
github.com/zabbix/zabbix.git - Unnamed repository; edit this file 'description' to name the repository.
authorAndrejs Verza <andrejs.verza@zabbix.com>2022-11-07 11:05:03 +0300
committerAndrejs Verza <andrejs.verza@zabbix.com>2022-11-07 11:05:03 +0300
commit3d047fe3334003132a04b5b74233fb35b5455b5a (patch)
treea33b4c192f5fe43530d025cfe363970d1956ced1
parentf36b0798c311f51a1febe5d93114d641ff7d55cd (diff)
..F....... [ZBXNEXT-7469] fixed permission check in dashboards controllers
-rw-r--r--ui/app/controllers/CControllerDashboardConfigHash.php (renamed from ui/app/controllers/CControllerDashboardConfigurationHashGet.php)9
-rw-r--r--ui/app/controllers/CControllerHostDashboardView.php2
-rw-r--r--ui/include/classes/mvc/CRouter.php2
-rw-r--r--ui/js/class.dashboard.js2
4 files changed, 10 insertions, 5 deletions
diff --git a/ui/app/controllers/CControllerDashboardConfigurationHashGet.php b/ui/app/controllers/CControllerDashboardConfigHash.php
index 3e7f789a3ff..d56b08c3eaf 100644
--- a/ui/app/controllers/CControllerDashboardConfigurationHashGet.php
+++ b/ui/app/controllers/CControllerDashboardConfigHash.php
@@ -19,7 +19,7 @@
**/
-class CControllerDashboardConfigurationHashGet extends CController {
+class CControllerDashboardConfigHash extends CController {
protected function init(): void {
$this->setPostContentType(self::POST_CONTENT_TYPE_JSON);
@@ -50,6 +50,10 @@ class CControllerDashboardConfigurationHashGet extends CController {
}
protected function checkPermissions(): bool {
+ /*
+ * Permission check errors (e.g. expired sessions) must be ignored by the frontend and must not cause dashboard
+ * reload.
+ */
return true;
}
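Review bot: The comment added in checkPermissions() explains why the method returns true but not where authorization is enforced instead, so the unconditional `return true` still reads like a missing check. I would extend the comment with a sentence such as `Access is enforced in doAction(), which leaves the hash null when the role check fails.` so that a later refactor of doAction() does not silently remove the only gate. The initial `$configuration_hash = null;` is visible in the following hunk; how that null is returned to the client lies outside the visible lines.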
@@ -59,7 +63,8 @@ class CControllerDashboardConfigurationHashGet extends CController {
protected function doAction(): void {
$configuration_hash = null;
- if ($this->checkAccess(CRoleHelper::UI_MONITORING_DASHBOARD)) {
+ if (($this->hasInput('templateid') && $this->checkAccess(CRoleHelper::UI_MONITORING_HOSTS))
+ || (!$this->hasInput('templateid') && $this->checkAccess(CRoleHelper::UI_MONITORING_DASHBOARD))) {
if ($this->hasInput('templateid')) {
$db_dashboards = API::TemplateDashboard()->get([
'output' => ['name', 'display_period', 'auto_start'],
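Review bot: The new condition at the top of doAction() calls `hasInput('templateid')` twice and the nested `if` calls it a third time, which makes the role selection harder to audit than it needs to be. Selecting the role first reads more directly: `$ui_element = $this->hasInput('templateid') ? CRoleHelper::UI_MONITORING_HOSTS : CRoleHelper::UI_MONITORING_DASHBOARD;` followed by `if ($this->checkAccess($ui_element)) {`. The role is chosen from the presence of a client-supplied parameter, so this check only gates the UI element. Per-object access presumably rests on the `API::TemplateDashboard()->get` call and its dashboard counterpart, whose arguments continue outside the hunk and should be confirmed to remain permission-aware.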
diff --git a/ui/app/controllers/CControllerHostDashboardView.php b/ui/app/controllers/CControllerHostDashboardView.php
index b2062fe2d2c..efeed112c44 100644
--- a/ui/app/controllers/CControllerHostDashboardView.php
+++ b/ui/app/controllers/CControllerHostDashboardView.php
@@ -45,7 +45,7 @@ class CControllerHostDashboardView extends CController {
}
protected function checkPermissions() {
- if ($this->getUserType() < USER_TYPE_ZABBIX_USER) {
+ if (!$this->checkAccess(CRoleHelper::UI_MONITORING_HOSTS)) {
return false;
}
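Review bot: `checkPermissions()` in CControllerHostDashboardView has no return type, while the same method in CControllerDashboardConfigHash in this commit is declared `: bool`. Since the method is being edited anyway, `protected function checkPermissions(): bool {` would keep the two controllers consistent and make a non-boolean return a type error. The method body continues outside the hunk, so whether further host-level checks follow the role check cannot be confirmed from here.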
diff --git a/ui/include/classes/mvc/CRouter.php b/ui/include/classes/mvc/CRouter.php
index c9a5f96d0bb..83195e00f05 100644
--- a/ui/include/classes/mvc/CRouter.php
+++ b/ui/include/classes/mvc/CRouter.php
@@ -64,7 +64,7 @@ class CRouter {
'correlation.enable' => ['CControllerCorrelationEnable', null, null],
'correlation.list' => ['CControllerCorrelationList', 'layout.htmlpage', 'configuration.correlation.list'],
'correlation.update' => ['CControllerCorrelationUpdate', null, null],
- 'dashboard.configuration.hash.get' => ['CControllerDashboardConfigurationHashGet', 'layout.json', null],
+ 'dashboard.config.hash' => ['CControllerDashboardConfigHash', 'layout.json', null],
'dashboard.delete' => ['CControllerDashboardDelete', null, null],
'dashboard.list' => ['CControllerDashboardList', 'layout.htmlpage', 'monitoring.dashboard.list'],
'dashboard.page.properties.check' => ['CControllerDashboardPagePropertiesCheck', 'layout.json', null],
diff --git a/ui/js/class.dashboard.js b/ui/js/class.dashboard.js
index 681b96062c7..2cf9875662c 100644
--- a/ui/js/class.dashboard.js
+++ b/ui/js/class.dashboard.js
@@ -382,7 +382,7 @@ class CDashboard extends CBaseComponent {
_promiseCheckConfiguration() {
const curl = new Curl('zabbix.php');
- curl.setArgument('action', 'dashboard.configuration.hash.get');
+ curl.setArgument('action', 'dashboard.config.hash');
return fetch(curl.getUrl(), {
method: 'POST',