Group with RO at section but RWA on subnet cannot create nested subnets

[shmoeshmeps]

Describe the bug
If your group is set to RO permissions on the section, RO on a root subnet, RWA on a child subnet, group doesn't have permissions to create nested subnet.

A workaround is that if you set RWA permissions on the section (without delegation), this fixes the bug but introduces another. The group has permissions to create nested subnets on all other subnets that the group has RO permissions set,

phpIPAM version
Bug fixes are supported in the latest production and development releases. Please update to a supported release before reporting issues. Please search for existing Issues (including closed Issues) before submitting duplicates.

Versions of phpIPAM known to contain the issue (delete as appropriate).

• Latest production release [1.4].

Your Environment (please supply the following information):

• phpIPAM version: [e.g. 1.4]
• OS: Centos 7
• PHP version: 5.4.16
• Webserver: Apache
• Database: MariaDB 15.1
  (Also present on latest phpipam-docker build)

Steps To Reproduce
Please include steps to reproduce the issue:

1. Create a new group and put a test user in it
2. Go to section and set group permissions to be RO
3. Go to a root level subnet (aka net1) and set group permissions to be RO
4. Go to child subnet (under net1) and set permissions to be RWA
5. Switch user to test user, navigate to child subnet and witness permissions shown to be "Admin" but add nested subnet button greyed out.
6. Switch back to admin, go back to section, set permissions to be RWA (no delegate)
7. Configure permissions on another root subnet (aka net2) to have group permissions of RO
8. Switch back to user, go back to child subnet and witness add nested subnet button is now active
9. Switch to another subnet (net2) where the user should have RO access
10. Note the access level says "Read" but that the Add Nested Subnet button is active and user can add an active subnet (but cannot then edit it)

Screenshots and error logs
Please set $debugging=true; in your config.php and include any reported error messages. If applicable, add screenshots or other error logs to help explain your problem.

Additional Info
The issue is present in our native phpipam install on a VM, I have also reproduced using the above steps in docker-www using the latest tag.

[shmoeshmeps]

Section=RO, subnet=RWA. Shows user is admin, edit button is active but add nested is disabled.

Workaround in place, section=RWA, subnet=RO, Shows you can add nested subnet on RO subnet:

[shmoeshmeps]

It occurred to me that the behavior exhibited seems to be that "add nested subnet" only checks permissions set on the section and ignores permissions set on the subnet itself.

[Elvon]

I'm still using version 1.3.2 but even there I have this problem.

[Wandermond]

Faced with the same issue. Are there any news about possible fixes? Version 1.4.2

[qhiraa]

any updates on this?

[morgens]

1.4.3 and faced this too. Would be great to be able to gove permissions on just subnets to create nested subnets for other admins.

[k4lli]

1.5.0 - its still an issue - this forces users to split a subnet into multiple sections.
and once that's the case you cannot have a single pane to see what is used and what isn't
even in nested section, the parent cannot see child section networks (which is another issue)
but both together make management very complex

[XarkaOfMahrak]

Unsure it's a bug as it have been clearly dev'd that way.

https://github.com/phpipam/phpipam/blob/master/app/admin/subnets/edit.php#L34
https://github.com/phpipam/phpipam/blob/master/app/subnets/subnet-details/subnet-details.php#L637

I could fix that and open a pull request, but unsure it's bug fix