- Type: Change Request
- Resolution: Unresolved
- Priority: Low
- Affects Version/s: 6.0.42, 7.0.20, 7.2.14, 7.4.4
- Component/s: API (A), Installation (I)
- S25-W46/47, S25-W48/49, S25-W50/51/52/01
- 2
There is a bug where if a user has Access to API enabled, but the Allow list is empty, they can still execute some API actions.
Scenario:
- Edit the default User role, change API access from "Deny list" to "Allow list"
- Optional: for better demonstration you can also remove all other access, except API access has to be enabled (see image below)
- Create a regular user with this role
- Some API methods can still be called (when they shouldn't)
- Change the user role permissions again, in the Allow list add a single method
- Now only the allowed API method works (as expected)
Expected:
As a user I would expect no API methods to work when the list is empty. This is further reinforced by the fact that they don't work when a single API method is added to the list.
- is duplicated by: ZBX-27325 Add "Denied methods" None or "Allowed methods" None (Closed)
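The report does not state the cause, so the following is an added example and not Zabbix code: a hypothetical model of role-based API method filtering that compares an evaluator treating an empty list as "no restriction" with one that applies the expected allow-list semantics. All names (`RolePolicy`, `is_allowed_lenient`, `is_allowed_strict`, `audit`) and the sample roles and probe methods are constructed for illustration, and the model simplifies the report's "some API methods" to every probed method.

```python
# Added illustration: hypothetical model, not taken from the Zabbix code base.
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"         # "Allow list" / "Deny list" role setting


@dataclass
class RolePolicy:
    name: str
    api_access: bool                  # "Access to API" enabled for the role
    mode: str                         # ALLOW or DENY
    methods: set = field(default_factory=set)


def is_allowed_lenient(role, method):
    """Assumed flaw: an empty list is read as 'no restriction configured'."""
    if not role.api_access:
        return False
    if not role.methods:              # fail-open shortcut, wrong in ALLOW mode
        return True
    listed = method in role.methods
    return listed if role.mode == ALLOW else not listed


def is_allowed_strict(role, method):
    """Expected semantics: in ALLOW mode only listed methods pass (empty = none)."""
    if not role.api_access:
        return False
    listed = method in role.methods
    return listed if role.mode == ALLOW else not listed


def audit(roles, probe_methods):
    """Map role name -> methods the lenient check permits but the strict one denies."""
    findings = {}
    for role in roles:
        leaked = [m for m in probe_methods
                  if is_allowed_lenient(role, m) and not is_allowed_strict(role, m)]
        if leaked:
            findings[role.name] = leaked
    return findings


# Constructed roles mirroring the states in the scenario above.
ROLES = [
    RolePolicy("empty-allow-list", True, ALLOW),
    RolePolicy("single-allowed-method", True, ALLOW, {"host.get"}),
    RolePolicy("empty-deny-list", True, DENY),
]
PROBES = ["host.get", "user.get", "item.create"]   # sample method names

if __name__ == "__main__":
    for name, leaked in audit(ROLES, PROBES).items():
        print(f"{name}: unexpectedly permitted {leaked}")
```

Only the role with an empty allow list is flagged, which makes the same three states usable as a regression check for whatever fix is applied.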