[SOLVED] Tab shows even for users that don't have access?

[Howie]

Cacti 0.8.7a, Thold 0.3.8

When a user has no access to THold (even to view), the tab still shows up.

Looks like thold_show_tab calls this new-fangled api_user_realm_auth() function, to decide whether or not to show it, which presumably is returning the wrong thing.

monitor has the same problem, incidentally.

[chrisgapske]

I have noticed I have limited users with access to thold & syslog TAB.
They do not have access to thold or syslog but just the TAB.

I am also having what might be a related issue where Issues with limited access to hosts are able to see almost all hosts in the monitor plugin?

[mcutting]

Either of you guys have UP and DOWN notifications working with your version of THOLD ? Sorry it's a bit off topic, but I was curious.

Thanks

[Howie]

[Howie]

I've just been looking at this some more, and it seems that the api_user_realm_auth() function in plugins.php only works if a cacti setting called global_auth is set to 'on'. That setting doesn't exist at all in my 0.8.7a install.

When it doesn't exist (or isn't 'on'), then api_user_realm_auth only checks if the permission for that file has been defined, not whether the current user actually has it - it doesn't use the sess_user_id at all.

Since I don't know what global_auth does, I don't really know what the solution is, except to say that in my Cacti 0.8.7a install, nothing refers to global_auth apart from thold, monitor and plugins.php, and the database conversion scripts for upgrades. The database upgrade scripts appear to be deleting the setting during the move from 0.8.6x to 0.8.7x, so I guess it's an obsolete setting. Looks like it should really be using auth_method, if anything.

[Howie]

Changing line 68 of include/plugins.php to

[chrisgapske]

That fixed my TAB issue as well.

[chrisgapske]

Do the same thing for the monitor plugin to work in monitor.php to fix view permissions.


line 760 and 823

[lard]

Excellent - thanks guys that solved it for

[mkeadle]