fork

Lainow · Sep 25, 2023 · 04ed007 · 04ed007
2 parents 9c3ab02 + 6d93588
commit 04ed007
Show file tree

Hide file tree

Showing 223 changed files with 276,658 additions and 260,522 deletions.
diff --git a/.github/workflows/audit_dependencies.yml b/.github/workflows/audit_dependencies.yml
@@ -32,7 +32,7 @@ jobs:
           rm -rf "${{ env.APPLICATION_ROOT }}/*"
           rm -rf "${{ env.APP_CONTAINER_HOME }}/*"
       - name: "Checkout"
-        uses: "actions/checkout@v3"
+        uses: "actions/checkout@v4"
         with:
           ref: ${{ matrix.branch }}
       - name: "Restore dependencies cache"

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
@@ -19,7 +19,7 @@ jobs:
           --volume /glpi:/var/glpi
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@v3"
+        uses: "actions/checkout@v4"
       - name: "Deploy source into app container"
         run: |
           sudo cp --no-target-directory --preserve --recursive `pwd` /glpi

diff --git a/.github/workflows/bump_version_after_release.yml b/.github/workflows/bump_version_after_release.yml
@@ -50,7 +50,7 @@ jobs:
           echo "CHANGELOG_ENTRY=${CHANGELOG_ENTRY//$'\n'/'\n'}" >> $GITHUB_ENV
       - name: "Checkout"
         if: ${{ env.IS_STABLE_RELEASE == 'yes' }}
-        uses: "actions/checkout@v3"
+        uses: "actions/checkout@v4"
       - name: "Update codebase"
         if: ${{ env.IS_STABLE_RELEASE == 'yes' }}
         run: |

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -45,7 +45,7 @@ jobs:
           rm -rf "${{ env.APPLICATION_ROOT }}/*"
           rm -rf "${{ env.APP_CONTAINER_HOME }}/*"
       - name: "Checkout"
-        uses: "actions/checkout@v3"
+        uses: "actions/checkout@v4"
       - name: "Restore dependencies cache"
         uses: actions/cache@v3
         with:
@@ -136,7 +136,7 @@ jobs:
           rm -rf "${{ env.APP_CONTAINER_HOME }}/*"
       - name: "Checkout"
         if: env.skip != 'true'
-        uses: "actions/checkout@v3"
+        uses: "actions/checkout@v4"
       - name: "Restore dependencies cache"
         if: env.skip != 'true'
         uses: actions/cache@v3

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -37,7 +37,7 @@ jobs:
           rm -rf "${{ env.APPLICATION_ROOT }}/*"
           rm -rf "${{ env.APP_CONTAINER_HOME }}/*"
       - name: "Checkout"
-        uses: "actions/checkout@v3"
+        uses: "actions/checkout@v4"
         with:
           ref: ${{ matrix.branch }}
       - name: "Restore dependencies cache"

diff --git a/.github/workflows/label-commenter.yml b/.github/workflows/label-commenter.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@v3"
+        uses: "actions/checkout@v4"
 
       - name: "Label commenter"
         uses: "peaceiris/actions-label-commenter@v1"
diff --git a/.github/workflows/nightly_build.yml b/.github/workflows/nightly_build.yml
@@ -29,7 +29,7 @@ jobs:
           --volume /glpi:/var/glpi
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@v3"
+        uses: "actions/checkout@v4"
         with:
           ref: ${{ matrix.branch }}
       - name: "Build if updated during the last 24h"
@@ -64,7 +64,7 @@ jobs:
           docker exec --interactive ${{ job.services.app.id }} tools/make_release.sh -y . ${{ env.release_name }}
           docker cp ${{ job.services.app.id }}:/tmp/glpi-${{ env.release_name }}.tgz ${{ github.workspace }}/${{ env.release_name }}.tar.gz
           cp ${{ github.workspace }}/${{ env.release_name }}.tar.gz ${{ github.workspace }}/${{ steps.release-name.outputs.basename }}.tar.gz
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         if: ${{ steps.updated.outputs.build == 'yes' }}
         with:
           repository: ${{ github.repository_owner }}/glpi-project.github.io

diff --git a/.webpack.config.js b/.webpack.config.js
@@ -46,7 +46,7 @@ let config = {
                     path.resolve(__dirname, 'node_modules/jquery-migrate'),
                     path.resolve(__dirname, 'node_modules/photoswipe'),
                     path.resolve(__dirname, 'node_modules/rrule'),
-                    path.resolve(__dirname, 'vendor/blueimp/jquery-file-upload'),
+                    path.resolve(__dirname, 'lib/blueimp/jquery-file-upload'),
                 ],
                 use: ['script-loader', 'strip-sourcemap-loader'],
             },

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,7 +3,28 @@
 The present file will list all changes made to the project; according to the
 [Keep a Changelog](http://keepachangelog.com/) project.
 
