Closed masakazuwatanabe closed 2 years ago
cconard96
commented
2 years ago The issue is when you use the search endpoint instead of the getItems one. There is a hidden filter in the search engine for these tasks that restrict them to being your tasks. You see the same thing by going to the project task search page /front/projecttask.php.'
The URL /apirest.php/ProjectTask will show all project tasks.
github-actions[bot]
commented
2 years ago There has been no activity on this issue for some time and therefore it is considered stale and will be closed automatically in 10 days.
If this issue is related to a bug, please try to reproduce on latest release. If the problem persist, feel free to add a comment to revive this issue. If it is related to a new feature, please open a topic to discuss with community about this enhancement on suggestion website.
You may also consider taking a subscription to get professionnal support or contact GLPI editor team directly.
marien-probesys
commented
7 months ago Hi, I can confirm the issue, even when using the URLs /apirest.php/ProjectTask or /apirest.php/Project/<id>/ProjectTask (I'm using GLPI 10.0.14).
I was able to understand a bit why it's working in the interface, but not in the API.
If the user has access to the project of the tasks, he has the right to read them even if he’s not in the Task Team (see https://github.com/glpi-project/glpi/blob/10.0/bugfixes/src/ProjectTask.php#L91-L96). Meaning that the user has the right to read the tasks as soon as it has the rights on the project.
Now, on the API part, the getItems method correctly checks the rights, but it also create a where condition:
(`glpi_projecttaskteams`.`itemtype` = 'User' AND `glpi_projecttaskteams`.`items_id` = '2')Indeed, it first calls Search::addDefaultWhere: https://github.com/glpi-project/glpi/blob/b69e15312f81915286a60de8ec68210570406123/src/Api/API.php#L1138
Which returns this condition: https://github.com/glpi-project/glpi/blob/b69e15312f81915286a60de8ec68210570406123/src/Search.php#L4343-L4348
This condition is incomplete as it should probably include an OR clause to check if the user has right on the task project. I'm not able to say if it can have unexpected impacts though.
Code of Conduct
Is there an existing issue for this?
Version
10.0.2
Bug description
hello. I'm having a problem because I can't get the list of project tasks with API.
This problem also occurs in Ver9.4.5 - Ver9.5.7. https://github.com/glpi-project/glpi/issues/6818
Set Project to Seeall in your profile.
If "See all" in "Projects" of "Profile" is checked,
but,
It seems that the task team is used as a condition for querying the project task, regardless of the status of the SeeAll permission of the project.
https://github.com/glpi-project/glpi/blob/10873706f388795a1d0d72a028eb4ceba36f7169/src/Search.php#L4251-L4281
There is no way to list all project tasks in REST-API. If all projects have permissions Just as the WebUI shows all the tasks, I also want to get a list of all tasks in REST-API.
Relevant log output
No response
Page URL
No response
Steps To reproduce
No response
Your GLPI setup information
システムのインストールと設定の情報
Server
Operating system: Linux glpi01 4.18.0-394.el8.x86_64 #1 SMP Tue May 31 16:19:11 UTC 2022 x86_64 PHP 7.4.19 fpm-fcgi (Core, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apcu, bz2, calendar, cgi-fcgi, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd, openssl, pcre, pdo_mysql, pdo_sqlite, session, sockets, sqlite3, standard, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib) Setup: max_execution_time="600" memory_limit="128M" post_max_size="64M" safe_mode="" session.save_handler="files" upload_max_filesize="50M" Software: nginx/1.14.1 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 Server Software: mariadb.org binary distribution Server Version: 10.8.3-MariaDB-1:10.8.3+maria~jammy Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION Parameters: glpi@127.0.0.1/glpi Host info: 127.0.0.1 via TCP/IP PHP version (7.4.19) is supported. Sessions configuration is OK. Allocated memory is sufficient. mysqli extension is installed. Following extensions are installed: dom, fileinfo, json, simplexml. curl extension is installed. gd extension is installed. intl extension is installed. libxml extension is installed. zlib extension is installed. The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present. Database engine version (10.8.3) is supported. The log file has been created successfully. Write access to /usr/local/glpi/files/_cache has been validated. Write access to /usr/local/glpi/config has been validated. Write access to /usr/local/glpi/files/_cron has been validated. Write access to /usr/local/glpi/files has been validated. Write access to /usr/local/glpi/files/_dumps has been validated. Write access to /usr/local/glpi/files/_graphs has been validated. Write access to /usr/local/glpi/files/_lock has been validated. Write access to /usr/local/glpi/files/_pictures has been validated. Write access to /usr/local/glpi/files/_plugins has been validated. Write access to /usr/local/glpi/files/_rss has been validated. Write access to /usr/local/glpi/files/_sessions has been validated. Write access to /usr/local/glpi/files/_tmp has been validated. Write access to /usr/local/glpi/files/_uploads has been validated. Web access to files directory is protected For security reasons, SELinux mode should be Enforcing. exif extension is installed. ldap extension is installed. openssl extension is installed. zip extension is installed. bz2 extension is installed. Zend OPcache extension is installed. Following extensions are installed: ctype, iconv, mbstring. Following extensions are not present: sodium. Write access to /usr/local/glpi/marketplace has been validated. Access to timezone database (mysql) is not allowed.GLPI constants
Libraries
LDAP directories
Server: '10.130.8.144', Port: '389', BaseDN: 'dc=qualitia,dc=co,dc=jp', Connection filter: '(&(objectClass=posixAccount)(objectClass=sambaSamAccount))', RootDN: 'cn=root,dc=qualitia,dc=co,dc=jp', Use TLS: none Server: '192.168.0.141', Port: '389', BaseDN: 'OU=Users,OU=QUALITIA,DC=domain,DC=nsz,DC=jp', Connection filter: '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))', RootDN: 'DOMAIN\sysadmin', Use TLS: '1'SQL replicas
Notifications
Plugins list
advancedplanning Name: advancedplanning Version: 1.0.0 State: Error / to clean Install Method: Manual news Name: Alerts Version: 1.9.1 State: Error / to clean Install Method: Manual barcode Name: Barcode Version: 2.6.2 State: Error / to clean Install Method: Manual archimap Name: Diagrams Version: 3.2.7 State: Error / to clean Install Method: Manual fusioninventory Name: FusionInventory Version: 9.5+4.2 State: Error / to clean Install Method: Manual gantt Name: gantt Version: 1.0.0 State: Enabled Install Method: Marketplace geninventorynumber Name: Inventory number generation Version: 2.5.1 State: Error / to clean Install Method: Manual addressing Name: IP Adressing Version: 3.0.0 State: Enabled Install Method: Marketplace mreporting Name: More Reporting Version: 1.7.4 State: Error / to clean Install Method: Manual genericobject Name: Objects management Version: 2.12.1 State: Enabled Install Method: Marketplace order Name: Orders management Version: 2.9.0 State: Installed / not activated Install Method: Marketplace tag Name: Tag Management Version: 2.9.2 State: Enabled Install Method: Marketplace accounts Name: アカウント Version: 3.0.2 State: Enabled Install Method: Marketplace datainjection Name: インジェクション Version: 2.11.2 State: Installed / not activated Install Method: Marketplace fields Name: 追加のフィールド Version: 1.16.0 State: Enabled Install Method: MarketplaceAnything else?
No response