glpi
Public Saved search visible without entity restriction
Version
10.0.3
Bug description
On GLPI v10.0.3, public saved searches for tickets are not restricted by entity.
We have the following entities :
- CSSCV
- --- Ressources Matérielles
- --- Ressources Informatiques
If we create a public saved search inside "Ressources Matérielles" and another one inside "Ressources Informatiques", users inside one or the other entity can see all saved searches listed as public, even if they are located inside the other entity (to which they don't have access).

This only affects the view inside /front/ticket.php when we select the button to show saved searches:

They are correctly restricted when managing saved searches through /front/savedsearch.php
Also note that the list of saved searches on the /front/ticket.php page also lists more than one saved search with the default flag (I have 5 with the star) and only 1 is showing the star inside /front/savedsearch.php
Thanks
Relevant log output
no error
Page URL
/front/ticket.php
Steps To reproduce
- Create 2 sub-entities
- Assign one user to one sub-entity and a second one to the second entity
- Create a different public saved search in each sub-entity
- Log in with one user to one of the sub-entities
- See that both saved searches are displayed
Your GLPI setup information
No response
Anything else?
May need a different bug report (please advise) but the "saved search" button is not displayed inside object lists of GenericObject plugins. Not sure if it's a bug with GLPI or the plugin itself...

/marketplace/genericobject/front/object.php?itemtype=Myobject
Several fixes have been done since 10.0.3 release on that part, please test if you reproduce with latest nightly build.
I will try with all the fixes this afternoon but I already applied those 2 and the problem was still present :
https://github.com/glpi-project/glpi/commit/9727416518a7e80a96476b09823c599397d159ff
https://github.com/glpi-project/glpi/commit/1d21b3f8c1e5b05c77952f5edbc19dacbf3ac292
Thanks Francois
From: Johan Cwiklinski. Sent: Monday, October 3, 2022 11:14:36 AM. Subject: Re: [glpi-project/glpi] Public Saved search visible without entity restriction (Issue #12857)
> Several fixes have been done since 10.0.3 release on that part, please test if you reproduce with latest nightly build.
Problem is still present in nightly : https://nightly.glpi-project.org/glpi/main-0158630.tar.gz
Probably need to add an entity restriction in this function : https://github.com/glpi-project/glpi/blob/5ec7ba9498d9b9efffe74d126af400e76338d6aa/src/SavedSearch.php#L1318
I can confirm the quirk is still present in "10.1.0-dev-git-main-bf8b4786e1" . User Profiles with given permission "See public saved searches" see all public saved-searches, regardless of the user entity or search entity. They cannot access the search though, ("You do not have permission ...") so in that regard it's working as intended.
I think the "Need feedback" should be removed. This issue is still present in v10.0.5
I can confirm that I have reproduced this issue in two separate instances of glpi.
I even consider this a security issue as the name of saved searches can be quite revealing. In our case, we do not want one client to know the name of other clients.
Let us know if we can be of help in further isolating or testing this issue.
Thanks.
Hi,
It should be fixed by #13854.
Tested working great. Thanks
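
The behaviour reported in this thread, modelled as an added example (not GLPI code and not part of the original issue): a listing query that filters only on the public flag, next to the same listing with an entity restriction. The table and column names, the sample rows, and the visibility rule (same entity, or a recursive search in an ancestor entity) are assumptions made for illustration.

```python
import sqlite3

# Constructed entity tree from the report: 0 = CSSCV (root),
# 1 = Ressources Matérielles, 2 = Ressources Informatiques.
PARENT = {0: None, 1: 0, 2: 0}

def ancestors(entity_id):
    """Ids of every ancestor of entity_id, nearest first."""
    out = []
    while PARENT[entity_id] is not None:
        entity_id = PARENT[entity_id]
        out.append(entity_id)
    return out

def make_db():
    """In-memory table with constructed saved searches (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE savedsearches (id INTEGER PRIMARY KEY, name TEXT,"
               " is_private INTEGER, entities_id INTEGER, is_recursive INTEGER)")
    db.executemany("INSERT INTO savedsearches VALUES (?,?,?,?,?)", [
        (1, "Open tickets - Materielles", 0, 1, 0),
        (2, "Open tickets - Informatiques", 0, 2, 0),
        (3, "All open tickets", 0, 0, 1),   # root entity, recursive
        (4, "Root only", 0, 0, 0),          # root entity, not recursive
    ])
    return db

def list_public_unrestricted(db):
    """Reported behaviour: the list filters on the public flag only."""
    rows = db.execute("SELECT name FROM savedsearches "
                      "WHERE is_private = 0 ORDER BY id")
    return [r[0] for r in rows]

def list_public_restricted(db, user_entity):
    """Same list, limited to the user's entity plus recursive ancestors."""
    anc = ancestors(user_entity)
    # Only '?' placeholders are interpolated; values stay bound parameters.
    marks = ",".join("?" * len(anc)) or "NULL"
    sql = ("SELECT name FROM savedsearches WHERE is_private = 0 AND "
           "(entities_id = ? OR (is_recursive = 1 AND "
           f"entities_id IN ({marks}))) ORDER BY id")
    return [r[0] for r in db.execute(sql, [user_entity, *anc])]

def leaked_names(db, user_entity):
    """Names the unrestricted list discloses beyond the restricted one."""
    allowed = set(list_public_restricted(db, user_entity))
    return [n for n in list_public_unrestricted(db) if n not in allowed]
```

Running `leaked_names` for each entity against a copy of real data is one way to check whether a listing still discloses saved search names across entities after an upgrade.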