[ZBX-13190] Admin user can enable/disable action without permissions on it Created: 2017 Oct 04  Updated: 2024 Apr 10  Resolved: 2017 Dec 13

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 2.2.21rc1
Fix Version/s: 2.2.21rc1, 3.0.14rc1, 3.4.5rc1, 4.0.0alpha1, 4.0 (plan)

Type: Incident report Priority: Major
Reporter: Natalja Romancaka Assignee: Gregory Chalenko
Resolution: Fixed Votes: 0
Labels: permissions
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File action.png     PNG File getting_there.png    
Team: Team C
Sprint: Sprint 19, Sprint 21, Sprint 22
Story Points: 0.25

 Description   

Steps to reproduce:
1. Create an admin user
2. Log in as the admin user and create an action
3. Open dev tools (F12 - Network - Preserve log)
4. Select the action in the list and choose mass enable
5. Select actionconf.php in dev tools and copy the form data from the headers
6. Paste it into the URL and change the action id. For example, action id=3 (default disabled action for superadmin)
Result: action status changed
Expected result: an error, something like "No permissions to referred object"

Thanks for the report, vjaceslavs



 Comments   
Comment by Natalja Romancaka [ 2017 Oct 04 ]

akucenko, please investigate this bug, check on other pages, for example host, and check with a simple user

Comment by Vjaceslavs Bogdanovs [ 2017 Oct 20 ]

API should be used instead of direct SQL calls in actionconf.php. Easy fix, not more than an hour.

Comment by Gregory Chalenko [ 2017 Dec 01 ]

Fixed in:

  • 2.2.21rc1 r75275
  • 3.0.14rc1 r75276
  • 3.4.5rc1 r75288
  • 4.0.0alpha1 r75289
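
The fix direction from the 2017 Oct 20 comment (a permission-checked path instead of direct SQL), as an added example that is not Zabbix code and not part of the original ticket. It is a simplified Python/SQLite model; the `rights` table, the function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

NO_PERMISSION = "No permissions to referred object"

def make_db():
    """Constructed sample data for this model (status 0 = enabled, 1 = disabled)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE actions (actionid INTEGER PRIMARY KEY, status INTEGER);
        CREATE TABLE rights  (username TEXT, actionid INTEGER);  -- hypothetical ACL
        INSERT INTO actions VALUES (3, 1), (7, 1);
        INSERT INTO rights  VALUES ('superadmin', 3), ('superadmin', 7), ('admin', 7);
    """)
    return db

def status_of(db, actionid):
    row = db.execute("SELECT status FROM actions WHERE actionid = ?", (actionid,))
    return row.fetchone()[0]

def _marks(ids):
    # One bound placeholder per id; ids are never concatenated into the SQL text.
    return ",".join("?" * len(ids))

def mass_update_direct(db, username, actionids, status):
    """Vulnerable pattern: ids from the request go straight into the UPDATE.
    `username` is never consulted, so every id the caller supplies is changed."""
    db.execute(f"UPDATE actions SET status = ? WHERE actionid IN ({_marks(actionids)})",
               [status, *actionids])
    return "Action status updated"

def mass_update_checked(db, username, actionids, status):
    """Hardened pattern: resolve which requested ids the caller may edit and
    refuse the whole request if even one of them is outside that set."""
    if status not in (0, 1):
        raise ValueError("status must be 0 or 1")
    requested = sorted(set(actionids))
    if not requested:
        return NO_PERMISSION
    allowed = {row[0] for row in db.execute(
        f"SELECT actionid FROM rights WHERE username = ? "
        f"AND actionid IN ({_marks(requested)})", [username, *requested])}
    if allowed != set(requested):
        return NO_PERMISSION  # all-or-nothing: no row is modified
    return mass_update_direct(db, username, requested, status)
```

The all-or-nothing check matters for mass operations: a request mixing a permitted id with a foreign one is rejected as a whole rather than partially applied.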