glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0
4.24k stars 1.29k forks source link

Group manager's access to tickets of all group members #14724

Closed f0rextazy closed 1 year ago

f0rextazy commented 1 year ago

Code of Conduct

Is there an existing issue for this?

Version

10.0.7

Bug description

A group with 3 members and one group manager has been created. When a ticket is created by a group member, the group manager cannot see these tickets created by group members. The user profile of the group manager has the permission "SEE GROUP TICKET"

How to configure the behavior of glpi to display all tickets created by group members for the group manager?

Relevant log output

No response

Page URL

No response

Steps To reproduce

No response

Your GLPI setup information

Information about system installation and configuration
GLPI 10.0.7 ( => /var/www/glpi)
Installation mode: TARBALL
Current language:en_GB

Server
 
Operating system: Linux inv 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
PHP 8.1.2-1ubuntu2.11 fpm-fcgi (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, bz2, calendar, cgi-fcgi, ctype,
    curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd,
    openssl, pcre, pdo_mysql, posix, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem, sysvshm, tokenizer, xml,
    xmlreader, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="30" memory_limit="4096M" post_max_size="8M" safe_mode="" session.save_handler="files"
    upload_max_filesize="2M" 
Software: nginx/1.18.0
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 YaBrowser/23.3.1.895 Yowser/2.5 Safari/537.36
Server Software: Ubuntu 22.04
    Server Version: 10.6.12-MariaDB-0ubuntu0.22.04.1
    Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
    Parameters: glpi@localhost/glpi
    Host info: Localhost via UNIX socket

PHP version (8.1.2-1ubuntu2.11) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, json, simplexml.
curl extension is installed.
gd extension is installed.
intl extension is installed.
libxml extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.6.12) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/www/glpi/files/_cache has been validated.
Write access to /var/www/glpi/config has been validated.
Write access to /var/www/glpi/files/_cron has been validated.
Write access to /var/www/glpi/files has been validated.
Write access to /var/www/glpi/files/_dumps has been validated.
Write access to /var/www/glpi/files/_graphs has been validated.
Write access to /var/www/glpi/files/_lock has been validated.
Write access to /var/www/glpi/files/_pictures has been validated.
Write access to /var/www/glpi/files/_plugins has been validated.
Write access to /var/www/glpi/files/_rss has been validated.
Write access to /var/www/glpi/files/_sessions has been validated.
Write access to /var/www/glpi/files/_tmp has been validated.
Write access to /var/www/glpi/files/_uploads has been validated.

Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details.
The following directories should be placed outside "/var/www/glpi":
‣ "/var/www/glpi/files" ("GLPI_VAR_DIR")
‣ "/var/www/glpi/config" ("GLPI_CONFIG_DIR")
You can ignore this suggestion if your web server root directory is "/var/www/glpi/public".
Sessions configuration is secured.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/glpi/marketplace has been validated.
Timezones seems loaded in database.

GLPI constants
 
GLPI_ROOT: "/var/www/glpi"
GLPI_CONFIG_DIR: "/var/www/glpi/config"
GLPI_VAR_DIR: "/var/www/glpi/files"
GLPI_MARKETPLACE_DIR: "/var/www/glpi/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\\/\\/[^@:]+(\\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_DOC_DIR: "/var/www/glpi/files"
GLPI_CACHE_DIR: "/var/www/glpi/files/_cache"
GLPI_CRON_DIR: "/var/www/glpi/files/_cron"
GLPI_DUMP_DIR: "/var/www/glpi/files/_dumps"
GLPI_GRAPH_DIR: "/var/www/glpi/files/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/www/glpi/files/_locales"
GLPI_LOCK_DIR: "/var/www/glpi/files/_lock"
GLPI_LOG_DIR: "/var/www/glpi/files/_log"
GLPI_PICTURE_DIR: "/var/www/glpi/files/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/www/glpi/files/_plugins"
GLPI_RSS_DIR: "/var/www/glpi/files/_rss"
GLPI_SESSION_DIR: "/var/www/glpi/files/_sessions"
GLPI_TMP_DIR: "/var/www/glpi/files/_tmp"
GLPI_UPLOAD_DIR: "/var/www/glpi/files/_uploads"
GLPI_INVENTORY_DIR: "/var/www/glpi/files/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/glpi-plugins/"
GLPI_I18N_DIR: "/var/www/glpi/locales"
GLPI_VERSION: "10.0.7"
GLPI_SCHEMA_VERSION: "10.0.7@5d45269702917a32805e25b678f6779a98b145f6"
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.3.0"
GLPI_YEAR: "2023"

