reauth on massive action actions

SebSept · SebSept · commit b02ce614d374 · 2026-04-29T15:07:31.000+02:00
diff --git a/ajax/dropdownMassiveActionAuthMethods.php b/ajax/dropdownMassiveActionAuthMethods.php
@@ -62,5 +62,5 @@
             break;
     }
 
-    echo "&nbsp;<input type='submit' name='" . htmlescape($name) . "' class='btn btn-primary' value=\"" . _sx('button', 'Post') . "\">";
+    echo "&nbsp;<input type='submit' name='" . htmlescape($name) . "' class='btn btn-primary' value=\"" . _sx('button', 'Post 1') . "\">";
 }
diff --git a/ajax/dropdownMassiveActionField.php b/ajax/dropdownMassiveActionField.php
@@ -55,7 +55,7 @@
 if (isset($_POST['inline']) && $_POST['inline']) {
     $inline = true;
 }
-$submitname = _sx('button', 'Post');
+$submitname = _sx('button', 'Post 2');
 if (isset($_POST['submitname']) && $_POST['submitname']) {
     $submitname = htmlescape($_POST['submitname']);
 }
diff --git a/ajax/massiveaction.php b/ajax/massiveaction.php
@@ -34,10 +34,15 @@
  */
 
 /**
- * @since 0.84
+ * Display a massive action form
  */
 
 global $CFG_GLPI;
+/**
+ * $_POST
+ *      - item
+ *          - <user_id> : <un nombre?>
+ */
 
 header("Content-Type: text/html; charset=UTF-8");
 Html::header_nocache();
diff --git a/front/massiveaction.php b/front/massiveaction.php
@@ -33,6 +33,9 @@
  * ---------------------------------------------------------------------
  */
 
+use Glpi\Exception\RedirectException;
+use Glpi\Security\ReAuth\ReAuthManager;
+
 require_once(__DIR__ . '/_check_webserver_config.php');
 
 global $CFG_GLPI;
@@ -41,7 +44,17 @@
 Html::header_nocache();
 
 try {
+    $referer = get_item_type_from_post() ?? '/'; // page used to trigger massive action
+    $reauth_manager = new ReAuthManager();
+    $reauth_manager->setCancelURL($referer);
+    $reauth_manager->checkReAuthenticationOrRedirect();
+
     $ma = new MassiveAction($_POST, $_GET, 'process');
+    $ma->setRedirect($referer);
+}
+// process redirect exceptions
+catch (RedirectException $e) {
+    throw $e;
 } catch (Throwable $e) {
     Html::popHeader(__('Bulk modification error'));
 
@@ -96,4 +109,22 @@
         Session::addMessageAfterRedirect($message, false, ERROR);
     }
 }
+
 Html::redirect($results['redirect']);
+
+function get_item_type_from_post(): ?string
+{
+    global $CFG_GLPI;
+
+    $items = isset($_POST['items']) ? array_keys($_POST['items']) : [];
+    if (count($items) === 1) {
+        /** @var class-string<CommonDBTM> $item_type */
+        $item_type = $items[0];
+        return (new $item_type())->getRedirectToListUrl();
+    } elseif (count($items) > 1) {
+        // the sole item list with mixed itemtype
+        return $CFG_GLPI["root_doc"] . '/front/allassets.php';
+    }
+
+    return null;
+}
diff --git a/src/Glpi/Controller/Security/ReAuthController.php b/src/Glpi/Controller/Security/ReAuthController.php
@@ -109,10 +109,11 @@ private function buildTemplateContext(): array
         }
 
         return [
-            'redirect' => $this->reAuthManager->getRedirectURL(),
-            'action'   => $this->router->generate('reauth_verify'),
-            'label'    => $this->reAuthManager->getLabel(),
-            'template' => $this->reAuthManager->getPromptTemplate(),
+            'redirect'      => $this->reAuthManager->getRedirectURL(),
+            'cancel_url'    => $this->reAuthManager->getCancelURL(),
+            'action'        => $this->router->generate('reauth_verify'),
+            'label'         => $this->reAuthManager->getLabel(),
+            'template'      => $this->reAuthManager->getPromptTemplate(),
         ];
     }
 }
diff --git a/src/Glpi/Security/ReAuth/ReAuthManager.php b/src/Glpi/Security/ReAuth/ReAuthManager.php
@@ -65,17 +65,20 @@ public function checkReAuthenticationOrRedirect(): void
      */
     public function redirect(): never
     {
-        global $CFG_GLPI;
-
-        $current_url = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST'] . explode('?', $_SERVER['REQUEST_URI'])[0];
+        $this->setRedirect();
+        throw new RedirectException('/ReAuth/Prompt');
+    }
 
