Device group based access (#10568)

* Device group based access * Use Permissions class to resolve permissions Also give port access based on device access * Convert more pages to use Permissions class * shorten config setting name use Eloquent relationships in several places alphabetize config_definitions.json * Change Models and Permissions * Clean up ajax_search LIMIT sql * Convert more pages to use Permissions class Co-authored-by: Tony Murray <murraytony@gmail.com>
2024-10-07 16:52:45 +00:00 · 2019-12-30 12:11:26 +01:00
parent 1998b8dd00
commit b361710148
44 changed files with 402 additions and 252 deletions
--- a/LibreNMS/Authentication/MysqlAuthorizer.php
+++ b/LibreNMS/Authentication/MysqlAuthorizer.php
@@ -144,6 +144,7 @@ class MysqlAuthorizer extends AuthorizerBase
        // could be used on cli, use Eloquent helper
        Eloquent::DB()->table('bill_perms')->where('user_id', $user_id)->delete();
        Eloquent::DB()->table('devices_perms')->where('user_id', $user_id)->delete();
        Eloquent::DB()->table('devices_group_perms')->where('user_id', $user_id)->delete();
        Eloquent::DB()->table('ports_perms')->where('user_id', $user_id)->delete();
        Eloquent::DB()->table('users_prefs')->where('user_id', $user_id)->delete();
--- a/LibreNMS/IRCBot.php
+++ b/LibreNMS/IRCBot.php
@@ -545,13 +545,8 @@ class IRCBot
                    $this->user['level'] = LegacyAuth::get()->getUserlevel($user['username']);
                    $this->user['expire'] = (time() + ($this->config['irc_authtime'] * 3600));
                    if ($this->user['level'] < 5) {
-                        foreach (dbFetchRows('SELECT device_id FROM devices_perms WHERE user_id = ?', array($this->user['id'])) as $tmp) {
+                        $this->user['devices'] = Permissions::devicesForUser($this->user['id'])->toArray();
-                            $this->user['devices'][] = $tmp['device_id'];
+                        $this->user['ports'] = Permissions::portsForUser($this->user['id'])->toArray();
                        }
                        foreach (dbFetchRows('SELECT port_id FROM ports_perms WHERE user_id = ?', array($this->user['id'])) as $tmp) {
                            $this->user['ports'][] = $tmp['port_id'];
                        }
                    }
                    if ($this->debug) {
                        $this->log("HostAuth on irc for '".$user['username']."', ID: '".$user_id."', Host: '".$host);
@@ -581,13 +576,8 @@ class IRCBot
                $tmp = LegacyAuth::get()->getUserlevel($tmp_user['username']);
                $this->user['level'] = $tmp;
                if ($this->user['level'] < 5) {
-                    foreach (dbFetchRows('SELECT device_id FROM devices_perms WHERE user_id = ?', array($this->user['id'])) as $tmp) {
+                        $this->user['devices'] = Permissions::devicesForUser($this->user['id'])->toArray();
-                        $this->user['devices'][] = $tmp['device_id'];
+                        $this->user['ports'] = Permissions::portsForUser($this->user['id'])->toArray();
                    }
                    foreach (dbFetchRows('SELECT port_id FROM ports_perms WHERE user_id = ?', array($this->user['id'])) as $tmp) {
                        $this->user['ports'][] = $tmp['port_id'];
                    }
                }
                return $this->respond('Authenticated.');
--- a/LibreNMS/Permissions.php
+++ b/LibreNMS/Permissions.php
@@ -31,6 +31,7 @@ use App\Models\Port;
 use App\Models\User;
 use Auth;
 use DB;
 use LibreNMS\Config;
 class Permissions
 {
@@ -140,7 +141,7 @@ class Permissions
    }
    /**
-     * Get a list of port_id of all ports the user can access
+     * Get a list of port_id of all ports the user can access directly
     *
     * @param User|int $user
     * @return \Illuminate\Support\Collection
@@ -153,7 +154,7 @@ class Permissions
    }
    /**
-     * Get a list of bill_id of all bills the user can access
+     * Get a list of bill_id of all bills the user can access directly
     *
     * @param User|int $user
     * @return \Illuminate\Support\Collection
@@ -193,7 +194,9 @@ class Permissions
    public function getDevicePermissions()
    {
        if (is_null($this->devicePermissions)) {
-            $this->devicePermissions = DB::table('devices_perms')->get();
+            $this->devicePermissions = DB::table('devices_perms')
                ->union($this->getDeviceGroupPermissionsQuery())
                ->get();
        }
        return $this->devicePermissions;
@@ -262,4 +265,19 @@ class Permissions
    {
        return $bill instanceof Bill ? $bill->bill_id : (is_numeric($bill) ? (int)$bill : 0);
    }
    /**
     * @return \Illuminate\Database\Query\Builder
     */
    public function getDeviceGroupPermissionsQuery()
    {
        return DB::table('devices_group_perms')
        ->select('devices_group_perms.user_id', 'device_group_device.device_id')
        ->join('device_group_device', 'device_group_device.device_group_id', '=', 'devices_group_perms.device_group_id')
        ->when(!Config::get('permission.device_group.allow_dynamic'), function ($query) {
            return $query
                ->join('device_groups', 'device_groups.id', '=', 'devices_group_perms.device_group_id')
                ->where('device_groups.type', 'static');
        });
    }
 }
--- a/app/Models/Device.php
+++ b/app/Models/Device.php
@@ -15,6 +15,7 @@ use LibreNMS\Util\IPv4;
 use LibreNMS\Util\IPv6;
 use LibreNMS\Util\Url;
 use LibreNMS\Util\Time;
 use Permissions;
 class Device extends BaseModel
 {
@@ -284,9 +285,7 @@ class Device extends BaseModel
            return true;
        }
-        return DB::table('devices_perms')
+        return Permissions::canAccessDevice($this->device_id, $user->user_id);
            ->where('user_id', $user->user_id)
            ->where('device_id', $this->device_id)->exists();
    }
    public function formatUptime($short = false)
--- a/app/Models/DeviceGroup.php
+++ b/app/Models/DeviceGroup.php
@@ -149,4 +149,9 @@ class DeviceGroup extends BaseModel
    {
        return $this->belongsToMany('App\Models\Service', 'device_group_device', 'device_group_id', 'device_id');
    }
    public function users()
    {
        return $this->belongsToMany('App\Models\User', 'devices_group_perms', 'device_group_id', 'user_id');
    }
 }
--- a/app/Models/Port.php
+++ b/app/Models/Port.php
@@ -5,6 +5,7 @@ namespace App\Models;
 use DB;
 use Illuminate\Database\Eloquent\Builder;
 use LibreNMS\Util\Rewrite;
 use Permissions;
 class Port extends DeviceRelatedModel
 {
@@ -62,7 +63,7 @@ class Port extends DeviceRelatedModel
    /**
     * Check if user can access this port.
     *
-     * @param User $user
+     * @param User|int $user
     * @return bool
     */
    public function canAccess($user)
@@ -75,15 +76,7 @@ class Port extends DeviceRelatedModel
            return true;
        }
-        $port_query = DB::table('ports_perms')
+        return Permissions::canAccessDevice($this->device_id, $user) || Permissions::canAccessPort($this->port_id, $user);
            ->where('user_id', $user->user_id)
            ->where('port_id', $this->port_id);
        $device_query = DB::table('devices_perms')
            ->where('user_id', $user->user_id)
            ->where('device_id', $this->device_id);
        return $port_query->union($device_query)->exists();
    }
    // ---- Accessors/Mutators ----
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -7,6 +7,7 @@ use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
 use LibreNMS\Authentication\LegacyAuth;
 use Permissions;
 class User extends Authenticatable
 {
@@ -83,7 +84,7 @@ class User extends Authenticatable
     */
    public function canAccessDevice($device)
    {
-        return $this->hasGlobalRead() || $this->devices->contains($device);
+        return $this->hasGlobalRead() || Permissions::canAccessDevice($device, $this->user_id);
    }
    /**
@@ -163,6 +164,15 @@ class User extends Authenticatable
        $this->attributes['enabled'] = $enable ? 1 : 0;
    }
    public function getDevicesAttribute()
    {
        // pseudo relation
        if (!array_key_exists('devices', $this->relations)) {
            $this->setRelation('devices', $this->devices()->get());
        }
        return $this->getRelation('devices');
    }
    // ---- Define Relationships ----
    public function apiToken()
@@ -172,11 +182,15 @@ class User extends Authenticatable
    public function devices()
    {
-        if ($this->hasGlobalRead()) {
+        // pseudo relation
-            return Device::query();
+        return Device::query()->when(!$this->hasGlobalRead(), function ($query) {
-        } else {
+            return $query->whereIn('device_id', Permissions::devicesForUser($this));
-            return $this->belongsToMany('App\Models\Device', 'devices_perms', 'user_id', 'device_id');
+        });
-        }
+    }
    public function deviceGroups()
    {
        return $this->belongsToMany('App\Models\DeviceGroup', 'devices_group_perms', 'user_id', 'device_group_id');
    }
    public function ports()
--- a/config/librenms.php
+++ b/config/librenms.php
@@ -23,7 +23,7 @@ return [
    /*
    |--------------------------------------------------------------------------
-    | User
+    | Group
    |--------------------------------------------------------------------------
    |
    | This value is the group LibreNMS runs as. It is used to secure permissions
--- a/database/migrations/2019_10_21_105350_devices_group_perms.php
+++ b/database/migrations/2019_10_21_105350_devices_group_perms.php
@@ -0,0 +1,32 @@
 <?php
 use Illuminate\Support\Facades\Schema;
 use Illuminate\Database\Schema\Blueprint;
 use Illuminate\Database\Migrations\Migration;
 class DevicesGroupPerms extends Migration
 {
    /**
     * Run the migrations.
