[ ] I agree to follow this project's Code of Conduct
Is there an existing issue for this?
[X] I have searched the existing issues
Version
10.0.9
Bug description
When using the API at path http://127.0.0.1/apirest.php/Config, inventory settings are not available; this includes edit. As such, configuration of inventory is not possible. Specifically, if the config context is not core, it's not available within the API.
Viewing the database in table glpi_configs, the inventory settings are there and have context set to inventory. Navigating specifically to an inventory by id via the API, http://127.0.0.1/apirest.php/Config/{inventory_item_id}, gives permission denied as super-user. All permissions appear to be correct.
Relevant log output
N/A
Page URL
apirest.php/Config
Steps To reproduce
HTTP/GET API call to apirest.php/Config?range=0-1000, and no inventory setting is visible.
Your GLPI setup information
Information about system installation & configuration
GLPI 10.0.9 ( => /var/www/html)
Installation mode: TARBALL
Current language:en_US
Server
Operating system: Linux glpi 5.10.0-23-amd64 #1 SMP Debian 5.10.179-3 (2023-07-27) x86_64
PHP 7.4.33 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, bz2, calendar, ctype,
curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, igbinary, imap, intl, json, ldap, libxml, mbstring,
mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, readline, redis, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem,
sysvshm, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="30" memory_limit="128M" post_max_size="8M" safe_mode="" session.save_handler="files"
upload_max_filesize="2M"
Software: Apache/2.4.56 (Debian) (Apache/2.4.56 (Debian) Server at 127.0.0.1 Port 80
)
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Server Software: mariadb.org binary distribution
Server Version: 10.7.8-MariaDB-1:10.7.8+maria~ubu2004
Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
Parameters: root@mariadb/glpidb
Host info: mariadb via TCP/IP
PHP version (7.4.33) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.
curl extension is installed.
gd extension is installed.
intl extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.7.8) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/www/html/files/_cache has been validated.
Write access to /var/www/html/config has been validated.
Write access to /var/www/html/files/_cron has been validated.
Write access to /var/www/html/files has been validated.
Write access to /var/www/html/files/_dumps has been validated.
Write access to /var/www/html/files/_graphs has been validated.
Write access to /var/www/html/files/_lock has been validated.
Write access to /var/www/html/files/_pictures has been validated.
Write access to /var/www/html/files/_plugins has been validated.
Write access to /var/www/html/files/_rss has been validated.
Write access to /var/www/html/files/_sessions has been validated.
Write access to /var/www/html/files/_tmp has been validated.
Write access to /var/www/html/files/_uploads has been validated.
PHP 7.4 official support has ended. An upgrade to a more recent PHP version is recommended.
Web server root directory configuration seems safe.
PHP directive "session.cookie_httponly" should be set to "on" to prevent client-side script to access cookie values.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/html/marketplace has been validated.
Timezones seems loaded in database.
htmlawed/htmlawed version 1.2.14 in (/var/www/html/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.8.0 in (/var/www/html/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/var/www/html/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.6.2 in (/var/www/html/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/html/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/html/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/html/vendor/iamcal/lib_autolink)
sabre/dav in (/var/www/html/vendor/sabre/dav/lib/DAV)
sabre/http in (/var/www/html/vendor/sabre/http/lib)
sabre/uri in (/var/www/html/vendor/sabre/uri/lib)
sabre/vobject in (/var/www/html/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/var/www/html/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/var/www/html/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/var/www/html/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/html/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/var/www/html/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/var/www/html/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/html/vendor/symfony/console)
scssphp/scssphp in (/var/www/html/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/var/www/html/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/var/www/html/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/var/www/html/vendor/rlanvin/php-rrule/src)
blueimp/jquery-file-upload in (/var/www/html/vendor/blueimp/jquery-file-upload/server/php)
ramsey/uuid in (/var/www/html/vendor/ramsey/uuid/src)
psr/log in (/var/www/html/vendor/psr/log/Psr/Log)
psr/simple-cache in (/var/www/html/vendor/psr/simple-cache/src)
psr/cache in (/var/www/html/vendor/psr/cache/src)
league/csv in (/var/www/html/vendor/league/csv/src)
mexitek/phpcolors in (/var/www/html/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/var/www/html/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/var/www/html/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/var/www/html/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/var/www/html/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/var/www/html/vendor/paragonie/sodium_compat/src)
symfony/cache in (/var/www/html/vendor/symfony/cache)
html2text/html2text in (/var/www/html/vendor/html2text/html2text/src)
symfony/css-selector in (/var/www/html/vendor/symfony/css-selector)
symfony/dom-crawler in (/var/www/html/vendor/symfony/dom-crawler)
twig/twig in (/var/www/html/vendor/twig/twig/src)
twig/string-extra in (/var/www/html/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 in (/var/www/html/vendor/symfony/polyfill-php80)
symfony/polyfill-php81 in (/var/www/html/vendor/symfony/polyfill-php81)
symfony/polyfill-php82 in (/var/www/html/vendor/symfony/polyfill-php82)
league/oauth2-client in (/var/www/html/vendor/league/oauth2-client/src/Provider)
league/oauth2-google in (/var/www/html/vendor/league/oauth2-google/src/Provider)
thenetworg/oauth2-azure in (/var/www/html/vendor/thenetworg/oauth2-azure/src/Provider)
phpCas version 1.3.8 in (/usr/share/php/CAS/source)
LDAP directories
Server: 'ldap', Port: '389', BaseDN: '', Use TLS:
none
On code diving to src/Config.php#L118-L128, making the following change
to lift the context restriction enabled me to individually pull the config if the id was specified, i.e. http://127.0.0.1/apirest.php/Config/{inventory_item_id}
public function canViewItem()
{
if (
isset($this->fields['context']) &&
- ($this->fields['context'] == 'core' ||
- Plugin::isPluginActive($this->fields['context']))
+ Plugin::isPluginActive($this->fields['context'])
) {
return true;
}
return false;
}
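Review bot: On the `+` line the `$this->fields['context'] == 'core'` comparison is dropped rather than widened, so canViewItem() now returns true only when `Plugin::isPluginActive($this->fields['context'])` does, and nothing in the hunk names the `inventory` context the report is about. If the goal is to expose inventory settings, keep the `'core'` test and add the extra context explicitly, for example `in_array($this->fields['context'], ['core', 'inventory'], true) ||`, so the set of config contexts readable through the API stays an explicit allow-list. A short comment stating why each context is allowed would also help, since canViewItem() gates which Config rows a caller can read.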
I could not locate the code that prevented the items with a context of inventory from being displayed or edited.