['min_user_type' => USER_TYPE_ZABBIX_USER], 'create' => ['min_user_type' => USER_TYPE_SUPER_ADMIN], 'update' => ['min_user_type' => USER_TYPE_SUPER_ADMIN], 'delete' => ['min_user_type' => USER_TYPE_SUPER_ADMIN] ]; protected $tableName = 'usrgrp'; protected $tableAlias = 'g'; protected $sortColumns = ['usrgrpid', 'name']; /** * Get user groups. * * @param array $options * @param array $options['usrgrpids'] * @param array $options['userids'] * @param bool $options['status'] * @param bool $options['selectUsers'] * @param int $options['count'] * @param string $options['pattern'] * @param int $options['limit'] * @param string $options['order'] * * @return array */ public function get($options = []) { $result = []; $sqlParts = [ 'select' => ['usrgrp' => 'g.usrgrpid'], 'from' => ['usrgrp' => 'usrgrp g'], 'where' => [], 'order' => [], 'limit' => null ]; $defOptions = [ 'usrgrpids' => null, 'userids' => null, 'status' => null, // filter 'filter' => null, 'search' => null, 'searchByAny' => null, 'startSearch' => false, 'excludeSearch' => false, 'searchWildcardsEnabled' => null, // output 'editable' => false, 'output' => API_OUTPUT_EXTEND, 'selectUsers' => null, 'selectRights' => null, 'selectHostGroupRights' => null, 'selectTemplateGroupRights' => null, 'selectTagFilters' => null, 'countOutput' => false, 'preservekeys' => false, 'sortfield' => '', 'sortorder' => '', 'limit' => null ]; $options = zbx_array_merge($defOptions, $options); $this->checkDeprecatedParam($options, 'selectRights'); // permissions if (self::$userData['type'] != USER_TYPE_SUPER_ADMIN) { if (!$options['editable']) { $sqlParts['where'][] = 'g.usrgrpid IN ('. 'SELECT uug.usrgrpid'. ' FROM users_groups uug'. ' WHERE uug.userid='.self::$userData['userid']. ')'; } else { return []; } } // usrgrpids if (!is_null($options['usrgrpids'])) { zbx_value2array($options['usrgrpids']); $sqlParts['where'][] = dbConditionInt('g.usrgrpid', $options['usrgrpids']); } // userids if (!is_null($options['userids'])) { zbx_value2array($options['userids']); $sqlParts['from']['users_groups'] = 'users_groups ug'; $sqlParts['where'][] = dbConditionInt('ug.userid', $options['userids']); $sqlParts['where']['gug'] = 'g.usrgrpid=ug.usrgrpid'; } // status if (!is_null($options['status'])) { $sqlParts['where'][] = 'g.users_status='.zbx_dbstr($options['status']); } // filter if (is_array($options['filter'])) { $this->dbFilter('usrgrp g', $options, $sqlParts); } // search if (is_array($options['search'])) { zbx_db_search('usrgrp g', $options, $sqlParts); } // limit if (zbx_ctype_digit($options['limit']) && $options['limit']) { $sqlParts['limit'] = $options['limit']; } $sqlParts = $this->applyQueryOutputOptions($this->tableName(), $this->tableAlias(), $options, $sqlParts); $sqlParts = $this->applyQuerySortOptions($this->tableName(), $this->tableAlias(), $options, $sqlParts); $res = DBselect(self::createSelectQueryFromParts($sqlParts), $sqlParts['limit']); while ($usrgrp = DBfetch($res)) { if ($options['countOutput']) { $result = $usrgrp['rowscount']; } else { $result[$usrgrp['usrgrpid']] = $usrgrp; } } if ($options['countOutput']) { return $result; } if ($result) { $result = $this->addRelatedObjects($options, $result); } // removing keys (hash -> array) if (!$options['preservekeys']) { $result = zbx_cleanHashes($result); } return $result; } /** * @param array $usrgrps * * @return array */ public function create(array $usrgrps) { if (self::$userData['type'] != USER_TYPE_SUPER_ADMIN) { self::exception(ZBX_API_ERROR_PERMISSIONS, _s('No permissions to call "%1$s.%2$s".', 'usergroup', __FUNCTION__) ); } $this->validateCreate($usrgrps); $ins_usrgrps = []; foreach ($usrgrps as $usrgrp) { unset($usrgrp['hostgroup_rights'], $usrgrp['templategroup_rights'], $usrgrp['tag_filters'], $usrgrp['users'] ); $ins_usrgrps[] = $usrgrp; } $usrgrpids = DB::insert('usrgrp', $ins_usrgrps); foreach ($usrgrps as $index => &$usrgrp) { $usrgrp['usrgrpid'] = $usrgrpids[$index]; } unset($usrgrp); self::updateRights($usrgrps); self::updateTagFilters($usrgrps); self::updateUsers($usrgrps); self::addAuditLog(CAudit::ACTION_ADD, CAudit::RESOURCE_USER_GROUP, $usrgrps); return ['usrgrpids' => $usrgrpids]; } /** * @param array $usrgrps * * @throws APIException if the input is invalid. */ private function validateCreate(array &$usrgrps) { $api_input_rules = ['type' => API_OBJECTS, 'flags' => API_NOT_EMPTY | API_NORMALIZE, 'uniq' => [['name']], 'fields' => [ 'name' => ['type' => API_STRING_UTF8, 'flags' => API_REQUIRED | API_NOT_EMPTY, 'length' => DB::getFieldLength('usrgrp', 'name')], 'debug_mode' => ['type' => API_INT32, 