[HLAPI] Expanded permission checks #19678

Status: Draft, wants to merge 3 commits into base: main

Conversation

cconard96 (Contributor)

Checklist before requesting a review

  • I have read the CONTRIBUTING document.
  • I have performed a self-review of my code.
  • I have added tests that prove my fix is effective or that my feature works.
  • This change requires a documentation update.

Description

This will address the last major blocker, AFAIK, with the new API for the stable GLPI 11 release.

Expand permission checks and some GraphQL handling:

  • Add more item-level checks and more unit tests related to permissions.
  • Rely on permission checking at the Search level instead of a middleware to account for permissions on indirectly requested itemtypes (GraphQL). For example this query is requesting Computers as the main itemtype, but also States which have different permissions:

        query {
            Computer(limit: 10) {
                id
                status {
                    name
                    visibilities {
                        computer
                        monitor
                    }
                }
            }
        }

  • Fix GraphQL response having null values at incorrect levels when missing permissions.
  • Fix GraphQL response not including errors from the API.
  • Prevent expanding the schemas of itemtypes the user cannot view. For example, if a user can view Computers but not "Statuses of items", the user can see the computer with the ID and Name of the status (included directly in the Computer schema), but none of the expanded properties from the State schema like visibilities.
  • Add a "fast-fail" functionality to the read permission SQL restriction criteria. If a schema returns false for x-rights-critieria['read'], we know the user cannot view any of that itemtype so we can avoid querying the DB completely. This avoids sending a query with a condition like "1=0" which will resolve as false and return nothing anyway.
  • Fix HTTP status codes used for some API error responses.

This was originally waiting for another PR which may have reduced duplication on the SQL criteria between the new API and the search engine but that is a complex thing to make generic enough, notably with the different table aliases being used, and it is too late to continue that work for GLPI 11.0.
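A toy model of the permission flow described in this PR, added here as an illustration and not GLPI's own code: `SCHEMA`, `ROWS`, `read_criteria`, `search` and `project` are constructed stand-ins for the HL API schema, the database, the `x-rights-critieria['read']` lookup and the Search-level check. It shows the check running for indirectly requested itemtypes (State via Computer.status), the fast-fail that sends no query when the criteria are false, and nulls landing only at the denied level while the embedded id/name of the status stay visible.

```python
# Constructed schema (toy model, not GLPI's): direct fields of each itemtype
# plus expandable properties and the itemtype they resolve to.
SCHEMA = {
    "Computer": {"fields": {"id", "name"}, "expands": {"status": "State"}},
    "State": {"fields": {"id", "name"}, "expands": {"visibilities": "StateVisibility"}},
    "StateVisibility": {"fields": {"computer", "monitor"}, "expands": {}},
}
# Constructed rows standing in for the database; a parent row embeds the
# id/name of a linked item directly, as the Computer schema does for status.
ROWS = {
    "Computer": {1: {"id": 1, "name": "pc-01", "status": {"id": 7, "name": "In use"}}},
    "State": {7: {"id": 7, "name": "In use", "visibilities": {"id": 7}}},
    "StateVisibility": {7: {"id": 7, "computer": True, "monitor": False}},
}
def read_criteria(itemtype, rights):
    """Toy x-rights-critieria['read']: False means the user can read nothing of
    this itemtype, so callers fast-fail instead of sending a '1=0' query."""
    return {} if rights.get(itemtype) else False   # {} = no extra restriction here
def search(itemtype, item_id, selection, rights, queries, errors):
    """Search-level check: runs for every itemtype reached, directly or by expansion."""
    if read_criteria(itemtype, rights) is False:
        errors.append({"itemtype": itemtype, "status": 403, "message": "Not authorized"})
        return None                          # no DB query at all
    queries.append(itemtype)                 # record that a query was sent
    row = ROWS[itemtype].get(item_id)
    return None if row is None else project(itemtype, row, selection, rights, queries, errors)
def project(itemtype, row, selection, rights, queries, errors):
    """Build the response for one row, expanding linked itemtypes on demand."""
    out = {}
    for field, sub in selection.items():
        if field in SCHEMA[itemtype]["fields"]:
            out[field] = row.get(field)
            continue
        target = SCHEMA[itemtype]["expands"][field]
        embedded = row.get(field, {})        # id/name known without reading the target
        node = {k: embedded[k] for k in sub if k in embedded}
        deeper = {k: v for k, v in sub.items() if k not in embedded}
        if deeper:
            expanded = search(target, embedded.get("id"), deeper, rights, queries, errors)
            # null only the denied properties, never the parent node that was allowed
            node.update(expanded if expanded is not None else dict.fromkeys(deeper))
        out[field] = node
    return out
def run_query(rights):
    """The PR's query: Computer { id status { name visibilities { computer monitor } } }."""
    selection = {"id": None, "status": {"name": None, "visibilities": {"computer": None, "monitor": None}}}
    queries, errors = [], []
    data = search("Computer", 1, selection, rights, queries, errors)
    return {"data": data, "errors": errors, "queries": queries}
```

With State denied, `run_query` returns the computer with `status.name` filled, `status.visibilities` set to null, a 403 error entry for State, and only one query recorded; the StateVisibility query is never reached.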

@cconard96 cconard96 force-pushed the fix/expanded_hlapi_right_checks branch from 6f02ca8 to 9ca5446 Compare June 5, 2025 00:09
@cconard96 cconard96 force-pushed the fix/expanded_hlapi_right_checks branch from c379270 to e995f14 Compare June 14, 2025 18:32