Users able to select any signature when generating a Purchase Order #573

@stcithelpdesk

Description

Code of Conduct

  • I agree to follow this project's Code of Conduct

Is there an existing issue for this?

  • I have searched the existing issues

GLPI Version

11.0.4

Plugin version

2.12.6

Bug description

We have copied signature files to the server for the purpose of being placed in a generated PO to show who approved the purchase as part of the validation process. The appropriate signature has been selected in the user settings.

However, when going to the "Purchase Order" tab to generate the ODT, the end user is able to select which signature to use - including other people's.

Expected behaviour would be that the {sign} flag within the uploaded PO template should check who has validated the order and use their signature automatically. This not happening means that we cannot trust that the signature on the PO is proof and confirmation that the validation process has been completed.

Relevant log output

Page URL

https://ithelpdesk.stcaths.scs/plugins/order/front/order.form.php

Steps To reproduce

  1. Upload signature files to the signature folder matching usernames
  2. Go to the user's My Settings, and within the Orders tab select an appropriate signature (I do not know if this works without a signature selected as you cannot clear this once set)
  3. Generate an order and validate as per normal process
  4. Visit that order's Purchase Order tab and all signatures on the system are selectable.
  5. Generate a PO using any template and any signature and that signature will be applied to the resulting file

Your GLPI setup information

GLPI information
GLPI: 11.0.4 ( => /var/www/html/glpi)
Installation mode: TARBALL
Current language: en_GB
Source Integrity: 5 files changed
  A: inc/downstream.php
  A: public/pics/itlogo.svg
  A: public/pics/welcome_logo.png
  A: public/pics/welcome_logo_s.png
  A: public/pics/welcome_logo_xs.png
Server
Operating system: Linux itserver 6.8.0-107-generic #107-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 13 19:51:50 UTC 2026 x86_64

PHP: 8.3.6 apache2handler

PHP extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, random, Reflection, SPL, session, standard, sodium,
apache2handler, mysqlnd, PDO, xml, apcu, bcmath, bz2, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext,
iconv, igbinary, imap, intl, ldap, exif, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, soap, sockets,
sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlrpc, xmlwriter, xsl, zip, Zend OPcache

Setup: disable_functions="" max_execution_time="60" max_input_vars="5000" memory_limit="256M" post_max_size="20M"
session.cookie_secure="1" session.cookie_httponly="1" session.cookie_samesite="" session.save_handler="files"
upload_max_filesize="20M"

Web server: Apache/2.4.58 (Ubuntu) (Apache/2.4.58 (Ubuntu) Server at ithelpdesk.stcaths.scs Port 443)

User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36

Database:

Server Software: Ubuntu 24.04

Server Version: 10.11.13-MariaDB-0ubuntu0.24.04.1

Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

Parameters: glpi@localhost/glpi

Host info: Localhost via UNIX socket

Requirements:
PHP version (8.3.6) is supported.
OS and PHP are relying on 64 bits integers.
Sessions configuration is OK.
Allocated memory is sufficient.
Following extensions are installed: dom, fileinfo, filter, libxml, simplexml, tokenizer, xmlreader, xmlwriter.
mysqli extension is installed
curl extension is installed
gd extension is installed
intl extension is installed
mbstring extension is installed
zlib extension is installed
bcmath extension is installed
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
openssl extension is installed
Database engine version (10.11.13) is supported.
The log file has been created successfully.
Write access to /var/lib/glpi/_cache has been validated.
Write access to /var/lib/glpi/_cron has been validated.
Write access to /var/lib/glpi has been validated.
Write access to /var/lib/glpi/_graphs has been validated.
Write access to /var/lib/glpi/_lock has been validated.
Write access to /var/lib/glpi/_pictures has been validated.
Write access to /var/lib/glpi/_plugins has been validated.
Write access to /var/lib/glpi/_rss has been validated.
Write access to /var/lib/glpi/_sessions has been validated.
Write access to /var/lib/glpi/_tmp has been validated.
Write access to /var/lib/glpi/_uploads has been validated.

Sessions configuration is secured.
exif extension is installed
ldap extension is installed
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed
Following extensions are installed: ctype, iconv, sodium.
Write access to /var/www/html/glpi/marketplace has been validated.
Timezones seems not loaded, see https://glpi-install.readthedocs.io/en/latest/timezones.html.

GLPI constants
GLPI_ROOT: "/var/www/html/glpi"
GLPI_VERSION: "11.0.4"
GLPI_SCHEMA_VERSION: "11.0.4@9065df1ff6b8ff1d77b519d1c4856507d18258b0"
GLPI_FILES_VERSION: "11.0.4-1d4fbe9a"
GLPI_MIN_PHP: "8.2"
GLPI_MAX_PHP: "8.5"
GLPI_YEAR: "2025"
GLPI_I18N_DIR: "/var/www/html/glpi/locales"
GLPI_CONFIG_DIR: "/etc/glpi/"
GLPI_VAR_DIR: "/var/lib/glpi"
GLPI_DOC_DIR: "/var/lib/glpi"
GLPI_CACHE_DIR: "/var/lib/glpi/_cache"
GLPI_CRON_DIR: "/var/lib/glpi/_cron"
GLPI_GRAPH_DIR: "/var/lib/glpi/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/lib/glpi/_locales"
GLPI_LOCK_DIR: "/var/lib/glpi/_lock"
GLPI_PICTURE_DIR: "/var/lib/glpi/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/lib/glpi/_plugins"
GLPI_RSS_DIR: "/var/lib/glpi/_rss"
GLPI_SESSION_DIR: "/var/lib/glpi/_sessions"
GLPI_TMP_DIR: "/var/lib/glpi/tmp"
GLPI_UPLOAD_DIR: "/var/lib/glpi/uploads"
GLPI_INVENTORY_DIR: "/var/lib/glpi/inventories"
GLPI_THEMES_DIR: "/var/lib/glpi/themes"
GLPI_LOG_DIR: "/var/log/glpi"
GLPI_ENVIRONMENT_TYPE: "production"
GLPI_MARKETPLACE_DIR: "/var/www/html/glpi/marketplace"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_DISALLOWED_UPLOADS_PATTERN: "/\.(php\d*|phar)$/i"
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ENABLE: 3
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DOCUMENTATION_ROOT_URL: "https://links.glpi-project.org"
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_LOG_LVL: "warning"
GLPI_SKIP_UPDATES: false
GLPI_STRICT_ENV: false
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_CENTRAL_WARNINGS: "1"
GLPI_SYSTEM_CRON: false
GLPI_TEXT_MAXSIZE: "4000"
GLPI_WEBHOOK_ALLOW_RESPONSE_SAVING: "0"
GLPI_WEBHOOK_CRA_MANDATORY: false
GLPI_ALTCHA_MODE: "interactive"
GLPI_ALTCHA_MAX_NUMBER: 50000
GLPI_ALTCHA_EXPIRATION_INTERVAL: "PT20M"
GLPI_PLUGINS_DIRECTORIES: ["/var/www/html/glpi/marketplace","/var/www/html/glpi/plugins"]
GLPI_NETWORK_API_URL: "https://services.glpi-network.com/api"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
LDAP directories
Server: '10.10.10.2',
Port: '389',
BaseDN: 'OU=Staff,DC=stcaths,DC=scs',
Connection filter: '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
RootDN: 'admin1@stcaths.scs',
Use TLS: none
SQL replicas
Not active
Notifications
Way of sending emails: SMTP(smtp://ithelpdesk%40stcatherines.org.uk:********@smtp.gmail.com:465)
Name: 'ithelpdesk@stcatherines.org.uk'
Active: Yes
Server: '{imap.gmail.com/imap/ssl}INBOX'
Login: 'ithelpdesk@stcatherines.org.uk'
Password: Yes
Plugins list
camerainput Name: Camera Input Version: 2.1.0 State: Not installed
Install Method: Marketplace
positions Name: Cartography Version: 7.0.2 State: Installed / not activated
Install Method: Marketplace
datainjection Name: Data Injection Version: 2.15.3 State: Installed / not activated
Install Method: Marketplace
archimap Name: Diagrams Version: 3.3.12 State: Not installed
Install Method: Marketplace
financialreports Name: Financial reports Version: 3.0.0 State: Not installed
Install Method: Marketplace
gappessentials Name: Gapp Essentials Version: 2.3.0 State: Installed / not activated
Install Method: Marketplace
glpiinventory Name: GLPI Inventory Version: 1.6.4 State: Enabled
Install Method: Marketplace
addressing Name: IP Report Version: 3.2.0 State: Installed / not activated
Install Method: Marketplace
mreporting Name: More Reporting Version: 1.9.2 State: Installed / not activated
Install Method: Marketplace
mydashboard Name: My Dashboard Version: 2.2.5 State: Installed / not activated
Install Method: Marketplace
order Name: Orders management Version: 2.12.6 State: Enabled
Install Method: Marketplace
pdf Name: PDF Version: 4.1.2 State: Enabled
Install Method: Marketplace
reports Name: Reports Version: 1.16.0 State: Installed / not activated
Install Method: Marketplace
samlsso Name: samlsso Version: 1.2.5 State: Enabled
Install Method: Marketplace
manufacturersimports Name: Suppliers imports Version: 3.1.2 State: Enabled
Install Method: Marketplace
treeview Name: Tree View Version: 1.20.0 State: Enabled
Install Method: Marketplace

Anything else?

No response
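
The expected behaviour described in the bug report, sketched as an added example that is not part of the original issue or of the order plugin's code: the signature is resolved server-side from the order's validation record, and a signature named in the request is ignored and logged when it differs. The function, constants, array shapes and the `sign` request key are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical sketch: none of these names come from the order plugin.
const SIGNATURE_DIR    = '/path/to/signatures'; // placeholder directory
const STATUS_VALIDATED = 'validated';           // placeholder status value

/**
 * Return the signature file for a purchase order, derived only from the
 * stored validation record.
 *
 * $order:        ['id' => int, 'status' => string, 'validated_by' => ?int]
 * $userSettings: user id => signature filename chosen in that user's settings
 * $request:      client-supplied form values; never used to pick the file
 */
function resolvePoSignature(array $order, array $userSettings, array $request = []): string
{
    if (($order['status'] ?? null) !== STATUS_VALIDATED || empty($order['validated_by'])) {
        throw new RuntimeException('Order is not validated: refusing to sign the PO');
    }

    $validatorId = (int) $order['validated_by'];
    $file = $userSettings[$validatorId] ?? '';
    if ($file === '') {
        throw new RuntimeException("Validator $validatorId has no signature configured");
    }

    // The stored value is still data: keep it inside the signature directory.
    if ($file !== basename($file) || $file[0] === '.') {
        throw new RuntimeException('Signature filename is not a plain file name');
    }

    // A differing client choice is not honoured; record it for review.
    if (isset($request['sign']) && $request['sign'] !== $file) {
        error_log("PO {$order['id']}: requested signature ignored, validator $validatorId used");
    }
    return SIGNATURE_DIR . '/' . $file;
}

// Constructed sample data.
$settings = [7 => 'asmith.png', 9 => 'bjones.png'];
$order    = ['id' => 1001, 'status' => 'validated', 'validated_by' => 9];
echo resolvePoSignature($order, $settings, ['sign' => 'asmith.png']), PHP_EOL;

try {
    resolvePoSignature(['id' => 1002, 'status' => 'draft', 'validated_by' => null], $settings);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```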
