Merge branch '10.0/bugfixes'

glpi-project · Apr 11, 2024 · e680b33 · e680b33
2 parents cb4f745 + c6ee99a
commit e680b33
Show file tree

Hide file tree

Showing 26 changed files with 368 additions and 245 deletions.
diff --git a/.npmrc b/.npmrc
@@ -1 +1,5 @@
+# Prevent installation on an unexpected node/npm version
 engine-strict=true
+
+# See https://github.com/tabler/tabler/pull/1864
+legacy-peer-deps=true
diff --git a/js/RichText/ContentTemplatesParameters.js b/js/RichText/ContentTemplatesParameters.js
@@ -64,7 +64,7 @@ GLPI.RichText.ContentTemplatesParameters = class {
         this.editor.ui.registry.addAutocompleter(
             'content_templates',
             {
-                ch: '{',
+                trigger: '{',
                 minChars: 0,
                 fetch: function (pattern) {
                     return that.fetchItems(pattern);

diff --git a/js/RichText/UserMention.js b/js/RichText/UserMention.js
@@ -66,7 +66,7 @@ GLPI.RichText.UserMention = class {
         this.editor.ui.registry.addAutocompleter(
             'user_mention',
             {
-                ch: '@',
+                trigger: '@',
                 minChars: 0,
                 fetch: function (pattern) {
                     return that.fetchItems(pattern);

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -66,7 +66,7 @@
         "spectrum-colorpicker2": "^2.0.10",
         "spin.js": "^4.1.0",
         "swagger-ui-dist": "^5.13.0",
-        "tinymce": "^6.8.3",
+        "tinymce": "^7.0.0",
         "tinymce-i18n": "^24.3.11",
         "vue": "^3.3.4"
     },

diff --git a/src/Auth.php b/src/Auth.php
@@ -526,9 +526,8 @@ public function connection_db($name, $password)
                     ]
                 );
 
-                $this->user->fields = $result + [
-                    '_ruleright_process' => true,
-                ];
+                $this->user->fields = $result;
+                $this->user->willProcessRuleRight();
 
                 return true;
             }

diff --git a/src/Config.php b/src/Config.php
@@ -292,6 +292,22 @@ public function prepareInputForUpdate($input)
             $input['glpinetwork_registration_key'] = trim($input['glpinetwork_registration_key']);
         }
 
+        // Prevent invalid profile to be set as the lock profile.
+        // User updating the config from GLPI's UI should not be able to send
+        // invalid values but API or manual HTTP requests might be invalid.
+        if (isset($input['lock_lockprofile_id'])) {
+            $profile = Profile::getById($input['lock_lockprofile_id']);
+            if (!$profile || $profile->fields['interface'] !== 'central') {
+                // Invalid profile
+                Session::addMessageAfterRedirect(
+                    __s("The specified profile doesn't exist or is not allowed to access the central interface."),
+                    false,
+                    ERROR
+                );
+                unset($input['lock_lockprofile_id']);
+            }
+        }
+
         $tfa_enforced_changed = isset($input['2fa_enforced']) && $input['2fa_enforced'] !== $CFG_GLPI['2fa_enforced'];
         $tfa_grace_days_changed = isset($input['2fa_grace_days']) && $input['2fa_grace_days'] !== $CFG_GLPI['2fa_grace_days'];
         if ($tfa_grace_days_changed || $tfa_enforced_changed) {

diff --git a/src/Entity.php b/src/Entity.php
@@ -1469,7 +1469,7 @@ public function rawSearchOptions()
         $tab[] = [
             'id'                 => '51',
             'table'              => $this->getTable(),
-            'field'              => 'name',
+            'field'              => 'entities_id_software',
             'linkfield'          => 'entities_id_software', // not a dropdown because of special value
                                  //TRANS: software in plural
             'name'               => __('Entity for software creation'),
@@ -3145,7 +3145,7 @@ public static function getSpecificValueToDisplay($field, $values, array $options
 
             case 'tickettemplates_id':
                 $strategy = $values['tickettemplates_strategy'] ?? $values[$field];
-                if ($values['tickettemplates_strategy'] == self::CONFIG_PARENT) {
+                if ($strategy == self::CONFIG_PARENT) {
                     return __('Inheritance of the parent entity');
                 }
                 return Dropdown::getDropdownName(TicketTemplate::getTable(), $values[$field]);

diff --git a/src/Html.php b/src/Html.php
@@ -3948,6 +3948,7 @@ public static function initEditorSystem(
                skin_url: '{$skin_url}', // Doesn't matter which skin is used. We include the proper skins in the core GLPI styles.
                body_class: '{$body_class}',
                content_css: '{$content_css}',
+               highlight_on_focus: false,
                autoresize_bottom_margin: 0, // Avoid excessive bottom padding
                autoresize_overflow_padding: 0,
 
