[ZBX-8448] A Zabbix Admin without "Super Admin" permission but just "Admin" rights cannot edit a Host if it belongs to both a Read-Write and Read-Only "User Group". Created: 2014 Jul 07  Updated: 2017 May 30  Resolved: 2016 Feb 11

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 2.3.1
Fix Version/s: 2.2.9rc1, 2.4.4rc1, 2.5.0

Type: Incident report Priority: Blocker
Reporter: Kenneth Palmertree Assignee: Unassigned
Resolution: Fixed Votes: 1
Labels: permissions
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Zabbix 2.2.5-47071

Attachments: Zabbix_Admin_Screen1.5.png, Zabbix_Admin_Screen1.png, Zabbix_Admin_Screen2.png, Zabbix_Admin_Screen3.png, Zabbix_Admin_Screen4.png (PNG files)
Issue Links:
Duplicate
is duplicated by ZBX-8360 No implicit update of unchanged host ... Closed
is duplicated by ZBX-8606 Zabbix admin permissions to host whic... Closed

Description

A Zabbix Admin without "Super Admin" permission but just "Admin" rights cannot edit a Host if it belongs to both a Read-Write and Read-Only "User Group".

Steps to recreate the problem:

1. Create host groups "Test/Admin_Rights" and "Test/Read-Only_Rights"
2. Create a host named "Host_Test" and add it to host groups "Test/Admin_Rights" and "Test/Read-Only_Rights"
3. Create a user group "User_Test_Group" and give group permissions as follows:
Read-Write -> "Test/Admin_Rights"
Read-Only -> "Test/Read-Only_Rights"
4. Create a user "Zabbix_Test" with only "Admin" rights (not superadmin) and assign user group "User_Test_Group" from step 3.
5. Login with user "Zabbix_Test"
6. Try and modify "Host_Test": Configuration -> Hosts -> "Host_Test" -> "Save"
7. Permission error is thrown:
No permissions to referred object or it does not exist! [hosts.php:482 → CAPIObject->update() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHost->update() → CHost->massUpdate() → CHost->massRemove() → CHostGeneral->massRemove() → CHostGroup->massRemove() → CZBXAPI::exception() in /var/www/html/zabbix.dev.cbeyond.net/api/classes/CHostGroup.php:842]

The error is thrown because the Zabbix_Test user does not have read-write access to the "Test/Read-Only_Rights" host group, but the host is also in "Test/Admin_Rights", to which the user has read-write access.

If you view the user permissions it shows "Host Test" has read-write rights.

Screenshots provided.



Comments
Comment by Marc [ 2014 Jul 07 ]

similar to ZBX-8360

Comment by Pavels Jelisejevs (Inactive) [ 2014 Jul 15 ]

Another related issue to consider when fixing this bug - ZBX-6401.

Comment by Ivo Kurzemnieks [ 2014 Oct 01 ]

(1)
for 2.2 branch
Removed translation strings:

  • 'Can't remove group'
  • 'Can't add group'
  • 'Cannot delete host group.'
  • 'Cannot create host group.'

for 2.4 branch
Removed translation strings:

  • 'Cannot create host group.'
  • 'Cannot delete host group.'
  • 'Cannot remove group.'

for trunk
Removed translation strings:

  • 'Cannot create host group.'
  • 'Cannot delete host group.'
  • 'Cannot remove group.'

Updated translation strings:

  • 'Wrong fields for host "%s".' -> 'Wrong fields for host "%1$s".'
  • 'No groups for host "%s".' -> 'No groups for host "%1$s".'

oleg.egorov CLOSED

Comment by Ivo Kurzemnieks [ 2014 Oct 01 ]

  1. Initial problem found in host.massupdate when updating host group linkage. The API selected groups including the read-only permissions group and was trying to delete that invisible group. Same situation in template.massupdate and when linking hosts (e.g. the list of hosts in the template edit form).
  2. Another problem found in host prototypes when there are multiple groups assigned. But in this case the group that the user has no permissions to will be removed from the list.
  3. Another problem: an admin can export templates/hosts with all of their assigned groups, but cannot import them back in, since some groups appear to the admin as non-existing and the import tries to create new groups and fails.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 09 ]

I suggest to fix this way:

We display all of the host groups in the form and mark the read-only ones as disabled. When saving the form, these groups must not be affected. Keep in mind that when cloning the host, the read-only host groups must be unset. The API must not allow modifying these groups.

The same goes for the template linkage form elements.

Comment by Ivo Kurzemnieks [ 2014 Oct 14 ]

RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-8448-2

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]

(2) Minor issues in configuration.host.edit.php:

  1. Line 30: "getRequest('groupid') > 0" must be written as "getRequest('groupid') != 0";
  2. Next line, we use $groupIds[] instead of array_push();
  3. Line 217: it's better to use an associative array and isset() instead of in_array().

Same thing for configuration.template.edit.php.

iivs RESOLVED in r50359

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]

(3) Trying to update a discovered host results in the following errors:

Undefined index: groups [hosts.php:482 → CAPIObject->update() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHost->update() → CHost->checkInput() in /opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHost.php:669]
No groups for host "vm_1". [hosts.php:482 → CAPIObject->update() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHost->update() → CHost->checkInput() → CZBXAPI::exception() in /opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHost.php:670]

iivs RESOLVED in r50205

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]

(4) Cannot unlink a template from a host using the tween box in the template form.

iivs RESOLVED in r50360

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]

(5) Host partial update was broken:

{
    "hostid": "200100000000002",
    "status": 0
}
{
    "jsonrpc": "2.0",
    "error": {
        "code": -32602,
        "message": "Invalid params.",
        "data": "No groups for host \"host\".",
        "debug": [
            {
                "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHost.php",
                "line": 670,
                "function": "exception",
                "class": "CZBXAPI",
                "type": "::",
                "args": [
                    100,
                    "No groups for host \"host\"."
                ]
            },
            {
                "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHost.php",
                "line": 963,
                "function": "checkInput",
                "class": "CHost",
                "type": "->",
                "args": [
                    [
                        {
                            "hostid": "200100000000002",
                            "status": 0
                        }
                    ],
                    "update"
                ]
            },
            {
                "function": "update",
                "class": "CHost",
                "type": "->",
                "args": [
                    {
                        "hostid": "200100000000002",
                        "status": 0
                    }
                ]
            },
            {
                "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/rpc/class.czbxrpc.php",
                "line": 120,
                "function": "call_user_func",
                "args": [
                    [
                        {},
                        "update"
                    ],
                    {
                        "hostid": "200100000000002",
                        "status": 0
                    }
                ]
            },
            {
                "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/rpc/class.czbxrpc.php",
                "line": 72,
                "function": "callAPI",
                "class": "czbxrpc",
                "type": "::",
                "args": [
                    "host.update",
                    {
                        "hostid": "200100000000002",
                        "status": 0
                    }
                ]
            },
            {
                "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api/rpc/class.cjsonrpc.php",
                "line": 71,
                "function": "call",
                "class": "czbxrpc",
                "type": "::",
                "args": [
                    "host.update",
                    {
                        "hostid": "200100000000002",
                        "status": 0
                    },
                    "51ea5ea31453a4f021eeec2245842f30"
                ]
            },
            {
                "file": "/opt/lampp/htdocs/zabbix/2.2/frontends/php/api_jsonrpc.php",
                "line": 50,
                "function": "execute",
                "class": "CJSONrpc",
                "type": "->",
                "args": []
            }
        ]
    },
    "id": 2
}

iivs RESOLVED in r50205

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]

(6) When I try to remove all writable groups from a host and leave it only with readable groups, I get the following error: "You do not have permission to perform this operation.". This is possible via the API.

iivs RESOLVED in r50340, r50350

jelisejev

  1. In CHost::update() I suggest you move the "unset($host['macros']);" code together with the other macro related code.
  2. Please add a comment that describes why groups need to be updated in the end. This is important.

iivs RESOLVED in r50535

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 23 ]

(7) [trunk] Please move all of the affected API requests from views to controllers. This should be done in trunk only.

iivs RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-8448-trunk r51705

oleg.egorov CLOSED

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]

(8) Unused variables left in CHost::checkInput() and CHostGroup::validatePermissions().

iivs RESOLVED in r50205, r50261

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]

(9) In CHostGroup::massAdd():

$hosts = isset($data['hosts']) ? zbx_toArray($data['hosts']) : null;
$hostIds = ($hosts === null) ? array() : zbx_objectValues($hosts, 'hostid');

can be simplified to

$hosts = isset($data['hosts']) ? zbx_toArray($data['hosts']) : array();
$hostIds = zbx_objectValues($hosts, 'hostid');

iivs RESOLVED in r50261

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]

(10) The validatePermission() method should be broken into smaller methods. Otherwise it's too specific to the massAdd and massUpdate methods.

iivs RESOLVED in r50261

jelisejev

  1. The interface to validateMethod methods must be implemented according to the guidelines (poke me for the link if you can't find it).
  2. We omit @return void in PHP docs.
  3. Consider the CHostGroup::validateHostsPermissions() method. It is supposed to be a generic method to check host permissions, yet it has a hardcoded message "cannot update groups". Which means that it cannot be used anywhere else.

iivs RESOLVED in r50537

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]

(11) Since you've added host and template permissions checks for hostgroup.massadd and massupdate, please also add it to massremove as well.

iivs RESOLVED in r50261

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]

(12) Don't use array_merge in loops in validatePermissions(). It performs very poorly when called lots of times.

iivs RESOLVED in r50261

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 24 ]

(13) Since the validation is already performed by hostgroup.massadd and hostgroup.massupdate, we can remove the code in CHost::checkInput(). Since we plan to deprecate the mass* methods, the code will be moved to the host API eventually.

iivs RESOLVED in r50205

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 27 ]

(14) Cannot unlink all hosts from templates using template.massupdate.

iivs Probably same thing as (4). If so, RESOLVED in r50360. Please, check again.

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Oct 27 ]

(15) Template.massadd and template.massremove must also check permissions on linked hosts.

iivs RESOLVED in r50374

jelisejev CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Nov 11 ]

(16) Incorrect host group editing form behavior. I have two host groups which contain a single host each. When I try to remove the only host from one of the groups, it submits the form successfully but doesn't do anything. It should display an error. The other case is when I try to add the second host to the first host group, it displays an error: "One of the objects is left without a host group. [hostgroups.php:112 → CAPIObject->massUpdate() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHostGroup->massUpdate() → CHostGroup->validateMassUpdate() → CZBXAPI::exception() in /opt/lampp/htdocs/zabbix/2.2/frontends/php/api/classes/CHostGroup.php:1071]".

iivs RESOLVED in r50598

oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2014 Nov 25 ]

(17) Coding style:

1. Missing space in configuration.host.edit.php:31
$groupIds[]= getRequest('groupid');

2. Do some refactoring of the API calls so that 'output' goes as the first option
hosts.php:725, API request, move 'output'

iivs RESOLVED in r51111

oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2014 Dec 05 ]

As was discussed.
In 2.4 and trunk please fix the strings
Wrong fields for host "%s".
No groups for host "%s".
...

and other places where the %s construction was used.

Comment by Oleg Egorov (Inactive) [ 2014 Dec 10 ]

(19) host.create

{
    "host": "RW_API_3",
    "interfaces": [
        {
            "type": 1,
            "main": 1,
            "useip": 1,
            "ip": "192.168.3.1",
            "dns": "",
            "port": "10050"
        }
    ],
    "groups": [
        {
            "groupid": "98"
        },
        {
            "groupid": "96"
        }
    ]
}

Group IDs 96 and 98 don't exist. But it is possible to reproduce this issue if groups 96 and 98 have Deny permissions.

SQL statement execution has failed \"INSERT INTO hosts_groups (hostid,groupid,hostgroupid) VALUES ('10148','98','168')\".

iivs RESOLVED in r51110

oleg.egorov Nice, but I make minor coding style improvement, please review r51230

iivs Thanks!

CLOSED.

Comment by Oleg Egorov (Inactive) [ 2014 Dec 17 ]

(20) Host group update via frontend, if one of the hosts has RW + R permissions.

No permissions to referred object or it does not exist! [hostgroups.php:112 → CAPIObject->massUpdate() → CAPIObject->__call() → czbxrpc::call() → czbxrpc::callAPI() → call_user_func() → CHostGroup->massUpdate() → CHostGroup->validateMassUpdate() → CZBXAPI::exception() in C:\xampp\htdocs\ZBX-8448-2\frontends\php\api\classes\CHostGroup.php:1139]

iivs RESOLVED in r51242

oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2014 Dec 19 ]

TESTED, but only for 2.2.
Please review my trivial changes in r51276

Comment by Ivo Kurzemnieks [ 2015 Jan 05 ]

RESOLVED for 2.4 branch in svn://svn.zabbix.com/branches/dev/ZBX-8448-24

oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2015 Jan 27 ]

TESTED

Comment by Ivo Kurzemnieks [ 2015 Jan 27 ]

Problems before the fix:

  • When host or template belonged to two groups (one read-write and other read-only), an admin user did not have permissions to save existing host or template.
  • When saving template form, user lost template-host linkage.
  • Accessing trigger and trigger prototypes actions like "enable/disable" directly in URL, caused success message when trigger belonged to read group.

What is fixed/added:

  • Fixed host and template permissions validation when a host or template belongs to both read and read-write groups.
  • In host and template edit forms read-only groups now appear grayed out (disabled) when the object belongs to both read and read-write groups.
  • In the template edit form linked hosts and templates that have read-only permissions now appear grayed out (disabled).
  • Fixed trigger and trigger prototype permissions when accessing actions and passing ID directly in URL and when trigger belongs to read-only group.
  • Admin user having read and read-write permissions to host or template can remove write permissions leaving only read permissions. It was possible via API with for example host.massremove, but now it's also possible via frontend.

Fixed in:

  • pre-2.2.9rc1 r51861
  • pre-2.4.4rc1 r51862
  • pre-2.5.0 (trunk) r51863
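
The rules in the fix summary above, together with the earlier fix proposal in this thread (show read-only groups disabled, leave them untouched on save, have the API reject any attempt to modify them, allow dropping the last writable group but never the last group, and fail host.create on groups the user cannot write), can be expressed as a small validation routine. The PHP below is an added example written for this page, not code from the Zabbix frontend: the function names, the `'rw'/'r'/'deny'` permission map and the group IDs are assumptions; the error strings are the ones quoted in this issue.

```php
<?php
// Added example (not Zabbix code): models the host-group permission rules described in
// ZBX-8448 for host.update and host.create as performed by a non-super-admin user.
// Assumed model: $permissions maps groupid => 'rw' | 'r' | 'deny' for the acting user.

class PermissionException extends RuntimeException {}
class ValidationException extends RuntimeException {}

/**
 * Compute the group set to store for a host being updated.
 *
 * @param array $currentGroupIds   group IDs the host belongs to now (from the DB, unfiltered)
 * @param array $submittedGroupIds group IDs submitted by the edit form or API call
 * @param array $permissions       map groupid => 'rw' | 'r' | 'deny' for the acting user
 * @return array                   group IDs the host should end up in
 */
function mergeHostGroupsForUpdate(array $currentGroupIds, array $submittedGroupIds, array $permissions): array {
    $perm = function ($groupId) use ($permissions) {
        return $permissions[$groupId] ?? 'deny';
    };

    // Rule 1: the caller may only submit groups it can write. Read-only groups are rendered
    // disabled in the form and must never be part of the submitted set; a group the user
    // cannot see at all is reported as non-existent, matching the API's wording.
    foreach ($submittedGroupIds as $groupId) {
        if ($perm($groupId) !== 'rw') {
            throw new PermissionException('No permissions to referred object or it does not exist!');
        }
    }

    // Rule 2: groups the user cannot write (read-only or invisible) are carried over untouched.
    // This is the linkage the pre-fix massUpdate tried to delete, which raised the error.
    $preserved = array_values(array_filter($currentGroupIds, function ($groupId) use ($perm) {
        return $perm($groupId) !== 'rw';
    }));

    // Rule 3: removing all writable groups and leaving only readable ones is allowed
    // (sub-issue (6)), but the host must still belong to at least one group.
    $result = array_values(array_unique(array_merge($submittedGroupIds, $preserved)));
    if (count($result) === 0) {
        throw new ValidationException('No groups for host.');
    }
    sort($result);
    return $result;
}

/**
 * host.create: every group must be writable, so a request naming unknown or denied
 * groups fails validation instead of reaching the INSERT (sub-issue (19)).
 */
function validateGroupsForCreate(array $groupIds, array $permissions): void {
    if (count($groupIds) === 0) {
        throw new ValidationException('No groups for host.');
    }
    foreach ($groupIds as $groupId) {
        if (($permissions[$groupId] ?? 'deny') !== 'rw') {
            throw new PermissionException('No permissions to referred object or it does not exist!');
        }
    }
}

// Constructed scenario from the description: the host is in an RW group (id 10) and an RO group (id 20);
// a second RW group (id 30) exists. The IDs are made up for this example.
$permissions = [10 => 'rw', 20 => 'r', 30 => 'rw'];
$current = [10, 20];

// Saving the form unchanged: the form submits only the enabled RW group, and the RO group is kept.
var_dump(mergeHostGroupsForUpdate($current, [10], $permissions));

// Moving the host from RW group 10 to RW group 30 leaves the read-only membership intact.
var_dump(mergeHostGroupsForUpdate($current, [30], $permissions));

// Dropping the only writable group is allowed: the host remains in the read-only group.
var_dump(mergeHostGroupsForUpdate($current, [], $permissions));

// A request that names the read-only group is rejected rather than silently applied.
try {
    mergeHostGroupsForUpdate($current, [10, 20], $permissions);
} catch (PermissionException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// host.create with groups the user cannot see fails validation before any INSERT is attempted.
try {
    validateGroupsForCreate([96, 98], $permissions);
} catch (PermissionException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The important design point is that the stored group set is computed from the unfiltered database state plus the submitted writable groups, never from the permission-filtered view the user sees: filtering first is exactly what made the pre-fix code treat the invisible read-only group as something to delete.
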
Comment by Ivo Kurzemnieks [ 2015 Jan 27 ]

(22) API documentation needs to be updated.

iivs Difficult to capture each method's changes. Please review if anything is missing or redundant.

sasha CLOSED

Comment by Ivo Kurzemnieks [ 2015 Jan 27 ]

(23) Documentation needs to be updated (probably with screenshots from edit forms).

martins-v Our screenshots are made from a super-admin perspective, so probably no changes there. Won't fix?

iivs CLOSED

Comment by Marc [ 2015 Jan 27 ]

(24) Is ZBX-8360 covered as well?
A Zabbix-Admin may not edit a host anymore when the host is a member of a host group the Zabbix-Admin has no permission to.

<richlv> based on this comment, let's explicitly verify that the mentioned issue is solved as well

iivs Seems like it's working just fine.
CLOSED.

Comment by richlv [ 2015 Feb 02 ]

subissues still open: 22, 23

Comment by Oleksii Zagorskyi [ 2015 Mar 01 ]

it caused a regression - ZBX-9348

Comment by Ivo Kurzemnieks [ 2015 Mar 02 ]

(25) Global search can pass read-only "groupid" parameter in URL preventing opening the edit form although user has write permissions to other groups.

iivs RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-8448 r52446

sasha Do not fix regressions in this issue because 2.4.4 is already released! Please create different ZBX issue.

iivs Moved to ZBX-9381
CLOSED.

Comment by Oleksii Zagorskyi [ 2015 Mar 06 ]

another regression - ZBX-9365

Generated at Sat Apr 27 05:54:12 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.