
Fix followups entities restriction

Status: Open. Opened by AdrienClairembault 1 year ago. 0 comments.

ITILFollowups do not have any entities restrictions in their addDefaultWhere method.

This means that any "listing" using the addDefaultWhere method may return data from inaccessible entities (for example: an API request on GET /ITIlFollowup).

I suspect this issue happens on all CommonDBChild and CommonDBRelation items. I am planning on fixing it for all timeline related items (in a separate PR) as they directly impact the unread messages plugin.

I do not plan to fix all the other types as it would require a lot more work and the need to maintain new itemtypes in the future, which is not acceptable. It would be better to fix this everywhere with some shared code, but it doesn't seem possible without a major rewrite of the addDefaultWhere and addDefaultJoin methods that can't be done on a minor version.

I can look into it for main if I get the green light.

| Q             | A   |
|---------------|-----|
| Bug fix?      | yes |
| New feature?  | no  |
| BC breaks?    | no  |
| Deprecations? | no  |
| Tests pass?   | yes |
| Fixed tickets |     |

AdrienClairembault, May 22 '24 13:05
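The data leak described in this PR, reduced to a constructed SQLite model as an added example (this is not GLPI code; the table and column names are assumptions modelled on GLPI's parent/child layout, where a followup carries no entities_id of its own and the restriction has to come from the parent ticket):

```python
import sqlite3

# Constructed schema, not GLPI's real one: followups are children of tickets and
# have no entities_id column, so a listing that only looks at the child table
# cannot apply an entity restriction at all.
SCHEMA = """
CREATE TABLE tickets (id INTEGER PRIMARY KEY, entities_id INTEGER NOT NULL, name TEXT);
CREATE TABLE followups (id INTEGER PRIMARY KEY, tickets_id INTEGER NOT NULL, content TEXT);
INSERT INTO tickets VALUES (1, 0, 'ticket in entity 0'), (2, 5, 'ticket in entity 5');
INSERT INTO followups VALUES (10, 1, 'visible'), (11, 2, 'must stay hidden'), (12, 1, 'also visible');
"""


def open_db():
    """Return an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_followups_unrestricted(conn):
    """Default listing with no entity criteria: the behaviour the PR reports.

    Every followup is returned, including those whose parent ticket lives in an
    entity the caller cannot access.
    """
    return [row[0] for row in conn.execute("SELECT id FROM followups ORDER BY id")]


def list_followups_restricted(conn, allowed_entities):
    """Listing with the restriction applied through the parent ticket.

    The child table is joined to its parent and filtered on the parent's
    entities_id; allowed_entities is bound as parameters, never interpolated.
    """
    allowed = list(allowed_entities)
    if not allowed:
        return []  # no accessible entity means no visible followups
    placeholders = ",".join("?" * len(allowed))
    sql = (
        "SELECT f.id FROM followups f "
        "JOIN tickets t ON t.id = f.tickets_id "
        f"WHERE t.entities_id IN ({placeholders}) "
        "ORDER BY f.id"
    )
    return [row[0] for row in conn.execute(sql, allowed)]
```

A caller whose profile only grants entity 0 gets followups 10 and 12 from the restricted listing, while the unrestricted one also hands back followup 11 from entity 5.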