[ZBX-12655] Users from different groups have access to all message content in event details Created: 2017 Sep 01  Updated: 2024 Apr 10  Resolved: 2018 Jan 04

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A)
Affects Version/s: 3.0.10, 3.2.7, 3.4.1
Fix Version/s: 3.0.14rc1, 3.2.11rc1, 3.4.5rc1, 4.0.0alpha1, 4.0 (plan)

Type: Problem report Priority: Major
Reporter: Viktors Tjarve Assignee: Gregory Chalenko
Resolution: Fixed Votes: 0
Labels: api
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Screenshot_with_marks.png    
Issue Links:
Sub-task
part of ZBX-12441 {USER.FULLNAME}, {ESC.HISTORY}, {EVEN... Closed
part of ZBX-12887 Zabbix user can see super administrat... Closed
Team: Team C
Sprint: Sprint 16, Sprint 17, Sprint 18, Sprint 19, Sprint 20, Sprint 21
Story Points: 0.5

 Description   

Personal information inside alert messages can be viewed by all users who have rights to the host, even if these users are not in the same user group. In the event details of a recovery event, message content should not be displayed where the recipient is an "Inaccessible user".
The macros {ESC.HISTORY} and {EVENT.ACK.HISTORY}, and from 3.4 the macro {USER.FULLNAME}, may contain personal information.

How to reproduce:

  • enable an action that sends e-mail notifications about problem events and their recoveries to the Superadmin and the guest user (both have permission to the host and are in different user groups), and add the macro {ESC.HISTORY} to the recovery message;
  • trigger a problem event;
  • resolve the problem;
  • log in as guest user;
  • open event details of the event that was resolved;
  • observe that both e-mails and all of their content are visible to the guest user, including the admin's full name and e-mail address.

Expected: Information about message actions is not visible to users from different user groups except to Superadmins.
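The reproduction steps above can be turned into a check against the alert.get API rather than the event-details page. The following Python is an added example, not code from the Zabbix project or from this issue. It assumes the alert.get object layout of Zabbix 3.x/4.x (userid, sendto, subject, message), that a patched server blanks those fields for recipients the calling user cannot see (the "Inaccessible user" case), and that user.get as the low-privilege account returns only the users in its own groups; the sample alerts, user IDs and host name are constructed.

```python
"""Offline check for the alert.get exposure reported in ZBX-12655.

Added example, not Zabbix project code. Assumptions:
  * alert.get returns objects with "alertid", "eventid", "userid",
    "sendto", "subject" and "message" (Zabbix 3.x/4.x layout);
  * a patched server blanks sendto/subject/message for recipients the
    calling user cannot see (shown as "Inaccessible user" in the UI);
  * user.get as the low-privilege user lists only users it may see.
"""

SENSITIVE_FIELDS = ("sendto", "subject", "message")

# Constructed sample: what alert.get could return to the guest user for a
# resolved event on an unpatched server. Alert 102 went to the super admin
# (userid 1), who is in a different user group and is not visible to the
# guest via user.get.
SAMPLE_ALERTS_GUEST = [
    {"alertid": "101", "eventid": "42", "userid": "2",
     "sendto": "guest@example.test",
     "subject": "Resolved: High CPU on web01",
     "message": "Problem resolved at 12:10"},
    {"alertid": "102", "eventid": "42", "userid": "1",
     "sendto": "admin@example.test",
     "subject": "Resolved: High CPU on web01",
     "message": "Escalation history: Zabbix Administrator "
                "(admin@example.test) was notified at 12:00"},
]
# userids the guest can see via user.get (own group only; constructed).
SAMPLE_VISIBLE_USERIDS = {"2"}


def leaked_alerts(alerts, visible_userids):
    """Alert IDs whose recipient is not visible to the caller but whose
    recipient/message fields still carry content: the ZBX-12655 leak."""
    leaks = []
    for alert in alerts:
        if alert.get("userid") in visible_userids:
            continue
        if any(alert.get(field) for field in SENSITIVE_FIELDS):
            leaks.append(alert["alertid"])
    return leaks


def redact_for_caller(alerts, visible_userids):
    """Model of the intended fixed behaviour (an assumption, see lead-in):
    blank the sensitive fields of alerts addressed to inaccessible users,
    keep everything else so the event still shows that an alert was sent."""
    redacted = []
    for alert in alerts:
        copy = dict(alert)
        if copy.get("userid") not in visible_userids:
            for field in SENSITIVE_FIELDS:
                copy[field] = ""
        redacted.append(copy)
    return redacted


def api_requests(eventid, auth_token):
    """JSON-RPC bodies for running the check against a live server as the
    low-privilege user: the event's alerts and the users that account can
    see. POST each as JSON to api_jsonrpc.php on the frontend (hypothetical
    host), then feed the results to leaked_alerts()."""
    alert_req = {"jsonrpc": "2.0", "method": "alert.get", "id": 1,
                 "auth": auth_token,
                 "params": {"eventids": [str(eventid)], "output": "extend"}}
    user_req = {"jsonrpc": "2.0", "method": "user.get", "id": 2,
                "auth": auth_token, "params": {"output": ["userid"]}}
    return alert_req, user_req


if __name__ == "__main__":
    leaks = leaked_alerts(SAMPLE_ALERTS_GUEST, SAMPLE_VISIBLE_USERIDS)
    print("unpatched server leaks alerts:", leaks)          # ['102']
    fixed = redact_for_caller(SAMPLE_ALERTS_GUEST, SAMPLE_VISIBLE_USERIDS)
    print("after redaction:", leaked_alerts(fixed, SAMPLE_VISIBLE_USERIDS))  # []
```

Against a live installation, run the two requests from api_requests() with the guest user's auth token, collect the userid values from the user.get reply into a set, and pass the alert.get reply plus that set to leaked_alerts(); any alert ID it returns is an alert whose body is readable by a user who should only see "Inaccessible user".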



 Comments   
Comment by Viktors Tjarve [ 2017 Sep 01 ]

Server side fixed in ZBX-12441.

Comment by Gregory Chalenko [ 2017 Sep 14 ]

Resolved in development branch branches/dev/ZBX-12655

Comment by Vjaceslavs Bogdanovs [ 2017 Oct 03 ]

(1) [F] No translation string changes

CLOSED

Comment by Gregory Chalenko [ 2017 Oct 20 ]

(3) Please review changes made for branches 3.0 (branches/dev/ZBX-12655) and 3.2 (branches/dev/ZBX-12655-3.2)

vjaceslavs Reviewed, CLOSED

Comment by Gregory Chalenko [ 2017 Nov 23 ]

Fixed in:

  • 3.0.14rc1 r74906
  • 3.2.11rc1 r74907
  • 3.4.5rc1 r74924
  • 4.0.0trunk r74925
Comment by Ivo Kurzemnieks [ 2017 Dec 29 ]

(5) [D] alert.get has changed output. API documentation is missing.

gcalenko RESOLVED API documentation changes:

iivs Minor wording change. Otherwise good. Thanks!
CLOSED

Generated at Fri Apr 19 14:06:06 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.