-        $this->setRedirectURL($current_url);
-        $this->setRedirectMethod($_SERVER['REQUEST_METHOD'] === 'POST' ? 'POST' : 'GET');
-        $this->setRedirectData($_SERVER['REQUEST_METHOD'] === 'POST' ? $_POST : $_GET);
+    public function getButtonToReauthPrompt(): string
+    {
+        $this->setRedirect();
 
-        throw new RedirectException('/ReAuth/Prompt');
+        return '<a href="ReAuth/Prompt">Reauth</a>'; // @todo manque la base_url + sprintf avec i18n
     }
 
+    /**
+     * User has a valid reauth session
+     */
     public function isReAuthenticated(): bool
     {
         $current_limit_timestamp = $_SESSION['glpi_reauth_until'] ?? null;
@@ -118,6 +121,11 @@ public function getRedirectURL(): string
         return $_SESSION['glpi_reauth_redirect'] ?? '/';
     }
 
+    public function getCancelURL(): string
+    {
+        return $_SESSION['glpi_reauth_cancel_url'] ?? $this->getRedirectURL();
+    }
+
     /** @return array<string, string> */
     public function getRedirectData(): array
     {
@@ -132,6 +140,20 @@ public function getRedirectMethod(): string
         return $_SESSION['glpi_reauth_httpmethod'] ?? 'GET';
     }
 
+    public function setCancelURL(string $url): void
+    {
+        $_SESSION['glpi_reauth_cancel_url'] = $url;
+    }
+
+    private function setRedirect(): void
+    {
+        $current_url = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST'] . explode('?', $_SERVER['REQUEST_URI'])[0];
+
+        $this->setRedirectURL($current_url);
+        $this->setRedirectMethod($_SERVER['REQUEST_METHOD'] === 'POST' ? 'POST' : 'GET');
+        $this->setRedirectData($_SERVER['REQUEST_METHOD'] === 'POST' ? $_POST : $_GET);
+    }
+
     private function getStrategy(): ReAuthStrategyInterface
     {
         if ($this->strategy === null) {
diff --git a/src/Html.php b/src/Html.php
@@ -1979,6 +1979,7 @@ public static function getOpenMassiveActionsForm($name = '')
      *    - tag_to_send      : the tag of the elements to send to the ajax window (default: common)
      *    - action_button_classes : string of classes to add to the action button
      *    - display          : display or return the generated html (default true)
+     *    - reauth_needed    : a user reauth is required @todo revert
      *
      * @return bool|string     the html if display parameter is false, or true
      **/
@@ -1988,6 +1989,7 @@ public static function showMassiveActions($options = [])
 
         /// TODO : permit to pass several itemtypes to show possible actions of all types : need to clean visibility management after
 
+        // default values, if not set in $options
         $p['ontop']                 = true;
         $p['num_displayed']         = -1;
         $p['forcecreate']           = false;
@@ -2008,12 +2010,14 @@ public static function showMassiveActions($options = [])
         $p['tag_to_send']           = 'common';
         $p['action_button_classes'] = 'btn btn-sm btn-primary me-2';
         $p['display']               = true;
+        $p['reauth_needed']         = false;
 
         foreach ($options as $key => $val) {
             if (isset($p[$key])) {
                 $p[$key] = $val;
             }
         }
+        unset($options);
 
         $url = $CFG_GLPI['root_doc'] . "/ajax/massiveaction.php";
         if ($p['container']) {
@@ -2053,6 +2057,7 @@ public static function showMassiveActions($options = [])
             && ($max > 0)
             && ($max < ($p['num_displayed'] + 10))
         ) {
+            // error : too much checkbox checked, too much items to process
             if (
                 !$p['ontop']
                 || (isset($p['forcecreate']) && $p['forcecreate'])
@@ -2068,8 +2073,30 @@ public static function showMassiveActions($options = [])
                     );
                 }
             }
-        } else {
+        }
+        else
+        {
+//            @todo revert
+            // Reauth is needed : "Actions" button will trigger redirection to ReAuth/Prompt page instead of opening massive action modal
+//            if($p['reauth_needed'] === true) {
+//                $out = '<a role="button" class="'. htmlescape($p['action_button_classes']) . '" href="/ReAuth/Prompt" >Reauth</a>';
+//                // normalement : passer par reauthManager::redirect()
+//                // @todo i18n
+//                // @todo laisser le même libélé pour ne pas perturber les utilisateurs
+//                // @todo manque le ~glpi_rootdoc
+//                //         path: "/ReAuth/Prompt",
+//                //        name: "reauth_prompt",
+//                if ($p['display']) {
+//                    echo $out;
+//                    return true; // @todo false ??
+//                } else {
+//                    return $out;
+//                }
+//            }
+
             // Create Modal window on top
+
+
             if (
                 $p['ontop']
                 || (isset($p['forcecreate']) && $p['forcecreate'])
@@ -2188,6 +2215,7 @@ public static function showDateField($name, $options = [])
             'on_change'    => '',
         ];
 
