expand hlapi permission checks

Author: cconard96

phpunit/functional/Glpi/Api/HL/Controller/GraphQLControllerTest.php

@@ -34,6 +34,7 @@
 
 namespace tests\units\Glpi\Api\HL\Controller;
 
+use Glpi\Api\HL\Middleware\InternalAuthMiddleware;
 use Glpi\Http\Request;
 
 class GraphQLControllerTest extends \HLAPITestCase
@@ -230,4 +231,58 @@ public function testGetStateVisibilities()
                 });
         });
     }
+
+    public function testGetDirectlyWithoutRight()
+    {
+        /** @var \DBmysql $DB */
+        global $DB;
+
+        $this->assertTrue($DB->insert('glpi_tickets', [
+            'name' => __FUNCTION__,
+            'content' => __FUNCTION__,
+            'entities_id' => $this->getTestRootEntity(true),
+        ]));
+        $tickets_id = $DB->insertId();
+
+        $this->loginWeb();
+        $this->api->getRouter()->registerAuthMiddleware(new InternalAuthMiddleware());
+
+        $_SESSION['glpi_use_mode'] = 2;
+
+        // Can see no tickets
+        $_SESSION['glpiactiveprofile']['ticket'] = 0;
+        $this->api->call(new Request('POST', '/GraphQL', [], 'query { Ticket { id name } }'), function ($call) {
+            /** @var \HLAPICallAsserter $call */
+            $call->response
+                ->status(fn($status) => $this->assertEquals(200, $status))
+                ->jsonContent(function ($content) {
+                    $this->assertEmpty($content['data']['Ticket']);
+                });
+        });
+
+        // Can only see my own tickets
+        $_SESSION['glpiactiveprofile']['ticket'] = READ;
+
+        $this->api->call(new Request('POST', '/GraphQL', [], 'query { Ticket { id name } }'), function ($call) use ($tickets_id) {
+            /** @var \HLAPICallAsserter $call */
+            $call->response
+                ->status(fn($status) => $this->assertEquals(200, $status))
+                ->jsonContent(function ($content) use ($tickets_id) {
+                    $this->assertNotContains($tickets_id, array_column($content['data']['Ticket'], 'id'));
+                });
+        });
+        $this->api->call(new Request('POST', '/GraphQL', [], 'query { Ticket(id: ' . $tickets_id . ') { id name } }'), function ($call) {
+            /** @var \HLAPICallAsserter $call */
+            $call->response
+                ->status(fn($status) => $this->assertEquals(200, $status))
+                ->jsonContent(function ($content) {
+                    $this->assertEmpty($content['data']['Ticket']);
+                });
+        });
+    }
+
+    public function testGetTicketIndirectlyWithoutRight()
+    {
+        //TODO
+    }
 }

src/Change.php

@@ -59,10 +59,6 @@ class Change extends CommonITILObject
     public const IMPACT_MASK_FIELD             = 'impact_mask';
     public const STATUS_MATRIX_FIELD           = 'change_status';
 
-
-    public const READMY                        = 1;
-    public const READALL                       = 1024;
-
     // Specific status for changes
     public const EVALUATION             = 9;
     public const TEST                   = 11;

src/CommonITILObject.php

@@ -105,6 +105,8 @@ abstract class CommonITILObject extends CommonDBTM
     public const TIMELINE_ORDER_NATURAL = 'natural';
     public const TIMELINE_ORDER_REVERSE = 'reverse';
 
+    public const READMY           =      1;
+    public const READALL          =   1024;
     public const SURVEY           = 131072;
 
     abstract public static function getTaskClass();

src/Glpi/Api/HL/Controller/ITILController.php

@@ -38,7 +38,9 @@
 use Calendar;
 use Change;
 use ChangeTemplate;
+use ChangeValidation;
 use CommonDBTM;
+use CommonITILActor;
 use CommonITILObject;
 use Entity;
 use Glpi\Api\HL\Doc as Doc;
@@ -54,8 +56,10 @@
 use PlanningEventCategory;
 use PlanningExternalEventTemplate;
 use Problem;
+use Session;
 use Ticket;
 use TicketTemplate;
+use TicketValidation;
 use User;
 
