Merge remote-tracking branch 'origin/support/2.7' into develop

# Conflicts: # core/config.class.inc.php # datamodels/2.x/itop-core-update/view/SelectUpdateFile.html.twig # datamodels/2.x/itop-core-update/view/SelectUpdateFile.ready.js.twig # setup/setuputils.class.inc.php # test/setup/SetupUtilsTest.php
2026-04-23 18:48:51 +02:00 · 2021-03-02 14:34:19 +01:00
parent 77d4613bd8 d4607ee815
commit 9cbaced1f3
21 changed files with 271 additions and 50 deletions
--- a/application/dashlet.class.inc.php
+++ b/application/dashlet.class.inc.php
@@ -438,17 +438,21 @@ EOF
 					$sAttType = $aTargetAttCodes[$sTargetAttCode];
 					$sExtFieldAttCode = $sTargetAttCode;
 				}
-				if (is_a($sAttType, 'AttributeLinkedSet', true))
-				{
-					continue;
-				}
-				if (is_a($sAttType, 'AttributeFriendlyName', true))
-				{
-					continue;
-				}
-				if (is_a($sAttType, 'AttributeOneWayPassword', true))
-				{
-					continue;
+
+				$aForbidenAttType = [
+					'AttributeLinkedSet',
+					'AttributeFriendlyName',
+
+					'iAttributeNoGroupBy', //we cannot only use iAttributeNoGroupBy since this method is also used by the designer who do not have access to the classes' PHP reflection API. So the known classes has to be listed altogether
+					'AttributeOneWayPassword',
+					'AttributeEncryptedString',
+					'AttributePassword',
+				];
+				foreach ($aForbidenAttType as $sForbidenAttType) {
+					if (is_a($sAttType, $sForbidenAttType, true))
+					{
+						continue 2;
+					}
 				}

 				$sLabel = $this->oModelReflection->GetLabel($sClass, $sAttCode);
--- a/application/displayblock.class.inc.php
+++ b/application/displayblock.class.inc.php
@@ -636,8 +636,21 @@ HTML;
 			$this->m_oSet = new CMDBObjectSet($this->m_oFilter, $aOrderBy, $aQueryParams);
 		}
 		$this->m_oSet->SetShowObsoleteData($this->m_bShowObsoleteData);
-		switch($this->m_sStyle)
-		{
+
+		switch($this->m_sStyle) {
+			case 'list_search':
+			case 'list':
+				break;
+			default:
+				// N°3473: except for 'list_search' and 'list' (which have more granularity, see the other switch below),
+				// refuse to render if the user is not allowed to see the class.
+				if (! UserRights::IsActionAllowed($this->m_oSet->GetClass(), UR_ACTION_READ, $this->m_oSet) == UR_ALLOWED_YES) {
+					$sHtml .= $oPage->GetP(Dict::Format('UI:Error:ReadNotAllowedOn_Class', $this->m_oSet->GetClass()));
+					return $sHtml;
+				}
+		}
+
+		switch ($this->m_sStyle) {
 			case 'count':
 				$oBlock = $this->RenderCount($aExtraParams);
 				break;
--- a/application/transaction.class.inc.php
+++ b/application/transaction.class.inc.php
@@ -297,11 +297,19 @@ class privUITransactionFile
 	 * Cleanup old transactions which have been pending since more than 24 hours
 	 * Use filemtime instead of filectime since filectime may be affected by operations on the directory (like changing the access rights)
 	 */
-	protected static function CleanupOldTransactions()
+	protected static function CleanupOldTransactions($sTransactionDir = null)
 	{
-		$iLimit = time() - 24*3600;
+		$iThreshold = (int) MetaModel::GetConfig()->Get('transactions_gc_threshold');
+		$iThreshold = min(100, $iThreshold);
+		$iThreshold = max(1, $iThreshold);
+		if ((100 != $iThreshold) && (rand(1, 100) > $iThreshold)) {
+			return;
+		}
+
 		clearstatcache();
-		$aTransactions = glob(APPROOT.'data/transactions/*-*');
+		$iLimit = time() - 24*3600;
+		$sPattern = $sTransactionDir ? "$sTransactionDir/*" : APPROOT.'data/transactions/*';
+		$aTransactions = glob($sPattern);
 		foreach($aTransactions as $sFileName)
 		{
 			if (filemtime($sFileName) < $iLimit)