Self-Service profile can always modify some dropdowns
Hello!
First of all, thanks for this plugin, which I found very useful and interesting.
I'm using the last version of GLPI and the plugin (GLPI 9.4.2 and order 2.5.0).
I think I found something which is a little bit weird. Indeed, as a self-service user, I can directly access the two new dropdowns that were created with the 2.3.0 release of the plugin (https://github.com/pluginsGLPI/order/pull/212).

There is nothing we can set up for this in the "Setup" rights of the profile. (Maybe the global dropdown right, but it is not granted for self-service users.)

Moreover, I tried to put 0 rights for this plugin to the self-service profile but I got the same results.

I can only modify this with the "full UI" (sorry if it sounds weird but I'm not sure about how to say this as I'm French). What I mean is that this menu is unreachable with the "formcreator" UI that I can activate for the profile.
The bad thing is that the user can create new Analytic Natures or Account Sections and he can even delete all of them.
Maybe I forgot to change something? If anyone can tell us if he has the same behaviour, it would be nice.
If you want more details just tell me.
I don't really know where to look to fix this, sorry...
Steps to reproduce this are quite easy: just use the self-service profile with the usual UI and go in setup -> dropdowns. They should be visible even if all rights are not granted to this menu.
Best regards, Anthn
I'm running GLPI 9.4.3 and Orders 2.5.1 and this problem still exists.
I created a Profile with every single item on every section unchecked, and I can still log in and update the "Analytic nature" and "Account section" dropdowns.
I can see why. If you look here:
https://github.com/pluginsGLPI/order/blob/develop/inc/analyticnature.class.php#L43-L66
...you can see that every permission check returns true. Ouch.
None of the others are like this.
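
The pattern described in the comment above, next to a fail-closed form, as an added example that is not the plugin's code. The class names, the `Rights::have()` helper, the right name `example_dropdown` and the profile data are all hypothetical stand-ins for the platform's profile-rights lookup.

```php
<?php
// Added illustration only: every name and value below is constructed.
final class Rights {
    const READ = 1; const UPDATE = 2; const CREATE = 4; const PURGE = 16;

    // Hypothetical stand-in for a per-profile rights lookup.
    // A right that is missing from the profile counts as 0 (deny).
    public static function have(array $profile, string $name, int $bit): bool {
        return (($profile[$name] ?? 0) & $bit) === $bit;
    }
}

// Pattern from the thread: every check answers true, so the profile
// configuration is never consulted and unchecking rights has no effect.
class OpenDropdown {
    public static function canView(array $p): bool   { return true; }
    public static function canCreate(array $p): bool { return true; }
    public static function canUpdate(array $p): bool { return true; }
    public static function canPurge(array $p): bool  { return true; }
}

// Fail-closed form: each check is bound to a named right on the profile.
class GuardedDropdown {
    const RIGHT = 'example_dropdown'; // hypothetical right name

    public static function canView(array $p): bool   { return Rights::have($p, self::RIGHT, Rights::READ); }
    public static function canCreate(array $p): bool { return Rights::have($p, self::RIGHT, Rights::CREATE); }
    public static function canUpdate(array $p): bool { return Rights::have($p, self::RIGHT, Rights::UPDATE); }
    public static function canPurge(array $p): bool  { return Rights::have($p, self::RIGHT, Rights::PURGE); }
}

// Constructed profiles: right name => bitmask granted.
$profiles = [
    'self-service (no rights)' => [],
    'read-only'                => ['example_dropdown' => Rights::READ],
    'admin'                    => ['example_dropdown' => Rights::READ | Rights::UPDATE
                                                       | Rights::CREATE | Rights::PURGE],
];

// Permission matrix: which actions each class allows for each profile.
$checks = ['canView', 'canCreate', 'canUpdate', 'canPurge'];
foreach ([OpenDropdown::class, GuardedDropdown::class] as $class) {
    foreach ($profiles as $label => $profile) {
        $allowed = array_filter($checks, fn($m) => $class::$m($profile));
        printf("%-16s %-26s %s\n", $class, $label, implode(',', $allowed) ?: '(none)');
    }
}
```

A matrix like this, run against a profile with every right unchecked, makes a good regression check: any row that is not `(none)` for that profile points to a permission method that ignores the profile.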