---- Edit
This only applies to postgresql!
It seems that postgresql (probably oracle to) and mysql differ how they handle NULL values in an SQL sort.
Users using MySQL will not benefit from this!
---- end of edit
Hi,
In the webfrontend for 1.4.4 i have found the following problem:
Situation:
- Normal user (no admin)
- User has access to GROUPA but not GROUPB
(not an explicit deny, just not defined)
- Hosts belonging to GROUPA and GROUPB
- Hosts belonging to GROUPA only
Symptoms:
- Now the user can see trigger overviews, data views, latest data, etc of servers in both groups.
- The user can see item history (text and graph) of hosts in GROUPA only
- The user can't see item history (text or graph) of hosts in GROUPA and GROUPB. 'ERROR: No Permissions'
finding the problem
After searching through the php code and trying some of the queries, i found out that the result set in the above situation is . . . less desirable.
history.php fetches two lists (i wont bash on the spelling
The item's host is in both lists, which is bad because the permission check is done on $denyed_hosts.
The function get_accessible_hosts_by_user(); resides in includes/perm.inc.php which queries the db for the user permissions crossing all user groups.
Looking at the db result set for the $denyed_hosts, you will get something like:
Because this is sorted DESC on perm and userid, the host entries without perm and userid come up first and thus showing up in the $denyed_hosts list/
Quick fix
I *think* the permissions query isn't meant to produce the above resultset.
I've tried to rewrite the query several times in order to get a result set with the correct records only, but each time i fixed the user permissions i broke the admin part.
The only working 'hack' i got working without breaking other parts is modifying the sort order for perm and userid in the query (as described above), thus making the correct host entry show up first per host.
Diff for includes/perm.inc.php
@zabbix developpers
Can you confirm this issue and that the above fix doesn't break other parts of the web interface? All seems to be working after this but hey, its the perm.inc.php.
If the fix is workable, i hope it will be included so this problem wont occur in future releases.
This only applies to postgresql!
It seems that postgresql (probably oracle to) and mysql differ how they handle NULL values in an SQL sort.
Users using MySQL will not benefit from this!
---- end of edit
Hi,
In the webfrontend for 1.4.4 i have found the following problem:
Situation:
- Normal user (no admin)
- User has access to GROUPA but not GROUPB
(not an explicit deny, just not defined)
- Hosts belonging to GROUPA and GROUPB
- Hosts belonging to GROUPA only
Symptoms:
- Now the user can see trigger overviews, data views, latest data, etc of servers in both groups.
- The user can see item history (text and graph) of hosts in GROUPA only
- The user can't see item history (text or graph) of hosts in GROUPA and GROUPB. 'ERROR: No Permissions'
finding the problem
After searching through the php code and trying some of the queries, i found out that the result set in the above situation is . . . less desirable.
history.php fetches two lists (i wont bash on the spelling
$denyed_hosts = get_accessible_hosts_by_user(blah);
$availiable_hosts = get_accessible_hosts_by_user(blah);
$availiable_hosts = get_accessible_hosts_by_user(blah);
The function get_accessible_hosts_by_user(); resides in includes/perm.inc.php which queries the db for the user permissions crossing all user groups.
Looking at the db result set for the $denyed_hosts, you will get something like:
Node; Nodename; Hostid; Hostname; Perm; Userid
1; "node"; 100100000010175; "host1"; ;
1; "node"; 100100000010175; "host1"; 2; 100100000000006
1; "node"; 100100000010188; "host2"; ;
1; "node"; 100100000010188; "host2"; 2; 100100000000006
1; "node"; 100100000010175; "host1"; ;
1; "node"; 100100000010175; "host1"; 2; 100100000000006
1; "node"; 100100000010188; "host2"; ;
1; "node"; 100100000010188; "host2"; 2; 100100000000006
Quick fix
I *think* the permissions query isn't meant to produce the above resultset.
I've tried to rewrite the query several times in order to get a result set with the correct records only, but each time i fixed the user permissions i broke the admin part.
The only working 'hack' i got working without breaking other parts is modifying the sort order for perm and userid in the query (as described above), thus making the correct host entry show up first per host.
Diff for includes/perm.inc.php
172c172
< ' order by n.name,n.nodeid, h.host, permission asc, userid asc';
---
> ' order by n.name,n.nodeid, h.host, permission desc, userid desc';
< ' order by n.name,n.nodeid, h.host, permission asc, userid asc';
---
> ' order by n.name,n.nodeid, h.host, permission desc, userid desc';
Can you confirm this issue and that the above fix doesn't break other parts of the web interface? All seems to be working after this but hey, its the perm.inc.php.
If the fix is workable, i hope it will be included so this problem wont occur in future releases.
Comment