 #[Route(path: '/Assistance', requirements: [
@@ -201,6 +205,138 @@ public static function getRawKnownSchemas(): array
         foreach ($itil_types as $itil_type) {
             $schemas[$itil_type] = $base_schema;
             $schemas[$itil_type]['x-version-introduced'] = '2.0';
+
+            $schemas[$itil_type]['x-rights-conditions'] = [
+                'read' => static function () use ($itil_type) {
+                    if (Session::haveRight($itil_type::$rightname, CommonITILObject::READALL)) {
+                        return true; // Can see all. No extra SQL conditions needed.
+                    }
+
+                    if ($itil_type !== Ticket::class) {
+                        if (Session::haveRight($itil_type::$rightname, CommonITILObject::READMY)) {
+                            $item = new $itil_type();
+                            $group_table = $item->grouplinkclass::getTable();
+                            $user_table = $item->userlinkclass::getTable();
+                            $criteria = [
+                                'LEFT JOIN' => [
+                                    $user_table => [
+                                        'ON' => [
+                                            $user_table => $itil_type::getForeignKeyField(),
+                                            '_' => 'id',
+                                        ],
+                                    ],
+                                ],
+                                'WHERE' => [
+                                    'OR' => [
+                                        '_.users_id_recipient' => Session::getLoginUserID(),
+                                        $user_table . '.users_id' => Session::getLoginUserID(),
+                                    ],
+                                ],
+                            ];
+
+                            if (!empty($_SESSION['glpigroups'])) {
+                                $criteria['LEFT JOIN'][$group_table] = [
+                                    'ON' => [
+                                        $group_table => $itil_type::getForeignKeyField(),
+                                        '_' => 'id',
+                                    ],
+                                ];
+                                $criteria['WHERE']['OR'][$group_table . '.groups_id'] = $_SESSION['glpigroups'];
+                            }
+                            return $criteria;
+                        }
+                    } else {
+                        // Tickets have expanded permissions
+                        $criteria = [
+                            'LEFT JOIN' => [
+                                'glpi_tickets_users' => [
+                                    'ON' => [
+                                        'glpi_tickets_users' => Ticket::getForeignKeyField(),
+                                        '_' => 'id',
+                                    ],
+                                ],
+                                'glpi_groups_tickets' => [
+                                    'ON' => [
+                                        'glpi_groups_tickets' => Ticket::getForeignKeyField(),
+                                        '_' => 'id',
+                                    ],
+                                ],
+                            ],
+                            'WHERE' => ['OR' => []],
+                        ];
+                        if (Session::haveRight(Ticket::$rightname, CommonITILObject::READMY)) {
+                            // Permission to see tickets as direct requester, observer or writer
+                            $criteria['WHERE']['OR'][] = [
+                                '_.users_id_recipient' => Session::getLoginUserID(),
+                                [
+                                    'AND' => [
+                                        'glpi_tickets_users' . '.users_id' => Session::getLoginUserID(),
