ID: 8021
Title: hostgroups servicegroups: fixed host / service visible when using
group_authorization AUTH_STRICT
Component: Livestatus
Level: 1
Class: Bug fix
Version: 1.2.5i5
This only applies with the setting group_authorization = AUTH_STRICT.
When an auth user was given the livestatus tables hostgroups and servicegroups did not
check if the auth user had permissions to all objects of the group.
As a result the user was able to view host- and servicegroups, even if he was not a
contact
for every object in it. However, the "forbidden" object itself was not returned,
just a subset
of the group. This was incorrect. The user needs to be contact of every element in this
group.
Otherwise he should not see the group at all..