Details
Bug
Resolution: Unresolved
Critical
None
Enterprise Edition
None
Description
Environment
Observium Version: 26.4.14843
Operating System: Debian 12
Web Server: Apache HTTP Server (Apache2) 2.4.67
PHP Version: 8.2.3
Description
Users who have level 1 permissions assigned through device groups are unable to properly use line graph or stacked graph views. The graphs initially load and display correctly, but when the user clicks on a graph and attempts to change the displayed time range (for example: custom period), the system returns a "Permission denied" message.
This behavior appears to affect users whose access permissions are granted through device groups.
Steps to Reproduce
1. Open the Observium web UI
2. Log in with a level 1 user account that has permissions through device groups
3. Navigate to a device group page
4. Select a line graph or stacked graph
5. Click on the graph and select another time period
Actual Behavior
The graph initially loads and displays correctly
After clicking the graph and attempting to change the displayed time range, a "Permission denied" error appears
Expected Behavior
Users with access to the device group should be able to interact with graphs normally
Changing graph time ranges should work without permission errors
Graph permissions should respect the same group permissions used for initial graph visibility
Impact
This issue makes it difficult for users to:
Analyze historical trends
Investigate issues over different time periods
Fully utilize graph functionality while using group-based access control
Additional Notes
Initial graph rendering works correctly, which indicates users already have sufficient visibility permissions
The permission check may not correctly handle group-based access when loading graph detail views
This could be related to graph-specific authorization logic not inheriting device group permissions properly