17500 FIX Custom & forecast graphs: Fix editing of foreign, non-publi…

…c graphs When editing a custom/forecast graph, we need to know the ID of the graph and the owner, because: * Users can edit custom/forecast graphs of other users if they have sufficient permissions. * The IDs must only be unique per user, not site-wide. CMK-20198 Change-Id: I5fe419f78316b6793db98f07f7a0db39698f9ea7
Checkmk · Jan 9, 2025 · 1f024c7 · 1f024c7
1 parent 78f5863
commit 1f024c7
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/.werks/17500.md b/.werks/17500.md
@@ -0,0 +1,17 @@
+[//]: # (werk v2)
+# Custom & forecast graphs: Fix editing of foreign, non-public graphs
+
+key        | value
+---------- | ---
+date       | 2025-01-07T12:40:14+00:00
+version    | 2.4.0b1
+class      | fix
+edition    | cee
+component  | multisite
+level      | 1
+compatible | yes
+
+Users with the permissions "Edit foreign custom/forecast graphs" can edit custom/forecast graphs
+owned by other users, even if they haven't been published. However, attempting to edit the design
+(custom graph)/the model (forecast graph) of an unpublished custom/forecast graph owned by another
+user resulted in the error message "No graph with the ID ...".
diff --git a/cmk/gui/pagetypes.py b/cmk/gui/pagetypes.py
@@ -51,7 +51,7 @@
 from cmk.gui.htmllib.generator import HTMLWriter
 from cmk.gui.htmllib.header import make_header
 from cmk.gui.htmllib.html import html
-from cmk.gui.http import request
+from cmk.gui.http import request, response
 from cmk.gui.i18n import _, _l, _u
 from cmk.gui.logged_in import LoggedInUser, save_user_file, user
 from cmk.gui.main_menu import mega_menu_registry, MegaMenuRegistry
@@ -1687,8 +1687,9 @@ def ajax_add_element(cls) -> None:
         if target_page:
             if not isinstance(target_page, str):
                 target_page = target_page.page_url()
-            html.write_text_permissive(target_page)
-        html.write_text_permissive("\n%s" % ("true" if need_sidebar_reload else "false"))
+
+        response.set_content_type("text/plain")
+        response.set_data(f"{target_page or ""}\n{"true" if need_sidebar_reload else "false"}")
 
     # Default implementation for generic containers - used e.g. by GraphCollection
     @classmethod