fix missing removal of undisclosedFields

Author: orthagh

inc/apiclient.class.php

@@ -45,6 +45,10 @@ class APIClient extends CommonDBTM {
    // From CommonDBTM
    public $dohistory                   = true;
 
+   static $undisclosedFields = [
+      'app_token'
+   ];
+
    static function canCreate() {
       return Session::haveRight(static::$rightname, UPDATE);
    }

inc/authldap.class.php

@@ -94,6 +94,10 @@ class AuthLDAP extends CommonDBTM {
    //connection caching stuff
    static $conn_cache = [];
 
+   static $undisclosedFields = [
+      'rootdn_passwd',
+   ];
+
    static function getTypeName($nb = 0) {
       return _n('LDAP directory', 'LDAP directories', $nb);
    }
@@ -134,9 +138,6 @@ function post_getEmpty() {
       $this->fields['responsible_field']           = '';
    }
 
-   static public function unsetUndisclosedFields(&$fields) {
-      unset($fields['rootdn_passwd']);
-   }
 
    /**
     * Preconfig datas for standard system

inc/commondbtm.class.php

@@ -167,6 +167,13 @@ class CommonDBTM extends CommonGLPI {
     */
    protected static $foreign_key_fields_of = [];
 
+
+   /**
+    * Fields to remove when querying data with api
+    * @var array
+    */
+   static $undisclosedFields = [];
+
    /**
     * Constructor
    **/
@@ -456,6 +463,9 @@ function post_getFromDB() {
     * @return void
     */
    static public function unsetUndisclosedFields(&$fields) {
+      foreach (static::$undisclosedFields as $key) {
+         unset($fields[$key]);
+      }
    }
 
 

inc/mailcollector.class.php

@@ -94,6 +94,10 @@ class MailCollector  extends CommonDBTM {
    const REQUESTER_FIELD_FROM = 0;
    const REQUESTER_FIELD_REPLY_TO = 1;
 
+   static $undisclosedFields = [
+      'passwd',
+   ];
+
    static function getTypeName($nb = 0) {
       return _n('Receiver', 'Receivers', $nb);
    }
@@ -2004,10 +2008,6 @@ function cleanDBonPurge() {
       Rule::cleanForItemCriteria($this, '_mailgate');
    }
 
-   static public function unsetUndisclosedFields(&$fields) {
-      unset($fields['passwd']);
-   }
-
    /**
     * Get the requester field
     *

inc/user.class.php

@@ -55,6 +55,13 @@ class User extends CommonDBTM {
 
    static $rightname = 'user';
 
+   static $undisclosedFields = [
+      'password',
+      'personal_token',
+      'api_token',
+      'cookie_token',
+   ];
+
    private $entities = null;
 
 
@@ -273,9 +280,6 @@ function post_getEmpty() {
       }
    }
 
-   static public function unsetUndisclosedFields(&$fields) {
-      unset($fields['password']);
-   }
 
    function pre_deleteItem() {
       global $DB;

tests/APIBaseClass.php

@@ -1307,6 +1307,32 @@ public function testGetGlpiConfig() {
          ->hasKey('cfg_glpi');
       $this->array($data['cfg_glpi'])
          ->hasKey('infocom_types');
+   }
+
+
+   public function testUndisclosedField() {
+      // test common cases
+      $itemtypes = [
+         'APIClient', 'AuthLDAP', 'MailCollector', 'User'
+      ];
+      foreach ($itemtypes as $itemtype) {
+         $data = $this->query($itemtype, [
+            'headers'  => ['Session-Token' => $this->session_token]
+         ]);
+
+         $this->array($itemtype::$undisclosedFields)
+            ->size->isGreaterThan(0);
+
+         foreach ($itemtype::$undisclosedFields as $key) {
+            $this->array($data)->notHasKey($key);
+         }
+      }
+
+      // test specific cases
+      // Config
+      $data = $this->query('getGlpiConfig', [
+         'headers'  => ['Session-Token' => $this->session_token]
+      ]);
 
       // Test undisclosed data are actually not disclosed
       $this->array(Config::$undisclosedFields)