[#ZBX-1035] users can add graphs to hosts they have no access to

[ZBX-1035] users can add graphs to hosts they have no access to Created: 2009 Sep 11 Updated: 2017 May 30 Resolved: 2009 Sep 30
Status:	Closed
Project:	ZABBIX BUGS AND ISSUES
Component/s:	Frontend (F)
Affects Version/s:	1.6.6
Fix Version/s:	None

Type:

Incident report

Priority:

Critical

Reporter:

richlv

Assignee:

Unassigned

Resolution:

Fixed

Votes:

Labels:

None

Remaining Estimate:

Not Specified

Time Spent:

Not Specified

Original Estimate:

Not Specified

Environment:

1.6.6

Description

default 1.6.6 installation.
as admin, export default zabbix server and create new host in a new hostgroup, then create a new zabbix admin user that has read access to this new group only.

log out, log in as the new user and import the exported template.

it starts good by saying :
"Host [ZABBIX Server] skipped - Access deny."

then it continues with slightly more weird messages :
"Trigger [FTP server is down on

{HOSTNAME}

] skipped - missing host"

but in the end, graph operations succeed when they should not have :
"Graph "CPU Loads" added to hosts "ZABBIX Server"
Graph "CPU Utilization" added to hosts "ZABBIX Server"
Graph "Network utilization" added to hosts "ZABBIX Server"
Graph "Disk usage" added to hosts "ZABBIX Server""

log out, log in as admin and verify that graphs indeed have been added.

Comments

Comment by Alexey Fukalov [ 2009 Sep 30 ]

fixed in 1.6 branch. 8005

Comment by richlv [ 2009 Sep 30 ]

confirming the fix in 1.6 branch, revision 8005

Generated at Wed Apr 24 06:33:44 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.

[ZBX-1035] users can add graphs to hosts they have no access to Created: 2009 Sep 11 Updated: 2017 May 30 Resolved: 2009 Sep 30