     *
     * @return void
     */
    public function up()
    {
        Schema::create('devices_group_perms', function (Blueprint $table) {
            $table->unsignedInteger('user_id')->index();
            $table->unsignedInteger('device_group_id')->index();
            $table->primary(['device_group_id','user_id']);
        });
    }
    /**
     * Reverse the migrations.
     *
     * @return void
     */
    public function down()
    {
        Schema::dropIfExists('devices_group_perms');
    }
 }
--- a/html/ajax_search.php
+++ b/html/ajax_search.php
@@ -20,6 +20,14 @@ if (isset($_REQUEST['search'])) {
    if (strlen($search) > 0) {
        $found = 0;
        if (!Auth::user()->hasGlobalRead()) {
            $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
            $perms_sql = "`D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
        } else {
            $device_ids = [];
            $perms_sql = "1";
        }
        if ($_REQUEST['type'] == 'group') {
            foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE ?", ["%$search%"]) as $group) {
                if ($_REQUEST['map']) {
@@ -43,13 +51,13 @@ if (isset($_REQUEST['search'])) {
            // Device search
            if (Auth::user()->hasGlobalRead()) {
                $results = dbFetchRows(
-                    "SELECT * FROM `devices` LEFT JOIN `locations` ON `locations`.`id` = `devices`.`location_id` WHERE `devices`.`hostname` LIKE ? OR `locations`.`location` LIKE ? OR `devices`.`sysName` LIKE ? OR `devices`.`purpose` LIKE ? OR `devices`.`notes` LIKE ? ORDER BY `devices`.hostname LIMIT " . $limit,
+                    "SELECT * FROM `devices` LEFT JOIN `locations` ON `locations`.`id` = `devices`.`location_id` WHERE `devices`.`hostname` LIKE ? OR `locations`.`location` LIKE ? OR `devices`.`sysName` LIKE ? OR `devices`.`purpose` LIKE ? OR `devices`.`notes` LIKE ? ORDER BY `devices`.hostname LIMIT ?",
-                    ["%$search%", "%$search%", "%$search%", "%$search%", "%$search%"]
+                    ["%$search%", "%$search%", "%$search%", "%$search%", "%$search%", $limit]
                );
            } else {
                $results = dbFetchRows(
-                    "SELECT * FROM `devices` AS `D` INNER JOIN `devices_perms` AS `P` ON `P`.`device_id` = `D`.`device_id` LEFT JOIN `locations` ON `locations`.`id` = `D`.`location_id` WHERE `P`.`user_id` = ? AND (D.`hostname` LIKE ? OR D.`sysName` LIKE ? OR `locations`.`location` LIKE ?) ORDER BY hostname LIMIT " . $limit,
+                    "SELECT * FROM `devices` AS `D` LEFT JOIN `locations` ON `locations`.`id` = `D`.`location_id` WHERE $perms_sql AND (D.`hostname` LIKE ? OR D.`sysName` LIKE ? OR `locations`.`location` LIKE ?) ORDER BY hostname LIMIT ?",
-                    [Auth::id(), "%$search%", "%$search%", "%$search%"]
+                    array_merge($device_ids, ["%$search%", "%$search%", "%$search%", $limit])
                );
            }
@@ -72,11 +80,8 @@ if (isset($_REQUEST['search'])) {
                        $highlight_colour = '#008000';
                    }
-                    if (Auth::user()->hasGlobalRead()) {
+                    $num_ports = dbFetchCell('SELECT COUNT(*) FROM `ports` AS `I`, `devices` AS `D` WHERE $perms_sql AND `I`.`device_id` = `D`.`device_id` AND D.device_id = ?', array_merge($device_ids, [$result['device_id']]));
-                        $num_ports = dbFetchCell('SELECT COUNT(*) FROM `ports` WHERE device_id = ?', [$result['device_id']]);
+
                    } else {
                        $num_ports = dbFetchCell('SELECT COUNT(*) FROM `ports` AS `I`, `devices` AS `D`, `devices_perms` AS `P` WHERE `P`.`user_id` = ? AND `P`.`device_id` = `D`.`device_id` AND `I`.`device_id` = `D`.`device_id` AND D.device_id = ?', [Auth::id(), $result['device_id']]);
                    }
                    $device[] = array(
                        'name'            => $name,
@@ -99,13 +104,13 @@ if (isset($_REQUEST['search'])) {
            // Search ports
            if (Auth::user()->hasGlobalRead()) {
                $results = dbFetchRows(
-                    "SELECT `ports`.*,`devices`.* FROM `ports` LEFT JOIN `devices` ON  `ports`.`device_id` =  `devices`.`device_id` WHERE `ifAlias` LIKE ? OR `ifDescr` LIKE ? OR `ifName` LIKE ? ORDER BY ifDescr LIMIT ".$limit,
+                    "SELECT `ports`.*,`devices`.* FROM `ports` LEFT JOIN `devices` ON  `ports`.`device_id` =  `devices`.`device_id` WHERE `ifAlias` LIKE ? OR `ifDescr` LIKE ? OR `ifName` LIKE ? ORDER BY ifDescr LIMIT ?",
-                    ["%$search%", "%$search%", "%$search%"]
+                    ["%$search%", "%$search%", "%$search%", $limit]
                );
            } else {
                $results = dbFetchRows(
-                    "SELECT DISTINCT(`I`.`port_id`), `I`.*, `D`.`hostname` FROM `ports` AS `I`, `devices` AS `D`, `devices_perms` AS `P`, `ports_perms` AS `PP` WHERE ((`P`.`user_id` = ? AND `P`.`device_id` = `D`.`device_id`) OR (`PP`.`user_id` = ? AND `PP`.`port_id` = `I`.`port_id` AND `I`.`device_id` = `D`.`device_id`)) AND `D`.`device_id` = `I`.`device_id` AND (`ifAlias` LIKE ? OR `ifDescr` LIKE ? OR `ifName` LIKE ?) ORDER BY ifDescr LIMIT ".$limit,
+                    "SELECT DISTINCT(`I`.`port_id`), `I`.*, `D`.`hostname` FROM `ports` AS `I`, `devices` AS `D` WHERE $perms_sql AND `D`.`device_id` = `I`.`device_id` AND (`ifAlias` LIKE ? OR `ifDescr` LIKE ? OR `ifName` LIKE ?) ORDER BY ifDescr LIMIT ?",
-                    [Auth::id(), Auth::id(), "%$search%", "%$search%", "%$search%"]
+                    array_merge($device_ids, ["%$search%", "%$search%", "%$search%", $limit])
                );
            }
@@ -149,17 +154,10 @@ if (isset($_REQUEST['search'])) {
            die($json);
        } elseif ($_REQUEST['type'] == 'bgp') {
            // Search bgp peers
-            if (Auth::user()->hasGlobalRead()) {
+            $results = dbFetchRows(
-                $results = dbFetchRows(
+                "SELECT `bgpPeers`.*,`D`.* FROM `bgpPeers`, `devices` AS `D` WHERE $perms_sql AND  `bgpPeers`.`device_id`=`D`.`device_id` AND  (`astext` LIKE ? OR `bgpPeerIdentifier` LIKE ? OR `bgpPeerRemoteAs` LIKE ?) ORDER BY `astext` LIMIT ?",
-                    "SELECT `bgpPeers`.*,`devices`.* FROM `bgpPeers` LEFT JOIN `devices` ON  `bgpPeers`.`device_id` =  `devices`.`device_id` WHERE `astext` LIKE ? OR `bgpPeerIdentifier` LIKE ? OR `bgpPeerRemoteAs` LIKE ? ORDER BY `astext` LIMIT " . $limit,
+                array_merge($device_ids, ["%$search%", "%$search%", "%$search%", $limit])
-                    ["%$search%", "%$search%", "%$search%"]
+            );
                );
            } else {
                $results = dbFetchRows(
                    "SELECT `bgpPeers`.*,`D`.* FROM `bgpPeers`, `devices` AS `D`, `devices_perms` AS `P` WHERE `P`.`user_id` = ? AND `P`.`device_id` = `D`.`device_id` AND  `bgpPeers`.`device_id`=`D`.`device_id` AND  (`astext` LIKE ? OR `bgpPeerIdentifier` LIKE ? OR `bgpPeerRemoteAs` LIKE ?) ORDER BY `astext` LIMIT ".$limit,
                    [Auth::id(), "%$search%", "%$search%", "%$search%"]
                );
            }
            if (count($results)) {
                $found = 1;
@@ -205,17 +203,11 @@ if (isset($_REQUEST['search'])) {
            die($json);
        } elseif ($_REQUEST['type'] == 'applications') {
            // Device search
-            if (Auth::user()->hasGlobalRead()) {
+            $results = dbFetchRows(
-                $results = dbFetchRows(
+                "SELECT * FROM `applications` INNER JOIN `devices` AS `D` ON `D`.`device_id` = `applications`.`device_id` WHERE $perms_sql AND (`app_type` LIKE ? OR `hostname` LIKE ?) ORDER BY hostname LIMIT ?",
