glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0

Saved search entries visibility issue #12690

Closed Phorms closed 2 years ago

Phorms commented 2 years ago

Version

10.0.3

Bug description

Expected behavior: Only your own and all public saved searches of the current category (tickets, assets, ...) are visible.

Current behavior: All saved searches of the current category (tickets, assets, ...) are visible. The private / public option has no impact.

User permissions seem not to affect this behavior. I'm unaware of any settings that could affect the saved search. I disabled all plugins, no change.

The system was updated from version 9.5.4 where the filter worked correctly.

Adding a new saved search entry does not create a new entry in the database table "glpi_savedsearches_users". Only an entry in "glpi_savedsearches" is created.

[Screenshot]

All three entries are from different users and private.

[Screenshot]

But, I'm able to see them.

[Screenshot]

The SQL query received on our SQL server (no filter for the 'is_private' field):

SELECT glpi_savedsearches.*, glpi_savedsearches_users.id AS is_default FROM glpi_savedsearches
LEFT JOIN glpi_savedsearches_users ON (glpi_savedsearches_users.savedsearches_id = glpi_savedsearches.id AND glpi_savedsearches.itemtype = glpi_savedsearches_users.itemtype AND glpi_savedsearches_users.users_id = '9')
WHERE (glpi_savedsearches.itemtype = 'Ticket') ORDER BY itemtype, name

Hope that helps.

Relevant log output

access-errors.log - nothing
sql-errors.log - nothing
php-errors.log - nothing

Page URL

/front/ticket.php

Steps To reproduce

  1. Open the ticket list (Assistance ->Tickets)
  2. Click on "Lists"
  3. Now you see under the new menu "Tickets" your own saved searches AND every other saved search (all saved searches of that category). The private ones have a small lock symbol.

Your GLPI setup information

Information about system installation and configuration
GLPI 10.0.3 ( => /var/www/glpi)
Installation mode: TARBALL
Current language:en_GB

Server
 
Operating system: Linux XXX 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64
PHP 8.1.9 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, bcmath, bz2, calendar,
    ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring, mysqli,
    mysqlnd, openssl, pcre, pdo_mysql, posix, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem, sysvshm,
    tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="600" memory_limit="512M" post_max_size="80M" safe_mode="" session.save_handler="files"
    upload_max_filesize="80M" 
Software: Apache/2.4.54 (Debian) (Apache/2.4.54 (Debian) Server at XXX Port 443
)
    Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Server Software: Debian 11
    Server Version: 10.5.15-MariaDB-0+deb11u1-log
    Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
    Parameters: XXX
    Host info: XXX via TCP/IP

PHP version (8.1.9) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, json, simplexml.
curl extension is installed.
gd extension is installed.
intl extension is installed.
libxml extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.5.15) is supported.
The log file has been created successfully.
Write access to /var/www/glpi/files/_cache has been validated.
Write access to /var/www/glpi/config has been validated.
Write access to /var/www/glpi/files/_cron has been validated.
Write access to /var/www/glpi/files has been validated.
Write access to /var/www/glpi/files/_dumps has been validated.
Write access to /var/www/glpi/files/_graphs has been validated.
Write access to /var/www/glpi/files/_lock has been validated.
Write access to /var/www/glpi/files/_pictures has been validated.
Write access to /var/www/glpi/files/_plugins has been validated.
Write access to /var/www/glpi/files/_rss has been validated.
Write access to /var/www/glpi/files/_sessions has been validated.
Write access to /var/www/glpi/files/_tmp has been validated.
Write access to /var/www/glpi/files/_uploads has been validated.
Web access to files directory is protected
Sessions configuration is secured.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
zip extension is installed.
bz2 extension is installed.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/glpi/marketplace has been validated.
Access to timezone database (mysql) is not allowed.

GLPI constants
 
GLPI_ROOT: /var/www/glpi
GLPI_CONFIG_DIR: /var/www/glpi/config
GLPI_VAR_DIR: /var/www/glpi/files
GLPI_MARKETPLACE_DIR: /var/www/glpi/marketplace
GLPI_USE_CSRF_CHECK: 1
GLPI_CSRF_EXPIRES: 7200
GLPI_CSRF_MAX_TOKENS: 100
GLPI_USE_IDOR_CHECK: 1
GLPI_IDOR_EXPIRES: 7200
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: 
GLPI_SERVERSIDE_URL_ALLOWLIST: Array
GLPI_TELEMETRY_URI: https://telemetry.glpi-project.org
GLPI_INSTALL_MODE: TARBALL
GLPI_NETWORK_MAIL: glpi@teclib.com
GLPI_NETWORK_SERVICES: https://services.glpi-network.com
GLPI_MARKETPLACE_ALLOW_OVERRIDE: 1
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: 1
GLPI_USER_AGENT_EXTRA_COMMENTS: 
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: 1
GLPI_AJAX_DASHBOARD: 1
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: 0
GLPI_CENTRAL_WARNINGS: 1
GLPI_DOC_DIR: /var/www/glpi/files
GLPI_CACHE_DIR: /var/www/glpi/files/_cache
GLPI_CRON_DIR: /var/www/glpi/files/_cron
GLPI_DUMP_DIR: /var/www/glpi/files/_dumps
GLPI_GRAPH_DIR: /var/www/glpi/files/_graphs
GLPI_LOCAL_I18N_DIR: /var/www/glpi/files/_locales
GLPI_LOCK_DIR: /var/www/glpi/files/_lock
GLPI_LOG_DIR: /var/www/glpi/files/_log
GLPI_PICTURE_DIR: /var/www/glpi/files/_pictures
GLPI_PLUGIN_DOC_DIR: /var/www/glpi/files/_plugins
GLPI_RSS_DIR: /var/www/glpi/files/_rss
GLPI_SESSION_DIR: /var/www/glpi/files/_sessions
GLPI_TMP_DIR: /var/www/glpi/files/_tmp
GLPI_UPLOAD_DIR: /var/www/glpi/files/_uploads
GLPI_INVENTORY_DIR: /var/www/glpi/files/_inventories
GLPI_NETWORK_REGISTRATION_API_URL: https://services.glpi-network.com/api/registration/
GLPI_MARKETPLACE_PLUGINS_API_URI: https://services.glpi-network.com/api/glpi-plugins/
GLPI_I18N_DIR: /var/www/glpi/locales
GLPI_VERSION: 10.0.3
GLPI_SCHEMA_VERSION: 10.0.3@a130db99c7d9b131c2e2ea59fe0d6260fe93d831
GLPI_MARKETPLACE_PRERELEASES: 
GLPI_MIN_PHP: 7.4.0
GLPI_MAX_PHP: 8.3.0
GLPI_YEAR: 2022

Libraries
 
htmlawed/htmlawed version 1.2.9 in (/var/www/glpi/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.6.0 in (/var/www/glpi/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/var/www/glpi/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.4.4 in (/var/www/glpi/plugins/pdf/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/glpi/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/glpi/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/glpi/vendor/iamcal/lib_autolink)
sabre/dav in (/var/www/glpi/vendor/sabre/dav/lib/DAV)
sabre/http in (/var/www/glpi/vendor/sabre/http/lib)
sabre/uri in (/var/www/glpi/vendor/sabre/uri/lib)
sabre/vobject in (/var/www/glpi/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/var/www/glpi/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/var/www/glpi/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/var/www/glpi/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/glpi/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/var/www/glpi/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/var/www/glpi/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/glpi/vendor/symfony/console)
scssphp/scssphp in (/var/www/glpi/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/var/www/glpi/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/var/www/glpi/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/var/www/glpi/vendor/rlanvin/php-rrule/src)
blueimp/jquery-file-upload in (/var/www/glpi/vendor/blueimp/jquery-file-upload/server/php)
ramsey/uuid in (/var/www/glpi/vendor/ramsey/uuid/src)
psr/log in (/var/www/glpi/vendor/psr/log/Psr/Log)
psr/simple-cache in (/var/www/glpi/vendor/psr/simple-cache/src)
psr/cache in (/var/www/glpi/vendor/psr/cache/src)
league/csv in (/var/www/glpi/vendor/league/csv/src)
mexitek/phpcolors in (/var/www/glpi/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/var/www/glpi/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/var/www/glpi/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/var/www/glpi/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/var/www/glpi/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/var/www/glpi/vendor/paragonie/sodium_compat/src)
symfony/cache in (/var/www/glpi/vendor/symfony/cache)
html2text/html2text in (/var/www/glpi/vendor/html2text/html2text/src)
symfony/css-selector in (/var/www/glpi/vendor/symfony/css-selector)
symfony/dom-crawler in (/var/www/glpi/vendor/symfony/dom-crawler)
twig/twig in (/var/www/glpi/vendor/twig/twig/src)
twig/string-extra in (/var/www/glpi/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 not found
symfony/polyfill-php81 not found
symfony/polyfill-php82 in (/var/www/glpi/vendor/symfony/polyfill-php82)

SQL replicas
 
Not active

Plugins list

I disabled all plugins. The problem did not change.
 
    order                Name: Bestellverwaltung              Version: 2.9.0      State: Enabled                                 
        Install Method: Manual
    datainjection        Name: Data injection                 Version: 2.12.0     State: Enabled                                 
        Install Method: Manual
    formcreator          Name: Form Creator                   Version: 2.13.0     State: Enabled                                 
        Install Method: Manual
    fpsoftware           Name: FP Software                    Version: 2.0.0      State: Enabled                                 
        Install Method: Manual
    fusioninventory      Name: FusionInventory                Version: 10.0.1+1.0 State: Enabled                                 
        Install Method: Manual
    accounts             Name: Konten                         Version: 3.0.2      State: Enabled                                 
        Install Method: Manual
    mreporting           Name: More Reporting                 Version: 1.8.1      State: Enabled                                 
        Install Method: Manual
    pdf                  Name: PDF-Ausgabe                    Version: 2.1.0      State: Enabled                                 
        Install Method: Manual
    stab                 Name: Split Timeline Action Buttons  Version: 1.0.2      State: Enabled                                 
        Install Method: Manual
    manufacturersimports Name: Suppliers imports              Version: 3.0.2      State: Enabled                                 
        Install Method: Manual
    behaviors            Name: Verhalten                      Version: 2.7.1      State: Enabled                                 
        Install Method: Manual

Anything else?

No response

cconard96 commented 2 years ago

This should be fixed by #12692

Phorms commented 2 years ago

Hi,

thanks for your quick response, but the fix does not fix the issue.

The SQL query gets shorter, but is missing any user filter.

SELECT glpi_savedsearches.*, glpi_savedsearches_users.id AS is_default FROM glpi_savedsearches 
LEFT JOIN glpi_savedsearches_users ON (glpi_savedsearches_users.savedsearches_id = glpi_savedsearches.id) 
WHERE glpi_savedsearches.itemtype = 'Ticket' ORDER BY itemtype, name

+ self::getVisibilityCriteria(); could add the user filter, but Session::haveRight('config', UPDATE) skips that filter. Maybe this is useful for admins in the saved searches overview (/front/savedsearch.php), but not if you want to see only your own saved searches under "Lists".

Phorms commented 2 years ago

Removing

if (Session::haveRight('config', UPDATE)) { return $criteria; }

in src/SavedSearch.php under the function public static function getVisibilityCriteria(bool $forceall = false): array (lines 1327-1332) solves my issue. Maybe with unpredictable side effects, but the lists now contain only my own and public saved searches.
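The query captured in the bug report and the filtered variant described in the last comment, side by side, as an added example that is not GLPI code. It runs the report's query and a version with an unconditional "public or owned by the current user" predicate against a constructed in-memory SQLite dataset, and includes the kind of regression check a reviewer would want: does the result set for one user contain another user's private search? The schema is a reduced reconstruction: `itemtype`, `is_private`, the `glpi_savedsearches_users` join and its `is_default` alias appear in the thread; the `users_id` owner column on `glpi_savedsearches`, the table layout and all rows are assumptions.

```python
import sqlite3

# Constructed, reduced schema: only the columns the visibility check needs.
# The users_id owner column on glpi_savedsearches is an assumption.
SCHEMA = """
CREATE TABLE glpi_savedsearches (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    itemtype TEXT NOT NULL,
    users_id INTEGER NOT NULL,    -- owner (assumed column)
    is_private INTEGER NOT NULL   -- 1 = private, 0 = public
);
CREATE TABLE glpi_savedsearches_users (
    id INTEGER PRIMARY KEY,
    users_id INTEGER NOT NULL,
    itemtype TEXT NOT NULL,
    savedsearches_id INTEGER NOT NULL
);
"""

# Constructed sample data: three private Ticket searches owned by three
# different users (as in the report's screenshot), one public search, and
# one search for a different itemtype. Row layout: id, name, itemtype, owner, is_private.
SAVED_SEARCHES = [
    (1, "My open tickets", "Ticket", 9, 1),
    (2, "Bob's escalations", "Ticket", 10, 1),
    (3, "Carol's VIPs", "Ticket", 11, 1),
    (4, "All unassigned", "Ticket", 10, 0),
    (5, "Old laptops", "Computer", 9, 1),
]
# One "default search" marker for user 9 on search 1 (id, users_id, itemtype, savedsearches_id).
DEFAULTS = [(1, 9, "Ticket", 1)]

# The query as the report shows it arriving at the SQL server: the only
# per-user clause is in the LEFT JOIN, which decides is_default but never
# excludes a row, so every saved search of the itemtype is returned.
UNFILTERED_SQL = """
SELECT glpi_savedsearches.*, glpi_savedsearches_users.id AS is_default
FROM glpi_savedsearches
LEFT JOIN glpi_savedsearches_users
  ON (glpi_savedsearches_users.savedsearches_id = glpi_savedsearches.id
      AND glpi_savedsearches.itemtype = glpi_savedsearches_users.itemtype
      AND glpi_savedsearches_users.users_id = ?)
WHERE glpi_savedsearches.itemtype = ?
ORDER BY itemtype, name
"""

# Same query with the visibility predicate in the WHERE clause, applied
# regardless of the caller's other rights: a row is visible only if it is
# public or owned by the current user.
FILTERED_SQL = """
SELECT glpi_savedsearches.*, glpi_savedsearches_users.id AS is_default
FROM glpi_savedsearches
LEFT JOIN glpi_savedsearches_users
  ON (glpi_savedsearches_users.savedsearches_id = glpi_savedsearches.id
      AND glpi_savedsearches.itemtype = glpi_savedsearches_users.itemtype
      AND glpi_savedsearches_users.users_id = ?)
WHERE glpi_savedsearches.itemtype = ?
  AND (glpi_savedsearches.is_private = 0 OR glpi_savedsearches.users_id = ?)
ORDER BY itemtype, name
"""


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO glpi_savedsearches VALUES (?,?,?,?,?)", SAVED_SEARCHES)
    conn.executemany("INSERT INTO glpi_savedsearches_users VALUES (?,?,?,?)", DEFAULTS)
    return conn


def list_unfiltered(conn, users_id, itemtype):
    """Rows the report's query returns: (name, is_default) for every search of the itemtype."""
    return [(row[1], row[5] is not None) for row in conn.execute(UNFILTERED_SQL, (users_id, itemtype))]


def list_visible(conn, users_id, itemtype):
    """Rows the filtered query returns: only public searches and the user's own."""
    return [(row[1], row[5] is not None)
            for row in conn.execute(FILTERED_SQL, (users_id, itemtype, users_id))]


def leaked_private_searches(users_id, rows):
    """Regression check: names in `rows` that are private and owned by someone else."""
    meta = {name: (owner, is_private) for _, name, _, owner, is_private in SAVED_SEARCHES}
    return [name for name, _ in rows if meta[name][1] == 1 and meta[name][0] != users_id]


if __name__ == "__main__":
    db = build_db()
    shown = list_unfiltered(db, 9, "Ticket")
    print("unfiltered:", shown, "leaks:", leaked_private_searches(9, shown))
    shown = list_visible(db, 9, "Ticket")
    print("filtered:  ", shown, "leaks:", leaked_private_searches(9, shown))
```

The point the comparison makes is structural: a per-user condition inside a LEFT JOIN only annotates rows (here, which one is the user's default), it cannot restrict them; the restriction has to live in the WHERE clause and has to be applied on the listing path for every caller. `leaked_private_searches` is the assertion to keep in a test suite so the regression described in the thread is caught automatically.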