add read restrictions

cconard96 · cconard96 · commit a337bdff0a65 · 2025-10-22T17:07:38.000-04:00
diff --git a/src/Glpi/Api/HL/Controller/SetupController.php b/src/Glpi/Api/HL/Controller/SetupController.php
@@ -52,6 +52,8 @@ final class SetupController extends AbstractController
 {
     public static function getRawKnownSchemas(): array
     {
+        global $DB;
+
         return [
             'LDAPDirectory' => [
                 'x-version-introduced' => '2.0',
@@ -119,6 +121,29 @@ public static function getRawKnownSchemas(): array
                     'name' => ['type' => Doc\Schema::TYPE_STRING],
                     'value' => ['type' => Doc\Schema::TYPE_STRING],
                 ],
+                'x-rights-conditions' => [
+                    'read' => static function () use ($DB) {
+                        // Make a SQL request to get all config items so we can check which are undisclosed
+                        // We are using safe IDs rather than undisclosed IDs to avoid issues with concurrent modifications
+                        // We cannot reliably lock the table due to the fact that the DB connection here may differ from the one used to perform the actual read in the Search code
+                        $disclosed_ids = [];
+
+                        $it = $DB->request([
+                            'SELECT' => ['id', 'context', 'name'],
+                            'FROM'   => 'glpi_configs',
+                        ]);
+                        $test_configs = [];
+                        foreach ($it as $row) {
+                            $test_configs[] = $row + ['value' => 'dummy'];
+                        }
+                        foreach ($test_configs as $f) {
+                            if (!self::isUndisclosedConfig($f['context'], $f['name'])) {
+                                $disclosed_ids[] = $f['id'];
+                            }
+                        }
+                        return ['WHERE' => ['_.id' => $disclosed_ids]];
+                    }
+                ]
             ],
         ];
     }
@@ -230,7 +255,7 @@ public function deleteItem(Request $request): Response
         return ResourceAccessor::deleteBySchema($this->getKnownSchema($itemtype, $this->getAPIVersion($request)), $request->getAttributes(), $request->getParameters());
     }
 
-    private function isUndisclosedConfig(string $context, string $name): bool
+    private static function isUndisclosedConfig(string $context, string $name): bool
     {
         $f = ['context' => $context, 'name' => $name, 'value' => 'dummy'];
         Config::unsetUndisclosedFields($f);
@@ -254,7 +279,7 @@ public function setConfigValue(Request $request): Response
         $value = $request->getParameter('value');
         Config::setConfigurationValues($context, [$name => $value]);
         // Return the updated config
-        if ($this->isUndisclosedConfig($context, $name)) {
+        if (self::isUndisclosedConfig($context, $name)) {
             // If the field is undisclosed, only return a 204 to indicate success without revealing the value
             return new JSONResponse(null, 204);
         }
@@ -265,6 +290,27 @@ public function setConfigValue(Request $request): Response
         ]);
     }
 
+    #[Route(path: '/Config', methods: ['GET'], middlewares: [ResultFormatterMiddleware::class])]
+    #[RouteVersion(introduced: '2.1')]
+    #[Doc\SearchRoute(schema_name: 'Config')]
+    public function searchConfigValues(Request $request): Response
+    {
+        return ResourceAccessor::searchBySchema($this->getKnownSchema('Config', $this->getAPIVersion($request)), $request->getParameters());
+    }
+
+    #[Route(path: '/Config/{context}', methods: ['GET'], requirements: [
+        'context' => '\w+'
+    ], middlewares: [ResultFormatterMiddleware::class])]
+    #[RouteVersion(introduced: '2.1')]
+    #[Doc\SearchRoute(schema_name: 'Config')]
+    public function searchConfigValuesByContext(Request $request): Response
+    {
+        $filters = $request->hasParameter('filter') ? $request->getParameter('filter') : '';
+        $filters .= ';context==' . $request->getAttribute('context');
+        $request->setParameter('filter', $filters);
+        return ResourceAccessor::searchBySchema($this->getKnownSchema('Config', $this->getAPIVersion($request)), $request->getParameters());
+    }
+
     #[Route(path: '/Config/{context}/{name}', methods: ['GET'], requirements: [
         'context' => '\w+',
         'name' => '\w+',
@@ -280,7 +326,7 @@ public function getConfigValue(Request $request): Response
         if (!$config->getFromDBByCrit(['context' => $context, 'name'    => $name,])) {
             return AbstractController::getNotFoundErrorResponse();
         }
-        if ($this->isUndisclosedConfig($context, $name) || !$config->can($config->getID(), READ)) {
+        if (self::isUndisclosedConfig($context, $name) || !$config->can($config->getID(), READ)) {
             return AbstractController::getAccessDeniedErrorResponse();
         }
         return new JSONResponse([
diff --git a/tests/functional/Glpi/Api/HL/Controller/SetupControllerTest.php b/tests/functional/Glpi/Api/HL/Controller/SetupControllerTest.php
@@ -239,8 +239,24 @@ public function testCRUDConfigValues()
                 ->status(static fn ($status) => $status === 204);
         });
 
+        // Can get a config value using GraphQL
+        $request = new Request('POST', '/GraphQL', [], 'query { Config(filter: "context==core;name==priority_2") { context, name, value } }');
+        $this->api->call($request, function ($call) {
+            /** @var \HLAPICallAsserter $call */
+            $call->response
+                ->isOK()
+                ->jsonContent(function ($content) {
+                    $this->assertArrayHasKey('data', $content);
+                    $this->assertArrayHasKey('Config', $content['data']);
+                    $this->assertCount(1, $content['data']['Config']);
+                    $config = $content['data']['Config'][0];
+                    $this->assertEquals('core', $config['context']);
+                    $this->assertEquals('priority_2', $config['name']);
+                    $this->assertEquals('#ffe0e0', $config['value']);
+                });
+        });
+
         // Cannot get an undisclosable config value using GraphQL
-        //FIXME: There are currently no restrictions in GraphQL to avoid fetching undisclosable config values
         $request = new Request('POST', '/GraphQL', [], 'query { Config(filter: "context==core;name==smtp_passwd") { context, name, value } }');
         $this->api->call($request, function ($call) {
             /** @var \HLAPICallAsserter $call */
@@ -252,6 +268,34 @@ public function testCRUDConfigValues()
                     $this->assertEmpty($content['data']['Config']);
                 });
         });
+
+        // Can search config values
+        $request = new Request('GET', '/Setup/Config');
+        $request->setParameter('filter', 'name==priority_2');
+        $this->api->call($request, function ($call) {
+            /** @var \HLAPICallAsserter $call */
+            $call->response
+                ->isOK()
+                ->jsonContent(function ($content) {
+                    $this->assertCount(1, $content);
+                    $config = $content[0];
+                    $this->assertEquals('core', $config['context']);
+                    $this->assertEquals('priority_2', $config['name']);
+                    $this->assertEquals('#ffe0e0', $config['value']);
+                });
+        });
+
+        // Cannot search undisclosable config values
+        $request = new Request('GET', '/Setup/Config');
+        $request->setParameter('filter', 'name==smtp_passwd');
+        $this->api->call($request, function ($call) {
+            /** @var \HLAPICallAsserter $call */
+            $call->response
+                ->isOK()
+                ->jsonContent(function ($content) {
+                    $this->assertEmpty($content);
+                });
+        });
     }
 
     public function testConfigNotIn2_0()
