Cacti / plugin_reportit

ReportIt Plugin for Cacti
GNU General Public License v2.0

Unauthorized access when Cacti Authentication Method is none #81

Closed gmourani closed 5 years ago

gmourani commented 5 years ago

Hello,

If you set Cacti Authentication Method to none, then reportit doesn't let you create a new report or configuration. It looks to me that even without authentication in Cacti, reportit needs it to work!

PHP Notice: Undefined index: sess_user_id in /var/www/html/cacti/plugins/reportit/include/global_forms.php on line 72, referer: https://172.16.10.42/cacti/plugins/reportit/templates.php?action=template_new
PHP Notice: Undefined index: sess_user_id in /var/www/html/cacti/plugins/reportit/lib/funct_online.php on line 26, referer: https://172.16.10.42/cacti/plugins/reportit/reports.php?action=report_add

Regards,

netniV commented 5 years ago

ReportIT does require a user because each user has their own settings. As it's heavily relied upon throughout the plugin, for now the recommendation is to use another auth method. After all, if using Cacti's internal auth, you can select the "Remember Me" option when logging in and it'll keep logging in as that user.

cigamit commented 5 years ago

Okay, I have removed the Authentication Method of 'None' which we had planned to do in an earlier release. So, this will effectively be resolved in 1.2.

gmourani commented 5 years ago

Did you remove it in Cacti? Because the Authentication Method of 'None' allows me to use Apache auth with SSO for user login.

cigamit commented 5 years ago

Yes, we have. The proper way to support single sign on with Cacti is to use the basic authentication mode. With the basic mode, we obtain the username through the basic authentication. It will provide one of several possible username variables. If you review auth_login.php lines 33 through 44, you will see those server variables. They include:

$_SERVER['PHP_AUTH_USER']
$_SERVER['REMOTE_USER']
$_SERVER['REDIRECT_REMOTE_USER']
$_SERVER['HTTP_PHP_AUTH_USER']
$_SERVER['HTTP_REMOTE_USER']
$_SERVER['HTTP_REDIRECT_REMOTE_USER']

So, you need to review your SSO setup and determine how to set up your SSO's Apache module for single sign on. When that is done properly, one of the above variables will be properly populated with the user account, and you can simply select WebBasic authentication in Cacti.
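
A quick way to check which of the variables listed in the comment above an SSO setup actually populates, as an added example that is not part of the original comment and is not Cacti's auth_login.php. The function name `resolve_sso_user`, the lookup order (taken from the list above) and the sample arrays are assumptions.

```php
<?php
// Added example, not Cacti's auth_login.php. Names and order come from the
// list above; the function and sample data are hypothetical.
const SSO_USER_VARS = [
    'PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER',
    'HTTP_PHP_AUTH_USER', 'HTTP_REMOTE_USER', 'HTTP_REDIRECT_REMOTE_USER',
];

/**
 * Report which variable carries the SSO username, or null if none does.
 * HTTP_* entries in $_SERVER are built from request headers, so they are
 * flagged: trust them only when the front end sets or strips that header.
 */
function resolve_sso_user(array $server): ?array
{
    foreach (SSO_USER_VARS as $name) {
        $value = $server[$name] ?? '';
        if (!is_string($value) || trim($value) === '') {
            continue; // unset or empty: keep looking
        }
        return [
            'variable'    => $name,
            'username'    => trim($value),
            'from_header' => strncmp($name, 'HTTP_', 5) === 0,
        ];
    }
    return null; // fail closed: no authenticated user was handed over
}

// Constructed sample environments (not captured from a real server).
$samples = [
    'auth module set REMOTE_USER' => ['REMOTE_USER' => 'jdoe'],
    'after internal redirect'     => ['REDIRECT_REMOTE_USER' => 'jdoe'],
    'header-derived only'         => ['HTTP_REMOTE_USER' => 'jdoe'],
    'SSO not wired up'            => ['REMOTE_ADDR' => '192.0.2.10'],
];

foreach ($samples as $label => $server) {
    $r = resolve_sso_user($server);
    if ($r === null) {
        echo "$label: no username variable populated, deny access\n";
        continue;
    }
    $note = $r['from_header'] ? ' (header-derived, verify the front end sets it)' : '';
    echo "$label: {$r['variable']} = {$r['username']}$note\n";
}
```

On a live server, call `resolve_sso_user($_SERVER)` from a page protected by the same Apache authentication configuration as Cacti.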

gmourani commented 5 years ago

Thanks Jimmy,

It works this way.

Regards,