'in' => implode(',', [GROUP_DEBUG_MODE_DISABLED, GROUP_DEBUG_MODE_ENABLED])], 'gui_access' => ['type' => API_INT32, 'in' => implode(',', [GROUP_GUI_ACCESS_SYSTEM, GROUP_GUI_ACCESS_INTERNAL, GROUP_GUI_ACCESS_LDAP, GROUP_GUI_ACCESS_DISABLED]), 'default' => DB::getDefault('usrgrp', 'gui_access')], 'users_status' => ['type' => API_INT32, 'in' => implode(',', [GROUP_STATUS_ENABLED, GROUP_STATUS_DISABLED])], 'userdirectoryid' => ['type' => API_MULTIPLE, 'rules' => [ ['if' => ['field' => 'gui_access', 'in' => implode(',', [GROUP_GUI_ACCESS_SYSTEM, GROUP_GUI_ACCESS_LDAP])], 'type' => API_ID], ['else' => true, 'type' => API_UNEXPECTED] ]], 'rights' => ['type' => API_OBJECTS, 'flags' => API_NORMALIZE | API_DEPRECATED, 'replacement' => 'hostgroup_rights', 'uniq' => [['id']], 'fields' => [ 'id' => ['type' => API_ID, 'flags' => API_REQUIRED], 'permission' => ['type' => API_INT32, 'flags' => API_REQUIRED, 'in' => implode(',', [PERM_DENY, PERM_READ, PERM_READ_WRITE])] ]], 'hostgroup_rights' => ['type' => API_OBJECTS, 'flags' => API_NORMALIZE, 'uniq' => [['id']], 'fields' => [ 'id' => ['type' => API_ID, 'flags' => API_REQUIRED], 'permission' => ['type' => API_INT32, 'flags' => API_REQUIRED, 'in' => implode(',', [PERM_DENY, PERM_READ, PERM_READ_WRITE])] ]], 'templategroup_rights' => ['type' => API_OBJECTS, 'flags' => API_NORMALIZE, 'uniq' => [['id']], 'fields' => [ 'id' => ['type' => API_ID, 'flags' => API_REQUIRED], 'permission' => ['type' => API_INT32, 'flags' => API_REQUIRED, 'in' => implode(',', [PERM_DENY, PERM_READ, PERM_READ_WRITE])] ]], 'tag_filters' => ['type' => API_OBJECTS, 'uniq' => [['groupid', 'tag', 'value']], 'fields' => [ 'groupid' => ['type' => API_ID, 'flags' => API_REQUIRED], 'tag' => ['type' => API_STRING_UTF8, 'length' => DB::getFieldLength('tag_filter', 'tag'), 'default' => DB::getDefault('tag_filter', 'tag')], 'value' => ['type' => API_STRING_UTF8, 'length' => DB::getFieldLength('tag_filter', 'value'), 'default' => DB::getDefault('tag_filter', 'value')] ]], 'userids' => ['type' => API_IDS, 'flags' => API_NORMALIZE | API_DEPRECATED, 'uniq' => true], 'users' => ['type' => API_OBJECTS, 'flags' => API_NORMALIZE, 'uniq' => [['userid']], 'fields' => [ 'userid' => ['type' => API_ID, 'flags' => API_REQUIRED] ]] ]]; if (!CApiInputValidator::validate($api_input_rules, $usrgrps, '/', $error)) { self::exception(ZBX_API_ERROR_PARAMETERS, $error); } foreach ($usrgrps as &$usrgrp) { if (array_key_exists('userids', $usrgrp)) { if (array_key_exists('users', $usrgrp)) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('Parameter "%1$s" is deprecated.', 'userids')); } $usrgrp['users'] = zbx_toObject($usrgrp['userids'], 'userid'); unset($usrgrp['userids']); } } unset($usrgrp); $this->checkDuplicates(array_column($usrgrps, 'name')); $this->checkUsers($usrgrps); $this->checkHimself($usrgrps, __FUNCTION__); $this->checkTemplateGroups($usrgrps); $this->checkHostGroups($usrgrps); $this->checkTagFilters($usrgrps); self::checkUserDirectories($usrgrps); } /** * @param array $usrgrps * * @return array */ public function update($usrgrps) { if (self::$userData['type'] != USER_TYPE_SUPER_ADMIN) { self::exception(ZBX_API_ERROR_PERMISSIONS, _s('No permissions to call "%1$s.%2$s".', 'usergroup', __FUNCTION__) ); } $this->validateUpdate($usrgrps, $db_usrgrps); self::updateForce($usrgrps, $db_usrgrps); return ['usrgrpids'=> array_column($usrgrps, 'usrgrpid')]; } /** * @param array $usrgrps * @param array $db_usrgrps * * @throws APIException if the input is invalid. */ private function validateUpdate(array &$usrgrps, array &$db_usrgrps = null) { $api_input_rules = ['type' => API_OBJECTS, 'flags' => API_NOT_EMPTY | API_NORMALIZE | API_ALLOW_UNEXPECTED, 'uniq' => [['usrgrpid']], 'fields' => [ 'usrgrpid' => ['type' => API_ID, 'flags' => API_REQUIRED] ]]; if (!CApiInputValidator::validate($api_input_rules, $usrgrps, '/', $error)) { self::exception(ZBX_API_ERROR_PARAMETERS, $error); } $usrgrpids = array_column($usrgrps, 'usrgrpid'); $db_usrgrps = API::UserGroup()->get([ 'output' => ['usrgrpid', 'name', 'debug_mode', 'gui_access', 'users_status'], 'usrgrpids' => $usrgrpids, 'preservekeys' => true ]); if (count($usrgrpids) != count($db_usrgrps)) { self::exception(ZBX_API_ERROR_PERMISSIONS, _('No permissions to referred object or it does not exist!')); } $enabled_groupids = array_keys(array_column($usrgrps, 'users_status', 'usrgrpid'), GROUP_STATUS_ENABLED); $disabled_user_groupid = CAuthenticationHelper::get(CAuthenticationHelper::DISABLED_USER_GROUPID); if ($enabled_groupids && in_array($disabled_user_groupid, $enabled_groupids)) { static::exception(ZBX_API_ERROR_PARAMETERS, _('Deprovisioned