In several APIs permissions can only be checked by retrieving the object and then filtering them on the PHP side. Since countOutput returns the data right after it is retrieved from the DB, permissions for such requests are not checked.

The following APIs are affected by this problem:

• action
• map
• screen

This should be fixed using the code added in ZBX-6407.