-                    "SELECT * FROM `applications` INNER JOIN `devices` ON devices.device_id = applications.device_id WHERE `app_type` LIKE ? OR `hostname` LIKE ? ORDER BY hostname LIMIT ".$limit,
+                array_merge($device_ids, ["%$search%", "%$search%", $limit])
-                    ["%$search%", "%$search%"]
+            );
-                );
+
            } else {
                $results = dbFetchRows(
                    "SELECT * FROM `applications` INNER JOIN `devices` AS `D` ON `D`.`device_id` = `applications`.`device_id` INNER JOIN `devices_perms` AS `P` ON `P`.`device_id` = `D`.`device_id` WHERE `P`.`user_id` = ? AND (`app_type` LIKE ? OR `hostname` LIKE ?) ORDER BY hostname LIMIT ".$limit,
                    [Auth::id(), "%$search%", "%$search%"]
                );
            }
            if (count($results)) {
                $found   = 1;
@@ -252,17 +244,11 @@ if (isset($_REQUEST['search'])) {
            die($json);
        } elseif ($_REQUEST['type'] == 'munin') {
            // Device search
-            if (Auth::user()->hasGlobalRead()) {
+            $results = dbFetchRows(
-                $results = dbFetchRows(
+                "SELECT * FROM `munin_plugins` INNER JOIN `devices` AS `D` ON `D`.`device_id` = `munin_plugins`.`device_id` WHERE $perms_sql AND (`mplug_type` LIKE ? OR `mplug_title` LIKE ? OR `hostname` LIKE ?) ORDER BY hostname LIMIT ?",
-                    "SELECT * FROM `munin_plugins` INNER JOIN `devices` ON devices.device_id = munin_plugins.device_id WHERE `mplug_type` LIKE ? OR `mplug_title` LIKE ? OR `hostname` LIKE ? ORDER BY hostname LIMIT ".$limit,
+                array_merge($device_ids, ["%$search%", "%$search%", "%$search%", $limit])
-                    ["%$search%", "%$search%", "%$search%"]
+            );
-                );
+
            } else {
                $results = dbFetchRows(
                    "SELECT * FROM `munin_plugins` INNER JOIN `devices` AS `D` ON `D`.`device_id` = `munin_plugins`.`device_id` INNER JOIN `devices_perms` AS `P` ON `P`.`device_id` = `D`.`device_id` WHERE `P`.`user_id` = ? AND (`mplug_type` LIKE ? OR `mplug_title` LIKE ? OR `hostname` LIKE ?) ORDER BY hostname LIMIT ".$limit,
                    [Auth::id(), "%$search%", "%$search%", "%$search%"]
                );
            }
            if (count($results)) {
                $found   = 1;
@@ -299,17 +285,11 @@ if (isset($_REQUEST['search'])) {
            die($json);
        } elseif ($_REQUEST['type'] == 'iftype') {
            // Device search
-            if (Auth::user()->hasGlobalRead()) {
+            $results = dbFetchRows(
-                $results = dbFetchRows(
+                "SELECT `ports`.ifType FROM `ports` WHERE $perms_sql AND `ifType` LIKE ? GROUP BY ifType ORDER BY ifType LIMIT ?",
-                    "SELECT `ports`.ifType FROM `ports` WHERE `ifType` LIKE ? GROUP BY ifType ORDER BY ifType LIMIT ".$limit,
+                array_merge($device_ids, ["%$search%", $limit])
-                    ["%$search%"]
+            );
-                );
+
            } else {
                $results = dbFetchRows(
                    "SELECT `I`.ifType FROM `ports` AS `I`, `devices` AS `D`, `devices_perms` AS `P`, `ports_perms` AS `PP` WHERE ((`P`.`user_id` = ? AND `P`.`device_id` = `D`.`device_id`) OR (`PP`.`user_id` = ? AND `PP`.`port_id` = `I`.`port_id` AND `I`.`device_id` = `D`.`device_id`)) AND `D`.`device_id` = `I`.`device_id` AND (`ifType` LIKE ?) GROUP BY ifType ORDER BY ifType LIMIT ".$limit,
                    [Auth::id(), Auth::id(), "%$search%"]
                );
            }
            if (count($results)) {
                $found   = 1;
                $devices = count($results);
@@ -327,13 +307,13 @@ if (isset($_REQUEST['search'])) {
            // Device search
            if (Auth::user()->hasGlobalRead()) {
                $results = dbFetchRows(
-                    "SELECT `bills`.bill_id, `bills`.bill_name FROM `bills` WHERE `bill_name` LIKE ? OR `bill_notes` LIKE ? LIMIT ".$limit,
+                    "SELECT `bills`.bill_id, `bills`.bill_name FROM `bills` WHERE `bill_name` LIKE ? OR `bill_notes` LIKE ? LIMIT ?",
-                    ["%$search%", "%$search%"]
+                    ["%$search%", "%$search%", $limit]
                );
            } else {
                $results = dbFetchRows(
-                    "SELECT `bills`.bill_id, `bills`.bill_name FROM `bills` INNER JOIN `bill_perms` ON `bills`.bill_id = `bill_perms`.bill_id WHERE `bill_perms`.user_id = ? AND (`bill_name` LIKE ? OR `bill_notes` LIKE ?) LIMIT ".$limit,
+                    "SELECT `bills`.bill_id, `bills`.bill_name FROM `bills` INNER JOIN `bill_perms` ON `bills`.bill_id = `bill_perms`.bill_id WHERE `bill_perms`.user_id = ? AND (`bill_name` LIKE ? OR `bill_notes` LIKE ?) LIMIT ?",
-                    [Auth::id(), "%$search%", "%$search%"]
+                    [Auth::id(), "%$search%", "%$search%", $limit]
                );
            }
            $json = json_encode($results);
--- a/html/js/vendor.js
+++ b/html/js/vendor.js
--- a/html/mix-manifest.json
+++ b/html/mix-manifest.json
@@ -2,11 +2,11 @@
    "/js/app.js": "/js/app.js?id=d074dd82ac08dba78c44",
    "/css/app.css": "/css/app.css?id=17e56994706c74ee9663",
    "/js/manifest.js": "/js/manifest.js?id=3c768977c2574a34506e",
-    "/js/vendor.js": "/js/vendor.js?id=00c1d21ecfea78860e09",
+    "/js/vendor.js": "/js/vendor.js?id=8903cec9b99453318869",
-    "/js/lang/de.js": "/js/lang/de.js?id=e0623715e8df0895188b",
+    "/js/lang/de.js": "/js/lang/de.js?id=04de715032d1fe1584d9",
-    "/js/lang/en.js": "/js/lang/en.js?id=116363543952443ac4cb",
+    "/js/lang/en.js": "/js/lang/en.js?id=368d06aa81687a47cbdf",
-    "/js/lang/fr.js": "/js/lang/fr.js?id=2d1159debd99a1909f12",
+    "/js/lang/fr.js": "/js/lang/fr.js?id=51f0ee3b59a7dace8913",
-    "/js/lang/ru.js": "/js/lang/ru.js?id=b007ddce75134acbe635",
+    "/js/lang/ru.js": "/js/lang/ru.js?id=d1a4a7e38c1e19a9f35f",
-    "/js/lang/uk.js": "/js/lang/uk.js?id=146819d3cf1dfb16672d",
+    "/js/lang/uk.js": "/js/lang/uk.js?id=a4f38c7e0cfec6593e8e",
-    "/js/lang/zh-TW.js": "/js/lang/zh-TW.js?id=f57574a3892e5990ecbc"
+    "/js/lang/zh-TW.js": "/js/lang/zh-TW.js?id=d973da2eac4a300af36d"
 }
--- a/includes/caches/alerts.inc.php
+++ b/includes/caches/alerts.inc.php
@@ -3,8 +3,11 @@
 if (Auth::user()->hasGlobalRead()) {
    $data['active_count'] = array('query' => 'SELECT COUNT(`alerts`.`id`)  FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id`  RIGHT JOIN `alert_rules` ON `alerts`.`rule_id`=`alert_rules`.`id` WHERE 1 AND `alerts`.`state` NOT IN (0,2) AND `devices`.`disabled` = 0 AND `devices`.`ignore` = 0');
 } else {
    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
    $perms_sql = "`D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
    $data['active_count'] = array(
-        'query'  => 'SELECT COUNT(`alerts`.`id`)  FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id` LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`  RIGHT JOIN `alert_rules` ON `alerts`.`rule_id`=`alert_rules`.`id` WHERE 1 AND `alerts`.`state` NOT IN (0,2)  AND `devices`.`disabled` = 0 AND `devices`.`ignore` = 0 AND `DP`.`user_id`=?',
+        'query'  => 'SELECT COUNT(`alerts`.`id`)  FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id` RIGHT JOIN `alert_rules` ON `alerts`.`rule_id`=`alert_rules`.`id` WHERE $perms_sql AND `alerts`.`state` NOT IN (0,2)  AND `devices`.`disabled` = 0 AND `devices`.`ignore` = 0',
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
 }
--- a/includes/caches/devices.inc.php