users group cannot be enabled.')); } $names = []; $usrgrps = $this->extendObjectsByKey($usrgrps, $db_usrgrps, 'usrgrpid', ['gui_access']); $api_input_rules = ['type' => API_OBJECTS, 'flags' => API_NOT_EMPTY | API_NORMALIZE, 'uniq' => [['name']], 'fields' => [ 'usrgrpid' => ['type' => API_ID], 'name' => ['type' => API_STRING_UTF8, 'flags' => API_NOT_EMPTY, 'length' => DB::getFieldLength('usrgrp', 'name')], 'debug_mode' => ['type' => API_INT32, 'in' => implode(',', [GROUP_DEBUG_MODE_DISABLED, GROUP_DEBUG_MODE_ENABLED])], 'gui_access' => ['type' => API_INT32, 'in' => implode(',', [GROUP_GUI_ACCESS_SYSTEM, GROUP_GUI_ACCESS_INTERNAL, GROUP_GUI_ACCESS_LDAP, GROUP_GUI_ACCESS_DISABLED])], 'users_status' => ['type' => API_INT32, 'in' => implode(',', [GROUP_STATUS_ENABLED, GROUP_STATUS_DISABLED])], 'userdirectoryid' => ['type' => API_MULTIPLE, 'rules' => [ ['if' => ['field' => 'gui_access', 'in' => implode(',', [GROUP_GUI_ACCESS_SYSTEM, GROUP_GUI_ACCESS_LDAP])], 'type' => API_ID], ['else' => true, 'type' => API_UNEXPECTED] ]], 'rights' => ['type' => API_OBJECTS, 'flags' => API_NORMALIZE | API_DEPRECATED, 'replacement' => 'hostgroup_rights', 'uniq' => [['id']], 'fields' => [ 'id' => ['type' => API_ID, 'flags' => API_REQUIRED], 'permission' => ['type' => API_INT32, 'flags' => API_REQUIRED, 'in' => implode(',', [PERM_DENY, PERM_READ, PERM_READ_WRITE])] ]], 'hostgroup_rights' => ['type' => API_OBJECTS, 'flags' => API_NORMALIZE, 'uniq' => [['id']], 'fields' => [ 'id' => ['type' => API_ID, 'flags' => API_REQUIRED], 'permission' => ['type' => API_INT32, 'flags' => API_REQUIRED, 'in' => implode(',', [PERM_DENY, PERM_READ, PERM_READ_WRITE])] ]], 'templategroup_rights' => ['type' => API_OBJECTS, 'flags' => API_NORMALIZE, 'uniq' => [['id']], 'fields' => [ 'id' => ['type' => API_ID, 'flags' => API_REQUIRED], 'permission' => ['type' => API_INT32, 'flags' => API_REQUIRED, 'in' => implode(',', [PERM_DENY, PERM_READ, PERM_READ_WRITE])] ]], 'tag_filters' => ['type' => API_OBJECTS, 'uniq' => [['groupid', 'tag', 'value']], 'fields' => [ 'groupid' => ['type' => API_ID, 'flags' => API_REQUIRED], 'tag' => ['type' => API_STRING_UTF8, 'length' => DB::getFieldLength('tag_filter', 'tag'), 'default' => DB::getDefault('tag_filter', 'tag')], 'value' => ['type' => API_STRING_UTF8, 'length' => DB::getFieldLength('tag_filter', 'value'), 'default' => DB::getDefault('tag_filter', 'value')] ]], 'userids' => ['type' => API_IDS, 'flags' => API_NORMALIZE | API_DEPRECATED, 'uniq' => true], 'users' => ['type' => API_OBJECTS, 'flags' => API_NORMALIZE, 'uniq' => [['userid']], 'fields' => [ 'userid' => ['type' => API_ID, 'flags' => API_REQUIRED] ]] ]]; if (!CApiInputValidator::validate($api_input_rules, $usrgrps, '/', $error)) { self::exception(ZBX_API_ERROR_PARAMETERS, $error); } foreach ($usrgrps as &$usrgrp) { if (array_key_exists('userids', $usrgrp)) { if (array_key_exists('users', $usrgrp)) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('Parameter "%1$s" is deprecated.', 'userids')); } $usrgrp['users'] = zbx_toObject($usrgrp['userids'], 'userid'); unset($usrgrp['userids']); } $db_usrgrp = $db_usrgrps[$usrgrp['usrgrpid']]; if (array_key_exists('name', $usrgrp) && $usrgrp['name'] !== $db_usrgrp['name']) { $names[] = $usrgrp['name']; } if (array_key_exists('gui_access', $usrgrp) && $usrgrp['gui_access'] != $db_usrgrp['gui_access'] && $usrgrp['gui_access'] != GROUP_GUI_ACCESS_LDAP && $usrgrp['gui_access'] != GROUP_GUI_ACCESS_SYSTEM) { $usrgrp['userdirectoryid'] = 0; } } unset($usrgrp); self::addAffectedObjects($usrgrps, $db_usrgrps); if ($names) { $this->checkDuplicates($names); } $this->checkUsers($usrgrps); $this->checkHimself($usrgrps, __FUNCTION__, $db_usrgrps); $this->checkUsersWithoutGroups($usrgrps); $this->checkTemplateGroups($usrgrps); $this->checkHostGroups($usrgrps); $this->checkTagFilters($usrgrps); self::checkUserDirectories($usrgrps); } /** * Check for duplicated user groups. * * @param array $names * * @throws APIException if user group already exists. */ private function checkDuplicates(array $names) { $db_usrgrps = DB::select('usrgrp', [ 'output' => ['name'], 'filter' => ['name' => $names], 'limit' => 1 ]); if ($db_usrgrps) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('User group "%1$s" already exists.', $db_usrgrps[0]['name'])); } } /** * Check for valid users. * * @param array $usrgrps * @param array $usrgrps[]['users'] (optional) * @param string $usrgrps[]['users'][]['userid'] * * @throws APIException */ private function checkUsers(array $usrgrps) { $userids = []; foreach ($usrgrps as $usrgrp) { if (array_key_exists('users', $usrgrp)) { foreach ($usrgrp['users'] as $user) { $userids[$user['userid']] = true; } } } if (!