Closed blippercop closed 2 years ago
What Project template permission are you referring to? There is no different permission for templates of projects.
The general ones (ITIL objects). Revoke the permission (give only READ) for editing templates (ITIL objects) for a profile. Do the steps above. Voila, you edited a template without having permission.
A Project is not an ITIL type (at least as far as GLPI is concerned). Project templates use the Project permissions.
Also, please refrain from posting possible security issues publicly. The project's security policy (listed in the Security tab of this repository) has an email address that you can send information to if you suspect you found a security vulnerability.
I don't think this is a security issue (other similar cases with privacy issues were also discussed publicly).
There is no permission for editing permission for the template - meaning anyone with edit rights (I guess) can edit templates.
However, this is still a bug or at least a major design issue. Demo:
"i want to create a new project" appears in the template even though I was in the "create project FROM template".
However, other techs would consider "I am creating a new project and can add tasks to the new project" instead of "I am creating a new project and am editing the template if I don't click save before".
Version
10.0.0 and 9.5.6
Bug description
Go to http://127.0.0.1/helpdesk/front/setup.templates.php?itemtype=Project&add=0 and create a template with no tasks - just a name etc.
Create a new project and select your template (http://127.0.0.1/helpdesk/front/setup.templates.php?itemtype=Project&add=1) and select your template (do not save it!).
Click on project "tasks" and create a new one.
Type in a name and click add.
Go back to the original template http://127.0.0.1/helpdesk/front/setup.templates.php?itemtype=Project&add=0
You will see that the task was added to the original template.
Workaround was to remove the permission to update templates but the permission revoke didn't change anything - the technician is still able to modify the template by adding a task.