+++ b/includes/caches/devices.inc.php
@@ -11,28 +11,31 @@ if (Auth::user()->hasGlobalRead()) {
    $data['disabled'] = array('query' => "SELECT COUNT(*) FROM devices WHERE `disabled` = '1'");
 } else {
    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
    $perms_sql = "`D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
    $data['count'] = array(
-        'query'  => 'SELECT COUNT(*) FROM devices AS D, devices_perms AS P WHERE P.`user_id` = ? AND P.`device_id` = D.`device_id`',
+        'query'  => 'SELECT COUNT(*) FROM devices AS D WHERE $perms_sql',
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['up'] = array(
-        'query'  => "SELECT COUNT(*) FROM devices AS D, devices_perms AS P WHERE P.`user_id` = ? AND P.`device_id` = D.`device_id` AND D.`status` = '1' AND D.`ignore` = '0' AND D.`disabled` = '0'",
+        'query'  => "SELECT COUNT(*) FROM devices AS D WHERE $perms_sql AND D.`status` = '1' AND D.`ignore` = '0' AND D.`disabled` = '0'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['down'] = array(
-        'query'  => "SELECT COUNT(*) FROM devices AS D, devices_perms AS P WHERE P.`user_id` = ? AND P.`device_id` = D.`device_id` AND D.`status` = '0' AND D.`ignore` = '0' AND D.`disabled` = '0'",
+        'query'  => "SELECT COUNT(*) FROM devices AS D WHERE $perms_sql AND D.`status` = '0' AND D.`ignore` = '0' AND D.`disabled` = '0'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['ignored'] = array(
-        'query'  => "SELECT COUNT(*) FROM devices AS D, devices_perms AS P WHERE P.`user_id` = ? AND P.`device_id` = D.`device_id` AND D.`ignore` = '1' AND D.`disabled` = '0'",
+        'query'  => "SELECT COUNT(*) FROM devices AS D WHERE $perms_sql AND D.`ignore` = '1' AND D.`disabled` = '0'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['disabled'] = array(
-        'query'  => "SELECT COUNT(*) FROM devices AS D, devices_perms AS P WHERE P.`user_id` = ? AND P.`device_id` = D.`device_id` AND D.`disabled` = '1'",
+        'query'  => "SELECT COUNT(*) FROM devices AS D WHERE $perms_sql AND D.`disabled` = '1'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
 }//end if
--- a/includes/caches/ports.inc.php
+++ b/includes/caches/ports.inc.php
@@ -13,33 +13,36 @@ if (Auth::user()->hasGlobalRead()) {
    $data['ignored'] = array('query' => "SELECT COUNT(*) FROM ports AS I, devices AS D WHERE I.`deleted` = '0' AND D.`device_id` = I.`device_id` AND (I.`ignore` = '1' OR D.`ignore` = '1')");
 } else {
    $device_ids = Permissions::portsForUser()->toArray() ?: [0];
    $perms_sql = "`I`.`port_id` IN " .dbGenPlaceholders(count($device_ids));
    $data['count'] = array(
-        'query'  => "SELECT COUNT(*) FROM ports AS I, devices AS D, devices_perms AS P WHERE I.`deleted` = '0' AND P.`user_id` = ? AND P.`device_id` = D.`device_id` AND I.`device_id` = D.`device_id`",
+        'query'  => "SELECT COUNT(*) FROM ports AS I WHERE $perms_sql AND I.`deleted` = '0'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['up'] = array(
-        'query'  => "SELECT COUNT(*) FROM ports AS I, devices AS D, devices_perms AS P WHERE I.`deleted` = '0' AND P.`user_id` = ? AND P.`device_id` = D.`device_id` AND I.`device_id` = D.`device_id` AND I.`ignore` = '0' AND D.`ignore` = '0' AND I.`ifOperStatus` = 'up'",
+        'query'  => "SELECT COUNT(*) FROM ports AS I, devices AS D WHERE $perms_sql AND I.`deleted` = '0' AND I.`device_id` = D.`device_id` AND I.`ignore` = '0' AND D.`ignore` = '0' AND I.`ifOperStatus` = 'up'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['down'] = array(
-        'query'  => "SELECT COUNT(*) FROM ports AS I, devices AS D, devices_perms AS P WHERE I.`deleted` = '0' AND P.`user_id` = ? AND P.`device_id` = D.`device_id` AND I.`device_id` = D.`device_id` AND I.`ignore` = '0' AND D.`ignore` = '0' AND I.`ifOperStatus` = 'down' AND I.`ifAdminStatus` = 'up'",
+        'query'  => "SELECT COUNT(*) FROM ports AS I, devices AS D WHERE $perms_sql AND I.`deleted` = '0' AND I.`device_id` = D.`device_id` AND I.`ignore` = '0' AND D.`ignore` = '0' AND I.`ifOperStatus` = 'down' AND I.`ifAdminStatus` = 'up'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['shutdown'] = array(
-        'query'  => "SELECT COUNT(*) FROM ports AS I, devices AS D, devices_perms AS P WHERE I.`deleted` = '0' AND P.`user_id` = ? AND P.`device_id` = D.`device_id` AND I.`device_id` = D.`device_id` AND I.`ignore` = '0' AND D.`ignore` = '0' AND I.`ifAdminStatus` = 'down'",
+        'query'  => "SELECT COUNT(*) FROM ports AS I, devices AS D WHERE $perms_sql AND I.`deleted` = '0' AND I.`device_id` = D.`device_id` AND I.`ignore` = '0' AND D.`ignore` = '0' AND I.`ifAdminStatus` = 'down'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['errored'] = array(
-        'query'  => "SELECT COUNT(*) FROM ports AS I, devices AS D, devices_perms AS P WHERE I.`deleted` = '0' AND P.`user_id` = ? AND P.`device_id` = D.`device_id` AND I.`device_id` = D.`device_id` AND I.`ignore` = '0' AND D.`ignore` = '0' AND (I.`ifInErrors_delta` > '0' OR I.`ifOutErrors_delta` > '0')",
+        'query'  => "SELECT COUNT(*) FROM ports AS I, devices AS D WHERE $perms_sql AND I.`deleted` = '0' AND I.`device_id` = D.`device_id` AND I.`ignore` = '0' AND D.`ignore` = '0' AND (I.`ifInErrors_delta` > '0' OR I.`ifOutErrors_delta` > '0')",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['ignored'] = array(
-        'query'  => "SELECT COUNT(*) FROM ports AS I, devices AS D, devices_perms AS P WHERE I.`deleted` = '0' AND P.`user_id` = ? AND P.`device_id` = D.`device_id` AND I.`device_id` = D.`device_id` AND (I.`ignore` = '1' OR D.`ignore` = '1')",
+        'query'  => "SELECT COUNT(*) FROM ports AS I, devices AS D WHERE $perms_sql AND I.`deleted` = '0' AND I.`device_id` = D.`device_id` AND (I.`ignore` = '1' OR D.`ignore` = '1')",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
 }//end if
--- a/includes/caches/services.inc.php
+++ b/includes/caches/services.inc.php
@@ -7,28 +7,31 @@ if (Auth::user()->hasGlobalRead()) {
    $data['ignored']  = array( 'query' => "SELECT COUNT(*) FROM services WHERE `service_ignore` = '1' AND `service_disabled` = '0'");
    $data['disabled'] = array( 'query' => "SELECT COUNT(*) FROM services WHERE `service_disabled` = '1'");
 } else {
    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
    $perms_sql = "`S`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
    $data['count'] = array(
-        'query'  => 'SELECT COUNT(*) FROM services AS S, devices AS D, devices_perms AS P WHERE P.`user_id` = ? AND P.`device_id` = D.`device_id` AND S.`device_id` = D.`device_id`',
+        'query'  => 'SELECT COUNT(*) FROM services AS S WHERE $perms_sql',
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['up'] = array(
-        'query'  => "SELECT COUNT(*) FROM services AS S, devices AS D, devices_perms AS P WHERE P.`user_id` = ? AND P.`device_id` = D.`device_id` AND S.`device_id` = D.`device_id` AND S.`service_ignore` = '0' AND S.`service_disabled` = '0' AND S.`service_status` = '0'",
+        'query'  => "SELECT COUNT(*) FROM services AS S WHERE $perms_sql AND S.`service_ignore` = '0' AND S.`service_disabled` = '0' AND S.`service_status` = '0'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['down'] = array(
-        'query'  => "SELECT COUNT(*) FROM services AS S, devices AS D, devices_perms AS P WHERE P.`user_id` = ? AND P.`device_id` = D.`device_id` AND S.`device_id` = D.`device_id` AND S.`service_ignore` = '0' AND S.`service_disabled` = '0' AND S.`service_status` = '2'",
+        'query'  => "SELECT COUNT(*) FROM services AS S WHERE $perms_sql AND S.`service_ignore` = '0' AND S.`service_disabled` = '0' AND S.`service_status` = '2'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['ignored'] = array(
