Add action to reapply Authorization Assignment Rules

CHANGELOG.md

@@ -35,6 +35,7 @@ The present file will list all changes made to the project; according to the
 - CLI commands for creating local GLPI users, enabling/disabling/deleting users, resetting local GLPI user passwords and granting profile assignments.
 - Cloning templates (such as computer templates)
 - Creating a template from an existing item (such as a computer). This action is only available from the Actions menu within the item form (bulk action not allowed).
+- Massive action for users to reapply authorization assignment rules.
 
 ### Changed
 - ITIL Objects can now be linked to any other ITIL Objects similar to the previous Ticket/Ticket links.

phpunit/functional/UserTest.php

@@ -2056,4 +2056,68 @@ public function testUnsetUndisclosedFieldsWithPartialFields()
 
         $this->assertEquals(['name' => 'test'], $fields);
     }
+
+    public function testReapplyRightRules()
+    {
+        $this->login();
+        $entities_id = $this->getTestRootEntity(true);
+
+        $user = new \User();
+        $user->getFromDB($_SESSION['glpiID']);
+
+        // Create a group that will be used to add a profile
+        $group = new \Group();
+        $groups_id = $group->add([
+            'name' => __FUNCTION__,
+            'entities_id' => $entities_id,
+        ]);
+
+        // Create a profile that will be added to the user
+        $profile = new \Profile();
+        $profiles_id = $profile->add([
+            'name' => __FUNCTION__,
+        ]);
+
+        // Create a rule that associates the profile to users with the group
+        $rule = new \RuleRight();
+        $rules_id = $rule->add([
+            'name' => __FUNCTION__,
+            'entities_id' => $entities_id,
+            'match' => 'AND',
+        ]);
+        (new \RuleCriteria())->add([
+            'rules_id' => $rules_id,
+            'criteria' => '_groups_id',
+            'condition' => 0,
+            'pattern' => $groups_id,
+        ]);
+        $action = new \RuleAction();
+        $action->add([
+            'rules_id' => $rules_id,
+            'action_type' => 'assign',
+            'field' => 'profiles_id',
+            'value' => $profiles_id,
+        ]);
+        $action->add([
+            'rules_id' => $rules_id,
+            'action_type' => 'assign',
+            'field' => 'entities_id',
+            'value' => $entities_id,
+        ]);
+
+        $this->assertNotContains($profiles_id, Profile_User::getUserProfiles($user->getID()));
+
+        $group_user = new \Group_User();
+        $group_user_id = $group_user->add([
+            'groups_id' => $groups_id,
+            'users_id' => $user->getID(),
+        ]);
+
+        $user->reapplyRightRules();
+        $this->assertContains($profiles_id, Profile_User::getUserProfiles($user->getID()));
+
+        $group_user->delete(['id' => $group_user_id]);
+        $user->reapplyRightRules();
+        $this->assertNotContains($profiles_id, Profile_User::getUserProfiles($user->getID()));
+    }
 }

src/User.php

@@ -1353,6 +1353,34 @@ public function post_updateItem($history = true)
         }
     }
 
+    /**
+     * Force authorization assignment rules to be processed for this user
+     * @return void
+     */
+    public function reapplyRightRules()
+    {
+        $rules  = new RuleRightCollection();
+        $this->applyRightRules();
+        $groups = Group_User::getUserGroups($this->getID());
+        $groups_id = array_column($groups, 'id');
+        $result = $rules->processAllRules(
+            $groups_id,
+            $this->fields,
+            [
+                'type' => $this->fields['authtype'],
+                'login' => $this->fields['name'],
+                'email' => UserEmail::getDefaultForUser($this->getID())
+            ]
+        );
+
+        $this->input = $result;
+        $this->willProcessRuleRight();
+        $this->syncLdapGroups();
+        $this->syncDynamicEmails();
+        $this->applyGroupsRules();
+        $this->applyRightRules();
+    }
+
     /**
      * Apply rules to determine dynamic rights of the user.
      *
@@ -3728,6 +3756,8 @@ public function getSpecificMassiveActions($checkitem = null)
                                                     __s('Clean LDAP fields and force synchronisation');
             $actions[$prefix . 'disable_2fa']           = "<i class='fas fa-user-lock'></i>" .
                                                       __s('Disable 2FA');
+            $actions[$prefix . 'reapply_rights']            = "<i class='" . Profile::getIcon() . "'></i>" .
+                                                      __s('Reapply authorization assignment rules');
         }
         return $actions;
     }
@@ -3850,6 +3880,18 @@ public static function processMassiveActionsForOneItemtype(
                     $totp->disable2FAForUser($id);
                     $ma->itemDone($item->getType(), $id, MassiveAction::ACTION_OK);
                 }
+                break;
+            case 'reapply_rights':
+                $user = new self();
+                foreach ($ids as $id) {
+                    if ($user->getFromDB($id)) {
+                        $user->reapplyRightRules();
+                        $ma->itemDone(self::class, $id, MassiveAction::ACTION_OK);
+                    } else {
+                        $ma->itemDone(self::class, $id, MassiveAction::ACTION_KO);
+                    }
+                }
+                break;
         }
         parent::processMassiveActionsForOneItemtype($ma, $item, $ids);
     }