expand read and update permissions for assets

front/computer.form.php

@@ -37,7 +37,7 @@
 
 include('../inc/includes.php');
 
-Session::checkRight("computer", READ);
+Session::checkRightsOr("computer", [READ, Computer::$read_assigned]);
 
 if (!isset($_GET["id"])) {
     $_GET["id"] = "";
@@ -124,6 +124,7 @@
 
    // Disconnect a computer from a printer/monitor/phone/peripheral
 } else {//print computer information
+    $computer->check($_GET['id'], READ);
     $menus = ["assets", "computer"];
     Computer::displayFullPageForItem($_GET['id'], $menus, [
         'withtemplate' => $_GET["withtemplate"],

front/computer.php

@@ -35,7 +35,7 @@
 
 include('../inc/includes.php');
 
-Session::checkRight("computer", READ);
+Session::checkRightsOr("computer", [READ, Computer::$read_assigned]);
 
 Html::header(Computer::getTypeName(Session::getPluralNumber()), $_SERVER['PHP_SELF'], "assets", "computer");
 

src/Cartridge.php

@@ -42,6 +42,7 @@
 class Cartridge extends CommonDBRelation
 {
     use Glpi\Features\Clonable;
+    use Glpi\Features\AssignableAsset;
 
    // From CommonDBTM
     protected static $forward_entity_to = ['Infocom'];
@@ -1433,10 +1434,14 @@ public static function displayTabContentForItem(CommonGLPI $item, $tabnum = 1, $
     public function getRights($interface = 'central')
     {
         $ci = new CartridgeItem();
-        return $ci->getRights($interface);
+        $rights = $ci->getRights($interface);
+        $rights[READ] = __('View all');
+        $rights[self::$read_assigned = __('View assigned');
+        $rights[UPDATE] = __('Update all');
+        $rights[self::$update_assigned] = __('Update assigned');
+        return $rights;
     }
 
-
     public static function getIcon()
     {
         return "ti ti-droplet-half-2-filled";

src/Computer.php

@@ -43,6 +43,7 @@ class Computer extends CommonDBTM
     use Glpi\Features\DCBreadcrumb;
     use Glpi\Features\Clonable;
     use Glpi\Features\Inventoriable;
+    use Glpi\Features\AssignableAsset;
 
    // From CommonDBTM
     public $dohistory                   = true;

src/Consumable.php

@@ -46,6 +46,7 @@
 class Consumable extends CommonDBChild
 {
     use Glpi\Features\Clonable;
+    use Glpi\Features\AssignableAsset;
 
    // From CommonDBTM
     protected static $forward_entity_to = ['Infocom'];
@@ -1089,7 +1090,12 @@ public static function displayTabContentForItem(CommonGLPI $item, $tabnum = 1, $
     public function getRights($interface = 'central')
     {
         $ci = new ConsumableItem();
-        return $ci->getRights($interface);
+        $rights = $ci->getRights($interface);
+        $rights[READ] = __('View all');
+        $rights[self::$read_assigned] = __('View assigned');
+        $rights[UPDATE] = __('Update all');
+        $rights[self::$update_assigned] = __('Update assigned');
+        return $rights;
     }
 
 

src/DeviceSimcard.php

@@ -36,6 +36,8 @@
 /// Class DeviceSimcard
 class DeviceSimcard extends CommonDevice
 {
+    use Glpi\Features\AssignableAsset;
+
     protected static $forward_entity_to = ['Item_DeviceSimcard', 'Infocom'];
 
     public static function getTypeName($nb = 0)
@@ -118,7 +120,6 @@ public function getImportCriteria()
         ];
     }
 
