
[GLPI v10.0.0] [FC 2.13.0-b1] Unpublished FAQs are visible

Open jcovillers78114 opened this issue 2 years ago • 8 comments

I have just created a FAQ to which I have not assigned a target. The FAQ remains in "unpublished" mode and should not be visible.

2022-04-29 09_27_35-Base de connaissances - GLPI

However, in the simplified interface the user can see the FAQ but cannot display its content. I think this is related to the issue I mentioned earlier.

2022-04-29 09_28_01-Catalogue de service - GLPI

jcovillers78114 avatar Apr 29 '22 07:04 jcovillers78114

Hi

If you enabled the "is FAQ" flag then the item shows, even when there is no target. This is set in GLPI core.

See glpi/srcKnowbaseItem.php line 1404

I think there is no bug here, as a FAQ item is not subject to targets restriction.


btry avatar Apr 29 '22 10:04 btry

Sorry to insist, but with GLPI v9.5 and FC v2.11.2 I have created targeted FAQs for a specific group and, as you can see, a user who is not part of the group cannot see the FAQs even if "is FAQ" is activated.

2022-04-29 12_18_00-GLPI - Base de connaissances

2022-04-29 12_18_35-GLPI - Catalogue de service

2022-04-29 12_22_51-GLPI - Base de connaissances - 2

jcovillers78114 avatar Apr 29 '22 10:04 jcovillers78114

I will compare the code of formcreator 2.11 against the current code, and I'll do the same with GLPI.

Since 2.11, some SQL queries were isolated for better code factorisation and I expect that old inconsistencies may be fixed, causing changes like the one you reported.

Examining the code will help to determine if there is a regression or a bugfix.

btry avatar Apr 29 '22 10:04 btry

Hi

I compared Formcreator 2.11.2 and 2.13. There is no change in the way it searches the KB items. The plugin gets from GLPI Core a SQL query with its own parameters, and the access restrictions are set by GLPI itself, not the plugin.

Then there is maybe a difference in GLPI which causes this difference. Could you check if you reproduce this behaviour without the service catalog?

btry avatar May 04 '22 07:05 btry

Hi.

I tested with a user whose profile does not go through the service catalogue. The topics and publications are all visible to the user. If I click on a publication I get an error message saying I can't access it but I can still see the title of the article and the short description.

jcovillers78114 avatar May 10 '22 12:05 jcovillers78114

OK, then when building the list of KB items available, GLPI seems to "forget" to exclude items where no rights are granted, right?

btry avatar May 11 '22 06:05 btry

Same issue here. Knowledge item (KI):

  • with 'Put this item in the FAQ' marked.
  • target entity outside hierarchical entity from user
  • Knowledge Category outside hierarchical entity from user

Results from user outside hierarchical entity of the KI:

  • user in simplified interface can list and search KI, but when they try to read it an error message is shown: "You don't have permission to perform this action. "
  • user in technician view can list and search KI, but when they try to read it an error message is shown: "You don't have permission to perform this action. "

GLPI 10.0.2 and FC 2.13.0-rc.1

marcellmanfrin avatar Jul 13 '22 17:07 marcellmanfrin

Hi

I identified that the problem has to be solved in GLPI. It requires some work because the fix does not maintain consistency with the targets (entity, group, profile, user) of a FAQ, introducing some exception. I must delay this issue and focus on the release of the plugin for now.

btry avatar Jul 13 '22 17:07 btry
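
The mismatch reported in this thread (items appear in the list and in search, but opening them is refused) can be caught by a regression check that compares the listing filter with the read check. The following is an added example, not code from GLPI or Formcreator: a simplified Python model in which every name, rule and sample record is a constructed assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KbItem:
    id: int
    title: str
    is_faq: bool
    target_entities: frozenset = frozenset()  # empty set = no target assigned


def can_read(user_entities, item):
    """Read check (assumed model): the user must be in a target entity."""
    return bool(item.target_entities & user_entities)


def list_items_reported(user_entities, items):
    """Listing as reported in the thread: the FAQ flag alone lists an item."""
    return [i for i in items if i.is_faq or can_read(user_entities, i)]


def list_items_consistent(user_entities, items):
    """Hypothetical listing that uses the read check as its only filter."""
    return [i for i in items if can_read(user_entities, i)]


def listed_but_unreadable(list_fn, user_entities, items):
    """Regression check: ids whose title the listing exposes although the
    read check would refuse the same user."""
    return [i.id for i in list_fn(user_entities, items)
            if not can_read(user_entities, i)]


# Constructed sample data, not taken from a real GLPI instance.
ITEMS = [
    KbItem(1, "VPN setup", True, frozenset({"HQ"})),
    KbItem(2, "Unpublished draft", True),               # FAQ flag, no target
    KbItem(3, "Payroll FAQ", True, frozenset({"HR"})),  # target outside user's entity
    KbItem(4, "Internal runbook", False, frozenset({"HQ"})),
]
USER_ENTITIES = frozenset({"HQ"})

if __name__ == "__main__":
    for name, fn in (("reported", list_items_reported),
                     ("consistent", list_items_consistent)):
        leaked = listed_but_unreadable(fn, USER_ENTITIES, ITEMS)
        print(f"{name}: listed but unreadable ids = {leaked}")
```

A check of this shape belongs in the test suite of whichever component builds the list query, so that a change to the listing criteria cannot drift away from the read permission unnoticed.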