Skip to content

Fixing CLI usage not having enough rights in GLPI's profile system #22996

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
C-Duv wants to merge 1 commit into
base: 11.0/bugfixes
Choose a base branch
from
Open

Fixing CLI usage not having enough rights in GLPI's profile system #22996

C-Duv wants to merge 1 commit into from
+5 −3

Conversation

@C-Duv
Copy link
Contributor

@C-Duv C-Duv commented Feb 3, 2026

Checklist before requesting a review

  • I have read the CONTRIBUTING document.
  • I have performed a self-review of my code.

Description

@trasher
Copy link
Contributor

trasher commented Feb 4, 2026

This breaks tests

cedric-anne
cedric-anne requested changes Feb 4, 2026
View reviewed changes
Copy link
Member

@cedric-anne cedric-anne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO, it is preferable to combine the usage of Session::callAsSystem() in the command with a Session::isRightChecksDisabled() check in the Profile::currentUserHaveMoreRightThan() method.

@C-Duv C-Duv force-pushed the fix/gh22931-cli_commands_not_having_enough_rights branch from c897d76 to a748323 Compare February 4, 2026 09:59
@C-Duv
Copy link
Contributor Author

C-Duv commented Feb 4, 2026

IMHO, it is preferable to combine the usage of Session::callAsSystem() in the command with a Session::isRightChecksDisabled() check in the Profile::currentUserHaveMoreRightThan() method.

@cedric-anne Something like that?

 src/Glpi/Console/User/ResetPasswordCommand.php | 3 +--
 src/Profile.php                                | 5 ++++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/Glpi/Console/User/ResetPasswordCommand.php b/src/Glpi/Console/User/ResetPasswordCommand.php
index 05d211fd55..e234f5f172 100644
--- a/src/Glpi/Console/User/ResetPasswordCommand.php
+++ b/src/Glpi/Console/User/ResetPasswordCommand.php
@@ -76,8 +76,7 @@ class ResetPasswordCommand extends AbstractUserCommand
         $user_input['password'] = $password;
         $user_input['password2'] = $password;
 
-
-        if ($user->update($user_input)) {
+        if (Session::callAsSystem(fn() => $user->update($user_input))) {
             $output->writeln('<info>' . __('Reset password successful.') . '</info>');
             return 0;
         } else {
diff --git a/src/Profile.php b/src/Profile.php
index 047eed3522..cfbec75846 100644
--- a/src/Profile.php
+++ b/src/Profile.php
@@ -743,7 +743,10 @@ class Profile extends CommonDBTM implements LinkableToTilesInterface
     {
         global $DB;
 
-        if (Session::isCron()) {
+        if (
+            Session::isRightChecksDisabled()
+            || Session::isCron()
+        ) {
             return true;
         }
         if (count($IDs) === 0) {

@C-Duv C-Duv requested a review from cedric-anne February 4, 2026 10:00
cedric-anne
cedric-anne requested changes Feb 4, 2026
View reviewed changes
Copy link
Member

@cedric-anne cedric-anne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please validate it works as expected? According to the lint test failure, you did not test it, or you would have detect the failure.

src/Glpi/Console/User/ResetPasswordCommand.php Outdated


if ($user->update($user_input)) {
if (Session::callAsSystem(fn() => $user->update($user_input))) {
Copy link
Member

@cedric-anne cedric-anne Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (Session::callAsSystem(fn() => $user->update($user_input))) {
if (\Session::callAsSystem(fn() => $user->update($user_input))) {

Copy link
Contributor Author

@C-Duv C-Duv Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do

Copy link
Contributor Author

@C-Duv C-Duv Feb 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix applied, it made vendor/bin/phpstan analyze happy.

(and the code still fixes #22931)

@C-Duv
fix(user): Gives CLI usage enough rights to reset passwords
4fbd83d 
The CLI/console `user:reset_password` was failing to reset an user's
password with:

> An error occurred during password update
> Unable to reset password, please contact your administrator

It's caused by `User::currentUserHaveMoreRightThan()` and/or
`Profile::currentUserHaveMoreRightThan()` not detecting the CLI
context of execution.

This commit makes sure `User::update()` is executed as the system to
bypass permissions enforcement and checks for such bypass in
`Profile::currentUserHaveMoreRightThan()`.

Issue: glpi-project#22931
@C-Duv C-Duv force-pushed the fix/gh22931-cli_commands_not_having_enough_rights branch from a748323 to 4fbd83d Compare February 4, 2026 12:57
@trasher trasher requested a review from cedric-anne February 11, 2026 06:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@trasher trasher trasher approved these changes

@cedric-anne cedric-anne Awaiting requested review from cedric-anne

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

user:reset_password console command gets an error

3 participants

@C-Duv @trasher @cedric-anne