-        'query'  => "SELECT COUNT(*) FROM services AS S, devices AS D, devices_perms AS P WHERE P.`user_id` = ? AND P.`device_id` = D.`device_id` AND S.`device_id` = D.`device_id` AND S.`service_ignore` = '1' AND S.`service_disabled` = '0'",
+        'query'  => "SELECT COUNT(*) FROM services AS S WHERE $perms_sql AND S.`service_ignore` = '1' AND S.`service_disabled` = '0'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
    $data['disabled'] = array(
-        'query'  => "SELECT COUNT(*) FROM services AS S, devices AS D, devices_perms AS P WHERE P.`user_id` = ? AND P.`device_id` = D.`device_id` AND S.`device_id` = D.`device_id` AND S.`service_disabled` = '1'",
+        'query'  => "SELECT COUNT(*) FROM services AS S WHERE $perms_sql AND S.`service_disabled` = '1'",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
 }//end if
--- a/includes/caches/toner.inc.php
+++ b/includes/caches/toner.inc.php
@@ -3,8 +3,11 @@
 if (Auth::user()->hasGlobalRead()) {
    $data['count'] = array('query' => "SELECT COUNT(`toner_id`) FROM toner");
 } else {
    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
    $perms_sql = "`toner`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
    $data['count'] = array(
-        'query'  => "SELECT COUNT(`toner_id`) FROM toner AS T, devices AS D, devices_perms AS P WHERE P.`user_id` = ? AND P.`device_id` = D.`device_id` AND T.`device_id` = D.`device_id`",
+        'query'  => "SELECT COUNT(`toner_id`) FROM toner WHERE $perms_sql",
-        'params' => array(Auth::id()),
+        'params' => $device_ids
    );
 }
--- a/includes/html/common/worldmap.inc.php
+++ b/includes/html/common/worldmap.inc.php
@@ -91,14 +91,16 @@ var greenMarker = L.AwesomeMarkers.icon({
        $param = $show_status;
    } else {
    // Normal user - grab devices that user has permissions to
        $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
        $sql = "SELECT DISTINCT(`devices`.`device_id`) as `device_id`,`location`,`sysName`,`hostname`,`os`,`status`,`lat`,`lng`
-                FROM `devices_perms`, `devices`
+                FROM `devices`
                LEFT JOIN `locations` ON `devices`.location_id=`locations`.`id`
                WHERE `disabled`=0 AND `ignore`=0 AND ((`lat` != '' AND `lng` != '') OR (`location` REGEXP '\[[0-9\.\, ]+\]'))
-                AND `devices`.`device_id` = `devices_perms`.`device_id`
+                AND `devices`.`device_id` IN " . dbGenPlaceholders(count($device_ids)) .
-                AND `devices_perms`.`user_id` = ? AND `status` IN " . dbGenPlaceholders(count($show_status)) .
+                " AND `status` IN " . dbGenPlaceholders(count($show_status)) .
                " ORDER BY `status` ASC, `hostname`";
-        $param = array_merge([Auth::id()], $show_status);
+        $param = array_merge($device_ids, $show_status);
    }
    foreach (dbFetchRows($sql, $param) as $map_devices) {
--- a/includes/html/list/devices.inc.php
+++ b/includes/html/list/devices.inc.php
@@ -28,9 +28,9 @@ $where = [];
 $params = [];
 if (!Auth::user()->hasGlobalRead()) {
-    $query .= ' LEFT JOIN `devices_perms` USING (`device_id`)';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $where = '`devices_perms`.`user_id`=?';
+    $where[] = " `devices`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $params[] = Auth::id();
+    $params = array_merge($params, $device_ids);
 }
 if (!empty($_REQUEST['search'])) {
--- a/includes/html/pages/edituser.inc.php
+++ b/includes/html/pages/edituser.inc.php
@@ -1,5 +1,6 @@
 <?php
 use App\Models\DeviceGroup;
 use App\Models\User;
 $no_refresh = true;
@@ -32,6 +33,14 @@ if (! Auth::user()->hasGlobalAdmin()) {
            }
        }
        if ($vars['action'] == 'deldevgroupperm') {
            $user->deviceGroups()->detach($vars['device_group_id']);
        }
        if ($vars['action'] == 'adddevgroupperm') {
            $user->deviceGroups()->syncWithoutDetaching($vars['device_group_id']);
        }
        if ($vars['action'] == 'delifperm') {
            if (dbFetchCell('SELECT COUNT(*) FROM ports_perms WHERE `port_id` = ? AND `user_id` = ?', array($vars['port_id'], $user_data['user_id']))) {
                dbDelete('ports_perms', '`port_id` =  ? AND `user_id` = ?', array($vars['port_id'], $user_data['user_id']));
@@ -112,7 +121,65 @@ if (! Auth::user()->hasGlobalAdmin()) {
           </div>
           <button type='submit' class='btn btn-default' name='Submit'>Add</button></form>";
-        echo "</div>
+        echo '</div>
           <div class="col-md-4">';
        // Display devices this users has access to
        echo '<h3>Device access via Device Group (beta)</h3>';
        echo "<div class='panel panel-default panel-condensed'>
            <table class='table table-hover table-condensed table-striped'>
              <tr>
                <th>Device Group</th>
                <th>Action</th>
              </tr>";
        foreach ($user->deviceGroups as $device_group_perm) {
            echo '<tr><td><strong>'.$device_group_perm->name."</td><td> <a href='edituser/action=deldevgroupperm/user_id=".$user->user_id.'/device_group_id='.$device_group_perm->id."'><i class='fa fa-trash fa-lg icon-theme' aria-hidden='true'></i></a></strong></td></tr>";
        }
        echo '</table>
          </div>';
        if ($user->deviceGroups->isEmpty()) {
            echo 'None Configured';
        }
        // Display device groups this user doesn't have access to
        echo '<h4>Grant access to new Device Group</h4>';
        $allow_dynamic = \LibreNMS\Config::get('permission.device_group.allow_dynamic');
        if (!$allow_dynamic) {
            echo "<i>Dynamic groups are disabled, set permission.device_group.allow_dynamic to enable.</i>";
        }
        echo "<form class='form-inline' role='form' method='post' action=''>
            " . csrf_field() . "
            <input type='hidden' value='".$user_data['user_id']."' name='user_id'>
            <input type='hidden' value='edituser' name='page'>
            <input type='hidden' value='adddevgroupperm' name='action'>
            <div class='form-group'>
              <label class='sr-only' for='device_group_id'>Device</label>
              <select name='device_group_id' id='device_group_id' class='form-control'>";
        $device_groups = DeviceGroup::query()
            ->whereNotIn('id', $user->deviceGroups->pluck('id'))
            ->when(!$allow_dynamic, function ($query) {
                return $query->where('type', 'static');
            })
            ->orderBy('name')
            ->get(['id', 'name']);
        foreach ($device_groups as $group) {
            echo '<option value="'.$group->id . '">' . $group->name . '</option>';
        }
        echo "</select>
           </div>
           <button type='submit' class='btn btn-default' name='Submit'>Add</button></form>";
        echo "</div></div>
        <div class='row'>
          <div class='col-md-4'>";
        echo '<h3>Interface Access</h3>';
@@ -143,7 +210,7 @@ if (! Auth::user()->hasGlobalAdmin()) {
            echo 'None Configured';
        }
-        // Display devices this user doesn't have access to
+        // Display interfaces this user doesn't have access to
        echo '<h4>Grant access to new interface</h4>';
        echo "<form action='' method='post' class='form-horizontal' role='form'>
--- a/includes/html/pages/fullscreenmap.inc.php
+++ b/includes/html/pages/fullscreenmap.inc.php
@@ -4,12 +4,12 @@
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
- * 
+ *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
 * GNU General Public License for more details.