$userids) { return; } $userids = array_keys($userids); $db_users = DB::select('users', [ 'output' => [], 'userids' => $userids, 'preservekeys' => true ]); foreach ($userids as $userid) { if (!array_key_exists($userid, $db_users)) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('User with ID "%1$s" is not available.', $userid)); } } } /** * Check for valid template groups. * * @param array $usrgrps * @param array $usrgrps[]['templategroup_rights'] (optional) * * @throws APIException */ private function checkTemplateGroups(array $usrgrps) { $groupids = []; foreach ($usrgrps as $usrgrp) { if (array_key_exists('templategroup_rights', $usrgrp)) { foreach ($usrgrp['templategroup_rights'] as $right) { $groupids[$right['id']] = true; } } } if (!$groupids) { return; } $groupids = array_keys($groupids); $db_groups = DB::select('hstgrp', [ 'output' => [], 'groupids' => $groupids, 'filter' => ['type' => HOST_GROUP_TYPE_TEMPLATE_GROUP], 'preservekeys' => true ]); foreach ($groupids as $groupid) { if (!array_key_exists($groupid, $db_groups)) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('Template group with ID "%1$s" is not available.', $groupid) ); } } } /** * Check for valid host groups. * * @param array $usrgrps * @param array $usrgrps[]['hostgroup_rights'] (optional) * @param array $usrgrps[]['tag_filters'] (optional) * * @throws APIException */ private function checkHostGroups(array $usrgrps) { $groupids = []; foreach ($usrgrps as $usrgrp) { if (array_key_exists('hostgroup_rights', $usrgrp)) { foreach ($usrgrp['hostgroup_rights'] as $right) { $groupids[$right['id']] = true; } } if (array_key_exists('tag_filters', $usrgrp)) { foreach ($usrgrp['tag_filters'] as $tag_filter) { $groupids[$tag_filter['groupid']] = true; } } } if (!$groupids) { return; } $groupids = array_keys($groupids); $db_groups = DB::select('hstgrp', [ 'output' => [], 'groupids' => $groupids, 'filter' => ['type' => HOST_GROUP_TYPE_HOST_GROUP], 'preservekeys' => true ]); foreach ($groupids as $groupid) { if (!array_key_exists($groupid, $db_groups)) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('Host group with ID "%1$s" is not available.', $groupid)); } } } /** * Tag filter validation. * * @param array $usrgrps * * @throws APIException */ private function checkTagFilters(array $usrgrps) { foreach ($usrgrps as $usrgrp) { if (array_key_exists('tag_filters', $usrgrp)) { foreach ($usrgrp['tag_filters'] as $tag_filter) { if ($tag_filter['tag'] === '' && $tag_filter['value'] !== '') { self::exception(ZBX_API_ERROR_PARAMETERS, _s('Incorrect value for field "%1$s": %2$s.', _('tag'), _('cannot be empty')) ); } } } } } /** * Auxiliary function for checkHimself(). * Returns true if user group has GROUP_GUI_ACCESS_DISABLED or GROUP_STATUS_DISABLED states. * * @param array $usrgrp * @param string $method * @param array $db_usrgrps * * @return bool */ private static function userGroupDisabled(array $usrgrp, $method, array $db_usrgrps = null) { $gui_access = array_key_exists('gui_access', $usrgrp) ? $usrgrp['gui_access'] : ($method === 'validateCreate' ? GROUP_GUI_ACCESS_SYSTEM : $db_usrgrps[$usrgrp['usrgrpid']]['gui_access']); $users_status = array_key_exists('users_status', $usrgrp) ? $usrgrp['users_status'] : ($method === 'validateCreate' ? GROUP_STATUS_ENABLED : $db_usrgrps[$usrgrp['usrgrpid']]['users_status']); return ($gui_access == GROUP_GUI_ACCESS_DISABLED || $users_status == GROUP_STATUS_DISABLED); } /** * Additional check to exclude an opportunity to deactivate himself. * * @param array $usrgrps * @param string $method * @param array $db_usrgrps * * @throws APIException */ private function checkHimself(array $usrgrps, $method, array $db_usrgrps = null) { if ($method === 'validateUpdate') { $groups_users = []; foreach ($usrgrps as $usrgrp) { if (self::userGroupDisabled($usrgrp, $method, $db_usrgrps) && !array_key_exists('users', $usrgrp)) { $groups_users[$usrgrp['usrgrpid']] = []; } } if ($groups_users) { $db_users_groups = DB::select('users_groups', [ 'output' => ['usrgrpid', 'userid'], 'filter' => ['usrgrpid' => array_keys($groups_users)] ]); foreach ($db_users_groups as $db_user_group) { $groups_users[$db_user_group['usrgrpid']][] = ['userid' => $db_user_group['userid']]; } foreach ($usrgrps as &$usrgrp) { if (self::userGroupDisabled($usrgrp, $method, $db_usrgrps) && !array_key_exists('users', $usrgrp)) { $usrgrp['users'] = $groups_users[$usrgrp['usrgrpid']]; } } unset($usrgrp); } } foreach ($usrgrps as $usrgrp) { if (self::userGroupDisabled($usrgrp, $method, $db_usrgrps) && array_key_exists('users', $usrgrp)) { foreach ($usrgrp['users'] as $user) { if (bccomp(self::$userData['userid'], $user['userid']) == 0) { self::exception(ZBX_API_ERROR_PARAMETERS, _('User cannot add himself to a disabled group or a group with disabled GUI access.') ); } } } } } /** * Check to exclude an opportunity to leave user without user groups. * * @param array $usrgrps * @param array $usrgrps[]['usrgrpid'] * @param array $usrgrps[]['users'] (optional) * @param string $usrgrps[]['users'][]['userid'] * * @throws APIException */ private function checkUsersWithoutGroups(array $usrgrps) { $users_groups = []; foreach ($usrgrps as $usrgrp) { if (array_key_exists('users', $usrgrp)) { $users_groups[$usrgrp['usrgrpid']] = []; foreach ($usrgrp['users'] as $user) { $users_groups[$usrgrp['usrgrpid']][$user['userid']] = true; } } } if (!$users_groups) { return; } $db_users_groups = DB::select('users_groups', [ 'output' => ['usrgrpid', 'userid'], 'filter' => ['usrgrpid' => array_keys($users_groups)] ]); $ins_userids = []; $del_userids = []; foreach ($db_users_groups as $db_user_group) { if (array_key_exists($db_user_group['userid'], $users_groups[$db_user_group['usrgrpid']])) { unset($users_groups[$db_user_group['usrgrpid']][$db_user_group['userid']]); } else { if (!array_key_exists($db_user_group['userid'], $del_userids)) { $del_userids[$db_user_group['userid']] = 0; } $del_userids[$db_user_group['userid']]++; } } foreach ($users_groups as $usrgrpid => $userids) { foreach (array_keys($userids) as $userid) { $ins_userids[$userid] = true; } } $del_userids = array_diff_key($del_userids, $ins_userids); if (!$del_userids) { return; } $db_users = DBselect( 'SELECT u.userid,u.username,count(ug.usrgrpid) as usrgrp_num'. ' FROM users u,users_groups ug'. ' WHERE u.userid=ug.userid'. ' AND '.dbConditionInt('u.userid', array_keys($del_userids)). ' GROUP BY u.userid,u.username' ); while ($db_user = DBfetch($db_users)) { if ($db_user['usrgrp_num'] == $del_userids[$db_user['userid']]) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('User "%1$s" cannot be without user group.', $db_user['username']) ); } } } /** * @static * * @param array $usrgrps * @param array $db_usrgrps */ public static function updateForce($usrgrps, $db_usrgrps): void { $upd_usrgrps = []; foreach ($usrgrps as $usrgrp) { $db_usrgrp = $db_usrgrps[$usrgrp['usrgrpid']]; $upd_usrgrp = DB::getUpdatedValues('usrgrp', $usrgrp, $db_usrgrp); if ($upd_usrgrp) { $upd_usrgrps[] = [ 'values' => $upd_usrgrp, 'where' => ['usrgrpid' => $usrgrp['usrgrpid']] ]; } } if ($upd_usrgrps) { DB::update('usrgrp', $upd_usrgrps); } self::updateRights($usrgrps, $db_usrgrps); self::updateTagFilters($usrgrps, $db_usrgrps); self::updateUsers($usrgrps, $db_usrgrps); self::addAuditLog(CAudit::ACTION_UPDATE, CAudit::RESOURCE_USER_GROUP, $usrgrps, $db_usrgrps); } /** * @param array $usrgrps * @param null|array $db_usrgrps */ private static function updateRights(array &$usrgrps, array $db_usrgrps = null): void { $ins_rights = []; $upd_rights = []; $del_rightids = []; foreach (['hostgroup_rights', 'templategroup_rights'] as $parameter) { foreach ($usrgrps as &$usrgrp) { if (!array_key_exists($parameter, $usrgrp)) { continue; } $db_rights = $db_usrgrps !== null ? array_column($db_usrgrps[$usrgrp['usrgrpid']][$parameter], null, 'id') : []; foreach ($usrgrp[$parameter] as &$right) { if (array_key_exists($right['id'], $db_rights)) { $db_right = $db_rights[$right['id']]; unset($db_rights[$right['id']]); $right['rightid'] = $db_right['rightid']; $upd_right = DB::getUpdatedValues('rights', $right, $db_right); if ($upd_right) { $upd_rights[] = [ 'values' => $upd_right, 'where' => ['rightid' => $db_right['rightid']] ]; } } else { $ins_rights[] = [ 'groupid' => $usrgrp['usrgrpid'], 'id' => $right['id'], 'permission' => $right['permission'] ]; } } unset($right); $del_rightids = array_merge($del_rightids, array_column($db_rights, 'rightid')); } unset($usrgrp); } if ($ins_rights) { $rightids = DB::insertBatch('rights', $ins_rights); } if ($upd_rights) { DB::update('rights', $upd_rights); } if ($del_rightids) { DB::delete('rights', ['rightid' => $del_rightids]); } foreach (['hostgroup_rights', 'templategroup_rights'] as $parameter) { foreach ($usrgrps as &$usrgrp) { if (!array_key_exists($parameter, $usrgrp)) { continue; } foreach ($usrgrp[$parameter] as &$right) { if (!array_key_exists('rightid', $right)) { $right['rightid'] = array_shift($rightids); } } unset($right); } unset($usrgrp); } } /** * @param array $usrgrps * @param null|array $db_usrgrps */ private static function updateTagFilters(array &$usrgrps, array $db_usrgrps = null): void { $ins_tag_filters = []; $del_tag_filterids = []; foreach ($usrgrps as &$usrgrp) { if (!array_key_exists('tag_filters', $usrgrp)) { continue; } $db_tag_filterids_by_tag_value = []; $db_tag_filters = $db_usrgrps !