+        // replace $p values with value from $option
         foreach ($options as $key => $val) {
             if (isset($p[$key])) {
                 $p[$key] = $val;
diff --git a/src/MassiveAction.php b/src/MassiveAction.php
@@ -80,6 +80,7 @@ class MassiveAction
 
     /**
      * Class used to process current action.
+     * @var class-string|null
      */
     private string $processor;
 
@@ -819,7 +820,7 @@ public function showSubForm()
      **/
     public function showDefaultSubForm()
     {
-        echo Html::submit(_x('button', 'Post'), [
+        echo Html::submit(_x('button', 'Post 3'), [
             'name'  => 'massiveaction',
             'icon'  => 'ti ti-device-floppy',
             'class' => 'btn btn-sm btn-primary',
@@ -852,6 +853,7 @@ public static function showMassiveActionsSubForm(MassiveAction $ma)
                 ]);
                 echo '<br>';
                 echo Html::submit(_x('button', 'Post'), [
+                echo Html::submit(_x('button', 'Post 4'), [
                     'name'  => 'massiveaction',
                 ]);
                 return true;
@@ -1068,7 +1070,19 @@ public static function showMassiveActionsSubForm(MassiveAction $ma)
                             "infocom"  => UPDATE,
                         ]);
                     } else {
-                        $so_item->checkGlobal(UPDATE);
+                        // redirect to reauth if needed // @todo cleanup
+                        // pas possible de faire redirection ici, c'est géré en ajax : pas d'effet
+                        // mais on peut afficher un bouton vers la reauth et on redirige vers la page actuelle
+                        $reauth_needed = null;
+                        $allowed = $so_item->canGlobal(UPDATE, $reauth_needed); // @todo juste update ? action delete/purge/etc
+                        if (!$allowed && !$reauth_needed) {
+                            // just to throw the redirect Exception, maybe we can refactor
+                            // maybe we can refactor \CommonDBTM::checkGlobal to call \CommonDBTM::throwAccessDeniedException.
+                            // then we can just call this method here instead of checkGlobal()
+                            $so_item->checkGlobal(UPDATE);
+                        }
+                        // continue event if not currently authorized, to show the submit button
+                        // right check (and reauth redirection) will be process on form submission
                     }
 
                     $itemtype_search_options = SearchOption::getOptionsForItemtype($so_itemtype);
@@ -1160,7 +1174,7 @@ public static function showMassiveActionsSubForm(MassiveAction $ma)
                 if (isset($ma->POST['submitname']) && $ma->POST['submitname']) {
                     $submitname = $ma->POST['submitname'];
                 } else {
-                    $submitname = _x('button', 'Post');
+                    $submitname = _x('button', 'Post 5');
                     $submit_options['icon'] = 'ti ti-device-floppy';
                 }
                 echo Html::submit($submitname, $submit_options);
@@ -1192,7 +1206,7 @@ public static function showMassiveActionsSubForm(MassiveAction $ma)
                 if (isset($ma->POST['submitname']) && $ma->POST['submitname']) {
                     $submitname = $ma->POST['submitname'];
                 } else {
-                    $submitname = _x('button', 'Post');
+                    $submitname = _x('button', 'Post 6');
                     $submit_options['icon'] = 'ti ti-device-floppy';
                 }
                 echo Html::submit($submitname, $submit_options);
@@ -1218,7 +1232,7 @@ public static function showMassiveActionsSubForm(MassiveAction $ma)
                 if (isset($ma->POST['submitname']) && $ma->POST['submitname']) {
                     $submitname = $ma->POST['submitname'];
                 } else {
-                    $submitname = _x('button', 'Post');
+                    $submitname = _x('button', 'Post 7');
                     $submit_options['icon'] = 'ti ti-device-floppy';
                 }
                 echo Html::submit($submitname, $submit_options);
diff --git a/src/User.php b/src/User.php
@@ -3145,7 +3145,9 @@ public static function processMassiveActionsForOneItemtype(
             case 'force_user_ldap_update':
             case 'clean_ldap_fields':
                 foreach ($ids as $id) {
-                    if ($item->can($id, UPDATE)) {
+
+                    $reauth_needed = null;
+                    if ($item->can($id, UPDATE, reauth_needed: $reauth_needed)) {
                         if (
                             $item instanceof User
                             && (
@@ -3164,6 +3166,10 @@ public static function processMassiveActionsForOneItemtype(
                             $ma->addMessage($item->getErrorMessage(ERROR_ON_ACTION));
                         }
                     } else {
+                        if ($reauth_needed) {
+                            self::redirectToReauthPrompt();
+                        }
+
                         $ma->itemDone($item::class, $id, MassiveAction::ACTION_NORIGHT);
                         $ma->addMessage($item->getErrorMessage(ERROR_RIGHT));
                     }
diff --git a/templates/components/form/buttons.html.twig b/templates/components/form/buttons.html.twig
@@ -73,6 +73,7 @@
 