-
     public static function getIcon()
     {
         return "fas fa-sim-card";

src/Features/AssignableAsset.php

@@ -0,0 +1,142 @@
+<?php
+
+/**
+ * ---------------------------------------------------------------------
+ *
+ * GLPI - Gestionnaire Libre de Parc Informatique
+ *
+ * http://glpi-project.org
+ *
+ * @copyright 2015-2023 Teclib' and contributors.
+ * @copyright 2003-2014 by the INDEPNET Development Team.
+ * @licence   https://www.gnu.org/licenses/gpl-3.0.html
+ *
+ * ---------------------------------------------------------------------
+ *
+ * LICENSE
+ *
+ * This file is part of GLPI.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * ---------------------------------------------------------------------
+ */
+
+namespace Glpi\Features;
+
+use Glpi\DBAL\QueryExpression;
+use Session;
+
+trait AssignableAsset
+{
+    // TODO with PHP 8.2, we can use constants for these rights
+    public static int $read_assigned = 256;
+    public static int $update_assigned = 512;
+
+    public static function canView()
+    {
+        return Session::haveRightsOr(static::$rightname, [READ, self::$read_assigned]);
+    }
+
+    public function canViewItem()
+    {
+        if (!parent::canViewItem()) {
+            return false;
+        }
+
+        $is_assigned = $this->fields['users_id_tech'] === $_SESSION['glpiID'] ||
+            in_array((int) ($this->fields['groups_id_tech'] ?? 0), $_SESSION['glpigroups'], true);
+
+        if (!Session::haveRight(static::$rightname, READ)) {
+            return $is_assigned && Session::haveRight(static::$rightname, self::$read_assigned);
+        }
+
+        // Has global READ right
+        return true;
+    }
+
+    public static function canUpdate()
+    {
+        return Session::haveRightsOr(static::$rightname, [UPDATE, self::$update_assigned]);
+    }
+
+    public function canUpdateItem()
+    {
+        if (!parent::canUpdateItem()) {
+            return false;
+        }
+
+        $is_assigned = $this->fields['users_id_tech'] === $_SESSION['glpiID'] ||
+            in_array((int) ($this->fields['groups_id_tech'] ?? 0), $_SESSION['glpigroups'], true);
+
+        if (!Session::haveRight(static::$rightname, UPDATE)) {
+            return $is_assigned && Session::haveRight(static::$rightname, self::$update_assigned);
+        }
+
+        // Has global UPDATE right
+        return true;
+    }
+
+    public static function canDelete()
+    {
+        return parent::canDelete() && static::canUpdate();
+    }
+
+    public function canDeleteItem()
+    {
+        return parent::canDeleteItem() && $this->canUpdateItem();
+    }
+
+    public static function canPurge()
+    {
+        return parent::canPurge() && static::canUpdate();
+    }
+
+    public function canPurgeItem()
+    {
+        return parent::canPurgeItem() && $this->canUpdateItem();
+    }
+
+    public static function getAssignableVisiblityCriteria()
+    {
+        if (Session::haveRight(static::$rightname, READ)) {
+            return [new QueryExpression('1')];
+        }
+        if (Session::haveRight(static::$rightname, self::$read_assigned)) {
+            return [
+                'OR' => [
+                    'users_id_tech' => $_SESSION['glpiID'],
+                    'groups_id_tech' => $_SESSION['glpigroups'],
+                ],
+            ];
+        }
+        return [new QueryExpression('0')];
+    }
+
+    /**
+     * @param string $interface
+     * @phpstan-param 'central'|'helpdesk' $interface
+     * @return array
+     * @phpstan-return array<integer, string|array>
+     */
+    public function getRights($interface = 'central')
+    {
+        $rights = parent::getRights($interface);
+        $rights[READ] = __('View all');
+        $rights[self::$read_assigned] = __('View assigned');
+        $rights[UPDATE] = __('Update all');
+        $rights[self::$update_assigned] = __('Update assigned');
+        return $rights;
+    }
+}

src/Monitor.php

@@ -43,6 +43,7 @@ class Monitor extends CommonDBTM
     use Glpi\Features\DCBreadcrumb;
     use Glpi\Features\Clonable;
     use Glpi\Features\Inventoriable;
+    use Glpi\Features\AssignableAsset;
 
    // From CommonDBTM
     public $dohistory                   = true;
@@ -496,7 +497,6 @@ public static function rawSearchOptionsToAdd($itemtype = null)
         return $tab;
     }
 
