Self-Service profile can always modify some dropdowns

[Anthn]

Hello !

First of all, thanks for this plugin that i found very useful and interesting.

I'm using the last version of GLPI and the plugin ( Glpi 9.4.2 and order 2.5.0)

I think i found something which is a little bit weird.
Indeed, as a self-service user, i can access directly to the two new dropdowns that were created with the 2.3.0 release of the plugin (#212).

There is nothing we can setup for this in the "Setup" rights of the profile. (Maybe the global dropdown right but it is not granted for self-service users)

Moreover, i tried to put 0 rights for this plugin to the self-service profile but i got the same results.

I can only modify this with the "full UI" (sorry if it sounds weird but i'm not sure about how to say this as i'm French). What i mean is that this menu is unreachable with the "formcreator" UI that i can activate for the profile.

The bad thing is that the user can create new Analytic Natures or Account Sections and he can even delete all of them.

Maybe i forgot to change something ? If anyone can tell us if he has the same behaviour, it would be nice.

If you want more details just tell me.

I don't really know where to look to fix this, sorry...

Step to reproduce this are quite easy, just use the self-service profile with the usual UI and go in setup -> dropdowns. They should be visible even if all rights are not granted to this menu.

Best regards,
Anthn

[AHinMaine]

I'm running GLPI 9.4.3 and Orders 2.5.1 and this problem still exists.

I created a Profile with every single item on every section unchecked, and I can still log in and update the "Analytic nature" and "Account section" dropdowns.

[AHinMaine]

I can see why. If you look here:

https://github.com/pluginsGLPI/order/blob/develop/inc/analyticnature.class.php#L43-L66

...you can see that every permission check returns true. Ouch.

None of the others are like this.