Fix - Register CRUD hooks regardless of session state to support REST API #1154

Merged
stonebuzz merged 5 commits into main from fix/api-crud-hooks-registered-without-session
Mar 11, 2026

@RomainLvr RomainLvr commented Mar 3, 2026

Checklist before requesting a review

Please delete options that are not relevant.

  • I have performed a self-review of my code.
  • I have added tests (when available) that prove my fix is effective or that my feature works.
  • I have updated the CHANGELOG with a short functional description of the fix or new feature.
  • This change requires a documentation update.

Description

  • It fixes !42453
  • Here is a brief description of what this PR does

When GLPI is booted to serve a REST API request, plugin_init_fields() runs before the API session is established (token auth happens after boot). Because the pre_item_update, pre_item_add, item_add and pre_item_purge hooks were registered inside the Session::getLoginUserID() guard, they were never registered for API calls. As a result, any PUT/POST to Ticket (or any other Fields-enabled itemtype) silently ignored all plugin field values and only persisted native GLPI fields.

A secondary issue in PluginFieldsContainer::preItem() caused the same failure: the else { return false; } branch on the profile rights check unconditionally rejected requests that had no active profile in session (cron, API token sessions).

Fix

  • setup.php — Move CRUD hooks (pre_item_update, pre_item_add, item_add, pre_item_purge), ITEM_TRANSFER and plugin_fields_register_plugin_types() outside the session guard. They are now registered as soon as the plugin is active, regardless of session state. Permission checks remain enforced inside the hook callbacks.
  • container.class.php — Remove the unconditional return false on missing session profile; the check is now skipped (not failed) when no profile is active in session.

Tests

ContainerItemUpdateTest.php — 4 new tests:

  • testCrudHooksRegisteredWithoutSession — asserts hooks are registered after a session-less plugin_init_fields() call
  • testUpdateTicketInApiLikeContext — full API lifecycle simulation (boot without session → restore session → update ticket with plugin fields)
  • testCreateTicketInApiLikeContext — same for ticket creation
  • testUpdateTicketWithExplicitCidInApiLikeContext — same with explicit c_id

@RomainLvr RomainLvr requested a review from stonebuzz March 3, 2026 14:22
@RomainLvr RomainLvr self-assigned this Mar 3, 2026
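
The boot-order problem and the fix described in this pull request, modelled as a stand-alone PHP script. This is an added example, not code from the pull request or from GLPI: `bootPlugin()`, `apiUpdate()`, this `preItemUpdate()`, the `RIGHT_UPDATE` constant and the sample ticket data are all constructed for illustration.

```php
<?php
// Added illustration, not GLPI or Fields plugin code: all names are hypothetical.
const RIGHT_UPDATE = 2;

/** Hook callback: decides at request time whether plugin fields may be saved. */
function preItemUpdate(array $input, ?array $profile): array
{
    // No active profile (cron, API token session): the rights check is skipped.
    // A profile that is present but lacks the right still loses the plugin fields.
    if ($profile !== null && ($profile['rights'] & RIGHT_UPDATE) === 0) {
        unset($input['plugin_fields']);
    }
    return $input;
}

/** Plugin boot. $guarded = true reproduces registration inside the session guard. */
function bootPlugin(?int $loginUserId, bool $guarded): array
{
    $hooks = [];
    if (!$guarded || $loginUserId !== null) {
        $hooks['pre_item_update'] = 'preItemUpdate';
    }
    return $hooks;
}

/** One API-style request: boot first (no session yet), authenticate, then update. */
function apiUpdate(bool $guarded, ?array $profileAfterAuth): array
{
    $hooks = bootPlugin(null, $guarded);          // token auth has not happened yet
    $input = ['name' => 'Printer down', 'plugin_fields' => ['room' => 'B12']];
    if (!isset($hooks['pre_item_update'])) {
        unset($input['plugin_fields']);           // no hook: only native fields persist
        return $input;
    }
    return $hooks['pre_item_update']($input, $profileAfterAuth);
}

$writer = ['rights' => RIGHT_UPDATE];             // constructed sample profiles
$reader = ['rights' => 0];

// Each line reports whether the plugin fields survived the update.
var_dump(array_key_exists('plugin_fields', apiUpdate(true, $writer)));   // guard at boot
var_dump(array_key_exists('plugin_fields', apiUpdate(false, $writer)));  // always registered
var_dump(array_key_exists('plugin_fields', apiUpdate(false, $reader)));  // rights enforced in callback
var_dump(array_key_exists('plugin_fields', apiUpdate(false, null)));     // no profile: check skipped
```

The first call drops the plugin fields because of registration timing alone, while the third drops them because the callback's own rights check refused the profile.
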

@Rom1-B Rom1-B left a comment

Please add "Using the Fields Plugin via GLPI REST API" to a new *.md file.

@RomainLvr RomainLvr requested a review from Rom1-B March 11, 2026 12:57
@stonebuzz stonebuzz merged commit 457944a into main Mar 11, 2026
3 checks passed
@stonebuzz stonebuzz deleted the fix/api-crud-hooks-registered-without-session branch March 11, 2026 13:32