glpi-project / glpi-inventory-plugin

GLPI Inventory plugin
GNU Affero General Public License v3.0

API REST "ERROR_GLPI_ADD" "You do not have the required rights to perform this action." #442

Closed HugzWaaa closed 8 months ago

HugzWaaa commented 12 months ago

Describe the bug

I'm trying to create dynamic groups on GLPI 10.0.8 thanks to the REST API, I managed to create a Dynamic group via API but now I'm trying to modify the criteria of a group using the API, so I did a GET on the URL of the criteria for dynamic groups to see what I need to modify so that the criteria fits my needs, so far no problem, the problem occurs when I try to make a POST to modify the criteria of a dynamic group, the GLPI returns the error "ERROR_GLPI_ADD" "You do not have the required rights to perform this action." So I went to see what rights the user I'm using with the API has and I replaced the current authorization with "super-admin" and gave ALL rights to the "super-admin" authorization to make sure that GLPI no longer sends me back "You do not have the required rights to perform this action." But the error persists, I've logged in with the account I use for the API to add a criterion manually from the GLPI interface and I haven't encountered any error, what can I do to fix this problem?

For all: image

To reproduce

I'm trying to create dynamic groups on GLPI 10.0.8 thanks to the REST API, I managed to create a Dynamic group via API but now I'm trying to modify the criteria of a group using the API, so I did a GET on the URL of the criteria for dynamic groups to see what I need to modify so that the criteria fits my needs, so far no problem, the problem occurs when I try to make a POST to modify the criteria of a dynamic group, the GLPI returns the error "ERROR_GLPI_ADD" "You do not have the required rights to perform this action." So I went to see what rights the user I'm using with the API has and I replaced the current authorization with "super-admin" and gave ALL rights to the "super-admin" authorization to make sure that GLPI no longer sends me back "You do not have the required rights to perform this action." But the error persists, I've logged in with the account I use for the API to add a criterion manually from the GLPI interface and I haven't encountered any error, what can I do to fix this problem?

For all: image

Expected behavior

that if I give ALL existing rights to the API user, I no longer get the error "You do not have the required rights to perform this action."

Operating system

Windows

GLPI Agent version

1.5

GLPI version

10.0.8

GLPIInventory plugin

1.3.0

Additional context

No response

HugzWaaa commented 12 months ago

I also made a "getActiveProfile" request to make sure my user had taken the "super-admin" profile, which has ALL rights image

stonebuzz commented 12 months ago

Hi @HugzWaaa can you post your code here (which updates the group dynamic) ?

HugzWaaa commented 12 months ago

Hi, of course, image so I create the input parameter like: image

msg.payload = {
    "input": {
        "fields_array": 'a:2:{s:8:"criteria";a:1:{i:0;a:6:{s:4:"link";s:3:"AND";s:8:"itemtype";s:8:"Location";s:4:"meta";s:1:"1";s:5:"field";s:1:"1";s:10:"searchtype";s:6:"equals";s:5:"value";s:3:"249";}}s:12:"metacriteria";a:0:{}}'
    }
};

HugzWaaa commented 12 months ago

and I POST this on this endpoint "http://xxx.xxx.xxx.xxx/apirest.php/PluginGlpiinventoryDeployGroup_Dynamicdata"
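
The `fields_array` value in the payload above is a PHP-serialized array, where every `s:N` prefix must equal the string's byte length. The following is an added example, not code from the thread or from the plugin: it builds that string from a plain object instead of typing it by hand. The helper names `phpSerialize` and `buildFieldsArray` are hypothetical.

```javascript
// Added example: minimal PHP serialize() for the value types that appear in
// fields_array (strings, integers, lists, associative arrays).
function phpSerialize(value) {
  if (typeof value === "string") {
    // PHP's s:N is the UTF-8 byte length, not the JavaScript character count.
    return `s:${Buffer.byteLength(value, "utf8")}:"${value}";`;
  }
  if (Number.isInteger(value)) {
    return `i:${value};`;
  }
  if (Array.isArray(value)) {
    // A JS array becomes a PHP list with integer keys 0..n-1.
    const body = value.map((v, i) => `i:${i};${phpSerialize(v)}`).join("");
    return `a:${value.length}:{${body}}`;
  }
  if (value !== null && typeof value === "object") {
    // A plain object becomes a PHP associative array, keys in insertion order.
    const entries = Object.entries(value);
    const body = entries.map(([k, v]) => phpSerialize(k) + phpSerialize(v)).join("");
    return `a:${entries.length}:{${body}}`;
  }
  throw new TypeError(`unsupported value type: ${typeof value}`);
}

// Hypothetical helper: wraps criteria in the two-key structure seen in the thread.
function buildFieldsArray(criteria, metacriteria = []) {
  return phpSerialize({ criteria, metacriteria });
}

// Criterion copied from the payload quoted in the thread (Location equals 249).
const criterion = {
  link: "AND",
  itemtype: "Location",
  meta: "1",
  field: "1",
  searchtype: "equals",
  value: "249",
};

const fieldsArray = buildFieldsArray([criterion]);
const payload = { input: { fields_array: fieldsArray } };
console.log(JSON.stringify(payload));
```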

stonebuzz commented 12 months ago

You need to set related object ID to your endpoint

http://xxx.xxx.xxx.xxx/apirest.php/PluginGlpiinventoryDeployGroup_Dynamicdata/##AN_ID##

stonebuzz commented 12 months ago

to update it

HugzWaaa commented 12 months ago

I've tried two different ways, http://xxx.xxx.xxx.xxx/apirest.php/PluginGlpiinventoryDeployGroup_Dynamicdata/15 and http://xxx.xxx.xxx.xxx/apirest.php/PluginGlpiinventoryDeployGroup_Dynamicdata/&id=15 but neither of the 2 works (the glpi returns "You do not have the required rights to perform this action").

HugzWaaa commented 12 months ago

image

HugzWaaa commented 12 months ago

Another strange thing with this endpoint, I can't filter my request: image

When I use the filter present in the URL, and I relaunch my request, I expect the request to return only one group, the one selected in the URL, but this is not the case, whereas if I do the same thing in the computer (use the filter present in the URL), the filter is taken into account and returns only the computers that have the right conditions.

HugzWaaa commented 12 months ago

I've also tried to replace POST with PUT because PUT is more used for update, and the request no longer returns an error, but the criterion is not created in the group

stonebuzz commented 12 months ago

The URL has been cleaned (by PHP or GLPI) with [urlencode](https://www.php.net/manual/fr/function.urlencode.php)

(for (among others) security)

I therefore advise you not to rely on the URL.

I'd rather do my filter in GLPI, then check the added value in the database (cleaned / serialized) and use it for API request

HugzWaaa commented 12 months ago

Thanks for your reply, but I don't understand what I should do ;(

stonebuzz commented 12 months ago

No it's for internal use.

stonebuzz commented 12 months ago

For "You do not have the required rights to perform this action"

can you run this SQL query and post result here

MariaDB [10bugfixes]> select * from glpi_profilerights where profiles_id = 4 and name = 'plugin_glpiinventory_group';
+-----+-------------+----------------------------+--------+
| id  | profiles_id | name                       | rights |
+-----+-------------+----------------------------+--------+
| 788 |           4 | plugin_glpiinventory_group |     31 |
+-----+-------------+----------------------------+--------+

HugzWaaa commented 12 months ago

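Yes of course:

+------+-------------+----------------------------+--------+
| id   | profiles_id | name                       | rights |
+------+-------------+----------------------------+--------+
| 1388 |           4 | plugin_glpiinventory_group |     23 |
+------+-------------+----------------------------+--------+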

stonebuzz commented 12 months ago

right => 21 corresponds to this

image

MariaDB [10bugfixes]> select * from glpi_profilerights where profiles_id = 4 and name = 'plugin_glpiinventory_group';
+-----+-------------+----------------------------+--------+
| id  | profiles_id | name                       | rights |
+-----+-------------+----------------------------+--------+
| 788 |           4 | plugin_glpiinventory_group |     21 |
+-----+-------------+----------------------------+--------+

Can you (re)check the profile/user rights used by the API client?

If necessary, can you run the following GLPI command (at the root of GLPI)

php bin/console cache:clear
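
The `rights` column queried in this thread is a bitmask. The following is an added example, not code from the thread or from GLPI: it decodes the values that appear here (31, 23, 21, 0) and lists which REST verbs each one would block. It assumes the standard GLPI right bits (READ=1, UPDATE=2, CREATE=4, DELETE=8, PURGE=16) and the usual GLPI REST convention that POST adds, PUT/PATCH update and DELETE deletes; the function names are hypothetical.

```javascript
// Standard GLPI right bits (assumed: the values GLPI core defines for READ..PURGE).
const RIGHTS = { READ: 1, UPDATE: 2, CREATE: 4, DELETE: 8, PURGE: 16 };

// Right each REST verb needs (assumption: POST adds, PUT/PATCH update, DELETE deletes).
const VERB_RIGHT = { GET: "READ", POST: "CREATE", PUT: "UPDATE", PATCH: "UPDATE", DELETE: "DELETE" };

// Names of the bits set in a glpi_profilerights.rights value.
function decodeRights(mask) {
  return Object.keys(RIGHTS).filter((name) => (mask & RIGHTS[name]) !== 0);
}

// Names of the standard bits that are not set.
function missingRights(mask) {
  return Object.keys(RIGHTS).filter((name) => (mask & RIGHTS[name]) === 0);
}

// Would this mask allow the action behind the given HTTP verb?
function verbAllowed(mask, verb) {
  const needed = VERB_RIGHT[verb.toUpperCase()];
  if (!needed) throw new Error(`unknown verb: ${verb}`);
  return (mask & RIGHTS[needed]) !== 0;
}

// One report entry per row returned by the SQL query shown in the thread.
function auditRows(rows, verbs = ["GET", "POST", "PUT", "DELETE"]) {
  return rows.map((row) => ({
    profiles_id: row.profiles_id,
    name: row.name,
    rights: row.rights,
    granted: decodeRights(row.rights),
    missing: missingRights(row.rights),
    blockedVerbs: verbs.filter((v) => !verbAllowed(row.rights, v)),
  }));
}

// Constructed rows using the rights values that appear in the thread.
const sampleRows = [31, 23, 21, 0].map((rights) => ({
  profiles_id: 4, name: "plugin_glpiinventory_group", rights,
}));

for (const r of auditRows(sampleRows)) {
  console.log(`${r.name} rights=${r.rights} granted=[${r.granted}] blocked=[${r.blockedVerbs}]`);
}
```

Under these constants, 23 lacks only DELETE and 21 lacks UPDATE and DELETE. How the plugin maps these bits onto `PluginGlpiinventoryDeployGroup_Dynamicdata` is not covered by this sketch.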

HugzWaaa commented 12 months ago

I double-checked the super-admin profile image My user is a super-admin image I can confirm this by making a "getActiveProfile" request to make sure it uses the super-admin profile. Here is what the request says: image And I've RUN the command you gave me as you asked and I've restarted the request but the error still persists. image image

stonebuzz commented 12 months ago

Can you "uncheck" then "check" the right "update" and save the profile?

Then retry (and check from database value with last SQL query)

HugzWaaa commented 12 months ago

I have unchecked all rights

image

I restarted the order

image

Then I checked the rights again image

And I restarted the order but I still get the same result image

I did save the profile from GLPI after each modification

stonebuzz commented 12 months ago

Are you sure you're on the right database, on the right GLPI?

Unchecking all rights gives this result from the SQL query

MariaDB [10bugfixes]> select * from glpi_profilerights where profiles_id = 4 and name = 'plugin_glpiinventory_group';
+-----+-------------+----------------------------+--------+
| id  | profiles_id | name                       | rights |
+-----+-------------+----------------------------+--------+
| 788 |           4 | plugin_glpiinventory_group |      0 |
+-----+-------------+----------------------------+--------+
1 row in set (0,000 sec)

HugzWaaa commented 12 months ago

I thought so but apparently not, now that I've told him to use the right base, I'm behaving like you. image but the request always returns the same error even after rechecking.

HugzWaaa commented 12 months ago

I have checked again, image I re-launched the request image

stonebuzz commented 12 months ago

before going any further, we need to

To make sure you have the latest version of the fixes

HugzWaaa commented 12 months ago

Okay, no worries. I'll look into updating the plugin and GLPI, and I'll get back to you when I have news.

HugzWaaa commented 11 months ago

Hello sir, I've updated the plugin and GLPI but the rights problem still persists. image image image

HugzWaaa commented 11 months ago

I don't know how GLPI works at all, but if checking this box means that you have the right to access the "PluginGlpiinventoryDeployGroup" class, that's right, but this box must also allow you to access the "PluginGlpiinventoryDeployGroup_Dynamicdata" class to be able to modify the criteria of a dynamic group. image

stonebuzz commented 11 months ago

Hi @HugzWaaa

"PluginGlpiinventoryDeployGroup_Dynamicdata" right depends on this checkbox =)

I'm not sure how to help you, since I don't reproduce on my side (with basic curl call).

Perhaps you should consider taking out a subscription to benefit from professional support. This would allow me (among other things) to take control of your instance for debugging purposes.

trasher commented 8 months ago

Since we cannot reproduce, and existing data is certainly faulty, I close.

Feel free to reopen if you can provide a use case reproducing the issue on a fresh install.