pluginsGLPI · stonebuzz · May 5, 2025 · May 2, 2025 · May 5, 2025 · May 5, 2025
diff --git a/ajax/container.php b/ajax/container.php
@@ -29,10 +29,18 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 use Glpi\Http\Response;
 
 if (isset($_GET['action']) && $_GET['action'] === 'get_fields_html') {
+
+    $right = PluginFieldsProfile::getRightOnContainer($_SESSION['glpiactiveprofile']['id'], $_GET['id']);
+    if ($right < READ) {
+        Response::sendError(403, 'Forbidden');
+        return;
+    }
+
     $containers_id = $_GET['id'];
     $itemtype      = $_GET['itemtype'];
     $items_id      = (int) $_GET['items_id'];

diff --git a/ajax/container_display_condition.php b/ajax/container_display_condition.php
@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 if (isset($_GET['action'])) {
     if ($_GET['action'] === 'get_add_form') {

diff --git a/ajax/container_itemtypes_dropdown.php b/ajax/container_itemtypes_dropdown.php
@@ -29,5 +29,6 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 PluginFieldsContainer::showFormItemtype($_REQUEST);
diff --git a/ajax/container_subtype_dropdown.php b/ajax/container_subtype_dropdown.php
@@ -29,5 +29,6 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 PluginFieldsContainer::showFormSubtype($_REQUEST, true);
diff --git a/ajax/reorder.php b/ajax/reorder.php
@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 if (
     !array_key_exists('container_id', $_POST)

diff --git a/ajax/status_override.php b/ajax/status_override.php
@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 if (isset($_GET['action'])) {
     if ($_GET['action'] === 'get_status_dropdown') {

diff --git a/front/commondropdown.form.php b/front/commondropdown.form.php
@@ -29,6 +29,7 @@
  */
 
 include '../../../inc/includes.php';
+Session::checkLoginUser();
 if (preg_match('/[a-z]/i', $_REQUEST['ddtype']) !== 1) {
     throw new \RuntimeException(sprintf('Invalid itemtype "%1$s"', $_REQUEST['ddtype']));
 }

diff --git a/front/commondropdown.php b/front/commondropdown.php
@@ -29,6 +29,7 @@
  */
 
 include '../../../inc/includes.php';
+Session::checkLoginUser();
 if (preg_match('/[a-z]/i', $_REQUEST['ddtype']) !== 1) {
     throw new \RuntimeException(sprintf('Invalid itemtype "%1$s"', $_REQUEST['ddtype']));
 }

diff --git a/front/container.form.php b/front/container.form.php
@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 if (empty($_GET['id'])) {
     $_GET['id'] = '';
@@ -59,6 +60,12 @@
     }
     Html::back();
 } else {
+
+    $right = PluginFieldsProfile::getRightOnContainer($_SESSION['glpiactiveprofile']['id'], $_GET['id']);
+    if ($right < READ) {
+        Html::displayRightError("User is missing the " . READ . " ('read') right for container");
+    }
+
     Html::header(
         __('Additional fields', 'fields'),
         $_SERVER['PHP_SELF'],

diff --git a/front/container.php b/front/container.php
@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 Html::header(
     __('Additional fields', 'fields'),
@@ -38,7 +39,7 @@
     'fieldscontainer',
 );
 
-Session::checkRight('entity', READ);
+Session::checkRight('config', READ);
 
 PluginFieldsContainer::titleList();
 Search::show('PluginFieldsContainer');

diff --git a/front/containerdisplaycondition.form.php b/front/containerdisplaycondition.form.php
@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkRight('config', READ);
 
 $status_override = new PluginFieldsContainerDisplayCondition();
 if (isset($_POST['add'])) {

diff --git a/front/export_to_yaml.php b/front/export_to_yaml.php
@@ -31,7 +31,7 @@
 include('../../../inc/includes.php');
 include('../hook.php');
 
-Session::checkRight('entity', READ);
+Session::checkRight('config', READ);
 
 $ID = null;
 if (isset($_GET['id'])) {

diff --git a/front/field.form.php b/front/field.form.php
@@ -34,7 +34,7 @@
     $_GET['id'] = '';
 }
 
-Session::checkRight('entity', READ);
+Session::checkRight('config', READ);
 
 $field = new PluginFieldsField();
 

diff --git a/front/labeltranslation.form.php b/front/labeltranslation.form.php
@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkRight('config', UPDATE);
 
 $translation = new PluginFieldsLabelTranslation();
 if (isset($_POST['add'])) {

diff --git a/front/profile.form.php b/front/profile.form.php
@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkRight('config', UPDATE);
 
 if (isset($_POST['update'])) {
     PluginFieldsProfile::updateProfile($_POST);

diff --git a/front/regenerate_files.php b/front/regenerate_files.php
@@ -31,7 +31,7 @@
 include('../../../inc/includes.php');
 include('../hook.php');
 
-Session::checkRight('entity', READ);
+Session::checkRight('config', READ);
 
 plugin_fields_checkFiles();
 

diff --git a/front/statusoverride.form.php b/front/statusoverride.form.php
@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkRight('config', READ);
 
 $status_override = new PluginFieldsStatusOverride();
 if (isset($_POST['add'])) {
-Original file line number
+Diff line change
@@ Expand Up / @@ -29,6 +29,7 @@ @@
      */
     include('../../../inc/includes.php');
+    Session::checkLoginUser();
     if (
         !array_key_exists('container_id', $_POST)
@@ Expand Down @@