
Drop ldap restriction

Open btry opened this issue 3 years ago • 3 comments

internal ref 22945 23259

btry avatar Nov 30 '21 10:11 btry

The changes were introduced by https://github.com/pluginsGLPI/formcreator/pull/1437. Is the discussion in this PR no longer valid? Wouldn't this change allow you to see an LDAP from another entity that you do not have access to?

AdrienClairembault avatar Dec 01 '21 07:12 AdrienClairembault

I see several problems with this implementation:

  • access to all LDAP when the user is in the root entity. The root entity does not grant more privileges than others.

  • LDAPs are not linked to an entity, then entity restriction is not applicable.

  • An entity may be linked to a LDAP to search for users, this type of relation should not be used to restrict the available directories when editing a question (see below).

image

To edit forms, the user needs to have UPDATE right on entities. This means that the user also has rights to change the LDAP associated to the current entity (and maybe others).

Maybe LDAP questions should be restricted to people able to edit general config of GLPI. See https://github.com/glpi-project/glpi/blob/9.5/bugfixes/front/authldap.form.php#L35

btry avatar Dec 01 '21 07:12 btry

LDAPs are not linked to an entity, then entity restriction is not applicable.

Ok, seems fine to DROP this restriction then.

It does feel bad not being able to filter LDAP on some criteria, but if nothing exists we can't do much.

AdrienClairembault avatar Dec 01 '21 14:12 AdrienClairembault