Restrict webhooks by itemtype (#21989)

Author: cconard96

src/Webhook.php

@@ -117,6 +117,18 @@ public static function canDelete(): bool
         return static::canUpdate();
     }
 
+    public function canCreateItem(): bool
+    {
+        $itemtype = $this->fields['itemtype'];
+        return empty($itemtype) || (is_subclass_of($itemtype, CommonGLPI::class) && $itemtype::canView());
+    }
+
+    public function canUpdateItem(): bool
+    {
+        $itemtype = $this->fields['itemtype'];
+        return empty($itemtype) || (is_subclass_of($itemtype, CommonGLPI::class) && $itemtype::canView());
+    }
+
     public function defineTabs($options = [])
     {
         $parent_tabs = parent::defineTabs();
@@ -457,7 +469,9 @@ public static function getItemtypesDropdownValues(): array
         // Move leaf values to the keys and make the value the ::getTypeName
         foreach ($values as $category => $itemtypes) {
             foreach ($itemtypes as $i => $itemtype) {
-                $values[$category][$itemtype] = $itemtype::getTypeName(1);
+                if ($itemtype::canView()) {
+                    $values[$category][$itemtype] = $itemtype::getTypeName(1);
+                }
                 unset($values[$category][$i]);
             }
         }

tests/functional/WebhookTest.php

@@ -37,6 +37,7 @@
 use Glpi\Api\HL\Controller\AbstractController;
 use Glpi\Search\SearchOption;
 use Psr\Log\LogLevel;
+use Webhook;
 
 class WebhookTest extends \DbTestCase
 {
@@ -46,7 +47,7 @@ class WebhookTest extends \DbTestCase
      */
     public function testWebhookTypesHaveIDOpt()
     {
-        $supported = \Webhook::getItemtypesDropdownValues();
+        $supported = Webhook::getItemtypesDropdownValues();
         $itemtypes = [];
         foreach ($supported as $types) {
             $itemtypes = array_merge($itemtypes, array_keys($types));
@@ -228,7 +229,7 @@ public function testWebhookHeaderTemplate()
     public function testGetResultForPath()
     {
         $this->login();
-        /** @var \Webhook $webhook */
+        /** @var Webhook $webhook */
         $webhook = $this->createItem('Webhook', [
             'name' => 'Test webhook',
             'entities_id' => $_SESSION['glpiactive_entity'],
@@ -249,7 +250,7 @@ public function testGetAPIItemtypeData()
         $this->login();
         $this->initAssetDefinition();
 
-        $supported_types = \Webhook::getAPIItemtypeData();
+        $supported_types = Webhook::getAPIItemtypeData();
         foreach ($supported_types as $controller => $type_data) {
             $this->assertTrue(is_subclass_of($controller, AbstractController::class));
             foreach ($type_data as $category => $types) {
@@ -266,7 +267,7 @@ public function testGetAPIPath()
     {
         $this->login();
 
-        $webhook = new \Webhook();
+        $webhook = new Webhook();
         $computer = getItemByTypeName('Computer', '_test_pc01');
         $this->assertEquals('/Assets/Computer/' . $computer->getID(), $webhook->getAPIPath($computer));
 
@@ -283,7 +284,7 @@ public function testWithHLAPIDisabled(): void
         global $CFG_GLPI;
         $this->login();
         $CFG_GLPI['enable_hlapi'] = 0;
-        /** @var \Webhook $webhook */
+        /** @var Webhook $webhook */
         $webhook = $this->createItem('Webhook', [
             'name' => 'Test webhook',
             'entities_id' => $_SESSION['glpiactive_entity'],
@@ -301,12 +302,12 @@ public function testWithHLAPIDisabled(): void
 
     public function testGetMonacoSuggestions()
     {
-        $itemtypes = \Webhook::getItemtypesDropdownValues();
+        $itemtypes = Webhook::getItemtypesDropdownValues();
 
         foreach ($itemtypes as $types) {
             $this->assertIsArray($types);
             foreach ($types as $itemtype => $label) {
-                $suggestions = \Webhook::getMonacoSuggestions($itemtype);
+                $suggestions = Webhook::getMonacoSuggestions($itemtype);
                 $this->assertNotEmpty($suggestions, "Missing suggestions for $itemtype");
             }
         }
@@ -316,7 +317,7 @@ public function testWebhookNotBlocker(): void
     {
         global $DB;
 
-        $this->createItem(\Webhook::class, [
+        $this->createItem(Webhook::class, [
             'name' => 'Test webhook',
             'entities_id' => $_SESSION['glpiactive_entity'],
             'url' => 'http://localhost',
@@ -360,4 +361,35 @@ public function testWebhookNotBlocker(): void
             ]
         );
     }
+
+    public function testItemtypeDropdownExcludesNoReadItemtypes()
+    {
+        $this->login();
+        $this->assertContains('Computer', Webhook::getItemtypesDropdownValues()['Assets']);
+        $this->assertContains('Monitor', Webhook::getItemtypesDropdownValues()['Assets']);
+        $_SESSION['glpiactiveprofile']['computer'] = ALLSTANDARDRIGHT & ~READ;
+        $this->assertNotContains('Computer', Webhook::getItemtypesDropdownValues()['Assets']);
+        $this->assertContains('Monitor', Webhook::getItemtypesDropdownValues()['Assets']);
+    }
+
+    public function testCreateUpdateNoReadItemtypes()
+    {
+        $this->login();
+        $webhook = $this->createItem('Webhook', [
+            'name' => 'Test webhook',
+            'entities_id' => $_SESSION['glpiactive_entity'],
+            'url' => 'http://localhost',
+            'itemtype' => 'Computer',
+            'event' => 'new',
+            'is_active' => 1,
+            'use_default_payload' => 1,
+        ]);
+        $this->assertTrue($webhook->canUpdateItem());
+        $_SESSION['glpiactiveprofile']['computer'] = ALLSTANDARDRIGHT & ~READ;
+        $this->assertFalse($webhook->canUpdateItem());
+
+        $this->assertFalse($webhook->canCreateItem());
+        $webhook->fields['itemtype'] = 'Monitor';
+        $this->assertTrue($webhook->canCreateItem());
+    }
 }