             {% set reauth_needed = null %}
             {% set _canedit = canedit and item.can(id, constant('UPDATE'), {}, reauth_needed) %}
+             {# @todo autre droits que UPDATE traiter #}
             {% if canedit or reauth_needed %}
                <button
                   class="btn btn-primary me-2"
diff --git a/templates/components/search/controls.html.twig b/templates/components/search/controls.html.twig
@@ -32,6 +32,10 @@
 
 {% if showmassiveactions and count > 0 %}
     <div class="massiveactions-control card-header search-header ps-3 animate__animated animate__faster d-none">
+        {# add reauth_needed entry in massiveactionparams #}
+{#        {{ dump(item, item.fields) }}#}
+        {# @todo revert - c géré dans  ajax/massiveaction.php #}
+{#        {% set massiveactionparams = massiveactionparams|merge({'reauth_needed': item.isUserReauthenticationNeeded, 'item': item }) %} #}{# @todo peut être qu'il ne faudrait pas écraser les val de item #}
         {% do call('Html::showMassiveActions', [massiveactionparams]) %}
     </div>
 {% endif %}
diff --git a/templates/pages/reauth/prompt.html.twig b/templates/pages/reauth/prompt.html.twig
@@ -44,7 +44,6 @@
    {% endif %}
 
    <form method="post" action="{{ action }}" data-submit-once autocomplete="off">
-      <input type="hidden" name="_glpi_csrf_token" value="{{ csrf_token() }}" />
       <input type="hidden" name="redirect" value="{{ redirect }}" />
 
       <div class="mb-3">
@@ -53,8 +52,13 @@
       </div>
 
       <div class="d-flex justify-content-end gap-2">
-         <a href="{{ redirect }}" class="btn btn-outline-secondary">{{ __('Cancel') }}</a>
+
+          {# cancel button #}
+         <a href="{{ cancel_url }}" class="btn btn-outline-secondary">{{ __('Cancel') }}</a>
+
+          {# submit/verify button #}
          <button type="submit" class="btn btn-primary">{{ __('Verify') }}</button>
+
       </div>
    </form>
 {% endblock %}
diff --git a/templates/pages/redirect_post.html.twig b/templates/pages/redirect_post.html.twig
@@ -50,7 +50,6 @@
 </head>
 <body>
     <form method="{{ http_method }}" action="{{ url }}" id="redirect-form" data-submit-once>
-        <input type="hidden" name="_glpi_csrf_token" value="{{ csrf_token() }}">
         {{ _self.render_inputs(post_data, '') }}
     </form>
     <script>document.getElementById('redirect-form').submit();</script>

Original file line number	Diff line number	Diff line change
`@@ -62,5 +62,5 @@`
`62`	`62`	`break;`
`63`	`63`	`}`
`64`	`64`
`65`		`- echo " <input type='submit' name='" . htmlescape($name) . "' class='btn btn-primary' value=\"" . _sx('button', 'Post') . "\">";`
	`65`	`+ echo " <input type='submit' name='" . htmlescape($name) . "' class='btn btn-primary' value=\"" . _sx('button', 'Post 1') . "\">";`
`66`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@`
`55`	`55`	`if (isset($_POST['inline']) && $_POST['inline']) {`
`56`	`56`	`$inline = true;`
`57`	`57`	`}`
`58`		`-$submitname = _sx('button', 'Post');`
	`58`	`+$submitname = _sx('button', 'Post 2');`
`59`	`59`	`if (isset($_POST['submitname']) && $_POST['submitname']) {`
`60`	`60`	`$submitname = htmlescape($_POST['submitname']);`
`61`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -109,10 +109,11 @@ private function buildTemplateContext(): array`
`109`	`109`	`}`
`110`	`110`
`111`	`111`	`return [`
`112`		`- 'redirect' => $this->reAuthManager->getRedirectURL(),`
`113`		`- 'action' => $this->router->generate('reauth_verify'),`
`114`		`- 'label' => $this->reAuthManager->getLabel(),`
`115`		`- 'template' => $this->reAuthManager->getPromptTemplate(),`
	`112`	`+ 'redirect' => $this->reAuthManager->getRedirectURL(),`
	`113`	`+ 'cancel_url' => $this->reAuthManager->getCancelURL(),`
	`114`	`+ 'action' => $this->router->generate('reauth_verify'),`
	`115`	`+ 'label' => $this->reAuthManager->getLabel(),`
	`116`	`+ 'template' => $this->reAuthManager->getPromptTemplate(),`
`116`	`117`	`];`
`117`	`118`	`}`
`118`	`119`	`}`