Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix(Core): Take care of item recursivity to load Dropdown values #17086

Closed
wants to merge 1 commit into from
Closed

Fix(Core): Take care of item recursivity to load Dropdown values #17086

wants to merge 1 commit into from

Conversation

stonebuzz
Copy link
Contributor

@stonebuzz stonebuzz commented May 7, 2024
edited

Since the release of version 10.0.15 with the following security fix :

d02c537

A user in a sub-entity who views an asset in the root entity (recurisf) can no longer load dropdowns.

image

When creating the dropdown, the entity_restrict option does not take into account the notion of recursiveness

an empty array is sent

image

I should see the values visible in the asset entity AND in my current entity (sub-entity)

I think the problem comes from the Session::getMatchingActiveEntities function, which filters theactive entities ($_SESSION) with the desired entity (1 in_array [] => false) (without taking into account the recusivity of the asset).

By adding entity_sons option, GLPI also retrieves the asset's sub-entities, which are then filtered to match the current user's active entities (1 in_array [1] => yes)

image

This PR deserves special attention because of the complexity of the filtering by entity, because I am not aware of the scope of this change and the criticality involved.

in other words, I don't really know what I'm doing.

Q A
Bug fix? yes
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets #32875

@cedric-anne
Copy link
Member

IMHO, we should not be able to edit these fields if the current entity differs from the item entity. Indeed, to be able to edit this field, we should either:

  • see all possible dropdown values, including elements that are not supposed to be visible in the current entity (e.g. elements from the same entity as the main item, but with no visibility in child entities);
  • see only visible elements in the current entity context, meaning that the current value(s) may be out of the possible values.

@cedric-anne
Copy link
Member

cedric-anne commented May 14, 2024
edited

As discussed IRL, items are not supposed to be editable when they are displayed outside the entity context. The "update" button is indeed not displayed in this case. The correct fix is probably to change all the form fields to make them "readonly", but is may have many impacts and should be done in the main branch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@stonebuzz @cedric-anne