glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0

Templates can be modified regardless of permission #11509

Closed blippercop closed 2 years ago

blippercop commented 2 years ago

Version

10.0.0 and 9.5.6

Bug description

Go to http://127.0.0.1/helpdesk/front/setup.templates.php?itemtype=Project&add=0 and create a template with no tasks - just a name etc.

Create a new project and select your template (http://127.0.0.1/helpdesk/front/setup.templates.php?itemtype=Project&add=1) and select your template (do not save it!).

Click on project "tasks" and create a new one.

Type in a name and click add.

Go back to the original template http://127.0.0.1/helpdesk/front/setup.templates.php?itemtype=Project&add=0

You will see that the task was added to the original template.

Workaround was to remove the permission to update templates but the permission revoke didn't change anything - the technician is still able to modify the template by adding a task.

Relevant log output

None

Page URL

No response

Steps To reproduce

No response

Your GLPI setup information

No response

Anything else?

No response
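A minimal model of the flow in this report, added here as an example that is not GLPI's code: the unchecked path shows a task landing on the template when the form still carries the template's id, and the checked path refuses to write to a template record unless the actor holds the template-update right. The in-memory store, project and task names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    id: int
    name: str
    is_template: bool = False
    tasks: list = field(default_factory=list)

class Store:
    # Constructed in-memory stand-in for the projects table (not GLPI's DB layer).
    def __init__(self):
        self._items, self._next = {}, 1

    def save(self, name, is_template=False):
        p = Project(self._next, name, is_template)
        self._items[p.id] = p
        self._next += 1
        return p

    def get(self, pid):
        return self._items[pid]

def add_task_unchecked(store, project_id, task_name):
    # Behaviour the report describes: the tasks tab of an unsaved "new from
    # template" form still carries the template's id, so the task lands there.
    store.get(project_id).tasks.append(task_name)

def add_task_checked(store, can_update_templates, project_id, task_name):
    # Hardened variant: a template record is only writable by an actor holding
    # the template-update right, whatever id the form submits.
    target = store.get(project_id)
    if target.is_template and not can_update_templates:
        raise PermissionError(f"template {target.id} is read-only for this actor")
    target.tasks.append(task_name)

def reproduce():
    store = Store()
    tpl = store.save("Empty template", is_template=True)
    add_task_unchecked(store, tpl.id, "Kickoff")        # leaks into the template
    tpl2 = store.save("Empty template 2", is_template=True)
    try:
        add_task_checked(store, False, tpl2.id, "Kickoff")
        blocked = False
    except PermissionError:
        blocked = True
    new = store.save("Real project")                     # persisted first, own id
    add_task_checked(store, False, new.id, "Kickoff")
    return list(tpl.tasks), blocked, list(tpl2.tasks), list(new.tasks)
```

The returned tuple shows the leaked task on the first template, the refused write on the second, and the task correctly attached to the saved project.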

cconard96 commented 2 years ago

What Project template permission are you referring to? There is no different permission for templates of projects.

blippercop commented 2 years ago

The general ones (ITIL objects). Revoke the permission (give only READ) for editing templates (ITIL objects) for a profile. Do the steps above. Voila you edited a template without having permission.

cconard96 commented 2 years ago

A Project is not an ITIL type (at least as far as GLPI is concerned). Project templates use the Project permissions.

Also, please refrain from posting possible security issues publicly. The project's security policy (Listed in the Security tab of this repository) has an email address that you can send information to if you suspect you found a security vulnerability.

blippercop commented 2 years ago

I don't think this is a security issue (other similar cases with privacy issues were also discussed publicly).

There is no permission for editing the template - meaning anyone with edit rights (I guess) can edit templates.

However this is still a bug or at least a major design issue. Demo: [screenshot]

"i want to create a new project" appears in the template even though I was in the "create project FROM template"

However other techs would consider "I am creating a new project and can add tasks to the new project" instead of "I am creating a new project and am editing the template if I don't click save before"