Knowledge base show articles without access when impersonate user #14164

Closed
2 tasks done
ftoledo opened this issue Feb 24, 2023 · 7 comments
ftoledo commented Feb 24, 2023

Code of Conduct

  • I agree to follow this project's Code of Conduct

Is there an existing issue for this?

  • I have searched the existing issues

Version

10.0.6

Bug description

When I impersonate a user, the FAQ section with the self-service profile shows items he shouldn't have access to.

Target is Supervisor profile on Root entity:

[image]

The KB is still shown to a user without the Supervisor profile and sub entity:

[image]

On clicking the item, it shows access denied (not bad for security concerns):

[image]

The expected result is that this item is not displayed, because the user does not have the profile/entity as defined in the target.

@Phil-ipp1

We have the same issue on our side.
We have multiple entities and each entity manages their own knowledge base.
The knowledge articles Target is linked to one entity only but users from other entities (not sub entities) can see the articles as well.
Luckily these articles cannot be opened by users that are assigned to an entity which is not mentioned within the Target. So it is the same issue as described by ftoledo.

It would be important that users that are not part of the Target definition could not see the article (not even the topic/header).

@cedric-anne
Member

Hi,

Can you try to apply #13890 and see if the problem persists?

@trasher
Contributor

trasher commented Mar 30, 2023

No feedback, I close

@trasher trasher closed this as completed Mar 30, 2023
@Phil-ipp1

@cedric-anne Sorry for the late reply.
This fix solved the issue! Thank you so much for the support finding the fix.
FYI: Tested it with formCreator as well, and the plugin is fully compatible with the fix.

@ftoledo
Author

ftoledo commented Apr 4, 2023

Hello! Sorry for the delay too!
I tried to apply the patch over 10.0.6:

patch -p1 </tmp/13890.patch 

patching file src/KnowbaseItem.php
Hunk #2 FAILED at 1534.
1 out of 2 hunks FAILED -- saving rejects to file src/KnowbaseItem.php.rej
patching file src/KnowbaseItemCategory.php

@cedric-anne
Member

> Hello! Sorry for the delay too! I tried to apply the patch over 10.0.6:
>
> patch -p1 </tmp/13890.patch
>
> patching file src/KnowbaseItem.php
> Hunk #2 FAILED at 1534.
> 1 out of 2 hunks FAILED -- saving rejects to file src/KnowbaseItem.php.rej
> patching file src/KnowbaseItemCategory.php

GLPI 10.0.7 will be released tomorrow. You will be able to update directly.

@ftoledo
Author

ftoledo commented Apr 7, 2023

I can confirm that updating to 10.0.7 fixes the issue. Thanks!
