[ZBX-9381] Global search can pass read-only "groupid" parameter in URL preventing opening the edit form to users with write permissions Created: 2015 Mar 09  Updated: 2017 May 30  Resolved: 2015 Aug 04

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: None
Fix Version/s: 2.2.10rc1, 2.2.10rc2, 2.4.6rc1, 2.5.0

Type: Incident report Priority: Blocker
Reporter: Ivo Kurzemnieks Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: globalsearch, permissions, usergroups
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File empty_host_list.png    
Issue Links:
Duplicate

 Description   

Global search can pass read-only "groupid" parameter in URL preventing opening the edit form although user has write permissions to other groups.

Moved from ZBX-8448 (24)

 Comments   
Comment by Ivo Kurzemnieks [ 2015 Mar 09 ]

(1) No translation string changes.

oleg.egorov CLOSED

Comment by Ivo Kurzemnieks [ 2015 Mar 09 ]

RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-9381

Comment by Oleg Egorov (Inactive) [ 2015 Mar 23 ]

(2)

			$groups = API::HostGroup()->get(array(
				'output' => array('groupid'),
				'groupids' => zbx_objectValues($host['groups'], 'groupid'),
				'editable' => true,
				'preservekeys' => true
			));

			foreach ($host['groups'] as $num => &$group) {
				if (!array_key_exists($group['groupid'], $groups)) {
					unset($host['groups'][$num]);
				}
			}
			unset($group);

Executed for admins and super admins users, but super admins always have write permissions.

And please add short description for this block.

iivs RESOLVED in r52851, r52852

oleg.egorov CLOSED

Comment by Oleg Egorov (Inactive) [ 2015 Mar 24 ]

TESTED

Comment by Alexander Vladishev [ 2015 Apr 08 ]

(3) Reference to the $group must be removed.

-foreach ($host['groups'] as $num => &$group) {
+foreach ($host['groups'] as $num => $group) {
     if (!array_key_exists($group['groupid'], $groups)) {
         unset($host['groups'][$num]);
     }
 }
-unset($group);

iivs RESOLVED in r53195

oleg.egorov CLOSED

Comment by Alexander Vladishev [ 2015 Apr 09 ]

(4) It should be fixed in all similar places.

iivs As discussed, I made an alternative version in new dev branch. I removed passing "groupid" from global search and added an automatic group selection from dropdown. When host is set and option "dropdown first entry none" is chosen, a group will be automatically found and set.
RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-9381-alt r53253

oleg.egorov Please review my minor changes in r54204

iivs CLOSED.

Comment by Oleg Egorov (Inactive) [ 2015 Jun 30 ]

TESTED

Comment by Ivo Kurzemnieks [ 2015 Jul 01 ]

The "groupid" parameter has been removed from global search URLs and is now automatically detected depending on host.

Fixed in:

  • pre-2.2.10rc1 r54231
  • pre-2.4.6rc1 r54233
  • pre-2.5.0 r54235
Comment by Alexander Vladishev [ 2015 Jul 28 ]

(5) [F] Empty host list can be shown in the popup windows

iivs RESOLVED in r54570

oleg.egorov CLOSED

Comment by Ivo Kurzemnieks [ 2015 Jul 31 ]

Fixed in:

  • pre-2.2.10rc2 r54635, r54636
  • pre-2.4.6rc1 r54637
  • pre-2.5.0 r54638
Generated at Tue Jan 07 12:26:49 EET 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.