glpi icon indicating copy to clipboard operation
glpi copied to clipboard
verified publisher icon glpi-project

Fix(Core): Take care of item recursivity to load Dropdown values

Open stonebuzz opened this issue 1 year ago • 0 comments

Since the release of version 10.0.15 with the following security fix :

https://github.com/glpi-project/glpi/commit/d02c537d23cbb729fe18b87f71b3c6e84e9892da

A user in a sub-entity who views an asset in the root entity (recurisf) can no longer load dropdowns.

image

When creating the dropdown, the entity_restrict option does not take into account the notion of recursiveness

an empty array is sent

image

I should see the values visible in the asset entity AND in my current entity (sub-entity)

I think the problem comes from the Session::getMatchingActiveEntities function, which filters theactive entities ($_SESSION) with the desired entity (1 in_array [] => false) (without taking into account the recusivity of the asset).

By adding entity_sons option, GLPI also retrieves the asset's sub-entities, which are then filtered to match the current user's active entities (1 in_array [1] => yes)

image

This PR deserves special attention because of the complexity of the filtering by entity, because I am not aware of the scope of this change and the criticality involved.

in other words, I don't really know what I'm doing.

Q A
Bug fix? yes
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets #32875

stonebuzz avatar May 07 '24 09:05 stonebuzz