Bootstrap sync - dry run #20
Open
f2cmb wants to merge 4 commits into
- ajax/syncexecute.php: import Safe\session_write_close and narrow POST id with is_numeric before int cast (avoids cast.int on mixed)
- src/Inventory/LdapSyncExecutor.php, src/SyncFilter.php: rector FlipTypeControlToUseExclusiveTypeRector + NewlineAfterStatementRector
- front/authldapsyncfilter.form.php: drop always-true null guard and ignore argument.type on add() (phpstan drift from GLPI core bump)
Critical:
- SyncFilter: use AuthLDAP field 'deref_option' (not 'deref', which never exists and silently fell back to 0); robust is_numeric cast in both spots.

Major:
- LdapSyncExecutor: stop silently returning empty results — log + skipped++ when a SyncFilter has no linked AuthLDAP (executeSingleFilter) and log the null-AuthLDAP/null-builder preview paths. Prevents a false 'disappeared' signal for future lifecycle handling.
- LdapSyncExecutor::replacePlaceholders: substitute LDAP values inside the PHP structure (string leaves only) instead of into a re-serialized JSON string with a hand-rolled addcslashes escaper. Closes JSON key-injection and control-character corruption from attacker-controlled LDAP values.
- AuthLdapSyncFilter::prepareInputForAdd: whitelist the two relation foreign keys (array_intersect_key) to prevent mass assignment.
- SyncFilter::showBuilderMappingTab: render alerts via a Twig partial using core alerts_macros and pass Monaco CSS as a template var instead of echoing raw HTML from a class method.
- LdapSyncExecutor: trim verbose narrating class PHPDoc.

Tests:
- previewSyncFilter without linked AuthLDAP (result + log);
- replacePlaceholders cannot inject inventory keys / preserves control chars;
- prepareInputForAdd strips unknown keys.

Note: Hooks::CSRF_COMPLIANT intentionally NOT added — deprecated since GLPI 11.0 (CSRF enforced by CheckCsrfListener); declaring it would fail phpstan.
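The replacePlaceholders change described in the commit message above, as an added PHP example that is not code from this PR or the plugin: splicing a directory value into serialized JSON text lets the value add a key, while rewriting only the string leaves of the decoded array leaves the key set unchanged and keeps control characters intact. The function names, the `{name}` placeholder syntax, the stand-in escaper and all sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration: function names, the {name} placeholder syntax and all
// sample data are assumptions, not the plugin's code.

/** Before-style: splice values into the serialized JSON text. */
function replaceInJsonText(array $template, array $values): array
{
    $json = json_encode($template, JSON_THROW_ON_ERROR);
    foreach ($values as $name => $value) {
        // Stand-in escaper (assumed): escapes backslashes only. addcslashes()
        // emits C-style escapes and is not a JSON string encoder.
        $json = str_replace('{' . $name . '}', addcslashes($value, '\\'), $json);
    }
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

/** After-style: rewrite string leaves of the PHP array; keys never come from data. */
function replaceInStructure(array $template, array $values): array
{
    $pairs = [];
    foreach ($values as $name => $value) {
        $pairs['{' . $name . '}'] = $value;
    }
    array_walk_recursive($template, static function (&$leaf) use ($pairs): void {
        if (is_string($leaf)) {
            // strtr() replaces in one pass, so a substituted value that itself
            // contains "{other}" is not expanded a second time.
            $leaf = strtr($leaf, $pairs);
        }
    });
    return $template;
}

// Constructed inputs: a mapping template and directory-supplied attribute values.
$template = ['content' => ['hardware' => ['name' => '{cn}']]];
$quoted   = ['cn' => 'pc01","injected":"x'];
$control  = ['cn' => "pc\x01\n01"];

echo "text splice:\n";
var_dump(replaceInJsonText($template, $quoted)['content']['hardware']);
echo "structure walk:\n";
var_dump(replaceInStructure($template, $quoted)['content']['hardware']);
$out = replaceInStructure($template, $control);
echo "control characters preserved and round-trip through JSON: ";
var_dump(json_decode(json_encode($out, JSON_THROW_ON_ERROR), true) === $out);
```

Passing `$control` to the text-splice function instead makes `json_decode` throw, because the raw control character lands unescaped inside the JSON string.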
Description
Trigger an LDAP → GLPI inventory sync from a SyncFilter (Computer itemtype), in dry-run (preview create/update counts, no write) or execute (inject via Glpi\Inventory\Inventory). Adds ajax/syncexecute.php (rights + auth checks), LdapSyncExecutor, previewSyncFilter() and the execution UI. Rebased on main (PR #18).