Hi,
A customer notified us about issues with the permission system, so I started digging through the source code.
Unfortunately, there were some real issues, IMHO ...
In charts.php, the dropdown displaying the groups was OK, but for the hosts, every host in the system was visible, not only those with at least read permission. The graphs themselves are not visible, but the host list itself was enough for the customer.

These changes should fix the issue:
Code:
diff zabbix-1.4.6/charts.php monitoring/charts.php
149a150
> $cmbHosts->AddItem(0,S_ALL_SMALL);
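Review bot: `$cmbHosts->AddItem(0,S_ALL_SMALL);` adds an "all" entry with hostid 0 to the host combobox, which is not part of the permission fix the post describes; if it belongs here, say so in the change, and check that the code path handling hostid 0 also restricts itself to `$availiable_groups` rather than falling back to every host.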
152a154
> " and hg.groupid in (".$availiable_groups.") ".
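Review bot: the inserted `" and hg.groupid in (".$availiable_groups.") ".` references the alias `hg`, but this hunk does not add `hosts_groups hg` to the FROM list of the query at line 152 (unlike hunk 159c161,162 below); confirm that query already joins hosts_groups, otherwise the statement fails with an unknown alias. `$availiable_groups` is also concatenated straight into the SQL, so it must come from the permission code and never from the request, and an empty list produces `in ()`, a syntax error; guard that case so a user with no readable group gets an empty list instead of a database error.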
159c161,162
< $sql = "select distinct h.hostid,h.host from hosts h,items i, graphs_items gi where h.status=".HOST_STATUS_MONIT
ORED.
---
> $sql = "select distinct h.hostid,h.host from hosts h,hosts_groups hg,items i, graphs_items gi where h.status=".H
OST_STATUS_MONITORED.
> " and hg.hostid=h.hostid and hg.groupid in (".$availiable_groups.") ".
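Review bot: this hunk is the actual fix for the host list and it fails closed for hosts that belong to no group (they drop out of the join), which is the right default; keep the `distinct`, because a host in two permitted groups now produces one row per matching hosts_groups entry. Since the filter lives in the query rather than in the dropdown rendering, a hostid submitted directly in the request is filtered the same way; keep it that way when the code is reworked.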
188a192
> " and hg.groupid in (".$availiable_groups.") ".
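Review bot: same concern as for hunk 152a154: the query at line 188 gets a `hg.groupid` condition here, while the `hosts_groups hg` join added in hunk 196c200 belongs to a different query (line 196). Verify that the statement at 188 already has `hg` in its FROM list.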
196c200
< $sql = "select distinct g.graphid,g.name from graphs g,graphs_items gi,items i,hosts h".
---
> $sql = "select distinct g.graphid,g.name from graphs g,graphs_items gi,items i,hosts h,hosts_groups hg".
197a202
> " and hg.hostid=h.hostid and hg.groupid in (".$availiable_groups.") ".
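Review bot: the patched graph query (hunks 196c200 and 197a202) lists a graph as soon as any one of its items belongs to a host in a permitted group, because the join only needs a single matching (gi, i, h, hg) row. A graph that mixes items from a permitted host and a non-permitted host therefore stays visible, and its name and data expose the other host. If that is not acceptable, add a NOT EXISTS condition that excludes graphs having an item whose host is outside `$availiable_groups`.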
The other issues concern the visibility of the pages themselves, e.g. maps.php: all maps and the hosts/items on the maps are visible to guests, with no permission checking ... the same goes for reports (guests do not need to know how many hosts we are monitoring), and others ...
Code:
diff -r zabbix-1.4.6/include/page_header.php monitoring/include/page_header.php
109c109
< array("url"=>"actions.php" ,"label"=>S_ACTIONS ),
---
> array("url"=>"actions.php" ,"label"=>S_ACTIONS , "user_type"=>USER_TYPE_ZABBIX_
ADMIN),
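Review bot: adding `"user_type"=>USER_TYPE_ZABBIX_ADMIN` to the menu entry only protects actions.php if page_header.php enforces `user_type` when the page is requested directly by URL, not only when it renders the menu. Confirm that code path in 1.4.6 before relying on this hunk; if the key only hides the link, actions.php still needs an explicit check at the top of the script.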
111c111
< "sub_pages"=>array("map.php")
---
> "sub_pages"=>array("map.php" ), "user_type"=>USER_TYPE_ZABBIX_ADMIN
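Review bot: USER_TYPE_ZABBIX_ADMIN is stricter than the goal stated in the post (hide maps from guests): ordinary USER_TYPE_ZABBIX_USER accounts lose maps.php and map.php as well. Use USER_TYPE_ZABBIX_USER here unless admin-only maps is intended, and record the choice in the change description; hunk 127a129 shows the patch already distinguishes the two levels.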
116c116
< array("url"=>"screens.php" ,"label"=>S_SCREENS ),
---
> array("url"=>"screens.php" ,"label"=>S_SCREENS , "user_type"=>USER_TYPE_ZABBIX_
ADMIN),
119c119,120
< "sub_pages"=>array("report3.php","chart_sla.php","chart5.php")
---
> "sub_pages"=>array("report3.php","chart_sla.php","chart5.php"),
> "user_type"=>USER_TYPE_ZABBIX_ADMIN
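Review bot: the gate on the reports entry only covers report3.php, chart_sla.php and chart5.php if page_header.php applies the parent's `user_type` to the `sub_pages` list as well; confirm that, since these scripts are typically reached without going through the menu, and otherwise add the check in each script.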
127a129
> "user_type" => USER_TYPE_ZABBIX_USER,
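Review bot: this hunk sets `USER_TYPE_ZABBIX_USER` while every other entry in the patch uses `USER_TYPE_ZABBIX_ADMIN`, and the diff gives no context for which menu entry it belongs to; state in the change which page this is and why it gets the lower level, so the intended policy can be reviewed.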
135a138
> "user_type" => USER_TYPE_ZABBIX_ADMIN,
171c174,175
< "sub_pages"=>array("screenedit.php")
---
> "sub_pages"=>array("screenedit.php"),
> "user_type"=>USER_TYPE_ZABBIX_ADMIN
174c178,179
< "sub_pages"=>array("services_form.php")
---
> "sub_pages"=>array("services_form.php"),
> "user_type"=>USER_TYPE_ZABBIX_ADMIN
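Review bot: services_form.php (and screenedit.php in the hunk above) process form submissions, so a `user_type` gate in the menu table must run before any request data is acted on; verify that page_header.php is included and performs the check before these scripts handle their form actions, otherwise the entry only hides the link and a direct POST still goes through.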
I don't know whether the changes are of general use, but it would be great if at least the fix for charts.php were committed to the main sources.
Greetings from Germany,
Anton
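To make the two dropdown queries from the post testable outside Zabbix, here is an added example (not code from the post or from Zabbix) in Python with sqlite3. The table and column names follow the patch; the status value, the sample hosts, groups and graphs, and the use of bound parameters instead of the patch's string concatenation are assumptions of the example. It shows the host list before and after the group filter, the guard for a user with no readable group, and a stricter graph query that also hides graphs mixing permitted and non-permitted hosts.

```python
import sqlite3

# Assumed value: Zabbix stores monitored hosts with status 0; used only to mirror the
# "h.status=".HOST_STATUS_MONITORED condition from the patched query.
HOST_STATUS_MONITORED = 0


def build_db():
    """Return an in-memory database with constructed sample data.

    Table and column names follow the ones used in the patch (hosts, hosts_groups,
    items, graphs, graphs_items); the rows are made up for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hosts        (hostid INTEGER PRIMARY KEY, host TEXT, status INTEGER);
        CREATE TABLE hosts_groups (hostid INTEGER, groupid INTEGER);
        CREATE TABLE items        (itemid INTEGER PRIMARY KEY, hostid INTEGER);
        CREATE TABLE graphs       (graphid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE graphs_items (graphid INTEGER, itemid INTEGER);
    """)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?)", [
        (1, "alpha",   HOST_STATUS_MONITORED),   # group 1
        (2, "bravo",   HOST_STATUS_MONITORED),   # group 2
        (3, "charlie", HOST_STATUS_MONITORED),   # groups 1 and 2
        (4, "delta",   HOST_STATUS_MONITORED),   # in no group at all
    ])
    conn.executemany("INSERT INTO hosts_groups VALUES (?,?)",
                     [(1, 1), (2, 2), (3, 1), (3, 2)])
    conn.executemany("INSERT INTO items VALUES (?,?)",
                     [(10, 1), (20, 2), (30, 3), (40, 4)])
    conn.executemany("INSERT INTO graphs VALUES (?,?)", [
        (100, "alpha cpu"), (200, "bravo cpu"), (300, "charlie cpu"),
        (400, "delta cpu"), (500, "alpha+bravo traffic"),  # mixes two hosts
    ])
    conn.executemany("INSERT INTO graphs_items VALUES (?,?)",
                     [(100, 10), (200, 20), (300, 30), (400, 40), (500, 10), (500, 20)])
    conn.commit()
    return conn


def _names(rows):
    return [row[1] for row in rows]


def _marks(groups):
    # One bind parameter per group id. The patch concatenates $availiable_groups into
    # the SQL string instead, which is only safe while that list never comes from the request.
    return ",".join("?" for _ in groups)


def hosts_before_fix(conn):
    """Host dropdown as in the unpatched query: every monitored host that has a graph."""
    rows = conn.execute(
        "SELECT DISTINCT h.hostid, h.host FROM hosts h, items i, graphs_items gi"
        " WHERE h.status=? AND h.hostid=i.hostid AND i.itemid=gi.itemid"
        " ORDER BY h.host", (HOST_STATUS_MONITORED,)).fetchall()
    return _names(rows)


def hosts_after_fix(conn, available_groups):
    """Host dropdown with the patch's hosts_groups join and groupid filter."""
    if not available_groups:
        return []   # 'IN ()' is a syntax error; a user with no readable group sees nothing
    rows = conn.execute(
        "SELECT DISTINCT h.hostid, h.host"
        " FROM hosts h, hosts_groups hg, items i, graphs_items gi"
        " WHERE h.status=? AND hg.hostid=h.hostid AND hg.groupid IN (" + _marks(available_groups) + ")"
        " AND h.hostid=i.hostid AND i.itemid=gi.itemid"
        " ORDER BY h.host", (HOST_STATUS_MONITORED, *available_groups)).fetchall()
    return _names(rows)


GRAPH_SQL = (
    "SELECT DISTINCT g.graphid, g.name"
    " FROM graphs g, graphs_items gi, items i, hosts h, hosts_groups hg"
    " WHERE g.graphid=gi.graphid AND gi.itemid=i.itemid AND i.hostid=h.hostid"
    " AND h.status=? AND hg.hostid=h.hostid AND hg.groupid IN ({marks})"
)


def graphs_any_host_permitted(conn, available_groups):
    """Graph dropdown with the patch's semantics: listed if ANY item's host is permitted."""
    if not available_groups:
        return []
    sql = GRAPH_SQL.format(marks=_marks(available_groups)) + " ORDER BY g.name"
    return _names(conn.execute(sql, (HOST_STATUS_MONITORED, *available_groups)).fetchall())


def graphs_all_hosts_permitted(conn, available_groups):
    """Stricter variant: hide a graph if any of its items belongs to a host outside the permitted groups."""
    if not available_groups:
        return []
    marks = _marks(available_groups)
    sql = (GRAPH_SQL.format(marks=marks) +
           " AND NOT EXISTS (SELECT 1 FROM graphs_items gi2, items i2"
           "   WHERE gi2.graphid=g.graphid AND gi2.itemid=i2.itemid"
           "   AND i2.hostid NOT IN (SELECT hostid FROM hosts_groups WHERE groupid IN (" + marks + ")))"
           " ORDER BY g.name")
    params = (HOST_STATUS_MONITORED, *available_groups, *available_groups)
    return _names(conn.execute(sql, params).fetchall())


if __name__ == "__main__":
    db = build_db()
    print("before fix, any user:       ", hosts_before_fix(db))
    print("after fix, groups {1}:      ", hosts_after_fix(db, [1]))
    print("graphs, patch semantics:    ", graphs_any_host_permitted(db, [1]))
    print("graphs, all hosts permitted:", graphs_all_hosts_permitted(db, [1]))
```

Run it directly to print the four lists for a user who can read group 1 only: the unpatched query returns all four hosts, the patched one returns alpha and charlie, and the mixed graph "alpha+bravo traffic" is listed by the patch's query but dropped by the NOT EXISTS variant.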