== null ? $db_usrgrps[$usrgrp['usrgrpid']]['tag_filters'] : []; foreach ($db_tag_filters as $db_tag_filter) { $db_tag_filterids_by_tag_value[$db_tag_filter['groupid']][$db_tag_filter['tag']][ $db_tag_filter['value'] ] = $db_tag_filter['tag_filterid']; } foreach ($usrgrp['tag_filters'] as &$tag_filter) { $groupid = $tag_filter['groupid']; $tag = $tag_filter['tag']; $value = $tag_filter['value']; if (array_key_exists($groupid, $db_tag_filterids_by_tag_value) && array_key_exists($tag, $db_tag_filterids_by_tag_value[$groupid]) && array_key_exists($value, $db_tag_filterids_by_tag_value[$groupid][$tag])) { $tag_filterid = $db_tag_filterids_by_tag_value[$groupid][$tag][$value]; unset($db_tag_filters[$tag_filterid]); $tag_filter['tag_filterid'] = $tag_filterid; } else { $ins_tag_filters[] = [ 'usrgrpid' => $usrgrp['usrgrpid'], 'groupid' => $tag_filter['groupid'], 'tag' => $tag_filter['tag'], 'value' => $tag_filter['value'] ]; } } unset($tag_filter); $del_tag_filterids = array_merge($del_tag_filterids, array_column($db_tag_filters, 'tag_filterid')); } unset($usrgrp); if ($ins_tag_filters) { $tag_filterids = DB::insertBatch('tag_filter', $ins_tag_filters); } if ($del_tag_filterids) { DB::delete('tag_filter', ['tag_filterid' => $del_tag_filterids]); } foreach ($usrgrps as &$usrgrp) { if (!array_key_exists('tag_filters', $usrgrp)) { continue; } foreach ($usrgrp['tag_filters'] as &$tag_filter) { if (!array_key_exists('tag_filterid', $tag_filter)) { $tag_filter['tag_filterid'] = array_shift($tag_filterids); } } unset($tag_filter); } unset($usrgrp); } /** * @param array $groups * @param null|array $db_groups */ private static function updateUsers(array &$groups, array $db_groups = null): void { $users = []; $db_users = []; foreach ($groups as &$group) { if (!array_key_exists('users', $group)) { continue; } $_db_users = $db_groups !== null ? array_column($db_groups[$group['usrgrpid']]['users'], null, 'userid') : []; foreach ($group['users'] as $user) { $userid = $user['userid']; if (array_key_exists($userid, $_db_users)) { unset($_db_users[$userid]); } else { $users[$userid]['userid'] = $userid; $users[$userid]['usrgrps'][] = ['usrgrpid' => $group['usrgrpid']]; $db_users[$userid]['userid'] = $userid; $db_users[$userid]['usrgrps'] = []; } } foreach ($_db_users as $userid => $db_user) { $users[$userid]['userid'] = $userid; $users[$userid] += ['usrgrps' => []]; $db_users[$userid]['userid'] = $userid; $db_users[$userid]['usrgrps'][$db_user['id']] = [ 'id' => $db_user['id'], 'usrgrpid' => $group['usrgrpid'] ]; } unset($group['users'], $db_groups[$group['usrgrpid']]['users']); } unset($group); if (!$users) { return; } $options = [ 'output' => ['userid', 'username'], 'userids' => array_keys($users) ]; $result = DBselect(DB::makeSql('users', $options)); while ($row = DBfetch($result)) { $db_users[$row['userid']]['username'] = $row['username']; } CUser::updateForce(array_values($users), $db_users); } /** * @param array $usrgrpids * * @return array */ public function delete(array $usrgrpids) { if (self::$userData['type'] != USER_TYPE_SUPER_ADMIN) { self::exception(ZBX_API_ERROR_PERMISSIONS, _s('No permissions to call "%1$s.%2$s".', 'usergroup', __FUNCTION__) ); } $this->validateDelete($usrgrpids, $db_usrgrps); DB::delete('rights', ['groupid' => $usrgrpids]); DB::delete('users_groups', ['usrgrpid' => $usrgrpids]); DB::delete('usrgrp', ['usrgrpid' => $usrgrpids]); self::addAuditLog(CAudit::ACTION_DELETE, CAudit::RESOURCE_USER_GROUP, $db_usrgrps); return ['usrgrpids' => $usrgrpids]; } /** * @throws APIException * * @param array $usrgrpids * @param array $db_usrgrps */ protected function validateDelete(array &$usrgrpids, array &$db_usrgrps = null) { $api_input_rules = ['type' => API_IDS, 'flags' => API_NOT_EMPTY, 'uniq' => true]; if (!CApiInputValidator::validate($api_input_rules, $usrgrpids, '/', $error)) { self::exception(ZBX_API_ERROR_PARAMETERS, $error); } if (in_array(CAuthenticationHelper::get(CAuthenticationHelper::DISABLED_USER_GROUPID), $usrgrpids)) { static::exception(ZBX_API_ERROR_PARAMETERS, _('Deprovisioned users group cannot be deleted.')); } $db_usrgrps = DB::select('usrgrp', [ 'output' => ['usrgrpid', 'name'], 'usrgrpids' => $usrgrpids, 'preservekeys' => true ]); $usrgrps = []; foreach ($usrgrpids as $usrgrpid) { // Check if this