Self-Service User is able to reserve all reservable items, not only the ones of his entities. #16322

Closed
fabriceverkor opened this issue Jan 8, 2024 · 7 comments
@fabriceverkor
fabriceverkor commented Jan 8, 2024

Version

10.0.10

Bug description

A Self-Service User can reserve any reservable asset, not only the ones of his entities.
The user should be able to reserve assets of the entity he is connected to.

Relevant log output

No response

Page URL

No response

Steps To reproduce

1- connect to entity A with a profile able to reserve asset
2- Go to reservations
3- user can reserve asset of any entity, not only the ones of entity A

Your GLPI setup information

Information about system installation & configuration
GLPI 10.0.10 ( => /var/www/public/glpi)
Installation mode: TARBALL
Current language:en_US

Server
 
Operating system: Linux glpi 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29) x86_64
PHP 7.4.33 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, apc, apcu, bz2,
calendar, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, imap, intl, json, ldap, libxml,
mbstring, mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, readline, session, shmop, sockets, sodium, standard, sysvmsg,
sysvsem, sysvshm, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="30" memory_limit="1000M" post_max_size="8M" safe_mode="" session.save_handler="files"
upload_max_filesize="2M"
Software: Apache/2.4.56 (Debian) (Apache/2.4.56 (Debian) Server at glpi.*******.com Port 443
)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Server Software: Debian 11
Server Version: 10.5.21-MariaDB-0+deb11u1-log
Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
Parameters: glpi@localhost:3306/glpi
Host info: Localhost via UNIX socket

PHP version (7.4.33) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.
curl extension is installed.
gd extension is installed.
intl extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.5.21) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/www/public/glpi/files/_cache has been validated.
Write access to /var/www/public/glpi/config has been validated.
Write access to /var/www/public/glpi/files/_cron has been validated.
Write access to /var/www/public/glpi/files has been validated.
Write access to /var/www/public/glpi/files/_dumps has been validated.
Write access to /var/www/public/glpi/files/_graphs has been validated.
Write access to /var/www/public/glpi/files/_lock has been validated.
Write access to /var/www/public/glpi/files/_pictures has been validated.
Write access to /var/www/public/glpi/files/_plugins has been validated.
Write access to /var/www/public/glpi/files/_rss has been validated.
Write access to /var/www/public/glpi/files/_sessions has been validated.
Write access to /var/www/public/glpi/files/_tmp has been validated.
Write access to /var/www/public/glpi/files/_uploads has been validated.
PHP 7.4 official support has ended. An upgrade to a more recent PHP version is recommended.
Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details.
The following directories should be placed outside "/var/www/public/glpi":
‣ "/var/www/public/glpi/files" ("GLPI_VAR_DIR")
‣ "/var/www/public/glpi/config" ("GLPI_CONFIG_DIR")
You can ignore this suggestion if your web server root directory is "/var/www/public/glpi/public".
PHP directive "session.cookie_secure" should be set to "on" when GLPI can be accessed on HTTPS protocol.
PHP directive "session.cookie_httponly" should be set to "on" to prevent client-side script to access cookie values.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/public/glpi/marketplace has been validated.
Access to timezone database (mysql) is not allowed.

GLPI constants
 
GLPI_ROOT: "/var/www/public/glpi"
GLPI_CONFIG_DIR: "/var/www/public/glpi/config"
GLPI_VAR_DIR: "/var/www/public/glpi/files"
GLPI_MARKETPLACE_DIR: "/var/www/public/glpi/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\/\/[^@:]+(\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "[email protected]"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_DOC_DIR: "/var/www/public/glpi/files"
GLPI_CACHE_DIR: "/var/www/public/glpi/files/_cache"
GLPI_CRON_DIR: "/var/www/public/glpi/files/_cron"
GLPI_DUMP_DIR: "/var/www/public/glpi/files/_dumps"
GLPI_GRAPH_DIR: "/var/www/public/glpi/files/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/www/public/glpi/files/_locales"
GLPI_LOCK_DIR: "/var/www/public/glpi/files/_lock"
GLPI_LOG_DIR: "/var/www/public/glpi/files/_log"
GLPI_PICTURE_DIR: "/var/www/public/glpi/files/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/www/public/glpi/files/_plugins"
GLPI_RSS_DIR: "/var/www/public/glpi/files/_rss"
GLPI_SESSION_DIR: "/var/www/public/glpi/files/_sessions"
GLPI_TMP_DIR: "/var/www/public/glpi/files/_tmp"
GLPI_UPLOAD_DIR: "/var/www/public/glpi/files/_uploads"
GLPI_INVENTORY_DIR: "/var/www/public/glpi/files/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
GLPI_I18N_DIR: "/var/www/public/glpi/locales"
GLPI_VERSION: "10.0.10"
GLPI_SCHEMA_VERSION: "10.0.10@05de68add675fb55abaeec10f3a2552085594a16"
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.4.0"
GLPI_YEAR: "2023"

Libraries
 
htmlawed/htmlawed version 1.2.14 in (/var/www/public/glpi/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.8.0 in (/var/www/public/glpi/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/var/www/public/glpi/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.6.2 in (/var/www/public/glpi/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/public/glpi/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/public/glpi/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/public/glpi/vendor/iamcal/lib_autolink)
sabre/dav in (/var/www/public/glpi/vendor/sabre/dav/lib/DAV)
sabre/http in (/var/www/public/glpi/vendor/sabre/http/lib)
sabre/uri in (/var/www/public/glpi/vendor/sabre/uri/lib)
sabre/vobject in (/var/www/public/glpi/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/var/www/public/glpi/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/var/www/public/glpi/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/var/www/public/glpi/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/public/glpi/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/var/www/public/glpi/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/var/www/public/glpi/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/public/glpi/vendor/symfony/console)
scssphp/scssphp in (/var/www/public/glpi/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/var/www/public/glpi/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/var/www/public/glpi/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/var/www/public/glpi/vendor/rlanvin/php-rrule/src)
ramsey/uuid in (/var/www/public/glpi/vendor/ramsey/uuid/src)
psr/log in (/var/www/public/glpi/vendor/psr/log/Psr/Log)
psr/simple-cache in (/var/www/public/glpi/vendor/psr/simple-cache/src)
psr/cache in (/var/www/public/glpi/vendor/psr/cache/src)
league/csv in (/var/www/public/glpi/vendor/league/csv/src)
mexitek/phpcolors in (/var/www/public/glpi/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/var/www/public/glpi/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/var/www/public/glpi/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/var/www/public/glpi/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/var/www/public/glpi/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/var/www/public/glpi/vendor/paragonie/sodium_compat/src)
symfony/cache in (/var/www/public/glpi/vendor/symfony/cache)
html2text/html2text in (/var/www/public/glpi/vendor/html2text/html2text/src)
symfony/css-selector in (/var/www/public/glpi/vendor/symfony/css-selector)
symfony/dom-crawler in (/var/www/public/glpi/vendor/symfony/dom-crawler)
twig/twig in (/var/www/public/glpi/vendor/twig/twig/src)
twig/string-extra in (/var/www/public/glpi/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 in (/var/www/public/glpi/vendor/symfony/polyfill-php80)
symfony/polyfill-php81 in (/var/www/public/glpi/vendor/symfony/polyfill-php81)
symfony/polyfill-php82 in (/var/www/public/glpi/vendor/symfony/polyfill-php82)
league/oauth2-client in (/var/www/public/glpi/vendor/league/oauth2-client/src/Provider)
league/oauth2-google in (/var/www/public/glpi/vendor/league/oauth2-google/src/Provider)
thenetworg/oauth2-azure in (/var/www/public/glpi/vendor/thenetworg/oauth2-azure/src/Provider)
phpCas version 1.3.8 in (/usr/share/php/CAS/source)

LDAP directories
 
Server: 'ldaps://ad1.ad..com', Port: '636', BaseDN: 'OU=AADDC Users,DC=ad,DC=,DC=com', Connection filter:
'(&(objectClass=user)(objectCategory=person)(userprincipalname=
@*.com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
RootDN: 'CN=GLPI AD,OU=AADDC Users,DC=ad,DC=
,DC=com', Use TLS: none

SQL replicas
 
Not active

Notifications
 
Way of sending emails: SMTP+TLS (glpi.notifications@*****[email protected])

Plugins list
 
accounts Name: Accounts Version: 3.0.3 State: Enabled
Install Method: Marketplace
fields Name: Additional Fields Version: 1.21.6 State: Enabled
Install Method: Marketplace
badges Name: Badges Version: 3.0.0 State: Not installed
Install Method: Marketplace
behaviors Name: Behaviours Version: 2.7.2 State: Enabled
Install Method: Marketplace
connections Name: Connections Version: 10.0.0 State: Enabled
Install Method: Marketplace
datainjection Name: Data injection Version: 2.13.4 State: Enabled
Install Method: Marketplace
archimap Name: Diagrams Version: 3.3.2 State: Enabled
Install Method: Marketplace
formcreator Name: Form Creator Version: 2.13.8 State: Enabled
Install Method: Marketplace
glpiinventory Name: GLPI Inventory Version: 1.3.3 State: Enabled
Install Method: Marketplace
geninventorynumber Name: Inventory number generation Version: 2.8.3 State: Enabled
Install Method: Marketplace
addressing Name: IP Adressing Version: 3.0.1 State: Enabled
Install Method: Marketplace
oauthimap Name: Oauth IMAP Version: 1.4.3 State: Enabled
Install Method: Marketplace
genericobject Name: Objects management Version: 2.14.8 State: Enabled
Install Method: Marketplace
screenshot Name: Screenshot Version: 2.0.2 State: Enabled
Install Method: Marketplace
singlesignon Name: Single Sign-on Version: 1.3.3 State: Enabled
Install Method: Manual
tag Name: Tag Management Version: 2.11.6 State: Enabled
Install Method: Marketplace

Anything else?

No response

@fabriceverkor
Author

All,
Has anybody noticed this problem? Or am I doing something wrong?
Because if we cannot isolate reservable items in their entities, we will need another tool for reservations, which would be a pity.

@cedric-anne
Member

Hi,

On my side, I can only reserve items that are from the user entity or from a parent entity with the "+child entities" visibility flag active. I think it is the normal behaviour.

@fabriceverkor
Author

I agree that the behaviour you describe is the normal one. But it's not my case.
I did another test:
I connect with a technician profile on an A entity that has no computer: the Computers page shows no item found => normal
I go to Reservations: it shows no item that could be reserved => normal

Then I go to the calendar and try to reserve items: it proposes me Computers of B entity, which is parallel to A entity
When I click on Add, it says that Item has been reserved, but the reservation is not visible in the calendar => abnormal

When I connect to B entity with the same profile, I can see the reservation => normal

I'm confused.

@cedric-anne
Member

I confirm the issue. The list from the reservation calendar view (/front/reservation.php) is not correctly filtered.
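
The visibility rule described in this thread (an item is reservable from the user's own entity, or from a parent entity with the "+child entities" flag active) and the missing filter on the calendar list, as an added example that is not GLPI's code and not the fix from #16359. It is a standalone PHP model: the entity tree, the items and every function name are hypothetical and constructed for illustration, and it applies the same check to the list and to the submitted reservation.

```php
<?php
// Constructed entity tree: id => parent id (null for the root). A and B are siblings.
const ENTITY_PARENT = [0 => null, 1 => 0, 2 => 0]; // 0 = Root, 1 = A, 2 = B

// Constructed reservable items; 'recursive' models the "+child entities" flag.
const ITEMS = [
    ['id' => 10, 'name' => 'Root projector', 'entity' => 0, 'recursive' => true],
    ['id' => 11, 'name' => 'Root laptop',    'entity' => 0, 'recursive' => false],
    ['id' => 20, 'name' => 'A meeting room', 'entity' => 1, 'recursive' => false],
    ['id' => 30, 'name' => 'B computer',     'entity' => 2, 'recursive' => false],
];

/** Ancestors of an entity, nearest first (hypothetical helper). */
function ancestorsOf(int $entity): array
{
    $out = [];
    for ($p = ENTITY_PARENT[$entity]; $p !== null; $p = ENTITY_PARENT[$p]) {
        $out[] = $p;
    }
    return $out;
}

/** Rule from the thread: same entity, or a parent entity with the flag set. */
function isVisibleFrom(array $item, int $activeEntity): bool
{
    return $item['entity'] === $activeEntity
        || ($item['recursive'] && in_array($item['entity'], ancestorsOf($activeEntity), true));
}

/** List offered to the user: filtered by the session's active entity. */
function reservableFor(int $activeEntity): array
{
    return array_values(array_filter(ITEMS, fn(array $i): bool => isVisibleFrom($i, $activeEntity)));
}

/** Enforce the same rule when the reservation is submitted, not only in the list. */
function reserve(int $itemId, int $activeEntity): bool
{
    foreach (ITEMS as $item) {
        if ($item['id'] === $itemId) {
            return isVisibleFrom($item, $activeEntity);
        }
    }
    return false; // unknown item
}

foreach ([1 => 'A', 2 => 'B'] as $id => $label) {
    echo $label, ': ', implode(', ', array_column(reservableFor($id), 'name')), PHP_EOL;
}
var_dump(reserve(30, 1)); // session on A, item owned by sibling entity B
```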

@fabriceverkor
Author

fabriceverkor commented Jan 12, 2024

Thanks. As I'm in a blocking situation (a whole team may not come to GLPI because of this bug), I volunteer to test fixes on my dev GLPI server when you have them.

@cconard96
Contributor

Can you test the fix proposed in #16359?

@fabriceverkor
Author

fabriceverkor commented Jan 13, 2024

I confirm that the new src/ReservationItem.php fixes the issue.
Be careful, when plugin FormCreator is present, it must be disabled/enabled to see the fix's effect.
Thank you very much!!!

@trasher trasher reopened this Jan 13, 2024
@trasher trasher added this to the 10.0.12 milestone Jan 13, 2024
anthonymontebrun pushed a commit to IT-Gouvernance/glpi that referenced this issue Jul 11, 2024
btry pushed a commit to btry/glpi that referenced this issue Sep 19, 2024