- * 
+ *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>. */
 /**
@@ -32,7 +32,7 @@ $config['leaflet']['default_lat'] = 65.3258792;
 $config['leaflet']['default_lng'] = 14.1115485;
  Dag B <dag@bakke.com>
 */
- 
+
 $pagetitle[] = 'Geographical Map';
 if (\LibreNMS\Config::get('map.engine') == 'leaflet') {
@@ -55,7 +55,7 @@ if (\LibreNMS\Config::get('map.engine') == 'leaflet') {
             setStyle();
         };
    }, false);
-    
+
    function setStyle() {
        if(isFullscreen) {
            document.getElementsByClassName('navbar-fixed-top')[0].style.display = "none";
@@ -64,7 +64,7 @@ if (\LibreNMS\Config::get('map.engine') == 'leaflet') {
            document.getElementsByClassName('navbar-fixed-top')[0].style.removeProperty("display");
            document.getElementsByTagName('body')[0].style.paddingTop = "50px";
        };
-    }; 
+    };
    window.dispatchEvent(new Event('resize'));
 </script>
--- a/includes/html/pages/ports.inc.php
+++ b/includes/html/pages/ports.inc.php
@@ -13,6 +13,8 @@
 * @author     LibreNMS Contributors
 */
 use App\Models\Port;
 $pagetitle[] = "Ports";
 // Set Defaults here
@@ -162,14 +164,13 @@ if ((isset($vars['searchbar']) && $vars['searchbar'] != "hide") || !isset($vars[
    $output .= "<select name='ifSpeed' id='ifSpeed' class='form-control input-sm'>";
    $output .= "<option value=''>All Speeds</option>";
-    if (Auth::user()->hasGlobalRead()) {
+    $ifSpeed = Port::select('ifSpeed')
-        $sql = "SELECT `ifSpeed` FROM `ports` GROUP BY `ifSpeed` ORDER BY `ifSpeed`";
+        ->hasAccess(Auth::user())
-    } else {
+        ->groupBy('ifSpeed')
-        $sql = "SELECT `ifSpeed` FROM `ports` AS `I`, `devices` AS `D`, `devices_perms` AS `P`, `ports_perms` AS `PP` WHERE ((`P`.`user_id` = ? AND `P`.`device_id` = `D`.`device_id`) OR (`PP`.`user_id` = ? AND `PP`.`port_id` = `I`.`port_id` AND `I`.`device_id` = `D`.`device_id`)) AND `D`.`device_id` = `I`.`device_id` GROUP BY `ifSpeed` ORDER BY `ifSpeed`";
+        ->orderBy('ifSpeed')
-        $param[] = array(Auth::id(), Auth::id());
+        ->get();
    }
-    foreach (dbFetchRows($sql, $param) as $data) {
+    foreach ($ifSpeed as $data) {
        if ($data['ifSpeed']) {
            if ($data['ifSpeed'] == $vars['ifSpeed']) {
                $speedselected = "selected";
@@ -186,14 +187,13 @@ if ((isset($vars['searchbar']) && $vars['searchbar'] != "hide") || !isset($vars[
    $output .= "<select name='ifType' id='ifType' class='form-control input-sm'>";
    $output .= "<option value=''>All Media</option>";
-    if (Auth::user()->hasGlobalRead()) {
+    $ifType = Port::select('ifType')
-        $sql = "SELECT `ifType` FROM `ports` GROUP BY `ifType` ORDER BY `ifType`";
+        ->hasAccess(Auth::user())
-    } else {
+        ->groupBy('ifType')
-        $sql = "SELECT `ifType` FROM `ports` AS `I`, `devices` AS `D`, `devices_perms` AS `P`, `ports_perms` AS `PP` WHERE ((`P`.`user_id` = ? AND `P`.`device_id` = `D`.`device_id`) OR (`PP`.`user_id` = ? AND `PP`.`port_id` = `I`.`port_id` AND `I`.`device_id` = `D`.`device_id`)) AND `D`.`device_id` = `I`.`device_id` GROUP BY `ifType` ORDER BY `ifType`";
+        ->orderBy('ifType')
-        $param[] = array(Auth::id(), Auth::id());
+        ->get();
    }
-    foreach (dbFetchRows($sql, $param) as $data) {
+    foreach ($ifType as $data) {
        if ($data['ifType']) {
            if ($data['ifType'] == $vars['ifType']) {
                $dataselected = "selected";
@@ -214,9 +214,13 @@ if ((isset($vars['searchbar']) && $vars['searchbar'] != "hide") || !isset($vars[
        $sql = "SELECT `port_descr_type` FROM `ports` AS `I`, `devices` AS `D`, `devices_perms` AS `P`, `ports_perms` AS `PP` WHERE ((`P`.`user_id` = ? AND `P`.`device_id` = `D`.`device_id`) OR (`PP`.`user_id` = ? AND `PP`.`port_id` = `I`.`port_id` AND `I`.`device_id` = `D`.`device_id`)) AND `D`.`device_id` = `I`.`device_id` GROUP BY `port_descr_type` ORDER BY `port_descr_type`";
        $param[] = array(Auth::id(), Auth::id());
    }
-    $ports = dbFetchRows($sql, $param);
+    $port_descr_type = Port::select('port_descr_type')
        ->hasAccess(Auth::user())
        ->groupBy('port_descr_type')
        ->orderBy('port_descr_type')
        ->get();
-    foreach ($ports as $data) {
+    foreach ($port_descr_type as $data) {
        if ($data['port_descr_type']) {
            if ($data['port_descr_type'] == $vars['port_descr_type']) {
                $portdescrib = "selected";
--- a/includes/html/pages/search/arp.inc.php
+++ b/includes/html/pages/search/arp.inc.php
@@ -33,11 +33,12 @@ var grid = $("#arp-search").bootgrid({
            // Select the devices only with ARP tables
 $sql = 'SELECT D.device_id AS device_id, `hostname`, `D`.`sysName` AS `sysName` FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D';
 $param = array();
 if (!Auth::user()->hasGlobalRead()) {
-    $sql    .= ' LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $where  .= ' AND `DP`.`user_id`=?';
+    $where .= " AND `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $param = array_merge($param, $device_ids);
 }
 $sql .= " WHERE M.port_id = P.port_id AND P.device_id = D.device_id $where GROUP BY `D`.`device_id`, `D`.`hostname`, `D`.`sysName` ORDER BY `hostname`";
--- a/includes/html/pages/search/fdb.inc.php
+++ b/includes/html/pages/search/fdb.inc.php
@@ -36,12 +36,12 @@ var grid = $("#fdb-search").bootgrid({
 // Select the devices only with FDB tables
 $sql = 'SELECT D.device_id AS device_id, `hostname` FROM `ports_fdb` AS F, `ports` AS P, `devices` AS D';
 $param = array();
 if (!Auth::user()->hasGlobalRead()) {
-    $sql    .= ' LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $where  .= ' AND `DP`.`user_id`=?';
+    $where .= " AND `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $param = array_merge($param, $device_ids);
 }
 $sql .= " WHERE F.port_id = P.port_id AND P.device_id = D.device_id $where GROUP BY `D`.`device_id`, `D`.`hostname` ORDER BY `hostname`";
--- a/includes/html/pages/search/ipv4.inc.php
+++ b/includes/html/pages/search/ipv4.inc.php
@@ -30,11 +30,12 @@ var grid = $("#ipv4-search").bootgrid({
 <?php
 $sql = 'SELECT `devices`.`device_id`,`hostname`,`sysName` FROM `devices`';
 $param = [];
 if (!Auth::user()->hasGlobalRead()) {
-    $sql    .= ' LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $where  .= ' WHERE `DP`.`user_id`=?';
+    $where .= " WHERE `devices`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $param = array_merge($param, $device_ids);
 }
 $sql .= " $where ORDER BY `hostname`";
--- a/includes/html/pages/search/ipv6.inc.php
+++ b/includes/html/pages/search/ipv6.inc.php
@@ -29,11 +29,12 @@ var grid = $("#ipv6-search").bootgrid({
 <?php
 $sql = 'SELECT `devices`.`device_id`,`hostname`, `sysName` FROM `devices`';
 $param = [];
 if (!Auth::user()->hasGlobalRead()) {
-    $sql    .= ' LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $where  .= ' WHERE `DP`.`user_id`=?';
+    $where .= " WHERE `devices`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $param = array_merge($param, $device_ids);
 }
 $sql .= " $where ORDER BY `hostname`";
--- a/includes/html/pages/search/mac.inc.php
+++ b/includes/html/pages/search/mac.inc.php
@@ -30,11 +30,12 @@ var grid = $("#mac-search").bootgrid({
 <?php
 $sql = 'SELECT `devices`.`device_id`,`hostname`, `sysName` FROM `devices`';
 $param = [];
 if (!Auth::user()->hasGlobalRead()) {
-    $sql    .= ' LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $where  .= ' WHERE `DP`.`user_id`=?';
+    $where .= " WHERE `devices`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $param = array_merge($param, $device_ids);
 }
 $sql .= " $where ORDER BY `hostname`";
--- a/includes/html/pages/search/packages.inc.php
+++ b/includes/html/pages/search/packages.inc.php
@@ -77,9 +77,9 @@ $query = 'SELECT packages.name FROM packages,devices ';
 $param = array();
 if (!Auth::user()->hasGlobalRead()) {
-    $query .= " LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`";