-## [10.0.10] unreleased
+## [10.0.11] unreleased
+
+### Added
+
+### Changed
+
+### Deprecated
+
+### Removed
+
+### API changes
+
+#### Added
+
+#### Changes
+
+#### Deprecated
+
+#### Removed
+
+
+## [10.0.10] 2023-09-25
 
 ### Added
 

diff --git a/README.md b/README.md
@@ -123,6 +123,10 @@ See :
     * Bug reporting / Man pages
     * [Contribute to this documentation!](https://github.com/glpi-project/doc-agent)
 
+* [GLPI Plugins](https://glpi-plugins.readthedocs.io)
+    * Usage and features for some GLPI plugins
+    * [Contribute to this documentation!](https://github.com/pluginsglpi/doc)
+
 ## Additional resources
 
 * [Official website](http://glpi-project.org)

diff --git a/ajax/cable.php b/ajax/cable.php
@@ -50,7 +50,7 @@
             $_POST['itemtype']::dropdown(['name'                => $_POST['dom_name'],
                 'rand'                => $_POST['dom_rand'],
                 'display_emptychoice' => true,
-                'display_dc_position' => true,
+                'display_dc_position' => in_array($_POST['itemtype'], $CFG_GLPI['rackable_types']),
                 'width'               => '100%',
             ]);
         }

diff --git a/ajax/common.tabs.php b/ajax/common.tabs.php
@@ -35,6 +35,8 @@
 
 use Glpi\Toolbox\Sanitizer;
 
+$SECURITY_STRATEGY = 'no_check'; // specific checks done later to allow anonymous access to public FAQ tabs
+
 include('../inc/includes.php');
 $AJAX_INCLUDE = 1;
 

diff --git a/ajax/dashboard.php b/ajax/dashboard.php
@@ -33,6 +33,8 @@
  * ---------------------------------------------------------------------
  */
 
+$SECURITY_STRATEGY = 'no_check'; // specific checks done later to allow anonymous access to embed dashboards
+
 include('../inc/includes.php');
 
 use Glpi\Dashboard\Grid;

diff --git a/ajax/displayMessageAfterRedirect.php b/ajax/displayMessageAfterRedirect.php
@@ -36,10 +36,15 @@
 $AJAX_INCLUDE = 1;
 include('../inc/includes.php');
 
-// Send UTF8 Headers
-header("Content-Type: text/html; charset=UTF-8");
 Html::header_nocache();
-
 Session::checkLoginUser();
 
-Html::displayMessageAfterRedirect(filter_var(($_GET['display_container'] ?? true), FILTER_VALIDATE_BOOLEAN));
+if (isset($_GET['get_raw']) && filter_var(($_GET['display_container'] ?? true), FILTER_VALIDATE_BOOLEAN)) {
+    header("Content-Type: application/json; charset=UTF-8");
+    echo json_encode($_SESSION['MESSAGE_AFTER_REDIRECT'] ?? []);
+    $_SESSION['MESSAGE_AFTER_REDIRECT'] = [];
+} else {
+    // Send UTF8 Headers
+    header("Content-Type: text/html; charset=UTF-8");
+    Html::displayMessageAfterRedirect(filter_var(($_GET['display_container'] ?? true), FILTER_VALIDATE_BOOLEAN));
+}
diff --git a/ajax/itillayout.php b/ajax/itillayout.php
@@ -33,23 +33,27 @@
  * ---------------------------------------------------------------------
  */
 
+use Glpi\Toolbox\Sanitizer;
+
 include('../inc/includes.php');
 
 header('Content-Type: application/json; charset=UTF-8');
 Html::header_nocache();
 
 Session::checkLoginUser();
 
-$itillayout = json_encode($_POST['itil_layout']);
-if ($itillayout === false) {
+$raw_itillayout  = Sanitizer::unsanitize($_POST['itil_layout']);
+
+$json_itillayout = json_encode($raw_itillayout);
+if ($json_itillayout === false) {
     exit;
 }
 
 $user = new User();
 $success = $user->update(
     [
         'id' => Session::getLoginUserID(),
-        'itil_layout' => $itillayout,
+        'itil_layout' => Sanitizer::dbEscape($json_itillayout),
     ]
 );
 echo json_encode(['success' => $success]);
diff --git a/ajax/kanban.php b/ajax/kanban.php
@@ -55,7 +55,7 @@
 }
 $action = $_REQUEST['action'];
 
