[ZBX-8448] A Zabbix Admin without "Super Admin" permission but just "Admin" rights can not edit a Host if it belongs to both a Read-Write and Read-Only "User Group"

Created: 2014 Jul 07
Updated: 2017 May 30
Resolved: 2016 Feb 11
Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 2.3.1
Fix Version/s: 2.2.9rc1, 2.4.4rc1, 2.5.0
Type: Incident report
Priority: Blocker
Reporter: Kenneth Palmertree
Assignee: Unassigned
Resolution: Fixed
Votes: 1
Labels: permissions
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Zabbix 2.2.5-47071
Attachments: Zabbix_Admin_Screen1.5.png, Zabbix_Admin_Screen1.png, Zabbix_Admin_Screen2.png, Zabbix_Admin_Screen3.png, Zabbix_Admin_Screen4.png
Issue Links:
Description

A Zabbix Admin without "Super Admin" permission but just "Admin" rights can not edit a Host if it belongs to both a Read-Write and Read-Only "User Group".

Steps to recreate the problem:
1. Create host groups "Test/Admin_Rights" and "Test/Read-Only_Rights"

An error is thrown since the Zabbix_Test user does not have read-write access to the "Test/Read-Only_Rights" host group under permissions, but the host is in "Test/Admin_Rights", which the user has read-write access to. If you view the user permissions, it shows "Host Test" has read-write rights. Screenshots provided.
Comments

Comment by Marc [ 2014 Jul 07 ]
similar to

Comment by Pavels Jelisejevs (Inactive) [ 2014 Jul 15 ]
Another related issue to consider when fixing this bug -

Comment by Ivo Kurzemnieks [ 2014 Oct 01 ]
(1)
for 2.4 branch
for trunk
Updated translation strings:
oleg.egorov CLOSED

Comment by Ivo Kurzemnieks [ 2014 Oct 01 ]
Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 09 ]
I suggest fixing it this way: we display all of the host groups in the form and mark the read-only ones as disabled. When saving the form, these groups must not be affected. Keep in mind that when cloning the host, the read-only host groups must be unset. The API must not allow modifying these groups. The same goes for the template linkage form elements.
Comment by Ivo Kurzemnieks [ 2014 Oct 14 ]
RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-8448-2

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]
(2) Minor issues in configuration.host.edit.php:
Same thing for configuration.template.edit.php. iivs RESOLVED in r50359 jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]
(3) Trying to update a discovered host results in the following errors:
iivs RESOLVED in r50205 jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]
(4) Cannot unlink a template from a host using the tween box in the template form. iivs RESOLVED in r50360 jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]
(5) Host partial update was broken. Request:

    {
        "hostid": "200100000000002",
        "status": 0
    }

Response:

    {
        "jsonrpc": "2.0",
        "error": {
            "code": -32602,
            "message": "Invalid params.",
            "data": "No groups for host \"host\".",
            "debug": [
                {
                    "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHost.php",
                    "line": 670,
                    "function": "exception",
                    "class": "CZBXAPI",
                    "type": "::",
                    "args": [ 100, "No groups for host \"host\"." ]
                },
                {
                    "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHost.php",
                    "line": 963,
                    "function": "checkInput",
                    "class": "CHost",
                    "type": "->",
                    "args": [ [ { "hostid": "200100000000002", "status": 0 } ], "update" ]
                },
                {
                    "function": "update",
                    "class": "CHost",
                    "type": "->",
                    "args": [ { "hostid": "200100000000002", "status": 0 } ]
                },
                {
                    "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/rpc/class.czbxrpc.php",
                    "line": 120,
                    "function": "call_user_func",
                    "args": [ [ {}, "update" ], { "hostid": "200100000000002", "status": 0 } ]
                },
                {
                    "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/rpc/class.czbxrpc.php",
                    "line": 72,
                    "function": "callAPI",
                    "class": "czbxrpc",
                    "type": "::",
                    "args": [ "host.update", { "hostid": "200100000000002", "status": 0 } ]
                },
                {
                    "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/rpc/class.cjsonrpc.php",
                    "line": 71,
                    "function": "call",
                    "class": "czbxrpc",
                    "type": "::",
                    "args": [ "host.update", { "hostid": "200100000000002", "status": 0 }, "51ea5ea31453a4f021eeec2245842f30" ]
                },
                {
                    "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api_jsonrpc.php",
                    "line": 50,
                    "function": "execute",
                    "class": "CJSONrpc",
                    "type": "->",
                    "args": []
                }
            ]
        },
        "id": 2
    }

iivs RESOLVED in r50205 jelisejev CLOSED.
Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]
(6) When I try to remove all writable groups from a host and leave it only with readable groups, I get the following error: "You do not have permission to perform this operation.". This is possible via the API. iivs RESOLVED in r50340, r50350
iivs RESOLVED in r50535 jelisejev CLOSED.
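The fix approach suggested in the 2014 Oct 09 comment (show all groups, disable the read-only ones, never touch them on save, drop them on clone, refuse modification through the API), the form/API mismatch in (6), and the failed INSERT for denied or non-existent groups in (19) all come down to one set of authorization rules for host group membership. The following is an added example in PHP, not Zabbix's own code: it models those rules on a constructed permission map (group id => Deny / Read-only / Read-write), with constructed group ids; only the error strings are the ones quoted in this ticket, and the decision to reject a request that leaves the host with no writable group is this example's choice, since the ticket does not record which behaviour the fix settled on.

```php
<?php
// Added example, not Zabbix code: a simplified model of the host group
// permission rules discussed in ZBX-8448. The permission levels mirror the
// Zabbix user group permission concept; the functions, the permission map
// and the sample group ids below are constructed for this illustration.

const PERM_DENY = 0;
const PERM_READ = 2;
const PERM_READ_WRITE = 3;

// $userPerms maps groupid => effective permission of the acting user.
// Groups absent from the map count as denied (a simplification of this example;
// it also covers group ids that do not exist at all, as in sub-issue 19).
function groupPermission(array $userPerms, $groupId)
{
    return isset($userPerms[$groupId]) ? $userPerms[$groupId] : PERM_DENY;
}

// The rule the reporter expected: one writable group is enough to edit the host,
// however many read-only groups it also belongs to.
function canEditHost(array $userPerms, array $hostGroupIds)
{
    foreach ($hostGroupIds as $groupId) {
        if (groupPermission($userPerms, $groupId) === PERM_READ_WRITE) {
            return true;
        }
    }
    return false;
}

// Groups the edit form renders as disabled and never submits: the host keeps
// them regardless of what the user changes.
function lockedGroups(array $userPerms, array $hostGroupIds)
{
    $locked = array();
    foreach ($hostGroupIds as $groupId) {
        if (groupPermission($userPerms, $groupId) !== PERM_READ_WRITE) {
            $locked[] = $groupId;
        }
    }
    return $locked;
}

// Server-side handling of a host group update. $requestedGroupIds is the set of
// groups the user wants the host to end up in (the form only ever submits the
// editable ones). Returns the resulting group list or throws, so the API path
// cannot be used to touch the groups the form hides.
function applyHostGroupUpdate(array $userPerms, array $currentGroupIds, array $requestedGroupIds)
{
    if (!canEditHost($userPerms, $currentGroupIds)) {
        throw new RuntimeException('No permissions to referred object or it does not exist!');
    }

    // A read-only, denied or unknown group id in the request is a modification
    // of a group the user may not manage: refuse it before any database write
    // rather than letting the INSERT fail later (sub-issue 19).
    foreach ($requestedGroupIds as $groupId) {
        if (groupPermission($userPerms, $groupId) !== PERM_READ_WRITE) {
            throw new RuntimeException('No permissions to referred object or it does not exist!');
        }
    }

    // Dropping every writable group would leave the user with a host they can
    // no longer edit (sub-issue 6). This example rejects that so the form and
    // the API behave the same way.
    if (count($requestedGroupIds) === 0) {
        throw new RuntimeException('You do not have permission to perform this operation.');
    }

    // Locked groups are carried over untouched; only the writable set is replaced.
    $result = array_merge(lockedGroups($userPerms, $currentGroupIds), $requestedGroupIds);
    $result = array_values(array_unique($result));
    sort($result);
    return $result;
}

// Cloning copies only the groups the cloning user can write to; read-only
// memberships are not carried into the clone.
function groupsForClone(array $userPerms, array $hostGroupIds)
{
    return array_values(array_diff($hostGroupIds, lockedGroups($userPerms, $hostGroupIds)));
}

// Constructed scenario mirroring the report: an Admin with read-write on
// groups 10 and 11 and read-only on group 20; the host is in groups 10 and 20.
$userPerms = array(10 => PERM_READ_WRITE, 11 => PERM_READ_WRITE, 20 => PERM_READ);
$hostGroups = array(10, 20);

var_dump(canEditHost($userPerms, $hostGroups));                    // editable despite the read-only group
print_r(lockedGroups($userPerms, $hostGroups));                    // the group the form shows disabled
print_r(applyHostGroupUpdate($userPerms, $hostGroups, array(11))); // host moved to group 11, locked group kept
print_r(groupsForClone($userPerms, $hostGroups));                  // writable groups only

// Both of these are refused: touching a read-only group, and leaving no writable group.
foreach (array(array(20), array()) as $bad) {
    try {
        applyHostGroupUpdate($userPerms, $hostGroups, $bad);
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The point of keeping the check in one server-side function rather than in the form is the one Pavels makes in the comment: hiding disabled groups in the UI is cosmetic, and the API has to enforce the same rule or a plain host.update / hostgroup.massupdate call bypasses it.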
Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]
(7) [trunk] Please move all of the affected API requests from views to controllers. This should be done in trunk only. iivs RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-8448-trunk r51705 oleg.egorov CLOSED

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]
(8) Unused variables left in CHost::checkInput() and CHostGroup::validatePermissions(). iivs RESOLVED in r50205, r50261 jelisejev CLOSED.
Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]
(9) In CHostGroup::massAdd():

    $hosts = isset($data['hosts']) ? zbx_toArray($data['hosts']) : null;
    $hostIds = ($hosts === null) ? array() : zbx_objectValues($hosts, 'hostid');

can be simplified to

    $hosts = isset($data['hosts']) ? zbx_toArray($data['hosts']) : array();
    $hostIds = zbx_objectValues($hosts, 'hostid');

iivs RESOLVED in r50261 jelisejev CLOSED.
Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]
(10) The validatePermission() method should be broken into smaller methods. Otherwise it's too specific to the massAdd and massUpdate methods. iivs RESOLVED in r50261
iivs RESOLVED in r50537 jelisejev CLOSED.
Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]
(11) Since you've added host and template permissions checks for hostgroup.massadd and massupdate, please also add it to massremove as well. iivs RESOLVED in r50261 jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]
(12) Don't use array_merge in loops in validatePermissions(). It performs very poorly when called lots of times. iivs RESOLVED in r50261 jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]
(13) Since the validation is already performed by hostgroup.massadd and hostgroup.massupdate, we can remove the code in CHost::checkInput(). Since we plan to deprecate the mass* methods, the code will be moved to the host API eventually. iivs RESOLVED in r50205 jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 27 ]
(14) Cannot unlink all hosts from templates using template.massupdate. iivs Probably same thing as (4). If so, RESOLVED in r50360. Please, check again. jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 27 ]
(15) Template.massadd and template.massremove must also check permissions on linked hosts. iivs RESOLVED in r50374 jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Nov 11 ]
(16) Incorrect host group editing form behavior. I have two host groups which contain a single host each. When I try to remove the only host from one of the groups, it submits the form successfully but doesn't do anything. It should display an error. The other case is when I try to add the second host to the first host group: it displays an error: "One of the objects is left without a host group. [hostgroups.php:112 → CAPIObject->massUpdate() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHostGroup->massUpdate() → CHostGroup->validateMassUpdate() → CZBXAPI::exception() in /opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHostGroup.php:1071]". iivs RESOLVED in r50598 oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2014 Nov 25 ]
(17) Coding style: 2. Make some refactoring for API calls so that 'output' goes as first option iivs RESOLVED in r51111 oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2014 Dec 05 ]
As was discussed. And other places where the %s construction was used.
Comment by Oleg Egorov (Inactive) [ 2014 Dec 10 ]
(19) host.create

    {
        "host": "RW_API_3",
        "interfaces": [
            {
                "type": 1,
                "main": 1,
                "useip": 1,
                "ip": "192.168.3.1",
                "dns": "",
                "port": "10050"
            }
        ],
        "groups": [
            { "groupid": "98" },
            { "groupid": "96" }
        ]
    }

Group ids 96 and 98 don't exist. But it is possible to reproduce this issue if groups 96 and 98 have Deny permissions.

    SQL statement execution has failed "INSERT INTO hosts_groups (hostid,groupid,hostgroupid) VALUES ('10148','98','168')".

iivs RESOLVED in r51110 oleg.egorov Nice, but I made a minor coding style improvement, please review r51230 iivs Thanks! CLOSED.
Comment by Oleg Egorov (Inactive) [ 2014 Dec 17 ]
(20) Host group update via frontend. No permissions to referred object or it does not exist! [hostgroups.php:112 → CAPIObject->massUpdate() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHostGroup->massUpdate() → CHostGroup->validateMassUpdate() → CZBXAPI::exception() in C:\xampp\htdocs\ZBX-8448-2\frontends\php\api\classes\CHostGroup.php:1139] iivs RESOLVED in r51242 oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2014 Dec 19 ]
TESTED, but only for 2.2.

Comment by Ivo Kurzemnieks [ 2015 Jan 05 ]
RESOLVED for 2.4 branch in svn://svn.zabbix.com/branches/dev/ZBX-8448-24 oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2015 Jan 27 ]
TESTED

Comment by Ivo Kurzemnieks [ 2015 Jan 27 ]
Problems before the fix:
What is fixed/added:
Fixed in:
Comment by Ivo Kurzemnieks [ 2015 Jan 27 ]
(22) API documentation needs to be updated. iivs Difficult to capture each method's changes. Please review if anything is missing or redundant.
sasha CLOSED

Comment by Ivo Kurzemnieks [ 2015 Jan 27 ]
(23) Documentation needs to be updated (probably with screenshots from edit forms). martins-v Our screenshots are made from a super-admin perspective, so probably no changes there. Won't fix? iivs CLOSED

Comment by Marc [ 2015 Jan 27 ]
(24) Is <richlv> based on this comment, let's explicitly verify that the mentioned issue is solved as well iivs Seems like it's working just fine.

Comment by richlv [ 2015 Feb 02 ]
subissues still open:

Comment by Oleksii Zagorskyi [ 2015 Mar 01 ]
it caused a regression -

Comment by Ivo Kurzemnieks [ 2015 Mar 02 ]
(25) Global search can pass a read-only "groupid" parameter in the URL, preventing opening the edit form although the user has write permissions to other groups. iivs RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-8448 r52446 sasha Do not fix regressions in this issue because 2.4.4 is already released! Please create a different ZBX issue.

Comment by Oleksii Zagorskyi [ 2015 Mar 06 ]
another regression -