user group exists. if (!array_key_exists($usrgrpid, $db_usrgrps)) { self::exception(ZBX_API_ERROR_PERMISSIONS, _('No permissions to referred object or it does not exist!') ); } $usrgrps[] = [ 'usrgrpid' => $usrgrpid, 'users' => [] ]; } // Check if user groups are used in actions. $db_actions = DBselect( 'SELECT a.name,og.usrgrpid'. ' FROM opmessage_grp og,operations o,actions a'. ' WHERE og.operationid=o.operationid'. ' AND o.actionid=a.actionid'. ' AND '.dbConditionInt('og.usrgrpid', $usrgrpids), 1 ); if ($db_action = DBfetch($db_actions)) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('User group "%1$s" is used in "%2$s" action.', $db_usrgrps[$db_action['usrgrpid']]['name'], $db_action['name'] )); } // Check if user groups are used in scripts. $db_scripts = DB::select('scripts', [ 'output' => ['name', 'usrgrpid'], 'filter' => ['usrgrpid' => $usrgrpids], 'limit' => 1 ]); if ($db_scripts) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('User group "%1$s" is used in script "%2$s".', $db_usrgrps[$db_scripts[0]['usrgrpid']]['name'], $db_scripts[0]['name'] )); } // Check if user group are used in config. if (array_key_exists(CSettingsHelper::get(CSettingsHelper::ALERT_USRGRPID), $db_usrgrps)) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('User group "%1$s" is used in configuration for database down messages.', $db_usrgrps[CSettingsHelper::get(CSettingsHelper::ALERT_USRGRPID)]['name']) ); } // Check if user groups are used in scheduled reports. $db_reports = DBselect( 'SELECT r.name,rug.usrgrpid'. ' FROM report r,report_usrgrp rug'. ' WHERE r.reportid=rug.reportid'. ' AND '.dbConditionInt('rug.usrgrpid', $usrgrpids), 1 ); if ($db_report = DBfetch($db_reports)) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('User group "%1$s" is report "%2$s" recipient.', $db_usrgrps[$db_report['usrgrpid']]['name'], $db_report['name'] )); } $this->checkUsersWithoutGroups($usrgrps); } protected function addRelatedObjects(array $options, array $result) { $result = parent::addRelatedObjects($options, $result); // adding users if ($options['selectUsers'] !== null && $options['selectUsers'] != API_OUTPUT_COUNT) { $dbUsers = []; $relationMap = $this->createRelationMap($result, 'usrgrpid', 'userid', 'users_groups'); $related_ids = $relationMap->getRelatedIds(); if ($related_ids) { $get_access = ($this->outputIsRequested('gui_access', $options['selectUsers']) || $this->outputIsRequested('debug_mode', $options['selectUsers']) || $this->outputIsRequested('users_status', $options['selectUsers'])) ? true : null; $dbUsers = API::User()->get([ 'output' => $options['selectUsers'], 'userids' => $related_ids, 'getAccess' => $get_access, 'preservekeys' => true ]); } $result = $relationMap->mapMany($result, $dbUsers, 'users'); } self::addRelatedRights($options, $result, 'selectRights'); self::addRelatedRights($options, $result, 'selectHostGroupRights'); self::addRelatedRights($options, $result, 'selectTemplateGroupRights'); // Adding usergroup tag filters. if ($options['selectTagFilters'] !== null && $options['selectTagFilters'] != API_OUTPUT_COUNT) { foreach ($result as &$usrgrp) { $usrgrp['tag_filters'] = []; } unset($usrgrp); if (is_array($options['selectTagFilters'])) { $output_fields = []; foreach ($this->outputExtend($options['selectTagFilters'], ['usrgrpid']) as $field) { if ($this->hasField($field, 'tag_filter')) { $output_fields[$field] = $this->fieldId($field, 't'); } } $output_fields = implode(',', $output_fields); } else { $output_fields = 't.*'; } $db_tag_filters = DBselect( 'SELECT '.$output_fields. ' FROM tag_filter t'. ' WHERE '.dbConditionInt('t.usrgrpid', array_keys($result)) ); while ($db_tag_filter = DBfetch($db_tag_filters)) { $usrgrpid = $db_tag_filter['usrgrpid']; unset($db_tag_filter['tag_filterid'], $db_tag_filter['usrgrpid']); $result[$usrgrpid]['tag_filters'][] = $db_tag_filter; } } return $result; } /** * Adds related host or template groups rights requested by "select*" options to the resulting object set. * * @param array $options [IN] Original input options. * @param array $result [IN/OUT] Result output. * @param string $option [IN] Possible values: * - "selectGroups" (deprecated); * - "selectHostGroups"; * - "selectTemplateGroups". */ private static function addRelatedRights(array $options, array &$result, string $option): void { if ($options[$option] === null || $options[$option] === API_OUTPUT_COUNT) { return; } switch ($option) { case 'selectRights': $output_tag = 'rights'; $types = [HOST_GROUP_TYPE_HOST_GROUP]; break; case 'selectHostGroupRights': $output_tag = 'hostgroup_rights'; $types = [HOST_GROUP_TYPE_HOST_GROUP]; break; case 'selectTemplateGroupRights': $output_tag = 'templategroup_rights'; $types = [HOST_GROUP_TYPE_TEMPLATE_GROUP]; break; } foreach ($result as &$row) { $row[$output_tag] = []; } unset($row); if (is_array($options[$option])) { $output_fields = ['groupid']; foreach ($options[$option] as $field) { if (in_array($field, ['id', 'permission'])) { $output_fields[] = $field; } } } else { $output_fields = ['groupid', 'id', 'permission']; } $sql = 'SELECT r.'