Details
- Type: Bug
- Resolution: Fixed
- Priority: Critical
- None
- Enterprise Edition
- Observium Version: 26.4.14797
- Operating System: Debian 12
- Web Server: Apache HTTP Server (Apache2) 2.4.67
- PHP Version: 8.2.3
Description
LDAP users with permission level 1 are currently unable to use API tokens to access their assigned devices via the Observium API.
API token authentication itself works, but device queries return an empty result set for users with level 1. Increasing the same user's permission level (for example to 5, 7, or 10) immediately allows access to devices through the API.
This appears to affect only low-permission LDAP users using API tokens.
Steps to Reproduce
- Log into the Observium web UI
- Navigate to API Tokens
- Create an API token for the user with permission level 1
- Execute the following API request:
  curl -H "Authorization: Bearer YOUR_TOKEN_HERE" "https://observium.xxx.xx/api/v0/devices"
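The request above only tells you that the token was accepted; the interesting part is separating "token rejected" from "token accepted but the authorization layer returned nothing" and, once a fix or workaround is applied, "the user now sees more devices than were assigned". The script below is an added example and is not Observium code; it assumes the endpoint path and the empty-response shape shown in this report, that a populated response carries devices either as a list or as an object keyed by device_id (an assumption about PHP json_encode of an associative array), and that a rejected token produces an HTTP 401/403 or a body whose "status" is not "ok". The function and sample names are hypothetical.

```python
"""Check what a level-1 user's API token can actually see.

Added example, not Observium code. Assumes GET /api/v0/devices with a bearer
token, as in the report. Offline samples are constructed for illustration.
"""
import json
import urllib.error
import urllib.request

# Constructed sample bodies. The first is copied from the report; the second
# is an assumed shape for a working query (devices keyed by device_id).
SAMPLE_EMPTY = '{"count":0,"status":"ok","devices":[]}'
SAMPLE_OK = ('{"count":2,"status":"ok","devices":{'
             '"1":{"device_id":1,"hostname":"core-sw1"},'
             '"2":{"device_id":2,"hostname":"edge-r1"}}}')


def fetch_devices(base_url, token, timeout=10):
    """GET /api/v0/devices with a bearer token (network call; not used offline).

    Returns (http_status, parsed_body) or (http_status, None) when the server
    rejects the request outright.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v0/devices",
        headers={"Authorization": "Bearer " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, None


def device_ids(body):
    """Sorted device_ids from a response, whether devices is a list or a dict."""
    devs = body.get("devices") or []
    if isinstance(devs, dict):          # assumed shape for non-empty results
        devs = list(devs.values())
    return sorted(int(d["device_id"]) for d in devs)


def classify(http_status, body, expected_ids):
    """Name the outcome that matters for this report.

    auth_failed              : token not accepted (HTTP 401/403 or status != ok)
    authenticated_but_empty  : token accepted, authorization returned nothing
    over_permissioned        : user sees devices that were not assigned to them
    partial                  : some assigned devices are missing
    ok                       : exactly the assigned devices are visible
    """
    if http_status in (401, 403) or body is None or body.get("status") != "ok":
        return "auth_failed"
    seen = set(device_ids(body))
    expected = set(expected_ids)
    if not seen:
        return "authenticated_but_empty"
    if seen - expected:
        return "over_permissioned"   # a workaround that raises the level lands here
    if expected - seen:
        return "partial"
    return "ok"


def check_token(base_url, token, expected_ids):
    """Live check: fetch with the token and classify the result."""
    status, body = fetch_devices(base_url, token)
    return classify(status, body, expected_ids)


if __name__ == "__main__":
    # Offline demonstration using the constructed samples.
    print(classify(200, json.loads(SAMPLE_EMPTY), [1, 2]))
    print(classify(200, json.loads(SAMPLE_OK), [1, 2]))
```

Run `check_token("https://observium.xxx.xx", token, assigned_ids)` once with the level-1 token and again after any permission change; the second run should come back "ok", not "over_permissioned", otherwise the workaround has widened the user's view beyond their assigned devices.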
Actual Behavior
The API returns an empty device list:
{"count":0,"status":"ok","devices":[]}
Expected Behavior
Users with permission level 1 should be able to access devices assigned to them when authenticating with valid API tokens.
Impact
This issue prevents:
- LDAP users with restricted permissions from using the API
- Automation and integrations for low-privilege users
- Consistent permission behavior between the web UI and API
It especially affects environments where users should only have access to their own assigned devices.
Additional Notes
- The issue only occurs with permission level 1
- Raising the user's permission level (e.g. 5) immediately restores API functionality
- Web UI access appears to work correctly for the same users
- This may indicate that API authorization does not correctly evaluate device permissions for level 1 LDAP users
The API response should include the devices the user is permitted to view in the web interface.