glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0

Category field enabled for self-service profile. #14436

Closed fabioneres closed 1 year ago

fabioneres commented 1 year ago

Version

10.0.6

Bug description

When accessing a ticket with the self-service profile, the profile has permission to list the ITIL categories, which is not ideal. Keep in mind that the user can only list and not change them, which proves to be a bug, since it makes no sense to be able to list the ITIL categories without the purpose of changing them.

Relevant log output

No response

Page URL

https://server/marketplace/formcreator/front/issue.form.php

Steps To reproduce

  1. Open a ticket
  2. Click on the ticket
  3. Click on category

Note: Actions must be performed with the self-service profile

Your GLPI setup information

GLPI 10.0.6 ( => /var/www/glpi)
Installation mode: TARBALL
Current language: pt_BR

Operating system: Linux dev-glpi 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64
PHP 7.4.3-4ubuntu2.18 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, apc, apcu, bcmath, bz2, calendar, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, imap, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, readline, session, shmop, soap, sockets, sodium, standard, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="30" memory_limit="128M" post_max_size="8M" safe_mode="" session.save_handler="files" upload_max_filesize="2M"
Software: Apache/2.4.41 (Ubuntu) (Apache/2.4.41 (Ubuntu) Server at dev-glpi.unifesp.br Port 80 )
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Server Software: Ubuntu 20.04
Server Version: 10.3.38-MariaDB-0ubuntu0.20.04.1
Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
Parameters: unifesp-glpi@172.22.29.174/glpidb
Host info: 172.22.29.174 via TCP/IP


Anything else?

No response

cedric-anne commented 1 year ago

Hi,

The page URL contains formcreator. Are you able to reproduce the issue outside the formcreator plugin view? If you are not, you should open an issue on the plugin repository.

fabioneres commented 1 year ago

Yes, the problem happens even outside the forms plugin. Link: https://server/front/ticket.form.php

cedric-anne commented 1 year ago

Hi,

I just checked on GLPI 10.0.7 a profile that has no rights to see the categories, and the "i" icon located next to the categories dropdown only shows a tooltip with the complete name and comments. There is no link to the category page, and when I tried to access the page directly, I got a "You don't have permission to perform this action." message.

Profiles with the simplified interface could not have any rights on dropdowns. Have you switched your "Self-service" profile to the standard interface? In such a case, you should remove the "READ" right on Setup > Ticket categories.
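
One way to audit the condition described in the comment above directly in the database, as an added example that is not part of the original thread or GLPI project code. It assumes the stock GLPI 10 schema (tables `glpi_profiles` and `glpi_profilerights`, the right name `itilcategory`, and the standard right bits READ=1, UPDATE=2, CREATE=4, DELETE=8, PURGE=16); verify these against your own installation before relying on the output.

```sql
-- Added example: read-only audit of which profiles hold rights on
-- ITIL (ticket) categories, and which interface each profile uses.
-- Assumptions (check against your schema): glpi_profiles.interface is
-- 'helpdesk' for the simplified interface and 'central' for the standard
-- one; glpi_profilerights.rights is a bitmask (READ=1, UPDATE=2,
-- CREATE=4, DELETE=8, PURGE=16).
SELECT
    p.id                       AS profile_id,
    p.name                     AS profile_name,
    p.interface                AS interface,
    r.rights                   AS rights_mask,
    (r.rights & 1)  <> 0       AS can_read,
    (r.rights & 2)  <> 0       AS can_update,
    (r.rights & 4)  <> 0       AS can_create,
    (r.rights & 8)  <> 0       AS can_delete,
    (r.rights & 16) <> 0       AS can_purge,
    CASE
        -- A simplified-interface profile is not expected to hold any
        -- dropdown rights at all, so any non-zero mask deserves a look.
        WHEN p.interface = 'helpdesk' AND r.rights <> 0
            THEN 'unexpected: simplified interface with dropdown rights'
        -- Read without any write bit is the situation reported in this
        -- issue: the category page can be listed but not modified.
        WHEN (r.rights & 1) <> 0 AND (r.rights & 30) = 0
            THEN 'read-only: remove READ if listing is not intended'
        ELSE 'ok'
    END                        AS finding
FROM glpi_profiles AS p
JOIN glpi_profilerights AS r
    ON r.profiles_id = p.id
WHERE r.name = 'itilcategory'
ORDER BY p.interface, p.name;
```

A row flagged `read-only` for the profile assigned to self-service users corresponds to the "READ" right on Setup > Ticket categories mentioned above; the change itself is best made through the profile form rather than by editing the table.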

trasher commented 1 year ago

No feedback, I close