Libraries
 
htmlawed/htmlawed version 1.2.9 in (/var/www/glpi/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.8.0 in (/var/www/glpi/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/var/www/glpi/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.6.2 in (/var/www/glpi/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/glpi/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/glpi/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/glpi/vendor/iamcal/lib_autolink)
sabre/dav in (/var/www/glpi/vendor/sabre/dav/lib/DAV)
sabre/http in (/var/www/glpi/vendor/sabre/http/lib)
sabre/uri in (/var/www/glpi/vendor/sabre/uri/lib)
sabre/vobject in (/var/www/glpi/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/var/www/glpi/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/var/www/glpi/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/var/www/glpi/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/glpi/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/var/www/glpi/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/var/www/glpi/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/glpi/vendor/symfony/console)
scssphp/scssphp in (/var/www/glpi/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/var/www/glpi/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/var/www/glpi/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/var/www/glpi/vendor/rlanvin/php-rrule/src)
blueimp/jquery-file-upload in (/var/www/glpi/vendor/blueimp/jquery-file-upload/server/php)
ramsey/uuid in (/var/www/glpi/vendor/ramsey/uuid/src)
psr/log in (/var/www/glpi/vendor/psr/log/Psr/Log)
psr/simple-cache in (/var/www/glpi/vendor/psr/simple-cache/src)
psr/cache in (/var/www/glpi/vendor/psr/cache/src)
league/csv in (/var/www/glpi/vendor/league/csv/src)
mexitek/phpcolors in (/var/www/glpi/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/var/www/glpi/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/var/www/glpi/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/var/www/glpi/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/var/www/glpi/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/var/www/glpi/vendor/paragonie/sodium_compat/src)
symfony/cache in (/var/www/glpi/vendor/symfony/cache)
html2text/html2text in (/var/www/glpi/vendor/html2text/html2text/src)
symfony/css-selector in (/var/www/glpi/vendor/symfony/css-selector)
symfony/dom-crawler in (/var/www/glpi/vendor/symfony/dom-crawler)
twig/twig in (/var/www/glpi/vendor/twig/twig/src)
twig/string-extra in (/var/www/glpi/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 not found
symfony/polyfill-php81 not found
symfony/polyfill-php82 in (/var/www/glpi/vendor/symfony/polyfill-php82)
league/oauth2-client in (/var/www/glpi/vendor/league/oauth2-client/src/Provider)
league/oauth2-google in (/var/www/glpi/vendor/league/oauth2-google/src/Provider)
thenetworg/oauth2-azure in (/var/www/glpi/vendor/thenetworg/oauth2-azure/src/Provider)

LDAP directories
 
Server: 'ldap://10.100.143.21', Port: '389', BaseDN: 'ou=csp,ou=users,ou=csp,dc=pak-cspmz,dc=ru', Connection filter: none,
        RootDN: 'ldap@pak-cspmz.ru', Use TLS: none

SQL replicas
 
Not active

Notifications
 
Way of sending emails: SMTP (anonymous@mail.cspfmba.ru)

Plugins list
 
    formcreator          Name: Form Creator                   Version: 2.13.5     State: Enabled                                 
        Install Method: Marketplace
    glpiinventory        Name: GLPI Inventory                 Version: 1.2.1      State: Enabled                                 
        Install Method: Marketplace
    onetimesecret        Name: OneTimeSecret                  Version: 2.0.0      State: Installed / not activated               
        Install Method: Marketplace
    stab                 Name: Split Timeline Action Buttons  Version: 1.1.2      State: Enabled                                 
        Install Method: Marketplace
    vip                  Name: VIP                            Version: 1.8.2      State: Enabled                                 
        Install Method: Marketplace
    yagp                 Name: yagp                           Version: 2.1.1      State: Enabled                                 
        Install Method: Marketplace
    accounts             Name: Аккаунты                       Version: 3.0.3      State: Enabled                           
              Install Method: Marketplace
    datainjection        Name: Добавление данных        Version: 2.13.0     State: Enabled                         
                Install Method: Marketplace
    news                 Name: Оповещения                     Version: 1.10.6     State: Enabled                         
                Install Method: Marketplace
    behaviors            Name: Поведения                      Version: 2.7.2      State: Enabled                          
               Install Method: Marketplace
    shellcommands        Name: Служебные команды        Version: 4.0.1      State: Enabled                         
                Install Method: Marketplace
    printercounters      Name: Счетчики принтера        Version: 2.0.0      State: Enabled                         
                Install Method: Marketplace
    resources            Name: Человеческие Ресурсы  Version: 3.0.4      State: Enabled                         
                Install Method: Marketplace

Anything else?

No response

cedric-anne commented 1 year ago

Hi,

The SEE GROUP TICKET right permits to a user to see tickets that have one of their group either as requester, either as observer. There is currently no right that can be used to permit to a manager to see only tickets created by one of the group members.

github-actions[bot] commented 1 year ago

This issue has been closed as we only track bugs here.

You can get community support on forums or you can consider taking a subscription to get professional support. You can also contact GLPI editor team directly.

f0rextazy commented 1 year ago

Hi,

The SEE GROUP TICKET right permits to a user to see tickets that have one of their group either as requester, either as observer. There is currently no right that can be used to permit to a manager to see only tickets created by one of the group members.

@cedric-anne Users do not see tickets created by a user from a group with set permissions SEE GROUP TICKET Other users begin to see the ticket only if they add the group they belong to directly to this ticket. For example, there are 2 users, they are part of a group. user 1 creates a ticket. user 2 does not see this ticket. If you add a group to the ticket as an observer or as an initiator, then user 2 will start seeing the ticket. Is this the correct behavior of the system?

cedric-anne commented 1 year ago

@cedric-anne Users do not see tickets created by a user from a group with set permissions SEE GROUP TICKET Other users begin to see the ticket only if they add the group they belong to directly to this ticket. For example, there are 2 users, they are part of a group. user 1 creates a ticket. user 2 does not see this ticket. If you add a group to the ticket as an observer or as an initiator, then user 2 will start seeing the ticket. Is this the correct behavior of the system?

This is indeed the expected behaviour.

serge2016 commented 1 year ago

Dear @cedric-anne Is it possible to somehow automatically add such a group (or simply a specific user) as an observer to all tickets that a group member creates?

cedric-anne commented 1 year ago

@serge2016

You hav to use Business rules for tickets. Please user forums to be help on this.