don't disclose saved subscription key#23475
Open
orthagh wants to merge 2 commits intoglpi-project:11.0/bugfixesfrom
Open
don't disclose saved subscription key#23475orthagh wants to merge 2 commits intoglpi-project:11.0/bugfixesfrom
orthagh wants to merge 2 commits intoglpi-project:11.0/bugfixesfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR prevents admins from viewing an already-saved GLPI Network registration/subscription key in the UI, while reworking the setup page layout and adding a server-side “remove key” action.
Changes:
- Reworks the GLPI Network setup Twig template to only allow entering a key when none is saved, and adds a “Remove registration key” button.
- Adds a
reset_registration_keyhandler infront/config.form.phpto clear the saved key. - Updates Marketplace section UI (titles, helper text, buttons).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| templates/pages/setup/general/glpinetwork_setup.html.twig | Reworks the form/UI and hides the saved registration key; adds remove-key UI. |
| front/config.form.php | Adds POST handler to clear the saved registration key. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Following a discussion at Caen offices, I mainly removed the possibility to view a subscription key when it's already saved in GLPI configuration. Some people use it to copy advanced key from one instance to another.
It's always possible to retrieve the key in database, decrypt it with GLPI_KEY, but it requires more steps and more knowledge.
And I reworked a bit the page. The latter is rather simple, and the change should be OK even for 11.0/bugfixes.
Screenshots (if appropriate):