[ZBX-23048] Can't change other users passwords through API
Created: 2023 Jul 02  Updated: 2024 Apr 10  Resolved: 2023 Aug 02

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Documentation (D)
Affects Version/s: None
Fix Version/s: 6.4.6rc1, 7.0.0alpha4, 7.0 (plan)

Type: Documentation task
Priority: Trivial
Reporter: Paal Braathen
Assignee: Arturs Dancis
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Zabbix 6.4.4

Team: Team D
Story Points: 0.125

 Description   

Steps to reproduce:

  1. Authenticate to the API as a user with "Super admin role"
  2. Try to change another user's password through the API with the current_password parameter set to the empty string.

Result:

Observe that a blank current_passwd isn't allowed. You must know the current password.

Expected:

It should be possible to have the parameter blank, as stated in the docs:
https://www.zabbix.com/documentation/6.4/en/manual/api/reference/user/update



 Comments   
Comment by Paal Braathen [ 2023 Jul 02 ]

More example:

$ TOKEN=$(curl -s --request POST \
   --url 'http://localhost:8080/api_jsonrpc.php' \
   --header 'Content-Type: application/json-rpc' \
   --data '{"jsonrpc":"2.0","method":"user.login","params":{"username":"Admin","password":"zabbix"},"id":1}' | jq -r '.result')
$ curl -s --request POST \
   --url 'http://localhost:8080/api_jsonrpc.php' \
   --header 'Content-Type: application/json-rpc' \
   --data "{\"jsonrpc\":\"2.0\",\"method\":\"user.checkAuthentication\",\"params\":{\"sessionid\": \"$TOKEN\"},\"id\":2}" | jq '.'
{
  "jsonrpc": "2.0",
  "result": {
    "userid": "1",
    "username": "Admin",
    "name": "Zabbix",
    "surname": "Administrator",
    "url": "",
    "autologin": "1",
    "autologout": "0",
    "lang": "en_US",
    "refresh": "30s",
    "theme": "default",
    "attempt_failed": "0",
    "attempt_ip": "",
    "attempt_clock": "0",
    "rows_per_page": "50",
    "timezone": "system",
    "roleid": "3",
    "userdirectoryid": "0",
    "ts_provisioned": "0",
    "type": 3,
    "userip": "10.89.3.2",
    "debug_mode": 0,
    "gui_access": "1",
    "deprovisioned": false,
    "auth_type": 0,
    "sessionid": "41ce57702ca16777fe5e88819168563b",
    "secret": "c186342a45b05eeeba8ba063aa49063b"
  },
  "id": 2
}
$ curl -s --request POST \
   --url 'http://localhost:8080/api_jsonrpc.php' \
   --header 'Content-Type: application/json-rpc' \
   --header "Authorization: Bearer $TOKEN" \
   --data '{"jsonrpc":"2.0","method":"role.get","params":{},"id":3}' | jq '.'
{
  "jsonrpc": "2.0",
  "result": [
    {
      "roleid": "1",
      "name": "User role",
      "type": "1",
      "readonly": "0"
    },
    {
      "roleid": "2",
      "name": "Admin role",
      "type": "2",
      "readonly": "0"
    },
    {
      "roleid": "3",
      "name": "Super admin role",
      "type": "3",
      "readonly": "1"
    },
    {
      "roleid": "4",
      "name": "Guest role",
      "type": "1",
      "readonly": "0"
    }
  ],
  "id": 3
}
$ curl -s --request POST \
   --url 'http://localhost:8080/api_jsonrpc.php' \
   --header 'Content-Type: application/json-rpc' \
   --header "Authorization: Bearer $TOKEN" \
   --data '{"jsonrpc":"2.0","method":"user.get","params":{},"id":4}' | jq '.'
{
  "jsonrpc": "2.0",
  "result": [
    {
      "userid": "1",
      "username": "Admin",
      "name": "Zabbix",
      "surname": "Administrator",
      "url": "",
      "autologin": "1",
      "autologout": "0",
      "lang": "default",
      "refresh": "30s",
      "theme": "default",
      "attempt_failed": "0",
      "attempt_ip": "",
      "attempt_clock": "0",
      "rows_per_page": "50",
      "timezone": "default",
      "roleid": "3",
      "userdirectoryid": "0",
      "ts_provisioned": "0"
    },
    {
      "userid": "2",
      "username": "guest",
      "name": "",
      "surname": "",
      "url": "",
      "autologin": "0",
      "autologout": "15m",
      "lang": "default",
      "refresh": "30s",
      "theme": "default",
      "attempt_failed": "0",
      "attempt_ip": "",
      "attempt_clock": "0",
      "rows_per_page": "50",
      "timezone": "default",
      "roleid": "4",
      "userdirectoryid": "0",
      "ts_provisioned": "0"
    },
    {
      "userid": "3",
      "username": "User",
      "name": "",
      "surname": "",
      "url": "",
      "autologin": "0",
      "autologout": "0",
      "lang": "default",
      "refresh": "30s",
      "theme": "default",
      "attempt_failed": "0",
      "attempt_ip": "",
      "attempt_clock": "0",
      "rows_per_page": "50",
      "timezone": "default",
      "roleid": "1",
      "userdirectoryid": "0",
      "ts_provisioned": "0"
    }
  ],
  "id": 4
}
$ curl -s --request POST \
   --url 'http://localhost:8080/api_jsonrpc.php' \
   --header 'Content-Type: application/json-rpc' \
   --header "Authorization: Bearer $TOKEN" \
   --data '{"jsonrpc":"2.0","method":"user.update","params":{"userid":"3","passwd":"ASFASFasasffas124124!!!","current_passwd":""},"id":5}' | jq '.'
{
  "jsonrpc": "2.0",
  "error": {
    "code": -32602,
    "message": "Invalid params.",
    "data": "Invalid parameter \"/1/current_passwd\": cannot be empty."
  },
  "id": 5
}
Comment by Elina Kuzyutkina (Inactive) [ 2023 Jul 03 ]

Hi,
this can't be considered a bug, as the same behavior is described in the documentation:
https://www.zabbix.com/documentation/6.4/en/manual/api/reference/user/update

current_passwd
Parameter behavior:

  • write-only
  • required if passwd of User object is set and user changes own user password

If you think that the behavior should be changed, you can register a ZBXNEXT ticket and describe why the 'new' way will be better/more convenient.
I am going to close this ticket as there is no indication of a bug.

Regards, Elina

Comment by Paal Braathen [ 2023 Jul 03 ]

@elina.kuzyutkina

 It's clearly stated that this should be possible, i.e. the issue is a bug:

> The value of this parameter can be an empty string if:  a user that is of Super admin type is changing password for a different user.

This is what I'm doing above.

Comment by Elina Kuzyutkina (Inactive) [ 2023 Jul 03 ]

If it's another user, why are you trying to specify his current password?

'{"jsonrpc":"2.0","method":"user.update","params":{"userid":"3","passwd":"ASFASFasasffas124124!!!"},"id":5}'

Closing the ticket again

Comment by Paal Braathen [ 2023 Jul 03 ]

Changing other users' passwords is a legit scenario. I am a Zabbix super admin and I need to change another user's password.

According to the docs this should be possible with an empty current_passwd.

You didn't quote my full request. I did this:

{"jsonrpc":"2.0","method":"user.update","params":{"userid":"3","passwd":"ASFASFasasffas124124!!!","current_passwd":""},"id":5}
Comment by Paal Braathen [ 2023 Jul 03 ]

I believe I misunderstood what you tried to say in your last comment.

The docs say that I should send the current_passwd as the empty string ("The value of this parameter can be an empty string if..."). So that's why I'm doing it.

However it seems to work if I do not send the parameter at all.

So it's just a bug in the docs then?

Comment by Elina Kuzyutkina (Inactive) [ 2023 Jul 05 ]

Yes, you are right, it could be put better. I will pass this on to the tech writers
Thank you for pointing this out. Can I close the ticket? =)

Comment by Paal Braathen [ 2023 Jul 05 ]

> Thank you for pointing this out. Can I close the ticket? =)

Sure. I'd be happy if the docs were clear. Just close the issue if you don't need it to be open.

Comment by Arturs Dancis [ 2023 Aug 02 ]

Thank you for reporting! Documentation updated:

  • API > Method reference > User > user.update (6.4, 7.0)
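
The request shape this thread settles on, as an added example that is not part of the original ticket and is not Zabbix code: a client-side helper that sends current_passwd only for a self-service change and omits the key entirely for a Super admin reset. The helper names and the ZBX_TOKEN / NEW_PASSWD environment variables are assumptions; the URL, headers and user IDs are the ones from the curl session above.

```python
import json
import os
import urllib.request

API_URL = "http://localhost:8080/api_jsonrpc.php"  # URL from the ticket's curl calls


def build_passwd_update(caller_userid, target_userid, new_passwd,
                        current_passwd=None, req_id=1):
    """Build a user.update body for a password change (hypothetical helper).

    Own password: current_passwd must be supplied and non-empty.
    Another user's password: the key is left out of the request, because
    the API in this ticket rejects "current_passwd": "" with "cannot be empty".
    """
    params = {"userid": str(target_userid), "passwd": new_passwd}
    if str(caller_userid) == str(target_userid):
        if not current_passwd:
            raise ValueError("current_passwd is required to change your own password")
        params["current_passwd"] = current_passwd
    elif current_passwd is not None:
        # Helper policy (assumption): an admin reset never needs the target's password.
        raise ValueError("omit current_passwd when changing another user's password")
    return {"jsonrpc": "2.0", "method": "user.update", "params": params, "id": req_id}


def send(body, token):
    """POST the JSON-RPC body with the Bearer header used in the ticket."""
    req = urllib.request.Request(
        API_URL,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json-rpc",
                 "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"]["data"])
    return reply["result"]


if __name__ == "__main__":
    # Token and new password come from the environment, not argv or shell history.
    body = build_passwd_update(caller_userid=1, target_userid=3,
                               new_passwd=os.environ["NEW_PASSWD"])
    print(send(body, os.environ["ZBX_TOKEN"]))
```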