cedric-anne
commented
2 days ago Unless I miss something, there is no "current user" in a crontask context. What user is used then?
Open cconard96 opened 2 days ago
cedric-anne
commented
2 days ago Unless I miss something, there is no "current user" in a crontask context. What user is used then?
cconard96
commented
2 days ago If no user is logged in, no user is used. The requests to the API are made directly through the router rather than making HTTP requests through curl or Guzzle. The only "authentication" that is done is through InternalAuthMiddleware where it sets the client info manually or causes the authentication process to fail if there is no logged in user.
orthagh
commented
2 days ago cf !35208
I don't know if we need a bypass (maybe yes) but we need more and more cli executions and rights checkings are locking too much in this context. more example, already identified execution of workflows. We need this before 11.0 release.
I am not sure, but as an alternative to opening the gates, we may use the SYSTEM_GLPI user for that instead, and check if can have full rights for him (it may already be the case). It will help also identify actions in logs.
cconard96
commented
2 days ago I had two ideas when I was made aware of the issue yesterday:
For workflows, we could try forcing all permission-dependent interaction through the GLPI APIs or create a bridge in the GLPI core that lets that specific feature bypass permission checks.
The Webhook feature currently makes requests for the related data through the new API and uses the current logged in user. In most cases, this isn't an issue since whoever creates/updates something also has the ability to view that item. When webhooks get triggered from a Crontask though, the current user may be too low privileged, in another entity, or there may not be any user logged in at all in the case of externally triggered tasks.
This issue was noticed with tickets created from collected emails.