From 03e1d4658602e384feae798793011099c09ba555 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A5kon=20Harnes?= <hakon@harnes.co>
Date: Mon, 22 Sep 2025 16:51:32 +0200
Subject: [PATCH] =?UTF-8?q?:bug:=20N=C2=B08522=20-=20check=20if=20org=20id?=
 =?UTF-8?q?=20is=20null=20when=20filtering=20(#727)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 core/userrights.class.inc.php                 |  4 +-
 .../unitary-tests/core/OQLTest.php            | 89 +++++++++++++++++++
 2 files changed, 92 insertions(+), 1 deletion(-)

diff --git a/core/userrights.class.inc.php b/core/userrights.class.inc.php
index aeea4fa20..3dae6815e 100644
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -142,7 +142,9 @@ abstract class UserRightsAddOnAPI
 		$oFilter  = new DBObjectSearch($sClass);
 		$oListExpr = ListExpression::FromScalars($aAllowedOrgs);
 
-		$oCondition = new BinaryExpression($oExpression, 'IN', $oListExpr);
+		$oNullCondition = new FunctionExpression('ISNULL', [$oExpression]);
+		$oInCondition = new BinaryExpression($oExpression, 'IN', $oListExpr);
+		$oCondition = $oNullCondition->LogOr($oInCondition);
 		$oFilter->AddConditionExpression($oCondition);
 
 		if ($this->HasSharing())
diff --git a/tests/php-unit-tests/unitary-tests/core/OQLTest.php b/tests/php-unit-tests/unitary-tests/core/OQLTest.php
index de81dc512..70cd2185c 100644
--- a/tests/php-unit-tests/unitary-tests/core/OQLTest.php
+++ b/tests/php-unit-tests/unitary-tests/core/OQLTest.php
@@ -13,12 +13,14 @@ namespace Combodo\iTop\Test\UnitTest\Core;
 use CMDBSource;
 use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
 use DBObjectSearch;
+use DBObjectSet;
 use DBSearch;
 use Exception;
 use MetaModel;
 use OqlInterpreter;
 use QueryBuilderContext;
 use SQLObjectQueryBuilder;
+use UserRights;
 use utils;
 
 class OQLTest extends ItopDataTestCase
@@ -499,4 +501,91 @@ SELECT
 			],
 		];
 	}
+
+	private function GivenVMAndLicence(int $iVmOrgId, ?int $iLicenceOrgId): int
+	{
+		$iOsFamilyId = $this->GivenObjectInDB('OSFamily', [
+			'name' => 'Test OS Family',
+		]);
+
+		$iOsVersionId = $this->GivenObjectInDB('OSVersion', [
+			'name'        => 'Test OS Version',
+			'osfamily_id' => $iOsFamilyId,
+		]);
+
+		$iOSLicenceId = $this->GivenObjectInDB('OSLicence', [
+			'name'         => 'Test OS Licence',
+			'osversion_id' => $iOsVersionId,
+			'org_id'       => $iLicenceOrgId,
+		]);
+
+		$iVClusterId = $this->GivenObjectInDB('Hypervisor', [
+			'name'   => 'Test Hypervisor',
+			'org_id' => $iVmOrgId,
+		]);
+
+		return $this->GivenObjectInDB('VirtualMachine', [
+			'name'           => 'Test VM with OS Licence',
+			'org_id'         => $iVmOrgId,
+			'virtualhost_id' => $iVClusterId,
+			'oslicence_id'   => $iOSLicenceId,
+		]);
+	}
+
+	public function testMultiColumnQueryBehaviorWithOrganizationRestrictions()
+	{
+		$sAllowedOrgId = $this->GivenObjectInDB('Organization', ['name' => 'Test organization']);
+		$sForbiddenOrgId = $this->GivenObjectInDB('Organization', ['name' => 'Test organization not allowed']);
+
+		$iVmWithOsLicenceAllowed = $this->GivenVMAndLicence($sAllowedOrgId, $sAllowedOrgId);
+		$iVmWithOsLicenceForbidden = $this->GivenVMAndLicence($sAllowedOrgId, $sForbiddenOrgId);
+		$iVmWithoutOsLicence = $this->GivenVMAndLicence($sAllowedOrgId, null);
+
+		$sLoginUserWithAllowedOrg = $this->GivenUserRestrictedToAnOrganizationInDB($sAllowedOrgId, 3);
+
+		$sQuery = <<<OQL
+			SELECT VM, OSL
+			FROM VirtualMachine AS VM
+			JOIN OSLicence AS OSL ON VM.oslicence_id = OSL.id
+		OQL;
+
+		UserRights::Login($sLoginUserWithAllowedOrg);
+
+		$oDbObjectSearch = DBObjectSearch::FromOQL($sQuery);
+
+		$oSet = new DBObjectSet($oDbObjectSearch);
+
+		$aQueryResult = $oSet->ToArray();
+		$this->assertArrayHasKey($iVmWithOsLicenceAllowed, $aQueryResult, 'The VM with OS Licence in allowed org should be found');
+		$this->assertArrayNotHasKey($iVmWithOsLicenceForbidden, $aQueryResult, 'The VM with OS Licence in forbidden org should NOT be found');
+		$this->assertArrayHasKey($iVmWithoutOsLicence, $aQueryResult, 'The VM without OS Licence should be found (cf. #727)');
+		UserRights::Logoff();
+	}
+
+	public function testMultiColumnQueryBehaviorWithoutOrganizationRestrictions()
+	{
+		$sOrgId = $this->GivenObjectInDB('Organization', ['name' => 'Test organization']);
+
+		$iVmWithOsLicence = $this->GivenVMAndLicence($sOrgId, $sOrgId);
+		$iVmWithoutOsLicence = $this->GivenVMAndLicence($sOrgId, null);
+
+		$sLoginUserWithNoRestriction = $this->GivenUserInDB('azerty', ['Configuration Manager']);
+
+		$sQuery = <<<OQL
+			SELECT VM, OSL
+			FROM VirtualMachine AS VM
+			JOIN OSLicence AS OSL ON VM.oslicence_id = OSL.id
+		OQL;
+
+		UserRights::Login($sLoginUserWithNoRestriction);
+
+		$oDbObjectSearch = DBObjectSearch::FromOQL($sQuery);
+
+		$oSet = new DBObjectSet($oDbObjectSearch);
+
+		$aQueryResult = $oSet->ToArray();
+		$this->assertArrayHasKey($iVmWithOsLicence, $aQueryResult, 'The VM with OS Licence should be found');
+		$this->assertArrayHasKey($iVmWithoutOsLicence, $aQueryResult, 'The VM without OS Licence should be found');
+		UserRights::Logoff();
+	}
 }