glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0

Task Templates: Self-Service-Users can mark tasks as "Done", even without the permissions to do so #17441

Open hypermagicmountain opened 2 months ago

hypermagicmountain commented 2 months ago

Version

10.0.15

Bug description

We have multiple task templates that will be automatically added to a ticket when our customers open a ticket in a specific template (Hardware-request, for example). Whether they do so via the Forms plugin or by opening a normal ticket and choosing the template, the issue remains the same.

Those tasks are for the technicians to do, and the customer should only be able to see the progress.

However, the customers are now able to click the checkbox next to the tasks and mark them as done that way. Additionally, they can "edit" the task, but they can't save them.

When a technician inserts a task manually, the customers can't click on the check box, which is the expected behavior.

Side notes: Our Self-Service profile is set to the default settings, so the users should not be able to add or edit tasks. Additionally, we tried setting the "By" and the "Groups" fields in the task template, but that doesn't change the behavior.

Relevant log output

No response

Page URL

No response

Steps To reproduce

Make a ticket template that adds task templates. As an end user, open a ticket in this category; you will now be able to check the task as done.

Your GLPI setup information

Information about system installation & configuration
GLPI 10.0.15 ( => /var/www/html/glpi)
Installation mode: TARBALL
Current language:en_US

Server
 
Operating system: Linux vm-ticketsystem 6.8.0-36-generic #36-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 10 10:49:14 UTC 2024 x86_64
PHP 8.3.6 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, apcu, bcmath, bz2,
    calendar, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, igbinary, imap, intl, json, ldap,
    libxml, mbstring, mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, random, readline, redis, session, shmop, soap, sockets,
    sodium, standard, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="60" memory_limit="256M" post_max_size="20M" safe_mode="" session.save_handler="files"
    upload_max_filesize="20M" disable_functions="" 
Software: Apache/2.4.58 (Ubuntu) (Apache/2.4.58 (Ubuntu) Server at glpi-it.cdotenter.de Port 443)
    Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Server Software: Ubuntu 24.04
    Server Version: 10.11.8-MariaDB-0ubuntu0.24.04.1
    Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
    Parameters: glpi@localhost/glpi
    Host info: Localhost via UNIX socket

PHP version (8.3.6) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.
curl extension is installed.
gd extension is installed.
intl extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.11.8) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/lib/glpi/_cache has been validated.
Write access to /var/lib/glpi/_cron has been validated.
Write access to /var/lib/glpi has been validated.
Write access to /var/lib/glpi/_dumps has been validated.
Write access to /var/lib/glpi/_graphs has been validated.
Write access to /var/lib/glpi/_lock has been validated.
Write access to /var/lib/glpi/_pictures has been validated.
Write access to /var/lib/glpi/_plugins has been validated.
Write access to /var/lib/glpi/_rss has been validated.
Write access to /var/lib/glpi/_sessions has been validated.
Write access to /var/lib/glpi/_tmp has been validated.
Write access to /var/lib/glpi/_uploads has been validated.

Web server root directory configuration seems safe.
PHP directive "session.cookie_secure" should be set to "on" when GLPI can be accessed on HTTPS protocol.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/html/glpi/marketplace has been validated.
Timezones seems loaded in database.

GLPI constants
 
GLPI_ROOT: "/var/www/html/glpi"
GLPI_CONFIG_DIR: "/etc/glpi/"
GLPI_VAR_DIR: "/var/lib/glpi"
GLPI_DOC_DIR: "/var/lib/glpi"
GLPI_CRON_DIR: "/var/lib/glpi/_cron"
GLPI_DUMP_DIR: "/var/lib/glpi/_dumps"
GLPI_GRAPH_DIR: "/var/lib/glpi/_graphs"
GLPI_LOCK_DIR: "/var/lib/glpi/_lock"
GLPI_PICTURE_DIR: "/var/lib/glpi/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/lib/glpi/_plugins"
GLPI_RSS_DIR: "/var/lib/glpi/_rss"
GLPI_SESSION_DIR: "/var/lib/glpi/_sessions"
GLPI_TMP_DIR: "/var/lib/glpi/_tmp"
GLPI_UPLOAD_DIR: "/var/lib/glpi/_uploads"
GLPI_CACHE_DIR: "/var/lib/glpi/_cache"
GLPI_LOG_DIR: "/var/log/glpi"
GLPI_MARKETPLACE_DIR: "/var/www/html/glpi/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\\/\\/[^@:]+(\\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_TEXT_MAXSIZE: "4000"
GLPI_LOCAL_I18N_DIR: "/var/lib/glpi/_locales"
GLPI_INVENTORY_DIR: "/var/lib/glpi/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
GLPI_I18N_DIR: "/var/www/html/glpi/locales"
GLPI_VERSION: "10.0.15"
GLPI_SCHEMA_VERSION: "10.0.15@2eed74704cb07e0bac48b933cbd5c1c356f09629"
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.4.0"
GLPI_YEAR: "2024"

Libraries
 
htmlawed/htmlawed version 1.2.14 in (/var/www/html/glpi/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.8.0 in (/var/www/html/glpi/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/var/www/html/glpi/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.7.5 in (/var/www/html/glpi/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/html/glpi/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/html/glpi/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/html/glpi/vendor/iamcal/lib_autolink)
sabre/dav in (/var/www/html/glpi/vendor/sabre/dav/lib/DAV)
sabre/http in (/var/www/html/glpi/vendor/sabre/http/lib)
sabre/uri in (/var/www/html/glpi/vendor/sabre/uri/lib)
sabre/vobject in (/var/www/html/glpi/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/var/www/html/glpi/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/var/www/html/glpi/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/var/www/html/glpi/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/html/glpi/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/var/www/html/glpi/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/var/www/html/glpi/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/html/glpi/vendor/symfony/console)
scssphp/scssphp in (/var/www/html/glpi/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/var/www/html/glpi/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/var/www/html/glpi/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/var/www/html/glpi/vendor/rlanvin/php-rrule/src)
ramsey/uuid in (/var/www/html/glpi/vendor/ramsey/uuid/src)
psr/log in (/var/www/html/glpi/vendor/psr/log/Psr/Log)
psr/simple-cache in (/var/www/html/glpi/vendor/psr/simple-cache/src)
psr/cache in (/var/www/html/glpi/vendor/psr/cache/src)
league/csv in (/var/www/html/glpi/vendor/league/csv/src)
mexitek/phpcolors in (/var/www/html/glpi/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/var/www/html/glpi/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/var/www/html/glpi/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/var/www/html/glpi/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/var/www/html/glpi/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/var/www/html/glpi/vendor/paragonie/sodium_compat/src)
symfony/cache in (/var/www/html/glpi/vendor/symfony/cache)
html2text/html2text in (/var/www/html/glpi/vendor/html2text/html2text/src)
symfony/css-selector in (/var/www/html/glpi/vendor/symfony/css-selector)
symfony/dom-crawler in (/var/www/html/glpi/vendor/symfony/dom-crawler)
twig/twig in (/var/www/html/glpi/vendor/twig/twig/src)
twig/string-extra in (/var/www/html/glpi/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 not found
symfony/polyfill-php81 not found
symfony/polyfill-php82 in (/var/www/html/glpi/vendor/symfony/polyfill-php82)
league/oauth2-client in (/var/www/html/glpi/vendor/league/oauth2-client/src/Provider)
league/oauth2-google in (/var/www/html/glpi/vendor/league/oauth2-google/src/Provider)
thenetworg/oauth2-azure in (/var/www/html/glpi/vendor/thenetworg/oauth2-azure/src/Provider)
phpCas version 1.6.0 in (/usr/share/php/CAS/source)

Notifications
 
Way of sending emails: SMTP+SSL (m06fb2d5@w014b4a4.kasserver.com)

Plugins list
 
    formcreator          Name: Form Creator                   Version: 2.13.9     State: Enabled                                 
        Install Method: Marketplace
    glpisaml             Name: Glpisaml                       Version: 1.1.6      State: Enabled                                 
        Install Method: Marketplace

Anything else?

No response

cconard96 commented 1 month ago

I cannot recreate the issue. When the canUpdateItem check fails for tasks, the checkbox is disabled and the edit option is missing. Please test again with 10.0.16.

hypermagicmountain commented 2 weeks ago

@cconard96 @trasher

I updated to version 10.0.16, but that didn't solve the issue.

What you describe is true for tasks that we as technicians add to a ticket. The author of the ticket cannot edit those in any way.

The tasks however that are added automatically via ticket templates can be checked as "done" by the author.

[screenshot]

On the top right you can see that we are in the Profile "Self Service". We didn't touch the default profile settings (updating tasks is not allowed in this profile). I hovered over the first task with the mouse; you can see the three dots for the edit mode and that I checked the box.

The tasks are inserted by the user "Self Service Test", because that user used the ticket template to create the ticket.

Also I have a screenshot for the Ticket history:

[screenshot]

I hope you can find a way to reproduce this, because the automatic task insert function is great and almost perfect, but this bug makes it pretty uncontrollable, because the user can mark the technician's tasks as done...
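An added illustration of the failure mode this thread describes, written for this page and not taken from GLPI's code base or from the reporter: the reporter's ticket history shows template-inserted tasks recorded as created by the Self-Service user, and the maintainer notes the checkbox is enabled exactly when the update check passes. The model below shows how an author-based ownership shortcut, consulted before profile rights, lets the requester through for such a task while a technician-added task stays protected, and two ways to close it. The profile names, the rights table, the `origin` field and the system-user sentinel are assumptions for illustration, not GLPI's actual data model.

```python
# Added example, not code from GLPI or from this issue: a small model of the
# failure mode the report describes. A task that the application inserts from
# a ticket template is stamped with the ticket author as its creator, so an
# author-based "you created it, you may update it" shortcut lets a Self-Service
# user tick it as done even though the profile grants no update right. All
# names, profile rights and the "origin" field are assumptions for illustration.
from dataclasses import dataclass
from typing import Callable

SYSTEM_USER_ID = 0  # assumed sentinel: created by the application, not a person


@dataclass(frozen=True)
class User:
    id: int
    profile: str  # assumed profile names: "self-service" or "technician"


@dataclass
class Task:
    id: int
    ticket_id: int
    author_id: int   # who the record says created the task
    origin: str      # "manual" (a person added it) or "template" (auto-inserted)
    is_done: bool = False


# Assumed per-profile rights. Self-Service users may update no tasks at all,
# matching the default profile the reporter describes; technicians may update any.
PROFILE_RIGHTS = {
    "self-service": {"update_own": False, "update_all": False},
    "technician": {"update_own": True, "update_all": True},
}


def can_update_naive(user: User, task: Task) -> bool:
    """Ownership shortcut taken before profile rights are consulted: anyone the
    record names as author may update it. A template task stamped with the
    requester's id satisfies this for the requester."""
    if PROFILE_RIGHTS[user.profile]["update_all"]:
        return True
    return task.author_id == user.id


def can_update_hardened(user: User, task: Task) -> bool:
    """Profile rights first; the ownership path exists only if the profile grants
    update_own, and only for tasks the user deliberately created themselves,
    never for tasks the system inserted on their behalf."""
    rights = PROFILE_RIGHTS[user.profile]
    if rights["update_all"]:
        return True
    if not rights["update_own"]:
        return False
    return task.origin == "manual" and task.author_id == user.id


def insert_template_task(ticket_id: int, requester: User, task_id: int,
                         stamp_requester: bool) -> Task:
    """Auto-insert a task from a ticket template. With stamp_requester=True the
    requester is recorded as author (what the issue reports seeing in the ticket
    history); with False the system user is recorded, so no author-based check
    can be satisfied by the requester."""
    author = requester.id if stamp_requester else SYSTEM_USER_ID
    return Task(id=task_id, ticket_id=ticket_id, author_id=author, origin="template")


def mark_done(user: User, task: Task, check: Callable[[User, Task], bool]) -> Task:
    """Server-side gate for the 'done' checkbox; a disabled checkbox in the UI
    must never be the only enforcement point."""
    if not check(user, task):
        raise PermissionError(f"user {user.id} ({user.profile}) may not update task {task.id}")
    task.is_done = True
    return task


def demo() -> dict:
    """Run both checks over the situations the issue distinguishes."""
    requester = User(id=42, profile="self-service")
    tech = User(id=7, profile="technician")
    template_task = insert_template_task(1, requester, 100, stamp_requester=True)
    system_task = insert_template_task(1, requester, 101, stamp_requester=False)
    manual_task = Task(id=102, ticket_id=1, author_id=tech.id, origin="manual")
    return {
        # the bug: the author stamp lets the requester through the naive check
        "naive_template_requester": can_update_naive(requester, template_task),
        # a technician-added task is safe even under the naive check (as reported)
        "naive_manual_requester": can_update_naive(requester, manual_task),
        # either fix closes it: rights before ownership, or stop stamping the requester
        "hardened_template_requester": can_update_hardened(requester, template_task),
        "naive_system_template_requester": can_update_naive(requester, system_task),
        # technicians keep their access
        "hardened_template_tech": can_update_hardened(tech, template_task),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The two fixes are independent: consulting profile rights before any ownership path is the general rule (an end user with no update right should never reach an author comparison), and recording auto-inserted tasks under a system actor rather than the requester removes the misleading authorship in the first place, which also keeps the ticket history honest about who actually created the task.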

hypermagicmountain commented 2 weeks ago

@trasher Can you reopen the issue? I can reproduce the bug very reliably.