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $sql_where .= " AND `DP`.`user_id`=?";
+    $where .= " AND `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $param = array_merge($param, $device_ids);
 }
 $query .= " WHERE packages.device_id = devices.device_id AND packages.name LIKE '%".mres($_POST['package'])."%' $sql_where GROUP BY packages.name";
--- a/includes/html/pages/services.inc.php
+++ b/includes/html/pages/services.inc.php
@@ -120,14 +120,16 @@ require_once 'includes/html/modal/delete_service.inc.php';
                    $sql_param[] = $state;
                }
-                if (Auth::user()->hasGlobalRead()) {
+                $host_par = array();
-                    $host_sql = 'SELECT `D`.`device_id`,`D`.`hostname`,`D`.`sysName` FROM devices AS D, services AS S WHERE D.device_id = S.device_id GROUP BY `D`.`hostname`, `D`.`device_id`, `D`.`sysName` ORDER BY D.hostname';
+                $perms_sql = null;
-                    $host_par = array();
+                if (!Auth::user()->hasGlobalRead()) {
-                } else {
+                    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-                    $host_sql = 'SELECT `D`.`device_id`,`D`.`hostname`,`D`.`sysName` FROM devices AS D, services AS S, devices_perms AS P WHERE D.device_id = S.device_id AND D.device_id = P.device_id AND P.user_id = ? GROUP BY `D`.`hostname`, `D`.`device_id`, `D`.`sysName` ORDER BY D.hostname';
+                    $perms_sql .= " AND `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-                    $host_par = array(Auth::id());
+                    $host_par = $device_ids;
                }
                $host_sql = 'SELECT `D`.`device_id`,`D`.`hostname`,`D`.`sysName` FROM devices AS D, services AS S WHERE D.device_id = S.device_id ' . $perms_sql . ' GROUP BY `D`.`hostname`, `D`.`device_id`, `D`.`sysName` ORDER BY D.hostname';
                $shift = 1;
                foreach (dbFetchRows($host_sql, $host_par) as $device) {
                    $device_id = $device['device_id'];
--- a/includes/html/print-graph-alerts.inc.php
+++ b/includes/html/print-graph-alerts.inc.php
@@ -18,7 +18,7 @@
 */
 $pagetitle[] = "Alert Stats";
-
+$param = [];
 $sql = "";
 if (isset($device['device_id']) && $device['device_id'] > 0) {
    $sql = " AND alert_log.device_id=?";
@@ -27,13 +27,13 @@ if (isset($device['device_id']) && $device['device_id'] > 0) {
    );
 }
-if (Auth::user()->hasGlobalRead()) {
+if (!Auth::user()->hasGlobalRead()) {
-    $query = "SELECT DATE_FORMAT(time_logged, '" . \LibreNMS\Config::get('alert_graph_date_format') . "') Date, COUNT(alert_log.rule_id) totalCount, alert_rules.severity Severity FROM alert_log,alert_rules WHERE alert_log.rule_id=alert_rules.id AND `alert_log`.`state` != 0 $sql GROUP BY DATE_FORMAT(time_logged, '" . \LibreNMS\Config::get('alert_graph_date_format') . "'),alert_rules.severity";
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
    $sql .= " AND `alert_log`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
    $param = array_merge($param, $device_ids);
 }
-if (!Auth::user()->hasGlobalRead()) {
+$query = "SELECT DATE_FORMAT(time_logged, '" . \LibreNMS\Config::get('alert_graph_date_format') . "') Date, COUNT(alert_log.rule_id) totalCount, alert_rules.severity Severity FROM alert_log,alert_rules WHERE alert_log.rule_id=alert_rules.id AND `alert_log`.`state` != 0 $sql GROUP BY DATE_FORMAT(time_logged, '" . \LibreNMS\Config::get('alert_graph_date_format') . "'),alert_rules.severity";
    $query = "SELECT DATE_FORMAT(time_logged, '" . \LibreNMS\Config::get('alert_graph_date_format') . "') Date, COUNT(alert_log.device_id) totalCount, alert_rules.severity Severity FROM alert_log,alert_rules,devices_perms WHERE alert_log.rule_id=alert_rules.id AND `alert_log`.`state` != 0 $sql AND alert_log.device_id = devices_perms.device_id AND devices_perms.user_id = " . Auth::id() . " GROUP BY DATE_FORMAT(time_logged, '" . \LibreNMS\Config::get('alert_graph_date_format') . "'),alert_rules.severity";
 }
 ?>
 <br>
--- a/includes/html/print-map.inc.php
+++ b/includes/html/print-map.inc.php
@@ -28,9 +28,10 @@ if (!empty($device['hostname'])) {
 }
 if (!Auth::user()->hasGlobalRead()) {
-    $join_sql    .= ' LEFT JOIN `devices_perms` AS `DP` ON `D1`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $sql  .= ' AND `DP`.`user_id`=?';
+    $sql .= " AND `D1`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $sql_array[] = Auth::id();
+    $sql .= " AND `D2`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
    $sql_array = array_merge($sql_array, $device_ids, $device_ids);
 }
 $devices_by_id = array();
--- a/includes/html/table/address-search.inc.php
+++ b/includes/html/table/address-search.inc.php
@@ -5,15 +5,14 @@ use LibreNMS\Util\IP;
 $param = array();
 if (!Auth::user()->hasGlobalRead()) {
-    $perms_sql .= ' LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $where     .= ' AND `DP`.`user_id`=?';
+    $where .= " AND `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[]    = array(Auth::id());
+    $param = array_merge($param, $device_ids);
 }
 list($address,$prefix) = explode('/', $vars['address']);
 if ($vars['search_type'] == 'ipv4') {
    $sql  = ' FROM `ipv4_addresses` AS A, `ports` AS I, `ipv4_networks` AS N, `devices` AS D';
    $sql .= $perms_sql;
    $sql .= " WHERE I.port_id = A.port_id AND I.device_id = D.device_id AND N.ipv4_network_id = A.ipv4_network_id $where ";
    if (!empty($address)) {
        $sql .= " AND ipv4_address LIKE '%".$address."%'";
@@ -25,7 +24,6 @@ if ($vars['search_type'] == 'ipv4') {
    }
 } elseif ($vars['search_type'] == 'ipv6') {
    $sql  = ' FROM `ipv6_addresses` AS A, `ports` AS I, `ipv6_networks` AS N, `devices` AS D';
    $sql .= $perms_sql;
    $sql .= " WHERE I.port_id = A.port_id AND I.device_id = D.device_id AND N.ipv6_network_id = A.ipv6_network_id $where ";
    if (!empty($address)) {
        $sql .= " AND (ipv6_address LIKE '%".$address."%' OR ipv6_compressed LIKE '%".$address."%')";
@@ -36,7 +34,6 @@ if ($vars['search_type'] == 'ipv4') {
    }
 } elseif ($vars['search_type'] == 'mac') {
    $sql  = ' FROM `ports` AS I, `devices` AS D';
    $sql .= $perms_sql;
    $sql .= " WHERE I.device_id = D.device_id AND `ifPhysAddress` LIKE '%".str_replace(array(':', ' ', '-', '.', '0x'), '', mres($vars['address']))."%' $where ";
 }//end if
 if (is_numeric($vars['device_id'])) {
--- a/includes/html/table/alertlog.inc.php
+++ b/includes/html/table/alertlog.inc.php
@@ -29,11 +29,10 @@ if (isset($vars['min_severity'])) {
    $where .=  get_sql_filter_min_severity($vars['min_severity'], "R");
 }
-if (Auth::user()->hasGlobalRead()) {
+if (!Auth::user()->hasGlobalRead()) {
-    $sql = " FROM `alert_log` AS E LEFT JOIN devices AS D ON E.device_id=D.device_id RIGHT JOIN alert_rules AS R ON E.rule_id=R.id WHERE $where";
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-} else {
+    $where .= " AND `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $sql = " FROM `alert_log` AS E LEFT JOIN devices AS D ON E.device_id=D.device_id RIGHT JOIN alert_rules AS R ON E.rule_id=R.id RIGHT JOIN devices_perms AS P ON E.device_id = P.device_id WHERE $where AND P.user_id = ?";
+    $param = array_merge($param, $device_ids);
    $param[] = array(Auth::id());
 }
 if (isset($searchPhrase) && !empty($searchPhrase)) {
--- a/includes/html/table/alerts.inc.php
+++ b/includes/html/table/alerts.inc.php
@@ -14,7 +14,7 @@
 */
 $where = ' `devices`.`disabled` = 0';
-
+$param = [];
 $alert_states = array(
    // divined from librenms/alerts.php
    'recovered' => 0,
@@ -66,9 +66,9 @@ if (isset($searchPhrase) && !empty($searchPhrase)) {
 $sql = ' FROM `alerts` LEFT JOIN `devices` ON `alerts`.`device_id`=`devices`.`device_id`';
 if (!Auth::user()->hasGlobalRead()) {
-    $sql .= ' LEFT JOIN `devices_perms` AS `DP` ON `devices`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $where .= ' AND `DP`.`user_id`=?';
