ACL does not work when AJAX reload

Moderator: crythias

takeno
Znuny newbie
Posts: 17
Joined: 06 Sep 2017, 14:33
Znuny Version: OTRS6
Location: Kanagawa,Japan

ACL does not work when AJAX reload

Post by takeno »

Hello.

I've set up an ACL configuration like below.

Code:

$Self->{TicketAcl}->{'04-restrict-ITSMDecision'} = {
  'Possible' => {},
  'PossibleAdd' => {},
  'PossibleNot' => {
    'Ticket' => {
      'DynamicField_ITSMDecisionResult' => [
        'Approved',
        'Rejected'
      ]
    }
  },
  'Properties' => {
    'Frontend' => {
      'Action' => [
        'CustomerTicketProcess'
      ]
    }
  },
  'PropertiesDatabase' => {},
  'StopAfterMatch' => 0
};

1. Open a new process ticket. -> /customer.pl?Action=CustomerTicketProcess
2. Focus ITSMDecisionResult. It looks good: the customer cannot select "Approved" or "Rejected".
3. Reselect one of the other fields, e.g. Priority "5 very high".
4. (AJAX reload.)
5. Focus ITSMDecisionResult: "Approved" and "Rejected" are selectable.

Is this a bug or something wrong with my settings? :(
I'm using OTRS 5.0.15.
OTRS 6.0.19, CentOS 7, postgreSQL 9.2.4

Re: ACL does not work when AJAX reload

Post by takeno »

After updating OTRS to 5.0.22, this problem has disappeared. :)

Re: ACL does not work when AJAX reload

Post by takeno »

After updating OTRS to 5.0.23, the problem is reproduced.
ACL does not appropriately restrict options.

I updated to:
  • OTRS-5.0.23
  • ITSMCore-5.0.15
  • ITSMIncidentProblemManagement-5.0.15
  • ITSMConfigurationManagement-5.0.15
I found CVE-2010-4763. (http://cve.mitre.org/cgi-bin/cvename.cg ... -2010-4763)
I feel this report resembles my problem.

Can anyone help me?
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: ACL does not work when AJAX reload

Post by jojo »

Please show your process how the customer would change this field.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com

Re: ACL does not work when AJAX reload

Post by takeno »

My process is below. (I replaced some field names due to my organization's policy.)
The moment the customer selects DynamicField_LocationClass or Queue, an AJAX reload happens immediately, and DynamicField_ITSMDecisionResult is not restricted.

Code:

---
Activities:
  Activity-1227716d977eb146a6e3339c5179701f:
    ActivityDialogs:
    - ActivityDialog-1f34156bcadc20a3d9bf84409aa7c27b
    ChangeTime: 2017-03-08 18:46:42
    Config:
      ActivityDialog:
        '1': ActivityDialog-1f34156bcadc20a3d9bf84409aa7c27b
    CreateTime: 2017-03-08 18:46:32
    EntityID: Activity-1227716d977eb146a6e3339c5179701f
    ID: 1
    Name: some_request
ActivityDialogs:
  ActivityDialog-1f34156bcadc20a3d9bf84409aa7c27b:
    ChangeTime: 2017-09-06 19:01:01
    Config:
      DescriptionLong: ''
      DescriptionShort: some_request-forma
      FieldOrder:
      - DynamicField_corpid
      - DynamicField_ITSMDueDate
      - Type
      - Queue
      - Priority
      - CustomerID
      - State
      - DynamicField_unit
      - DynamicField_LocationClass
      - DynamicField_ITSMReviewRequired
      - Article
      - DynamicField_ITSMDecisionResult
      Fields:
        Article:
          Config:
            ArticleType: note-external
            TimeUnits: '0'
          DefaultValue: ''
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '2'
        CustomerID:
          DefaultValue: ''
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '2'
        DynamicField_ITSMDecisionResult:
          DefaultValue: ''
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '1'
        DynamicField_ITSMDueDate:
          DefaultValue: ''
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '1'
        DynamicField_ITSMReviewRequired:
          DefaultValue: ''
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '1'
        DynamicField_LocationClass:
          DefaultValue: ''
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '2'
        DynamicField_corpid:
          DefaultValue: ''
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '2'
        DynamicField_unit:
          DefaultValue: ''
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '1'
        Priority:
          DefaultValue: ''
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '2'
        Queue:
          DefaultValue: desk_agent
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '2'
        State:
          DefaultValue: ''
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '2'
        Type:
          DefaultValue: ServiceRequest
          DescriptionLong: ''
          DescriptionShort: ''
          Display: '2'
      Interface:
      - AgentInterface
      - CustomerInterface
      Permission: ''
      RequiredLock: '0'
      SubmitAdviceText: ''
      SubmitButtonText: ''
    CreateTime: 2017-03-08 18:45:44
    EntityID: ActivityDialog-1f34156bcadc20a3d9bf84409aa7c27b
    ID: 1
    Name: some_request-forma
Process:
  Activities:
  - Activity-1227716d977eb146a6e3339c5179701f
  ChangeTime: 2017-03-08 18:47:01
  Config:
    Description: some_request
    Path:
      Activity-1227716d977eb146a6e3339c5179701f: {}
    StartActivity: Activity-1227716d977eb146a6e3339c5179701f
    StartActivityDialog: ActivityDialog-1f34156bcadc20a3d9bf84409aa7c27b
  CreateTime: 2017-03-08 18:41:38
  EntityID: Process-1a50af452502049431aef8a4045a8bdf
  ID: 1
  Layout:
    Activity-1227716d977eb146a6e3339c5179701f:
      left: '176'
      top: '79'
  Name: some_request
  State: Active
  StateEntityID: S1
  TransitionActions: []
  Transitions: []

Re: ACL does not work when AJAX reload

Post by takeno »

It's my mistake. After updating to the new ITSM package 5.0.23, the problem is cleared.

Sorry, everyone.
nedmaj
Znuny expert
Posts: 167
Joined: 26 Nov 2014, 20:34
Znuny Version: 6.3.4
Real Name: Samuel Casimiro
Company: Câmara dos Deputados

Re: ACL does not work when AJAX reload

Post by nedmaj »

I use OTRS 5.0.26 and the problem remains.

ACL works properly when the process form loads for the first time. But after an AJAX reload, the ACL doesn't work.

Here's my ACL code:

Code:

---
- ChangeBy: P_7029
  ChangeTime: 2018-07-11 18:10:52
  Comment: ~
  ConfigChange:
    Possible:
      Ticket:
        SLA:
        - '[regexp].*\(AMC\).*'
  ConfigMatch:
    PropertiesDatabase:
      Queue:
        QueueID:
        - '381'
  CreateBy: P_7029
  CreateTime: 2018-07-11 16:22:09
  Description: ''
  ID: '681'
  Name: TicketXFilaAMCSLA
  StopAfterMatch: 0
  ValidID: '1'
Samuel

Znuny 6.3.4 | OTRS 5.0.17
OS: Debian 11 | CentOS 6.5
Database: Postgres | Oracle 12.1
Number of agents: 450 | Number of customers: 20000 | Number of CIs: 30000
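
An added example, not part of the thread and not OTRS code: a simplified Python model of the ACL filtering both posted ACLs rely on (Properties and PropertiesDatabase matching, Possible, PossibleNot, the [regexp] prefix), used to list options that an AJAX refresh offers although the ACL excludes them. The `form` and `stored` context shapes, the function names and any option lists passed in are assumptions made for illustration.

```python
import re

# ACLs from the two posts, transcribed to Python dicts (only the keys this
# simplified model evaluates are kept).
ACLS = {
    "04-restrict-ITSMDecision": {
        "Properties": {"Frontend": {"Action": ["CustomerTicketProcess"]}},
        "PossibleNot": {"Ticket": {
            "DynamicField_ITSMDecisionResult": ["Approved", "Rejected"]}},
    },
    "TicketXFilaAMCSLA": {
        "PropertiesDatabase": {"Queue": {"QueueID": ["381"]}},
        "Possible": {"Ticket": {"SLA": [r"[regexp].*\(AMC\).*"]}},
    },
}

def _hit(pattern, value):
    """Compare one ACL entry with one value; '[regexp]' marks a regex."""
    if pattern.startswith("[regexp]"):
        return re.search(pattern[len("[regexp]"):], value) is not None
    return pattern == value

def _matches(conditions, context):
    """True when every listed property has at least one matching entry."""
    return all(
        any(_hit(p, context.get(section, {}).get(key, "")) for p in patterns)
        for section, keys in conditions.items()
        for key, patterns in keys.items()
    )

def allowed(field, options, form, stored):
    """Options left for `field`; `form` is request data, `stored` is DB data."""
    for name in sorted(ACLS):
        acl = ACLS[name]
        if not (_matches(acl.get("Properties", {}), form)
                and _matches(acl.get("PropertiesDatabase", {}), stored)):
            continue
        white = acl.get("Possible", {}).get("Ticket", {}).get(field)
        black = acl.get("PossibleNot", {}).get("Ticket", {}).get(field, [])
        if white is not None:
            options = [o for o in options if any(_hit(p, o) for p in white)]
        options = [o for o in options if not any(_hit(p, o) for p in black)]
    return options

def ajax_regressions(field, options, form, stored, ajax_options):
    """Values an AJAX refresh offered although the ACL model excludes them."""
    permitted = set(allowed(field, options, form, stored))
    return [o for o in ajax_options if o not in permitted]
```

Pass `ajax_options` the option values read from the field after the reload; a non-empty result means the refreshed form offers values the ACL should have removed, which is worth rechecking after each OTRS or ITSM package update.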