-$nonkanban_actions = ['update', 'bulk_add_item', 'add_item', 'move_item', 'show_card_edit_form', 'delete_item', 'load_item_panel',
+$nonkanban_actions = ['update', 'bulk_add_item', 'add_item', 'move_item', 'delete_item', 'load_item_panel',
     'add_teammember', 'delete_teammember', 'restore_item'
 ];
 if (isset($_REQUEST['itemtype'])) {
@@ -79,16 +79,15 @@
         }
     }
     if (in_array($action, ['update', 'load_item_panel', 'delete_teammember'])) {
-        $item->getFromDB($_REQUEST['items_id']);
-        if (!$item->canUpdateItem()) {
+        if (!$item->can($_REQUEST['items_id'], UPDATE)) {
             // Missing rights
             http_response_code(403);
             return;
         }
     }
     if (in_array($action, ['add_teammember'])) {
         $item->getFromDB($_REQUEST['items_id']);
-        $can_assign = method_exists($item, 'canAssign') ? $item->canAssign() : $item->canUpdateItem();
+        $can_assign = method_exists($item, 'canAssign') ? $item->canAssign() : $item->can($_REQUEST['items_id'], UPDATE);
         if (!$can_assign) {
            // Missing rights
             http_response_code(403);
@@ -143,7 +142,11 @@
     $inputs = [];
     parse_str($_UPOST['inputs'], $inputs);
 
-    $item->add(Sanitizer::sanitize($inputs));
+    $result = $item->add(Sanitizer::sanitize($inputs));
+    if (!$result) {
+        http_response_code(400);
+        return;
+    }
 } else if (($_POST['action'] ?? null) === 'bulk_add_item') {
     $checkParams(['inputs']);
     $item = new $itemtype();
@@ -247,15 +250,6 @@
     header("Content-Type: application/json; charset=UTF-8", true);
     $column = $itemtype::getKanbanColumns($_REQUEST['items_id'], $_REQUEST['column_field'], [$_REQUEST['column_id']]);
     echo json_encode($column, JSON_FORCE_OBJECT);
-} else if ($_REQUEST['action'] === 'show_card_edit_form') {
-    $checkParams(['card']);
-    $item->getFromDB($_REQUEST['card']);
-    if ($item->canViewItem() && $item->canUpdateItem()) {
-        $item->showForm($_REQUEST['card']);
-    } else {
-        http_response_code(403);
-        return;
-    }
 } else if (($_POST['action'] ?? null) === 'delete_item') {
     $checkParams(['items_id']);
     $item->getFromDB($_POST['items_id']);

diff --git a/ajax/knowbase.php b/ajax/knowbase.php
@@ -33,18 +33,11 @@
  * ---------------------------------------------------------------------
  */
 
+$SECURITY_STRATEGY = 'faq_access';
+
 include('../inc/includes.php');
 Html::header_nocache();
 
-/** @global array $CFG_GLPI */
-
-if (
-    !$CFG_GLPI["use_public_faq"]
-    && !Session::haveRightsOr('knowbase', [KnowbaseItem::READFAQ, READ])
-) {
-    exit;
-}
-
 $_SESSION['kb_cat_id'] = $_REQUEST['cat_id'] ?? 0;
 
 switch ($_REQUEST['action']) {

diff --git a/ajax/updateTranslationValue.php b/ajax/updateTranslationValue.php
@@ -0,0 +1,59 @@
+<?php
+
+/**
+ * ---------------------------------------------------------------------
+ *
+ * GLPI - Gestionnaire Libre de Parc Informatique
+ *
+ * http://glpi-project.org
+ *
+ * @copyright 2015-2023 Teclib' and contributors.
+ * @copyright 2003-2014 by the INDEPNET Development Team.
+ * @licence   https://www.gnu.org/licenses/gpl-3.0.html
+ *
+ * ---------------------------------------------------------------------
+ *
+ * LICENSE
+ *
+ * This file is part of GLPI.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * ---------------------------------------------------------------------
+ */
+
+include('../inc/includes.php');
+
+header("Content-Type: text/html; charset=UTF-8");
+Html::header_nocache();
+
+Session::checkRight("dropdown", UPDATE);
+
+$matching_field = null;
+
+if (isset($_POST['itemtype'], $_POST['field']) && is_a($_POST['itemtype'], CommonDropdown::class, true)) {
+    $itemtype = new $_POST['itemtype']();
+    $matching_field = $itemtype->getAdditionalField($_POST['field']);
+}
+
+if (($matching_field['type'] ?? null) === 'tinymce') {
+    Html::textarea([
+        'name'              => 'value',
+        'enable_richtext'   => true,
+        'enable_images'     => false,
+        'enable_fileupload' => false,
+    ]);
+} else {
+    echo "<input type='text' name='value' size='50'>";
+}
diff --git a/composer.json b/composer.json
@@ -26,7 +26,6 @@
         "ext-session": "*",
         "ext-simplexml": "*",
         "ext-zlib": "*",
-        "blueimp/jquery-file-upload": "^10.32",
         "donatj/phpuseragentparser": "^1.7",
         "elvanto/litemoji": "^4.1",
         "glpi-project/inventory_format": "^1.1",