author | Andrejs Verza <andrejs.verza@zabbix.com> | 2022-11-07 11:05:03 +0300 |
---|---|---|
committer | Andrejs Verza <andrejs.verza@zabbix.com> | 2022-11-07 11:05:03 +0300 |
commit | 3d047fe3334003132a04b5b74233fb35b5455b5a (patch) | |
tree | a33b4c192f5fe43530d025cfe363970d1956ced1 | |
parent | f36b0798c311f51a1febe5d93114d641ff7d55cd (diff) |
..F....... [ZBXNEXT-7469] fixed permission check in dashboards controllers
-rw-r--r-- | ui/app/controllers/CControllerDashboardConfigHash.php (renamed from ui/app/controllers/CControllerDashboardConfigurationHashGet.php) | 9 | ||||
-rw-r--r-- | ui/app/controllers/CControllerHostDashboardView.php | 2 | ||||
-rw-r--r-- | ui/include/classes/mvc/CRouter.php | 2 | ||||
-rw-r--r-- | ui/js/class.dashboard.js | 2 |
4 files changed, 10 insertions, 5 deletions
diff --git a/ui/app/controllers/CControllerDashboardConfigurationHashGet.php b/ui/app/controllers/CControllerDashboardConfigHash.php
index 3e7f789a3ff..d56b08c3eaf 100644
--- a/ui/app/controllers/CControllerDashboardConfigurationHashGet.php
+++ b/ui/app/controllers/CControllerDashboardConfigHash.php
@@ -19,7 +19,7 @@
 **/
-class CControllerDashboardConfigurationHashGet extends CController {
+class CControllerDashboardConfigHash extends CController {
 protected function init(): void {
 $this->setPostContentType(self::POST_CONTENT_TYPE_JSON);
@@ -50,6 +50,10 @@ class CControllerDashboardConfigurationHashGet extends CController {
 }
 protected function checkPermissions(): bool {
+ /*
+ * Permission check errors (e.g. expired sessions) must be ignored by the frontend and must not cause dashboard
+ * reload.
+ */
 return true;
 }
@@ -59,7 +63,8 @@ class CControllerDashboardConfigurationHashGet extends CController {
 protected function doAction(): void {
 $configuration_hash = null;
- if ($this->checkAccess(CRoleHelper::UI_MONITORING_DASHBOARD)) {
+ if (($this->hasInput('templateid') && $this->checkAccess(CRoleHelper::UI_MONITORING_HOSTS))
+ || (!$this->hasInput('templateid') && $this->checkAccess(CRoleHelper::UI_MONITORING_DASHBOARD))) {
 if ($this->hasInput('templateid')) {
 $db_dashboards = API::TemplateDashboard()->get([
 'output' => ['name', 'display_period', 'auto_start'],
diff --git a/ui/app/controllers/CControllerHostDashboardView.php b/ui/app/controllers/CControllerHostDashboardView.php
index b2062fe2d2c..efeed112c44 100644
--- a/ui/app/controllers/CControllerHostDashboardView.php
+++ b/ui/app/controllers/CControllerHostDashboardView.php
@@ -45,7 +45,7 @@ class CControllerHostDashboardView extends CController {
 }
 protected function checkPermissions() {
- if ($this->getUserType() < USER_TYPE_ZABBIX_USER) {
+ if (!$this->checkAccess(CRoleHelper::UI_MONITORING_HOSTS)) {
 return false;
 }
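Review bot: The comment added to `checkPermissions()` in CControllerDashboardConfigHash explains why the method returns `true`, but not where access is enforced once the controller-level gate is open. Judging by the following hunk, the only authorization left for this action is the `checkAccess()` call in `doAction()`, so any lookup later placed outside that `if` would run for every caller. I would add a line to the comment such as `* Access is enforced in doAction(); keep every data lookup inside that check.` so the dependency is visible to the next editor.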
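Review bot: The new condition in `doAction()` evaluates `hasInput('templateid')` twice and the nested `if` right after it tests it a third time, which makes the rule-to-input mapping easy to get out of step when it is edited. Selecting the rule once reads more directly: `$ui_element = $this->hasInput('templateid') ? CRoleHelper::UI_MONITORING_HOSTS : CRoleHelper::UI_MONITORING_DASHBOARD;` followed by `if ($this->checkAccess($ui_element)) {`. `checkAccess()` here only covers the UI element rule; whether the caller may read the specific dashboard presumably rests on the `API::TemplateDashboard()->get()` call and its counterpart, which continue outside the hunk.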
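Review bot: `checkPermissions()` in CControllerHostDashboardView still has no declared return type, while the same method in CControllerDashboardConfigHash in this commit is declared `: bool`. Since this hunk rewrites the first guard of the method, the signature could be aligned at the same time: `protected function checkPermissions(): bool {`. The rest of the method body lies outside the hunk, so this assumes every remaining path returns a boolean.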
diff --git a/ui/include/classes/mvc/CRouter.php b/ui/include/classes/mvc/CRouter.php
index c9a5f96d0bb..83195e00f05 100644
--- a/ui/include/classes/mvc/CRouter.php
+++ b/ui/include/classes/mvc/CRouter.php
@@ -64,7 +64,7 @@ class CRouter {
 'correlation.enable' => ['CControllerCorrelationEnable', null, null],
 'correlation.list' => ['CControllerCorrelationList', 'layout.htmlpage', 'configuration.correlation.list'],
 'correlation.update' => ['CControllerCorrelationUpdate', null, null],
- 'dashboard.configuration.hash.get' => ['CControllerDashboardConfigurationHashGet', 'layout.json', null],
+ 'dashboard.config.hash' => ['CControllerDashboardConfigHash', 'layout.json', null],
 'dashboard.delete' => ['CControllerDashboardDelete', null, null],
 'dashboard.list' => ['CControllerDashboardList', 'layout.htmlpage', 'monitoring.dashboard.list'],
 'dashboard.page.properties.check' => ['CControllerDashboardPagePropertiesCheck', 'layout.json', null],
diff --git a/ui/js/class.dashboard.js b/ui/js/class.dashboard.js
index 681b96062c7..2cf9875662c 100644
--- a/ui/js/class.dashboard.js
+++ b/ui/js/class.dashboard.js
@@ -382,7 +382,7 @@ class CDashboard extends CBaseComponent {
 _promiseCheckConfiguration() {
 const curl = new Curl('zabbix.php');
- curl.setArgument('action', 'dashboard.configuration.hash.get');
+ curl.setArgument('action', 'dashboard.config.hash');
 return fetch(curl.getUrl(), {
 method: 'POST', |