edited

          (24) Is ZBX-8360 covered as well?
          A Zabbix-Admin may not edit a host anymore when host is member of a host group the Zabbix-Admin has no permission to

          <richlv> based on this comment, let's explicitly verify that the mentioned issue is solved as well

          Ivo Kurzemnieks Seems like it's working just fine.
          CLOSED.

          richlv added a comment - - edited

          subissues still open: 22, 23

          Oleksiy Zagorskyi added a comment -

          it caused a regression - ZBX-9348

          Ivo Kurzemnieks added a comment - - edited

          (25) Global search can pass read-only "groupid" parameter in URL preventing opening the edit form although user has write permissions to other groups.

          Ivo Kurzemnieks RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-8448 r52446

          Alexander Vladishev Do not fix regressions in this issue because 2.4.4 is already released! Please create different ZBX issue.

          Ivo Kurzemnieks Moved to ZBX-9381
          CLOSED.

          Oleksiy Zagorskyi added a comment -

          another regression - ZBX-9365


            People

            • Assignee:
              Unassigned
              Reporter:
              Kenneth Palmertree
            • Votes:
              1
              Watchers:
              8