+                                        'glpi_tickets_users' . '.type' => [CommonITILActor::REQUESTER, CommonITILActor::OBSERVER],
+                                    ],
+                                ],
+                            ];
+                        }
+                        if (!empty($_SESSION['glpigroups']) && Session::haveRight(Ticket::$rightname, Ticket::READGROUP)) {
+                            // Permission to see tickets as requester or observer group member
+                            $criteria['WHERE']['OR'][] = [
+                                'AND' => [
+                                    'glpi_groups_tickets.groups_id' => $_SESSION['glpigroups'],
+                                    'glpi_groups_tickets.type' => [CommonITILActor::REQUESTER, CommonITILActor::OBSERVER],
+                                ],
+                            ];
+                        }
+
+                        if (Session::haveRight(Ticket::$rightname, Ticket::OWN) || Session::haveRight(Ticket::$rightname, Ticket::READASSIGN)) {
+                            $criteria['WHERE']['OR'][] = [
+                                'AND' => [
+                                    'glpi_tickets_users' . '.users_id' => Session::getLoginUserID(),
+                                    'glpi_tickets_users' . '.type' => CommonITILActor::ASSIGN,
+                                ],
+                            ];
+                        }
+                        if (Session::haveRight(Ticket::$rightname, Ticket::READASSIGN)) {
+                            $criteria['WHERE']['OR'][] = [
+                                'AND' => [
+                                    'glpi_groups_tickets.groups_id' => $_SESSION['glpigroups'],
+                                    'glpi_groups_tickets.type' => CommonITILActor::ASSIGN,
+                                ],
+                            ];
+                        }
+                        if (Session::haveRight(Ticket::$rightname, Ticket::READNEWTICKET)) {
+                            $criteria['WHERE']['OR'][] = [
+                                '_.status' => CommonITILObject::INCOMING,
+                            ];
+                        }
+
+                        if (
+                            Session::haveRightsOr(
+                                'ticketvalidation',
+                                [\TicketValidation::VALIDATEINCIDENT,
+                                    \TicketValidation::VALIDATEREQUEST,
+                                ]
+                            )
+                        ) {
+                            $criteria['OR'][] = [
+                                'AND' => [
+                                    "glpi_ticketvalidations.itemtype_target" => User::class,
+                                    "glpi_ticketvalidations.items_id_target" => Session::getLoginUserID(),
+                                ],
+                            ];
+                            if (count($_SESSION['glpigroups'])) {
+                                $criteria['OR'][] = [
+                                    'AND' => [
+                                        "glpi_ticketvalidations.itemtype_target" => Group::class,
+                                        "glpi_ticketvalidations.items_id_target" => $_SESSION['glpigroups'],
+                                    ],
+                                ];
+                            }
+                        }
+                        return empty($criteria['WHERE']['OR']) ? false : $criteria;
+                    }
+                    return false; // Cannot see anything.
+                },
+            ];
+
             if ($itil_type === Ticket::class) {
                 $schemas[$itil_type]['properties']['type'] = [
                     'type' => Doc\Schema::TYPE_INTEGER,
@@ -469,12 +605,36 @@ public static function getRawKnownSchemas(): array
 
