Add post update processing to prevent unauthorized deletion of ticket…
… actors (pluginsGLPI#186)

* Add post update processing to prevent unauthorized deletion of ticket actors

* Update CHANGELOG.md

* Update CHANGELOG.md

---------

Co-authored-by: Romain B <[email protected]>
RomainLvr and Rom1-B authored May 6, 2024
1 parent 3fcf791 commit 3663936
Showing 2 changed files with 66 additions and 2 deletions.
8 changes: 7 additions & 1 deletion CHANGELOG.md
Expand Up @@ -5,7 +5,13 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).

## [2.9.4] - 20204-04-03
## [unreleased] -

### Fixed

- Fix unauthorized deletion of ticket actors according to plugin configuration

## [2.9.4] - 2024-04-03

### Fixed

60 changes: 59 additions & 1 deletion inc/ticket.class.php
Expand Up @@ -43,7 +43,11 @@ public static function pre_item_update(CommonDBTM $item)
!empty(array_filter(
$item->input['_actors']['assign'] ?? [],
fn ($actor) => $actor['itemtype'] == 'Group'
)) && $item->input['_from_assignment']
))
&& (
isset($item->input['_from_assignment'])
&& $item->input['_from_assignment']
)
) {
//handle status behavior
if ($_SESSION['plugins']['escalade']['config']['ticket_last_status'] != -1) {
Expand All @@ -54,6 +58,60 @@ public static function pre_item_update(CommonDBTM $item)
if (isset($input['_itil_assign'])) {
$item->input['_do_not_compute_status'] = true;
}

$config = $_SESSION['plugins']['escalade']['config'];

// Get actual actors for the ticket
if ($item instanceof Ticket) {
$actorTypes = [CommonITILActor::REQUESTER, CommonITILActor::OBSERVER, CommonITILActor::ASSIGN];
$ticket_actors = array_reduce(
$actorTypes,
function ($carry, $type) use ($item) {
$carry[$item->getActorFieldNameType($type)] = $item->getActorsForType($type);
return $carry;
},
[]
);

// Get updated actors
$actors_update = $item->input['_actors'] ?? [];

// Get deletion rights for each type of actor
$deletion_rights = [
User::getType() => [
'requester' => $config['remove_delete_requester_user_btn'],
'observer' => $config['remove_delete_watcher_user_btn'],
'assign' => $config['remove_delete_assign_user_btn'],
],
Group::getType() => [
'requester' => $config['remove_delete_requester_group_btn'],
'observer' => $config['remove_delete_watcher_group_btn'],
'assign' => $config['remove_delete_assign_group_btn'],
],
Supplier::getType() => [
'assign' => $config['remove_delete_assign_supplier_btn'],
],
];

// Iteration through actor types and verification of deletion rights
foreach ($ticket_actors as $type => $actors) {
$updatedActors = array_map(
function ($a) {
return [$a['items_id'], $a['itemtype']];
},
$actors_update[$type] ?? []
);

foreach ($actors as $actor) {
$actorKey = [$actor['items_id'], $actor['itemtype']];

// If the actor has been deleted and deletion is forbidden, it is readjusted to simulate a non-deletion
if (!in_array($actorKey, $updatedActors) && empty($deletion_rights[$actor['itemtype']][$type])) {
$item->input['_actors'][$type][] = $actor;
}
}
}
}
}

/**
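Review bot: The restoration loop in the second hunk runs even when the update carries no `_actors` key at all: `$actors_update` then defaults to `[]`, every existing actor counts as deleted, and the protected ones are written into a freshly created `$item->input['_actors']`. If the core applies actor changes only when `_actors` is present in the input, this turns an unrelated update that never touched actors into one that drops every actor whose deletion is allowed, the opposite of what the guard intends; I would confirm that against the core's actor handling and, either way, skip the block when the key is absent, e.g. `if ($item instanceof Ticket && array_key_exists('_actors', $item->input)) {` on the line that opens it. Separately, `in_array($actorKey, $updatedActors)` is a loose comparison, which looks deliberate because form-submitted `items_id` values may arrive as strings while the stored actors presumably carry integers; casting both sides with `(int)` and passing `strict: true` would make that intent explicit. The `empty($deletion_rights[...][$type])` test also reads as "deletion forbidden when the remove-button flag is unset", which is worth confirming against the meaning of the `remove_delete_*_btn` options. `pre_item_update` begins outside the hunk.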
