[0.85.5+] Group View SQL Bug + Solution

administrator · 2015-11-19 15:50:58

Hi,

I found a bug in the group view, resulting in missing ticket categories.

Maybe related: http://forum.glpi-project.org/viewtopic.php?id=130556

Affected versions: 0.85.5 , 0.90.0, current git master (and maybe 0.85.x)

The group view shows only "Tickets to be processed". All other categories (Your observed tickets, Your tickets to close, Your tickets in progress) will not work, due to a SQL bug.

In the function "showCentralList" of the file "ticket.class.php". https://github.com/glpi-project/glpi/bl … .class.php

Line: 4475 - 4493

      if ($showgrouptickets) {
         $search_users_id = " 0 = 1 ";
         $search_assign   = " 0 = 1 ";
         if (count($_SESSION['glpigroups'])) {
            $groups        = implode(",",$_SESSION['glpigroups']);
4481            $search_assign = " (`glpi_groups_tickets`.`groups_id` IN (".$groups.")
                                AND `glpi_groups_tickets`.`type` = '".CommonITILActor::ASSIGN."')";

            if (Session::haveRight(self::$rightname, self::READGROUP)) {
4485               $search_users_id = " (`glpi_groups_tickets`.`groups_id` IN ('$groups')
                                     AND `glpi_groups_tickets`.`type`
                                           = '".CommonITILActor::REQUESTER."') ";
4488               $search_observer = " (`glpi_groups_tickets`.`groups_id` IN ('$groups')
                                     AND `glpi_groups_tickets`.`type`
                                           = '".CommonITILActor::OBSERVER."') ";
            }
         }
      }

Short: ('$groups') must be replaced with (".$groups.") in line 4485 & 4488

Long:
Due to the single quote ' in ('$groups') the SQL filter is comparing a number (`glpi_groups_tickets`.`groups_id`) to a string (list of group ids). But we want to "find" the groups.id in a list of numbers.

Line 4481 shows the correct use.

 $search_assign = " (`glpi_groups_tickets`.`groups_id` IN (".$groups.")

Line 4485 & 4488 use the wrong syntax, including the group number list in single quotes and defining a SQL string.

 $search_users_id = " (`glpi_groups_tickets`.`groups_id` IN ('$groups')

I changed this two lines in our version 0.85.5 and the other ticket categories are now visible.

Last edited by administrator (2015-11-19 15:59:28)

yllen · 2015-11-20 14:07:02

Corrected: https://github.com/glpi-project/glpi/co … 81a30d9fa9
Thanks

Forum GLPI-Project

Announcement

#1 2015-11-19 15:50:58

[0.85.5+] Group View SQL Bug + Solution

#2 2015-11-20 14:07:02

Re: [0.85.5+] Group View SQL Bug + Solution

Board footer