Merge branch 'main' into fix/form-question-handle-null-value

Author: ccailly

API.md

@@ -5,12 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
-## [1.23.4] - Unreleased
+## [1.23.5] - Unreleased
 
 ### Fixed
 
 - Fix error when submitting a form with an hidden question of type `Field`
 
+## [1.23.4] - 2026-03-26
+
+### Fixed
+
+- Fix CRUD hooks to support the REST API regardless of session state
+- Fix SQL errors with custom dropdown fields
+- Fix wrong values displayed in massive actions when a form contains multiple custom dropdowns
+- Fix field entity during parent asset entity transfer
+
 ## [1.23.3] - 2026-02-12
 
 ### Added
@@ -19,6 +28,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Fixed
 
+- Fix `CVE-2026-23489`
 - Fix migration error caused by unknown itemtype in containers
 - Fix empty default value in multiple dropdown fields
 

CHANGELOG.md

@@ -211,7 +211,7 @@ function plugin_fields_MassiveActionsFieldsDisplay($options = [])
     $itemtypes = PluginFieldsContainer::getEntries('all');
 
     if (in_array($options['itemtype'], $itemtypes)) {
-        if ($options['options']['is_multiple']) {
+        if (isset($options['options']['is_multiple']) && $options['options']['is_multiple']) {
             Dropdown::showFromArray(
                 'multiple_dropdown_action',
                 [
@@ -434,3 +434,21 @@ function plugin_fields_addWhere($link, $nott, $itemtype, $ID, $val, $searchtype)
 
     return null;
 }
+
+function plugin_item_transfer_fields(array $options): void
+{
+    $itemtype = $options['type'] ?? null;
+    $container_ids = PluginFieldsContainer::findAllContainers($itemtype);
+
+    $container = new PluginFieldsContainer();
+    foreach ($container_ids as $id) {
+        $container->getFromDB($id);
+        $data = [
+            'plugin_fields_containers_id' => $id,
+            'itemtype' => $itemtype,
+            'items_id' => $options['newID'],
+            'entities_id' => $options['entities_id'],
+        ];
+        $container->updateFieldsValues($data, $itemtype, true);
+    }
+}

hook.php

@@ -1793,6 +1793,38 @@ public static function findContainer($itemtype, $type = 'tab', $subtype = '')
         return $id;
     }
 
+    public static function findAllContainers($itemtype)
+    {
+        $condition = ['is_active' => 1];
+
+        $entity = $_SESSION['glpiactiveentities'] ?? 0;
+        $condition += getEntitiesRestrictCriteria('', '', $entity, true, true);
+
+        $container = new PluginFieldsContainer();
+        $itemtypes = $container->find($condition);
+
+        if (empty($itemtypes)) {
+            return false;
+        }
+
+        $ids = [];
+        foreach ($itemtypes as $data) {
+            $dataitemtypes = PluginFieldsToolbox::decodeJSONItemtypes($data['itemtypes']);
+            if (in_array($itemtype, $dataitemtypes)) {
+                $id = $data['id'];
+                //profiles restriction
+                if (isset($_SESSION['glpiactiveprofile']['id']) && $_SESSION['glpiactiveprofile']['id'] != null && $id > 0) {
+                    $right = PluginFieldsProfile::getRightOnContainer($_SESSION['glpiactiveprofile']['id'], $id);
+                    if ($right >= READ) {
+                        $ids[] = $id;
+                    }
+                }
+            }
+        }
+
+        return $ids;
+    }
+
     /**
      * Post item hook for add
      * Do store data in db
@@ -1889,14 +1921,15 @@ public static function preItem(CommonDBTM $item)
         $loc_c->getFromDB($c_id);
 
         // check rights on $c_id
-
+        // The profile check is only enforced when an active user profile is present in session.
+        // Automated contexts (cron jobs, API token sessions without profile) bypass the check
+        // so that plugin fields can still be persisted — authentication is already enforced
+        // at a higher level by the GLPI API/cron layer.
         if (isset($_SESSION['glpiactiveprofile']['id']) && $_SESSION['glpiactiveprofile']['id'] != null && $c_id > 0) {
             $right = PluginFieldsProfile::getRightOnContainer($_SESSION['glpiactiveprofile']['id'], $c_id);
             if (($right > READ) === false) {
                 return false;
             }
-        } else {
-            return false;
         }
 
 
@@ -2217,8 +2250,11 @@ public static function getAddSearchOptions($itemtype, $containers_id = false)
                     $opt[$i]['datatype']   = 'specific';
                     $opt[$i]['searchtype'] = ['equals', 'notequals'];
                 } else {
-                    $opt[$i]['table']    = CommonDBTM::getTable($dropdown_matches['class']);
-                    $opt[$i]['field']    = 'name';
+                    $opt[$i]['table']    = getTableForItemType($dropdown_matches['class']);
+                    $opt[$i]['field']    = is_a($dropdown_matches['class'], CommonTreeDropdown::class, true)
+                        ? 'completename'
+                        : 'name';
+                    $opt[$i]['itemtype'] = $dropdown_matches['class'];
                     $opt[$i]['right']    = 'all';
                     $opt[$i]['datatype'] = 'dropdown';
 

inc/container.class.php

@@ -1151,13 +1151,15 @@ public static function prepareHtmlFields(
             $classname    = PluginFieldsContainer::getClassname($item->getType(), $container_obj->fields['name']);
             $dbu = new DbUtils();
             $obj = $dbu->getItemForItemtype($classname);
-            $found_values = $obj->find(
-                [
-                    'plugin_fields_containers_id' => $first_field['plugin_fields_containers_id'],
-                    'items_id'                    => $item->getID(),
-                ],
-            );
-            $found_v = array_shift($found_values);
+            if ($obj instanceof CommonDBTM) {
+                $found_values = $obj->find(
+                    [
+                        'plugin_fields_containers_id' => $first_field['plugin_fields_containers_id'],
+                        'items_id'                    => $item->getID(),
+                    ],
+                );
+                $found_v = array_shift($found_values);
+            }
         }
 
         // test status for "CommonITILObject" objects