+    $where .= " AND `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $param = array_merge($param, $device_ids);
 }
 $sql .= " LEFT JOIN `locations` ON `devices`.`location_id` = `locations`.`id`";
--- a/includes/html/table/arp-search.inc.php
+++ b/includes/html/table/arp-search.inc.php
@@ -5,9 +5,9 @@ $param = array();
 $sql .= ' FROM `ipv4_mac` AS M, `ports` AS P, `devices` AS D ';
 if (!Auth::user()->hasGlobalRead()) {
-    $sql    .= ' LEFT JOIN `devices_perms` AS `DP` ON `D`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $where  .= ' AND `DP`.`user_id`=?';
+    $where .= " AND `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $param = array_merge($param, $device_ids);
 }
 $sql .= " WHERE M.port_id = P.port_id AND P.device_id = D.device_id $where ";
--- a/includes/html/table/inventory.inc.php
+++ b/includes/html/table/inventory.inc.php
@@ -3,15 +3,14 @@
 $where = '1';
 $param = array();
-
+if (!Auth::user()->hasGlobalRead()) {
-
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-if (Auth::user()->hasGlobalRead()) {
+    $where .= " AND `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $sql = " FROM entPhysical AS E, devices AS D WHERE $where AND D.device_id = E.device_id";
+    $param = array_merge($param, $device_ids);
 } else {
    $sql     = " FROM entPhysical AS E, devices AS D, devices_perms AS P WHERE $where AND D.device_id = E.device_id AND P.device_id = D.device_id AND P.user_id = ?";
    $param[] = Auth::id();
 }
 $sql = " FROM entPhysical AS E, devices AS D WHERE $where AND D.device_id = E.device_id";
 if (isset($searchPhrase) && !empty($searchPhrase)) {
    $sql .= " AND (`D`.`hostname` LIKE '%$searchPhrase%' OR `E`.`entPhysicalDescr` LIKE '%$searchPhrase%' OR `E`.`entPhysicalModelName` LIKE '%$searchPhrase%' OR `E`.`entPhysicalSerialNum` LIKE '%$searchPhrase%')";
 }
--- a/includes/html/table/mempool.inc.php
+++ b/includes/html/table/mempool.inc.php
@@ -18,10 +18,12 @@
 $graph_type = 'mempool_usage';
 $where      = 1;
 $sql        = ' FROM `mempools` AS `M` LEFT JOIN `devices` AS `D` ON `M`.`device_id` = `D`.`device_id`';
 $param      = [];
 if (!Auth::user()->hasGlobalRead()) {
-    $sql    .= ' LEFT JOIN `devices_perms` AS `DP` ON `M`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $where  .= ' AND `DP`.`user_id`=?';
+    $where .= " AND `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $param = array_merge($param, $device_ids);
 }
 $sql .= " WHERE $where";
--- a/includes/html/table/ports.inc.php
+++ b/includes/html/table/ports.inc.php
@@ -28,12 +28,12 @@ $param = array();
 $sql = 'FROM `ports`';
 if (!Auth::user()->hasGlobalRead()) {
-    $sql .= ' LEFT JOIN `devices_perms` AS `DP` ON `ports`.`device_id` = `DP`.`device_id`';
+    $port_ids = Permissions::portsForUser()->toArray() ?: [0];
-    $sql .= ' LEFT JOIN `ports_perms` AS `PP` ON `ports`.`port_id` = `PP`.`port_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-
+    $where .= " AND (`ports`.`port_id` IN " . dbGenPlaceholders(count($port_ids));
-    $where .= ' AND (`DP`.`user_id`=? OR `PP`.`user_id`=?)';
+    $where .= " OR `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $where .= ")";
-    $param[] = Auth::id();
+    $param = array_merge($param, $port_ids, $device_ids);
 }
 $sql .= ' LEFT JOIN `devices` AS `D` ON `ports`.`device_id` = `D`.`device_id`';
--- a/includes/html/table/processor.inc.php
+++ b/includes/html/table/processor.inc.php
@@ -18,10 +18,12 @@
 $graph_type = 'processor_usage';
 $where      = 1;
 $sql        = ' FROM `processors` AS `P` LEFT JOIN `devices` AS `D` ON `P`.`device_id` = `D`.`device_id`';
 $param      = [];
 if (!Auth::user()->hasGlobalRead()) {
-    $sql    .= ' LEFT JOIN `devices_perms` AS `DP` ON `P`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [false];
-    $where  .= ' AND `DP`.`user_id`=?';
+    $where .= " AND `P`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $param = array_merge($param, $device_ids);
 }
 $sql .= " WHERE $where";
--- a/includes/html/table/sensors-common.php
+++ b/includes/html/table/sensors-common.php
@@ -23,16 +23,13 @@ $class      = mres($vars['class']);
 $sql = " FROM `$table` AS S, `devices` AS D";
 if (!Auth::user()->hasGlobalRead()) {
    $sql .= ', devices_perms as P';
 }
 $sql .= " WHERE S.sensor_class=? AND S.device_id = D.device_id ";
 $param[] = mres($vars['class']);
 if (!Auth::user()->hasGlobalRead()) {
-    $sql .= " AND D.device_id = P.device_id AND P.user_id = ?";
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $param[] = Auth::id();
+    $sql .= " AND `D`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
    $param = array_merge($param, $device_ids);
 }
 if (isset($searchPhrase) && !empty($searchPhrase)) {
--- a/includes/html/table/storage.inc.php
+++ b/includes/html/table/storage.inc.php
@@ -18,13 +18,14 @@
 $graph_type = 'storage_usage';
 $where = 1;
 $param = [];
 $sql = ' FROM `storage` AS `S` LEFT JOIN `devices` AS `D` ON `S`.`device_id` = `D`.`device_id`';
 if (!Auth::user()->hasGlobalRead()) {
-    $sql    .= ' LEFT JOIN `devices_perms` AS `DP` ON `S`.`device_id` = `DP`.`device_id`';
+    $device_ids = Permissions::devicesForUser()->toArray() ?: [0];
-    $where  .= ' AND `DP`.`user_id`=?';
+    $where .= " AND `S`.`device_id` IN " .dbGenPlaceholders(count($device_ids));
-    $param[] = Auth::id();
+    $param = array_merge($param, $device_ids);
 }
 $sql .= " WHERE $where";
--- a/misc/config_definitions.json
+++ b/misc/config_definitions.json
@@ -3610,6 +3610,13 @@
            "order": 6,
            "type": "integer"
        },
        "permission.device_group.allow_dynamic": {
            "default": false,
            "group": "authorization",
            "order": 1,
            "section": "device-group",
            "type": "boolean"
        },
        "ping": {
            "default": "/bin/ping",
            "group": "external",
--- a/misc/db_schema.yaml
+++ b/misc/db_schema.yaml
@@ -515,6 +515,14 @@ devices_attribs:
  Indexes:
    PRIMARY: { Name: PRIMARY, Columns: [attrib_id], Unique: true, Type: BTREE }
    device_id: { Name: device_id, Columns: [device_id], Unique: false, Type: BTREE }
 devices_group_perms:
  Columns:
    - { Field: user_id, Type: 'int(10) unsigned', 'Null': false, Extra: '' }
    - { Field: device_group_id, Type: 'int(10) unsigned', 'Null': false, Extra: '' }
  Indexes:
    PRIMARY: { Name: PRIMARY, Columns: [device_group_id, user_id], Unique: true, Type: BTREE }
    devices_group_perms_device_group_id_index: { Name: devices_group_perms_device_group_id_index, Columns: [device_group_id], Unique: false, Type: BTREE }
    devices_group_perms_user_id_index: { Name: devices_group_perms_user_id_index, Columns: [user_id], Unique: false, Type: BTREE }
 devices_perms:
  Columns:
    - { Field: user_id, Type: 'int(10) unsigned', 'Null': false, Extra: '' }
--- a/resources/lang/en/settings.php
+++ b/resources/lang/en/settings.php
@@ -5,6 +5,7 @@ return [
    'groups' => [
        'alerting' => 'Alerting',
        'auth' => 'Authentication',
        'authorization' => 'Authorization',
        'external' => 'External',
        'global' => 'Global',
        'os' => 'OS',
@@ -23,6 +24,9 @@ return [
            'ad' => 'Active Directory Settings',
            'ldap' => 'LDAP Settings'
        ],
        'authorization' => [
            'device-group' => 'Device Group Settings'
        ],
        'discovery' => [
            'general' => 'General Discovery Settings',
            'route' => 'Routes Discovery Module',
@@ -592,6 +596,13 @@ return [
            'description' => 'Poller performance log entries older than (days)',
            'help' => 'Cleanup done by daily.sh'
        ],
        'permission' => [
            'device_group' => [
                'allow_dynamic' => [
                    'description' => 'Enable user access via dynamic Device Groups',
                ]
            ]
        ],
        'ping' => [
            'description' => 'Path to ping'
        ],