Fix(Core): Add entities_id and is_recursive fields to correctly filter data from the API #858
Conversation
d3fcbc0
to
8024801
Compare
Seems ok.
Are you sure this doesn't break anything in the UI?
Sorry, I forgot an important point about PR Check that the current user has access to the entity of the main itemtype linked to the fields The first commit only checks The latter also takes into account the entity of the main itemtype and checks whether the current user has rights to the entity. From the GUI this part is delegated to GLPI (If I have the right to see the ticket, I therefore have the right to see the associated fields), but from the API the entry point is not the |
You don't need any rights to purge outside of API?
No because there is no dedicated interface via GLPI, fields are accessed via the main itemtype. Fields are purged when the main item type is purged.
Maybe it should return false then if the action is never possible, it avoids potential mistakes.
Indeed, it works like a charm
A bit late to change that but maybe it should have been a CommonDBChild? Checking that the parent entity is visible is something that it can handle without extra code.
50132e0
to
80b337a
Compare
Major changes :
But when the
a as I haven't found a way to deal with this case in detail, I suggest looking at I agree it's not “clean”, but I don't see any other solution. |
Another major change (hopefully the last)
1. Change in Class Inheritance
Before: The
This allows data to be filtered automatically via the GLPI API, taking into account authorizations on the parent (entity / right).
2. Overloads of the
Here’s a summary of the three API calls and their behaviors:
1. First API Call
curl -X GET \
-H 'Content-Type: application/json' \
-H "Session-Token: dhkc65d0ajq1rfbvnlnedo4meu" \
-H "App-Token: eKVwtoTF4rMhg1m8rSAEuvOMcZNmneMNPM08D4P2" \
'http://127.0.0.1/GLPI/10.0-bugfixes/apirest.php/PluginFieldsComputertata' | jq
This call retrieves a list of all items in the
[
{
"id": 15,
"items_id": 77,
"itemtype": "Computer",
"plugin_fields_containers_id": 8,
"entities_id": 2,
"is_recursive": 1,
"testfieldthree": "sdfsdfsdf",
"links": [
{
"rel": "Computer",
"href": "http://127.0.0.1/GLPI/10.0-bugfixes/api/Computer/77"
},
{
"rel": "PluginFieldsContainer",
"href": "http://127.0.0.1/GLPI/10.0-bugfixes/api/PluginFieldsContainer/8"
},
{
"rel": "Entity",
"href": "http://127.0.0.1/GLPI/10.0-bugfixes/api/Entity/2"
}
]
}
]
2. Second API Call
curl -X GET \
-H 'Content-Type: application/json' \
-H "Session-Token: dhkc65d0ajq1rfbvnlnedo4meu" \
-H "App-Token: eKVwtoTF4rMhg1m8rSAEuvOMcZNmneMNPM08D4P2" \
'http://127.0.0.1/GLPI/10.0-bugfixes/apirest.php/PluginFieldsComputertata/15' | jq
{
"id": 15,
"items_id": 77,
"itemtype": "Computer",
"plugin_fields_containers_id": 8,
"entities_id": 2,
"is_recursive": 1,
"testfieldthree": "sdfsdfsdf",
"links": [
{
"rel": "Computer",
"href": "http://127.0.0.1/GLPI/10.0-bugfixes/api/Computer/77"
},
{
"rel": "PluginFieldsContainer",
"href": "http://127.0.0.1/GLPI/10.0-bugfixes/api/PluginFieldsContainer/8"
},
{
"rel": "Entity",
"href": "http://127.0.0.1/GLPI/10.0-bugfixes/api/Entity/2"
}
]
}
3. Third API Call
curl -X GET \
-H 'Content-Type: application/json' \
-H "Session-Token: dhkc65d0ajq1rfbvnlnedo4meu" \
-H "App-Token: eKVwtoTF4rMhg1m8rSAEuvOMcZNmneMNPM08D4P2" \
'http://127.0.0.1/GLPI/10.0-bugfixes/apirest.php/PluginFieldsComputertata/16' | jq
[
"ERROR_RIGHT_MISSING",
"You don't have permission to perform this action."
]
This indicates that the item (
Are the new |
The new entities_id and is_recursive fields are simply a copy of the corresponding itemtype value.
@stonebuzz I get these errors when I try to add a computer with a fields.
|
Co-authored-by: Johan Cwiklinski <[email protected]>
fbddc23
to
f79f623
Compare
Co-authored-by: Cédric Anne <[email protected]>
Co-authored-by: Cédric Anne <[email protected]>
Checklist before requesting a review
Please delete options that are not relevant.
Description
This PR corrects a behaviour identified in the fields plugin. Until now, when calling the API to retrieve one or more containers (https://<FQDN>/apirest.php/PluginFields<BlockName>), the plugin did not correctly check the associated access rights and returned all data.
This update introduces a systematic rights check for each container retrieved.
Before check:
After:
Screenshots (if appropriate):
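The rights check this description refers to, sketched as an added example (not the plugin's or GLPI's code): it audits one list response using the `entities_id` and `is_recursive` fields, flagging rows the session should not see and rows whose entity fields differ from their parent item. The visibility rule (the row's entity is active, or the row is recursive and its entity is an ancestor of an active entity), the entity tree and the sample rows are assumptions constructed for illustration.

```python
# Added example; entity tree and rows are constructed sample data.
PARENT = {0: None, 1: 0, 2: 0, 3: 2}  # entity id -> parent entity id

def ancestors(entity_id):
    """Return the set of ancestor entity ids of entity_id."""
    found = set()
    current = PARENT[entity_id]
    while current is not None:
        found.add(current)
        current = PARENT[current]
    return found

def can_see(row, active_entities):
    """Assumed rule: the row's entity is active, or the row is recursive
    and its entity is an ancestor of an active entity."""
    if row["entities_id"] in active_entities:
        return True
    if row["is_recursive"]:
        return any(row["entities_id"] in ancestors(e) for e in active_entities)
    return False

def audit(rows, parents, active_entities):
    """Return (leaked, drifted) row ids for one API list response.
    leaked: rows returned although the session should not see them.
    drifted: rows whose entity fields differ from their parent item."""
    leaked, drifted = [], []
    for row in rows:
        if not can_see(row, active_entities):
            leaked.append(row["id"])
        parent = parents.get((row["itemtype"], row["items_id"]))
        if parent is None or (parent["entities_id"], parent["is_recursive"]) != (
            row["entities_id"], row["is_recursive"]
        ):
            drifted.append(row["id"])
    return leaked, drifted

ROWS = [  # shaped like the list response; ids 16, 17 and items 78, 79 are constructed
    {"id": 15, "itemtype": "Computer", "items_id": 77, "entities_id": 2, "is_recursive": 1},
    {"id": 16, "itemtype": "Computer", "items_id": 78, "entities_id": 1, "is_recursive": 0},
    {"id": 17, "itemtype": "Computer", "items_id": 79, "entities_id": 2, "is_recursive": 0},
]
PARENTS = {  # entity fields of the parent items (constructed)
    ("Computer", 77): {"entities_id": 2, "is_recursive": 1},
    ("Computer", 78): {"entities_id": 1, "is_recursive": 0},
    ("Computer", 79): {"entities_id": 3, "is_recursive": 0},
}

if __name__ == "__main__":
    print(audit(ROWS, PARENTS, active_entities={3}))
```

An empty `leaked` list for every test profile is the expected result after the fix; a non-empty `drifted` list points at rows whose copied entity fields no longer match the parent item.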