glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0

Watchers of a ticket can modify it, when ticket "Update" right is enabled and "See all tickets" is disabled in their profile #6123

Closed loyolajavi closed 2 years ago

loyolajavi commented 5 years ago

Describe the bug

Watchers of a ticket can modify it, when the ticket "Update" right is enabled and "See all tickets" is disabled in their profile. As I see it, watchers should only be able to see the tickets (if the ticket is not also assigned to them) with those rights applied.

Screenshots

[screenshot]

trasher commented 5 years ago

Information requested by the template has not been provided.

loyolajavi commented 5 years ago

Describe the bug

Watchers of a ticket can modify it, when the ticket "Update" right is enabled and "See all tickets" is disabled in their profile. As I see it, watchers should only be able to see the tickets (if the ticket is not also assigned to them) with those rights applied.

Page(s) URL

https://dev-glpi.mpf.gov.ar/front/ticket.form.php?id=XX Where XX is the ticket ID

To reproduce

Steps to reproduce the behavior:

  1. When a ticket is created, the user "John Doe" with Update tickets permission and without "See all tickets" permission is added to Watchers of the ticket
  2. This user "John Doe" is only a Watcher of the ticket, but he can update the ticket

Expected behavior

"John Doe" should only be able to see the ticket, not update it.

Logs

No logs, because there are no errors

Screenshots

[screenshot]

Your GLPI setup (you can find it in Setup > General menu, System tab)

Information about system installation and configuration [code]

GLPI 9.4.2 ( => /var/www/glpi) Installation mode: TARBALL

Server

Operating system: Linux 4.4.0-141-generic #167-Ubuntu
PHP 7.2.16-1+ubuntu16.04.1+deb.sury.org+1 apache2handler (Core, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, apc, apcu, bcmath, bz2, calendar, ctype, curl, date, dba, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, imap, json, ldap, libxml, mbstring, mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="1200" memory_limit="512M" post_max_size="8M" safe_mode="" session.save_handler="files" upload_max_filesize="20M"
Software: Apache/2.4.18 (Ubuntu) (Apache/2.4.18 (Ubuntu) Server at Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36)
Server Software: mariadb.org binary distribution
Server Version: 10.2.19-MariaDB-10.2.19+maria~xenial
Server SQL Mode:
Parameters:
Host info:

mysqli extension is installed
ctype extension is installed
fileinfo extension is installed
json extension is installed
mbstring extension is installed
iconv extension is installed
zlib extension is installed
curl extension is installed
gd extension is installed
simplexml extension is installed
xml extension is installed
ldap extension is installed
imap extension is installed
Zend OPcache extension is installed
APCu extension is installed
xmlrpc extension is installed
exif extension is installed
CAS extension is not present
Database version seems correct (10.2.19) - Perfect!
/var/www/glpi/files/_log : OK
/var/www/glpi/config : OK
/var/www/glpi/files : OK
/var/www/glpi/files/_dumps : OK
/var/www/glpi/files/_sessions : OK
/var/www/glpi/files/_cron : OK
/var/www/glpi/files/_graphs : OK
/var/www/glpi/files/_lock : OK
/var/www/glpi/files/_plugins : OK
/var/www/glpi/files/_tmp : OK
/var/www/glpi/files/_cache : OK
/var/www/glpi/files/_rss : OK
/var/www/glpi/files/_uploads : OK
/var/www/glpi/files/_pictures : OK
Web access to the files directory should not be allowed. Check the .htaccess file and the web server configuration.

Libraries

htmLawed version 1.2.4 in (/var/www/glpi/lib/htmlawed)
phpmailer/phpmailer version 6.0.7 in (/var/www/glpi/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.2 in (/var/www/glpi/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.2.26 in (/var/www/glpi/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/glpi/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/glpi/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/glpi/vendor/iamcal/lib_autolink)
sabre/vobject in (/var/www/glpi/vendor/sabre/vobject/lib)
zendframework/zend-cache in (/var/www/glpi/vendor/zendframework/zend-cache/src)
zendframework/zend-i18n in (/var/www/glpi/vendor/zendframework/zend-i18n/src)
zendframework/zend-serializer in (/var/www/glpi/vendor/zendframework/zend-serializer/src)
monolog/monolog in (/var/www/glpi/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/glpi/vendor/sebastian/diff/src)
elvanto/litemoji in (/var/www/glpi/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/glpi/vendor/symfony/console)
leafo/scssphp in (/var/www/glpi/vendor/leafo/scssphp/src)

LDAP directories

SQL replicas

Not active

Notifications

Way of sending emails: SMTP

Mails receivers

Plugins list

fields               Name: Additionnal fields             Version: 1.10.0     State: Enabled
dashboard            Name: Dashboard                      Version: 0.9.7      State: Not activated
mydashboard          Name: Dashboard access               Version: 1.7.4      State: Enabled
escalade             Name: Escalation                     Version: 2.4.4      State: Enabled
fusioninventory      Name: FusionInventory                Version: 9.4+1.1    State: Enabled
reports              Name: Informes                       Version: 1.13.1     State: Enabled

Additional context

trasher commented 5 years ago

You should update to the latest version (or latest nightly) and try again.

loyolajavi commented 5 years ago

Hi trasher,

I already updated to 9.4.3 and watchers can still update the ticket. In this example the user XSoporte1 is in the XGSoporte group and this group is a watcher, so XSoporte1 should only be able to see the ticket, not update it (as I expected).

[screenshot]

I tried with only XSoporte1 as a watcher, but he can still update the ticket.

[screenshot]

I also tried with the escalation plugin deactivated, but he can still update the ticket.

[screenshot]

Trasher, I could review the code and try to make watchers have only read permissions, despite having the "update" permission on tickets, but I don't know anything about permission handling in GLPI. If you want to give me some tips, I can check the code to help you, if this issue is relevant, of course.

Thanks a lot for your attention
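The two scenarios above (a user added directly as a watcher, and a user who is a watcher only through group membership) boil down to one authorization question: does the profile-level "Update" right apply to every ticket the user can see, or only to tickets the user is assigned to? The following is an added illustration written for this page, not GLPI's own code: it models the reporter's expected rule next to the behaviour the reports describe, with an audit helper that lists the (user, ticket) pairs where the two disagree. The right names (`READ_MINE`, `READ_ALL`, `UPDATE`), the roles, the decision rules and the sample users and tickets are all assumptions chosen to mirror the thread, not GLPI's Profile or Ticket classes.

```python
# Added illustration for issue #6123: a model of how the reporter expects the
# "Update" and "See all tickets" ticket rights to combine with a user's relation
# to a ticket (watcher directly, watcher via group, assigned). This is NOT
# GLPI's code; right names, roles and rules are assumptions mirroring the report.
from dataclasses import dataclass

# Assumed right names, mirroring the profile checkboxes named in the report.
READ_MINE = "read_mine"   # may see tickets the user is involved in
READ_ALL = "read_all"     # "See all tickets"
UPDATE = "update"         # "Update"


@dataclass(frozen=True)
class User:
    name: str
    rights: frozenset
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    observers: frozenset = frozenset()        # user names added as watchers
    observer_groups: frozenset = frozenset()  # groups added as watchers
    assigned: frozenset = frozenset()         # user names assigned as technicians
    assigned_groups: frozenset = frozenset()  # groups assigned as technicians


def is_observer(user: User, ticket: Ticket) -> bool:
    """Watcher either directly or through one of the user's groups."""
    return user.name in ticket.observers or bool(user.groups & ticket.observer_groups)


def is_assigned(user: User, ticket: Ticket) -> bool:
    return user.name in ticket.assigned or bool(user.groups & ticket.assigned_groups)


def can_view(user: User, ticket: Ticket) -> bool:
    """"See all tickets" grants global read; otherwise the user must be involved."""
    if READ_ALL in user.rights:
        return True
    return READ_MINE in user.rights and (is_observer(user, ticket) or is_assigned(user, ticket))


def can_update_observed(user: User, ticket: Ticket) -> bool:
    """Behaviour the report describes: every visible ticket becomes writable
    as soon as the profile carries the Update right."""
    return can_view(user, ticket) and UPDATE in user.rights


def can_update_expected(user: User, ticket: Ticket) -> bool:
    """Behaviour the reporter expects: Update applies to tickets the user sees
    globally (See all tickets) or is assigned to; a bare watcher stays read-only."""
    if not can_view(user, ticket) or UPDATE not in user.rights:
        return False
    if READ_ALL in user.rights:
        return True
    return is_assigned(user, ticket)


def overprivileged(users, tickets):
    """Audit helper: (user, ticket) pairs writable under the observed rule
    but read-only under the expected one, i.e. the watcher-only cases."""
    return [
        (u.name, t.ticket_id)
        for u in users
        for t in tickets
        if can_update_observed(u, t) and not can_update_expected(u, t)
    ]


# Constructed sample data following the two scenarios in the thread.
JOHN = User("John Doe", frozenset({READ_MINE, UPDATE}))
XSOPORTE1 = User("XSoporte1", frozenset({READ_MINE, UPDATE}), frozenset({"XGSoporte"}))
TECH = User("tech", frozenset({READ_MINE, UPDATE}))            # assigned technician
ADMIN = User("admin", frozenset({READ_ALL, UPDATE}))           # "See all tickets" on
STRANGER = User("stranger", frozenset({READ_MINE, UPDATE}))    # not involved at all

T1 = Ticket(1, observers=frozenset({"John Doe"}), assigned=frozenset({"tech"}))
T2 = Ticket(2, observer_groups=frozenset({"XGSoporte"}), assigned=frozenset({"tech"}))

USERS = (JOHN, XSOPORTE1, TECH, ADMIN, STRANGER)
TICKETS = (T1, T2)

if __name__ == "__main__":
    for u in USERS:
        for t in TICKETS:
            print(f"{u.name:10} ticket {t.ticket_id}: view={can_view(u, t)} "
                  f"observed_update={can_update_observed(u, t)} "
                  f"expected_update={can_update_expected(u, t)}")
    print("over-privileged:", overprivileged(USERS, TICKETS))
```

Running the block prints the decision matrix and the audit list; the only pairs flagged are the two watcher-only cases from the thread, while the assigned technician and the profile with "See all tickets" keep their update access under both rules.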

github-actions[bot] commented 2 years ago

There has been no activity on this issue for some time and therefore it is considered stale and will be closed automatically in 10 days.

If this issue is related to a bug, please try to reproduce it on the latest release. If the problem persists, feel free to add a comment to revive this issue. If it is related to a new feature, please open a topic to discuss this enhancement with the community on the suggestion website.

You may also consider taking a subscription to get professional support or contact the GLPI editor team directly.