         $schemas['TicketValidation'] = $base_validation_schema;
         $schemas['TicketValidation']['x-version-introduced'] = '2.0';
-        $schemas['TicketValidation']['x-itemtype'] = \TicketValidation::class;
+        $schemas['TicketValidation']['x-itemtype'] = TicketValidation::class;
+        $schemas['TicketValidation']['x-rights-conditions'] = [
+            'read' => static function () {
+                return Session::haveRightsOr(
+                    TicketValidation::$rightname,
+                    array_merge(
+                        TicketValidation::getCreateRights(),
+                        TicketValidation::getValidateRights(),
+                        TicketValidation::getPurgeRights()
+                    )
+                );
+            },
+        ];
         $schemas['TicketValidation']['properties'][Ticket::getForeignKeyField()] = ['type' => Doc\Schema::TYPE_INTEGER, 'format' => Doc\Schema::FORMAT_INTEGER_INT64];
 
         $schemas['ChangeValidation'] = $base_validation_schema;
         $schemas['ChangeValidation']['x-version-introduced'] = '2.0';
-        $schemas['ChangeValidation']['x-itemtype'] = \ChangeValidation::class;
+        $schemas['ChangeValidation']['x-itemtype'] = ChangeValidation::class;
+        $schemas['ChangeValidation']['x-rights-conditions'] = [
+            'read' => static function () {
+                return Session::haveRightsOr(
+                    ChangeValidation::$rightname,
+                    array_merge(
+                        ChangeValidation::getCreateRights(),
+                        ChangeValidation::getValidateRights(),
+                        ChangeValidation::getPurgeRights()
+                    )
+                );
+            },
+        ];
         $schemas['ChangeValidation']['properties'][Change::getForeignKeyField()] = ['type' => Doc\Schema::TYPE_INTEGER, 'format' => Doc\Schema::FORMAT_INTEGER_INT64];
 
         $schemas['RecurringTicket'] = [

src/Glpi/Api/HL/GraphQL.php

@@ -36,6 +36,7 @@
 namespace Glpi\Api\HL;
 
 use Glpi\Http\Request;
+use GraphQL\Error\Error;
 use GraphQL\Type\Definition\ResolveInfo;
 use GraphQL\Utils\BuildSchema;
 
@@ -55,6 +56,7 @@ public static function processRequest(Request $request): array
         $query = (string) $request->getBody();
         $generator = new GraphQLGenerator($api_version);
         $schema_str = $generator->getSchema();
+
         try {
             $result = \GraphQL\GraphQL::executeQuery(
                 schema: BuildSchema::build($schema_str),
@@ -75,10 +77,17 @@ public static function processRequest(Request $request): array
                         $completed_schema = self::expandSchemaFromRequestedFields($schema, $field_selection, null, $api_version);
 
                         if (isset($args['id'])) {
-                            $result = json_decode(Search::getOneBySchema($completed_schema, ['id' => $args['id']], [])->getBody(), true);
-                            return [$result];
+                            $result = Search::getOneBySchema($completed_schema, ['id' => $args['id']], []);
+                            if ($result->getStatusCode() !== 200) {
+                                throw new Error($result->getBody());
+                            }
+                            return [json_decode($result->getBody(), true)];
+                        }
+                        $result = Search::searchBySchema($completed_schema, $args);
+                        if ($result->getStatusCode() !== 200) {
+                            throw new Error($result->getBody());
                         }
-                        return json_decode(Search::searchBySchema($completed_schema, $args)->getBody(), true);
+                        return json_decode($result->getBody(), true);
                     }
 
                     return $source[$info->fieldName] ?? null;
@@ -95,6 +104,10 @@ private static function expandSchemaFromRequestedFields(array $schema, array $fi
     {
         $is_schema_array = array_key_exists('items', $schema) && !array_key_exists('properties', $schema);
         $itemtype = self::getSchemaItemtype($schema, $api_version);
+        if (is_subclass_of($itemtype, \CommonDBTM::class) && !$itemtype::canView()) {
+            // Cannot view this itemtype so we shouldn't expand it further
+            return $schema;
+        }
         if ($is_schema_array) {
             $properties = $schema['items']['properties'];
         } else {

src/Glpi/Api/HL/RightConditionNotMetException.php

@@ -0,0 +1,42 @@
+<?php
+
+/**
+ * ---------------------------------------------------------------------
+ *
+ * GLPI - Gestionnaire Libre de Parc Informatique
+ *
+ * http://glpi-project.org
+ *
+ * @copyright 2015-2025 Teclib' and contributors.
+ * @licence   https://www.gnu.org/licenses/gpl-3.0.html
+ *
+ * ---------------------------------------------------------------------
+ *
+ * LICENSE
+ *
+ * This file is part of GLPI.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * ---------------------------------------------------------------------
+ */
+
+namespace Glpi\Api\HL;
+
+/**
+ * An exception thrown specifically when a right condition is known to be a failure without needing to perform any SQL query.
+ * For example, if a user has no Ticket permission then we know they cannot read any Tickets.
+ * Instead of performing a SQL query with a condition that always resolve to no records, we can fail-fast and use an empty iterator result.
+ */
+class RightConditionNotMetException extends APIException {}