.implode(',r.', $output_fields). ' FROM rights r,hstgrp hg'. ' WHERE r.id=hg.groupid'. ' AND '.dbConditionInt('hg.type', $types). ' AND '.dbConditionId('r.groupid', array_keys($result)); if (self::$userData['type'] != USER_TYPE_SUPER_ADMIN) { $sql .= ' AND '.dbConditionId('r.permission', [PERM_READ_WRITE, PERM_READ]); } $db_rights = DBselect($sql); while ($db_right = DBfetch($db_rights)) { $result[$db_right['groupid']][$output_tag][] = array_diff_key($db_right, array_flip(['groupid'])); } } /** * Add the existing rights, tag_filters and userids to $db_usrgrps whether these are affected by the update. * * @static * * @param array $usrgrps * @param array $db_usrgrps */ private static function addAffectedObjects(array $usrgrps, array &$db_usrgrps): void { $usrgrpids = ['hostgroup_rights' => [], 'templategroup_rights' => [], 'tag_filters' => [], 'users' => []]; foreach ($usrgrps as $usrgrp) { if (array_key_exists('hostgroup_rights', $usrgrp)) { $usrgrpids['hostgroup_rights'][] = $usrgrp['usrgrpid']; $db_usrgrps[$usrgrp['usrgrpid']]['hostgroup_rights'] = []; } if (array_key_exists('templategroup_rights', $usrgrp)) { $usrgrpids['templategroup_rights'][] = $usrgrp['usrgrpid']; $db_usrgrps[$usrgrp['usrgrpid']]['templategroup_rights'] = []; } if (array_key_exists('tag_filters', $usrgrp)) { $usrgrpids['tag_filters'][] = $usrgrp['usrgrpid']; $db_usrgrps[$usrgrp['usrgrpid']]['tag_filters'] = []; } if (array_key_exists('users', $usrgrp)) { $usrgrpids['users'][] = $usrgrp['usrgrpid']; $db_usrgrps[$usrgrp['usrgrpid']]['users'] = []; } } if ($usrgrpids['hostgroup_rights']) { $db_rights = DBselect( 'SELECT r.rightid,r.groupid,r.permission,r.id'. ' FROM rights r,hstgrp hg'. ' WHERE r.id=hg.groupid'. ' AND '.dbConditionId('r.groupid', $usrgrpids['hostgroup_rights']). ' AND '.dbConditionInt('hg.type', [HOST_GROUP_TYPE_HOST_GROUP]) ); while ($db_right = DBfetch($db_rights)) { $db_usrgrps[$db_right['groupid']]['hostgroup_rights'][$db_right['rightid']] = array_diff_key($db_right, array_flip(['groupid'])); } } if ($usrgrpids['templategroup_rights']) { $db_rights = DBselect( 'SELECT r.rightid,r.groupid,r.permission,r.id'. ' FROM rights r,hstgrp hg'. ' WHERE r.id=hg.groupid'. ' AND '.dbConditionId('r.groupid', $usrgrpids['templategroup_rights']). ' AND '.dbConditionInt('hg.type', [HOST_GROUP_TYPE_TEMPLATE_GROUP]) ); while ($db_right = DBfetch($db_rights)) { $db_usrgrps[$db_right['groupid']]['templategroup_rights'][$db_right['rightid']] = array_diff_key($db_right, array_flip(['groupid'])); } } if ($usrgrpids['tag_filters']) { $options = [ 'output' => ['tag_filterid', 'usrgrpid', 'groupid', 'tag', 'value'], 'filter' => ['usrgrpid' => $usrgrpids['tag_filters']] ]; $db_tags = DBselect(DB::makeSql('tag_filter', $options)); while ($db_tag = DBfetch($db_tags)) { $db_usrgrps[$db_tag['usrgrpid']]['tag_filters'][$db_tag['tag_filterid']] = array_diff_key($db_tag, array_flip(['usrgrpid'])); } } if ($usrgrpids['users']) { $options = [ 'output' => ['id', 'usrgrpid', 'userid'], 'filter' => ['usrgrpid' => $usrgrpids['users']] ]; $db_users = DBselect(DB::makeSql('users_groups', $options)); while ($db_user = DBfetch($db_users)) { $db_usrgrps[$db_user['usrgrpid']]['users'][$db_user['id']] = array_diff_key($db_user, array_flip(['usrgrpid'])); } } } /** * Check if user directories exist. * * @param array $usrgrps * @param string $usrgrps['userdirectoryid'] * * @throws APIException */ private static function checkUserDirectories(array $usrgrps): void { $userdirectoryids = array_filter(array_column($usrgrps, 'userdirectoryid')); if (!$userdirectoryids) { return; } $db_userdirectories = API::UserDirectory()->get([ 'output' => [], 'userdirectoryids' => $userdirectoryids, 'filter' => ['idp_type' => IDP_TYPE_LDAP], 'preservekeys' => true ]); foreach ($usrgrps as $i => $usrgrp) { if (array_key_exists('userdirectoryid', $usrgrp) && $usrgrp['userdirectoryid'] != 0 && !array_key_exists($usrgrp['userdirectoryid'], $db_userdirectories)) { self::exception(ZBX_API_ERROR_PARAMETERS, _s('Invalid parameter "%1$s": %2$s.', '/'.($i + 1).'/userdirectoryid', _('referred object does not exist') ) ); } } } }