-
     public static function getIcon()
     {
         return "ti ti-device-desktop";

src/NetworkEquipment.php

@@ -45,6 +45,7 @@ class NetworkEquipment extends CommonDBTM
     use Glpi\Features\DCBreadcrumb;
     use Glpi\Features\Clonable;
     use Glpi\Features\Inventoriable;
+    use Glpi\Features\AssignableAsset;
 
    // From CommonDBTM
     public $dohistory                   = true;

src/NetworkName.php

@@ -49,6 +49,8 @@
  **/
 class NetworkName extends FQDNLabel
 {
+    use Glpi\Features\AssignableAsset;
+
    // From CommonDBChild
     public static $itemtype              = 'itemtype';
     public static $items_id              = 'items_id';

src/Peripheral.php

@@ -43,6 +43,7 @@ class Peripheral extends CommonDBTM
     use Glpi\Features\DCBreadcrumb;
     use Glpi\Features\Clonable;
     use Glpi\Features\Inventoriable;
+    use Glpi\Features\AssignableAsset;
 
    // From CommonDBTM
     public $dohistory                   = true;
@@ -411,7 +412,6 @@ public static function rawSearchOptionsToAdd($itemtype = null)
         return $tab;
     }
 
-
     public static function getIcon()
     {
         return "fab fa-usb";

src/Phone.php

@@ -43,6 +43,7 @@ class Phone extends CommonDBTM
 {
     use Glpi\Features\Clonable;
     use Glpi\Features\Inventoriable;
+    use Glpi\Features\AssignableAsset;
 
    // From CommonDBTM
     public $dohistory                   = true;
@@ -510,7 +511,6 @@ public static function rawSearchOptionsToAdd($itemtype = null)
         return $tab;
     }
 
-
     public static function getIcon()
     {
         return "ti ti-phone";

src/Printer.php

@@ -45,6 +45,7 @@ class Printer extends CommonDBTM
 {
     use Glpi\Features\Clonable;
     use Glpi\Features\Inventoriable;
+    use Glpi\Features\AssignableAsset;
 
    // From CommonDBTM
     public $dohistory                   = true;
@@ -808,7 +809,6 @@ public function removeFromTrash($ID)
         return $this->restore(["id" => $ID]);
     }
 
-
     public static function getIcon()
     {
         return "ti ti-printer";

src/Search/Provider/SQLProvider.php

@@ -41,6 +41,7 @@
 use DBmysqlIterator;
 use Glpi\Application\View\TemplateRenderer;
 use Glpi\Debug\Profiler;
+use Glpi\Features\AssignableAsset;
 use Glpi\RichText\RichText;
 use Glpi\Search\Input\QueryBuilder;
 use Glpi\Search\SearchEngine;
@@ -992,6 +993,11 @@ public static function getDefaultWhereCriteria(string $itemtype): array
                 break;
         }
 
+        if (Toolbox::hasTrait($itemtype, AssignableAsset::class)) {
+            /** @var AssignableAsset $itemtype */
+            $criteria[] = $itemtype::getAssignableVisiblityCriteria();
+        }
+
         /* Hook to restrict user right on current itemtype */
         //TODO Plugin call works on raw SQL, should use criteria array instead
         [$itemtype, $criteria] = \Plugin::doHookFunction('add_default_where', [$itemtype, $criteria]);

src/Session.php

@@ -1362,7 +1362,7 @@ public static function haveRight($module, $right)
         }
 
         if (isset($_SESSION["glpiactiveprofile"][$module])) {
-            return intval($_SESSION["glpiactiveprofile"][$module]) & $right;
+            return (int)$_SESSION["glpiactiveprofile"][$module] & $right;
         }
 
         return false;

src/Software.php

@@ -43,6 +43,7 @@ class Software extends CommonDBTM
     use Glpi\Features\Clonable;
     use Glpi\Features\TreeBrowse;
     use AssetImage;
+    use Glpi\Features\AssignableAsset;
 
    // From CommonDBTM
     public $dohistory                   = true;