"Graph Settings" permission issue.

mrfizz
Posts: 3
Joined: Wed Jul 16, 2003 9:35 pm

Post by mrfizz »

Hi,

When you enable users to keep custom graph settings, they are able to see the titles of all of your Graph Hierarchies. This is problematic for me because 1) we have a multi-user system, 2) we use customer names in the Graph Hierarchies and 3) we want to keep customer names confidential.

The problem area seems to be line 108 of graph_settings.php. In the SQL query, if you could cross-reference auth_graph_hierarchy with graph_hierarchy, you could list just the Hierarchies that the user had permission to see. Something like:

SELECT T1.*, T2.* FROM auth_graph_hierarchy T1, graph_hierarchy T2 WHERE T1.UserID='$user_id' AND T2.ID=T1.HierarchyID

I am having a little trouble running down all of the variables and functions to make the above query work correctly.

Has this issue been pointed out before? I have searched but was unable to locate it.

Thanks for an awesome product!
raX
Lead Developer
Posts: 2243
Joined: Sat Oct 13, 2001 7:00 pm
Location: Carlisle, PA
Contact:

Post by raX »

I believe this issue has been fixed in the 0.8.x releases of Cacti. I suggest that you upgrade to 0.8, and then to 0.8.2a.

-Ian
mrfizz
Posts: 3
Joined: Wed Jul 16, 2003 9:35 pm

Post by mrfizz »

hrm... I attempted the upgrade last night only to discover that the "Output String" field for the Data Input Sources had been limited to 255 chars. Our security policy forbids SNMP, so I am currently using scripts for *all* of my data input and my longest output string definition is over 2,200 chars. I really do *want* to upgrade to stay current but I have 4800 rrd_graph_item records, 1100 rrd_ds, and over 200 rrd_graph... Has anyone else requested that this Med. Int. be changed back to Med. Blob for 0.8.3?

The other major problem standing in my way is the new requirements for multi-output formats. This can be changed but will require some time...

But hey! It's job security I suppose.
Guest

Post by Guest »

Okay, obviously I have used Cacti in ways it wasn't originally designed and I've worked my way into a corner here and need a temporary quick way out. Anyone in a similar position may benefit from this change to line 108 of graph_settings.php in previous versions (I am on 0.6.8a):

Code:

DrawFormItemDropdownFromSQL("treeid",$cnn_id,"select graph_hierarchy.ID, graph_hierarchy.Name, auth_graph_hierarchy.UserID from graph_hierarchy left join auth_graph_hierarchy on (graph_hierarchy.ID=auth_graph_hierarchy.HierarchyID and auth_graph_hierarchy.UserID='$user_id') where auth_graph_hierarchy.UserID is not null order by graph_hierarchy.Name",

This seems to fix the problem from my original post. Thanks Ian for pointing me to the latest version, where I was able to derive this dirty fix.

-Aaron
mrfizz
Posts: 3
Joined: Wed Jul 16, 2003 9:35 pm

Post by mrfizz »

Well that was close but not quite. Didn't work for "admin" and other users who had "Allow" by default. Again, deriving from Ian's new code, here is the way it should look:

Code:

/* find GraphPolicy for user */
$query="SELECT GraphPolicy FROM auth_users WHERE ID='$user_id'";
$result=mysql_query($query);
$graph_policy=mysql_result($result, 0);
if ($graph_policy == "1") {
  /* policy 1: list hierarchies that have no auth_graph_hierarchy row for this user */
  $sql_where = "where auth_graph_hierarchy.UserID is null";
} elseif ($graph_policy == "2") {
  /* policy 2: list only hierarchies that have an auth_graph_hierarchy row for this user */
  $sql_where = "where auth_graph_hierarchy.UserID is not null";
}
/* the left join keeps every hierarchy; $sql_where then filters by the user's policy */
DrawFormItemDropdownFromSQL("treeid",$cnn_id,"select graph_hierarchy.ID, graph_hierarchy.Name, auth_graph_hierarchy.UserID from graph_hierarchy left join auth_graph_hierarchy on (graph_hierarchy.ID=auth_graph_hierarchy.HierarchyID and auth_graph_hierarchy.UserID='$user_id') $sql_where order by graph_hierarchy.Name",

-Aaron
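
The policy-dependent filter from the posts above, as an added example that is not part of the thread or of Cacti's own code: it runs the same left join on an in-memory SQLite database so the result for each kind of user can be checked. Table and column names follow the posted queries; the sample rows, the reading of GraphPolicy 1 as "allow by default" and 2 as "deny by default", the bound user ID parameter and the empty result for an unknown user or policy are assumptions of this example.

```python
import sqlite3

# Constructed schema and rows; names follow the queries posted in the thread.
SCHEMA = """
CREATE TABLE auth_users (ID INTEGER PRIMARY KEY, Username TEXT, GraphPolicy INTEGER);
CREATE TABLE graph_hierarchy (ID INTEGER PRIMARY KEY, Name TEXT);
CREATE TABLE auth_graph_hierarchy (UserID INTEGER, HierarchyID INTEGER);
INSERT INTO auth_users VALUES
  (1, 'admin', 1), (2, 'cust_a', 2), (3, 'ops', 1), (4, 'no_policy', NULL);
INSERT INTO graph_hierarchy VALUES
  (10, 'Customer A'), (11, 'Customer B'), (12, 'Internal');
-- Under policy 2 a row grants access; under policy 1 a row is an exception.
INSERT INTO auth_graph_hierarchy VALUES (2, 10), (3, 11);
"""

QUERY = """
SELECT gh.ID, gh.Name
FROM graph_hierarchy gh
LEFT JOIN auth_graph_hierarchy agh
  ON gh.ID = agh.HierarchyID AND agh.UserID = ?
WHERE {predicate}
ORDER BY gh.Name
"""

# Only these fixed strings are ever formatted into the query text;
# the user ID itself is always passed as a bound parameter.
PREDICATES = {1: "agh.UserID IS NULL", 2: "agh.UserID IS NOT NULL"}


def visible_hierarchies(conn, user_id):
    """Return the hierarchy names the settings dropdown may show to user_id."""
    row = conn.execute(
        "SELECT GraphPolicy FROM auth_users WHERE ID = ?", (user_id,)
    ).fetchone()
    predicate = PREDICATES.get(row[0]) if row else None
    if predicate is None:
        return []  # unknown user or unrecognised policy: show nothing
    rows = conn.execute(QUERY.format(predicate=predicate), (user_id,)).fetchall()
    return [name for _id, name in rows]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return {uid: visible_hierarchies(conn, uid) for uid in (1, 2, 3, 4, 99)}


if __name__ == "__main__":
    for uid, names in demo().items():
        print(uid, names)
```
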