Closed loyolajavi closed 2 years ago
Informations requested from template has not been provided.
Describe the bug
Watchers of a ticket can modify it when the ticket "Update" right is enabled and "See all tickets" is disabled in their profile. As I see it, the watchers should only see the tickets (if they do not also have the ticket assigned to themselves) with those rights applied.
Page(s) URL
https://dev-glpi.mpf.gov.ar/front/ticket.form.php?id=XX Where XX is the ticket ID
To reproduce
Steps to reproduce the behavior:
Expected behavior
"John Doe" should only see the ticket, rather than update the ticket.
Logs
No logs, because there are no errors
Screenshots
Your GLPI setup (you can find it in Setup > General menu, System tab)
Information about system installation and configuration
GLPI 9.4.2 ( => /var/www/glpi) Installation mode: TARBALL
Server
Operating system: Linux 4.4.0-141-generic #167-Ubuntu
PHP 7.2.16-1+ubuntu16.04.1+deb.sury.org+1 apache2handler (Core, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, apc, apcu, bcmath, bz2, calendar, ctype, curl, date, dba, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, imap, json, ldap, libxml, mbstring, mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="1200" memory_limit="512M" post_max_size="8M" safe_mode="" session.save_handler="files" upload_max_filesize="20M"
Software: Apache/2.4.18 (Ubuntu) (Apache/2.4.18 (Ubuntu) Server at Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Server Software: mariadb.org binary distribution
Server Version: 10.2.19-MariaDB-10.2.19+maria~xenial
Server SQL Mode:
Parameters:
Host info:
mysqli extension is installed
ctype extension is installed
fileinfo extension is installed
json extension is installed
mbstring extension is installed
iconv extension is installed
zlib extension is installed
curl extension is installed
gd extension is installed
simplexml extension is installed
xml extension is installed
ldap extension is installed
imap extension is installed
Zend OPcache extension is installed
APCu extension is installed
xmlrpc extension is installed
exif extension is installed
CAS extension is not present
Database version seems correct (10.2.19) - Perfect!
Database version seems correct (10.2.19) - Perfect!
OK/var/www/glpi/files/_log : OK
OK/var/www/glpi/config : OK
OK/var/www/glpi/files : OK
OK/var/www/glpi/files/_dumps : OK
OK/var/www/glpi/files/_sessions : OK
OK/var/www/glpi/files/_cron : OK
OK/var/www/glpi/files/_graphs : OK
OK/var/www/glpi/files/_lock : OK
OK/var/www/glpi/files/_plugins : OK
OK/var/www/glpi/files/_tmp : OK
OK/var/www/glpi/files/_cache : OK
OK/var/www/glpi/files/_rss : OK
OK/var/www/glpi/files/_uploads : OK
OK/var/www/glpi/files/_pictures : OK
Web access to the files directory should not be allowed
Check the .htaccess file and the web server configuration.
Libraries
htmLawed version 1.2.4 in (/var/www/glpi/lib/htmlawed)
phpmailer/phpmailer version 6.0.7 in (/var/www/glpi/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.2 in (/var/www/glpi/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.2.26 in (/var/www/glpi/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/glpi/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/glpi/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/glpi/vendor/iamcal/lib_autolink)
sabre/vobject in (/var/www/glpi/vendor/sabre/vobject/lib)
zendframework/zend-cache in (/var/www/glpi/vendor/zendframework/zend-cache/src)
zendframework/zend-i18n in (/var/www/glpi/vendor/zendframework/zend-i18n/src)
zendframework/zend-serializer in (/var/www/glpi/vendor/zendframework/zend-serializer/src)
monolog/monolog in (/var/www/glpi/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/glpi/vendor/sebastian/diff/src)
elvanto/litemoji in (/var/www/glpi/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/glpi/vendor/symfony/console)
leafo/scssphp in (/var/www/glpi/vendor/leafo/scssphp/src)
LDAP directories
SQL replicas
Not active
Notifications
Way of sending emails: SMTP
Mails receivers
Plugins list
fields Name: Additionnal fields Version: 1.10.0 State: Enabled
dashboard Name: Dashboard Version: 0.9.7 State: Not activated
mydashboard Name: Dashboard access Version: 1.7.4 State: Enabled
escalade Name: Escalation Version: 2.4.4 State: Enabled
fusioninventory Name: FusionInventory Version: 9.4+1.1 State: Enabled
reports Name: Informes Version: 1.13.1 State: Enabled
Additional context
You should update to the latest version (or latest nightly) and try again.
Hi trasher,
I already updated to 9.4.3 and the Watchers can still update the ticket: In this example the user XSoporte1 is in the XGSoporte group and this group is a Watcher, so XSoporte1 should only see the ticket, rather than update the ticket (as I expected).
I tried with only XSoporte1 as Watcher, but he can still update the ticket.
I also tried with the escalation plugin deactivated, but he can still update the ticket.
Trasher, I could review the code and try to make the Watchers only have read permissions, despite having the "update" permission in Tickets, but I don't know anything about permission handling in GLPI. If you want to give me some tips, I can check the code to help you, if this issue is relevant, of course.
Thanks a lot for your attention
There has been no activity on this issue for some time and therefore it is considered stale and will be closed automatically in 10 days.
If this issue is related to a bug, please try to reproduce on the latest release. If the problem persists, feel free to add a comment to revive this issue. If it is related to a new feature, please open a topic to discuss this enhancement with the community on the suggestion website.
You may also consider taking a subscription to get professional support or contact the GLPI editor team directly.
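The access decision discussed in this thread, as a simplified model added here as an example; it is not GLPI code and not part of the original issue. The right names, role names and both functions are hypothetical, and the "expected" policy encodes the reporter's expectation plus the assumption stated in its comment.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    rights: frozenset            # profile rights on tickets: "update", "see_all"
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Ticket:
    requesters: frozenset = frozenset()
    assignees: frozenset = frozenset()
    watchers: frozenset = frozenset()        # users added as watcher
    watcher_groups: frozenset = frozenset()  # groups added as watcher

def roles(user, ticket):
    """Roles the user holds on this ticket, directly or through a group."""
    held = set()
    if user.name in ticket.requesters:
        held.add("requester")
    if user.name in ticket.assignees:
        held.add("assigned")
    if user.name in ticket.watchers or user.groups & ticket.watcher_groups:
        held.add("watcher")
    return held

def can_view(user, ticket):
    return "see_all" in user.rights or bool(roles(user, ticket))

def can_update_reported(user, ticket):
    # Behaviour described in the report: being able to see the ticket plus the
    # profile-level "Update" right is enough to modify it.
    return "update" in user.rights and can_view(user, ticket)

def can_update_expected(user, ticket):
    # Reporter's expectation: the watcher role alone grants read access only.
    # Assumption: "see_all" or a non-watcher role is what unlocks "Update".
    if "update" not in user.rights:
        return False
    return "see_all" in user.rights or bool(roles(user, ticket) - {"watcher"})

# Constructed sample mirroring the thread: XGSoporte is a watcher group.
xsoporte1 = User("XSoporte1", frozenset({"update"}), frozenset({"XGSoporte"}))
ticket = Ticket(watcher_groups=frozenset({"XGSoporte"}))
assigned = Ticket(assignees=frozenset({"XSoporte1"}), watcher_groups=frozenset({"XGSoporte"}))

if __name__ == "__main__":
    for t in (ticket, assigned):
        print(sorted(roles(xsoporte1, t)), can_view(xsoporte1, t),
              can_update_reported(xsoporte1, t), can_update_expected(xsoporte1, t))
```

The two policies differ only for a user whose sole link to the ticket is the watcher role, which is the case to cover in a regression test for this kind of check.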