@@ -3987,6 +3988,10 @@ public static function initEditorSystem(
                browser_spellcheck: true,
                cache_suffix: '{$cache_suffix}',
 
+               // Security options
+               // Iframes are disabled by default. We assume that administrator that enable it are aware of the potential security issues.
+               sandbox_iframes: false,
+
                init_instance_callback: (editor) => {
                    const page_root_el = $(document.documentElement);
                    const root_el = $(editor.dom.doc.documentElement);

diff --git a/src/Inventory/Asset/Software.php b/src/Inventory/Asset/Software.php
@@ -744,7 +744,7 @@ private function storeSoftware()
             if (!isset($this->softwares[$skey])) {
                 $stmt_columns = $this->cleanInputToPrepare((array)$val, $soft_fields);
 
-                $software->handleCategoryRules($stmt_columns);
+                $software->handleCategoryRules($stmt_columns, true);
                 //set create date
                 $stmt_columns['date_creation'] = $_SESSION["glpi_currenttime"];
 

diff --git a/src/Link.php b/src/Link.php
@@ -49,7 +49,7 @@ class Link extends CommonDBTM
     public static $rightname = 'link';
     public static $tags      = ['LOGIN', 'ID', 'NAME', 'LOCATION', 'LOCATIONID', 'IP',
         'MAC', 'NETWORK', 'DOMAIN', 'SERIAL', 'OTHERSERIAL',
-        'USER', 'GROUP', 'REALNAME', 'FIRSTNAME'
+        'USER', 'GROUP', 'REALNAME', 'FIRSTNAME', 'MODEL'
     ];
 
     public static function getTypeName($nb = 0)
@@ -441,7 +441,9 @@ public static function generateLinkContents($link, CommonDBTM $item, bool $safe_
             'GROUP' => $item->isField('groups_id') ? Dropdown::getDropdownName('glpi_groups', $item->getField('groups_id')) : '',
             'REALNAME' => $item->isField('realname') ? $item->getField('realname') : '',
             'FIRSTNAME' => $item->isField('firstname') ? $item->getField('firstname') : '',
+            'MODEL' => '',
         ];
+
         $item_fields = $item->fields;
         $item::unsetUndisclosedFields($item_fields);
         if (count($item_fields)) {
@@ -450,6 +452,13 @@ public static function generateLinkContents($link, CommonDBTM $item, bool $safe_
             }
         }
 
+        if (($model_class = $item->getModelClass()) !== null) {
+            $vars['MODEL'] = Dropdown::getDropdownName(
+                $model_class::getTable(),
+                $item->getField($model_class::getForeignKeyField())
+            );
+        }
+
         $vars['LOCATION'] = $item->isField('locations_id') ?
             Dropdown::getDropdownName('glpi_locations', $item->getField('locations_id')) : '';
 

diff --git a/src/Profile.php b/src/Profile.php
@@ -341,6 +341,8 @@ public function getCloneRelations(): array
 
     public function prepareInputForUpdate($input)
     {
+        /** @var array $CFG_GLPI */
+        global $CFG_GLPI;
 
         if (isset($input["_helpdesk_item_types"])) {
             if ((!isset($input["helpdesk_item_type"])) || (!is_array($input["helpdesk_item_type"]))) {
@@ -462,6 +464,21 @@ public function prepareInputForUpdate($input)
             unset($input['interface']);
         }
 
+        // If the profile is used as the "Profile to be used when locking items",
+        // it can't be set to the "helpdesk" interface.
+        if (
+            isset($input['interface'])
+            && $input['interface'] === "helpdesk"
+            && $this->fields['id'] === (int) $CFG_GLPI['lock_lockprofile_id']
+        ) {
+            Session::addMessageAfterRedirect(
+                __s("This profile can't be moved to the simplified interface as it is used for locking items."),
+                false,
+                ERROR
+            );
+            unset($input['interface']);
+        }
+
         // KEEP AT THE END
         $this->profileRight = [];
         foreach (array_keys(ProfileRight::getAllPossibleRights()) as $right) {

diff --git a/src/RSSFeed.php b/src/RSSFeed.php
@@ -219,11 +219,11 @@ public static function addVisibilityJoins($forceall = false)
         $it = new \DBmysqlIterator(null);
         $it->buildQuery($criteria);
         $sql = $it->getSql();
-        $sql = str_replace(
-            'SELECT * FROM ' . $DB->quoteName(self::getTable()) . ' ',
+        $sql = trim(str_replace(
+            'SELECT * FROM ' . $DB->quoteName(self::getTable()),
             '',
             $sql
-        );
+        ));
         return $sql;
     }