-
Patch request
-
Resolution: Fixed
-
Trivial
-
7.0.12, 7.0.13
-
None
-
S25-W22/23
-
0.125
Steps to reproduce:
- Fresh install of Zabbix Frontend (UI) 7.0
- Developping frontend module, using a CMultiSelect with 'srctbl' => 'templates',
- On ui, try using the multiselect element as role type "USER" and got "Access denied"
Result:
Expected:
More context :
I'm developping an improved (for my case) version of availability report. With user role type ADMIN or SUPERADMIN, no issue. But when trying to use it as standard USER, template multiselect does not work, despite the user have read permissions on all templates. Template Groups work perfectly, Template trigger display the multiselect, but i need to select a template first, so the same issue appear.
Digging on Zabbix Frontend core, I found in CControllerPopupGeneric, the templates action is limited to ADMIN or greater :
While, template groups, host, triggers are fine to USER :
This may be intentionnal for security reason ?! But on Zabbix 7.2 it was changed to USER for templates, on availability report rework : https://support.zabbix.com/si/jira.issueviews:issue-html/ZBXNEXT-8993/ZBXNEXT-8993.html
https://github.com/zabbix/zabbix/commit/16243f0e622e390287d6df7e69590b15d735e322
Can you check this and "fix" the permissions on 7.0 ?
