MantisBT: master f82f98cc

Author: dhx
Committer: dhx
Branch: master
Timestamp: 2012-06-02 00:10
Parent: master 8208170b
Affected Issues
  0014015: Users with access level REPORTER cannot delete own attachments despite allow_delete_own_attachments = ON;
  0014016: CVE-2012-2692 Users with access level >= update_bug_threshold can delete any attachment
Changeset

Fix 0014016: delete_attachments_threshold is not checked

Roland Becker (MantisBT developer) reported the following
security/access control bug:

In a default installation delete_attachments_threshold is set to
DEVELOPER but having access level >= update_bug_threshold is enough to
delete attachments if form_security_validation is set to OFF.

MantisBT was not checking the access level of the user requesting
deletion of an attachment to an issue against
$g_delete_attachments_threshold.

The new access control logic for deleting an issue attachment is now:

  1. Does the user have an access level of at least update_bug_threshold?
  2. If the user is the owner of the file and
    $g_allow_delete_own_attachments=OFF, does this user have an access level
    of at least delete_attachments_threshold?
  3. If the user is not the owner of the file, do they have an access
    level of at least delete_attachments_threshold?

Also refer to issue 0014015 for discussion on whether
update_bug_threshold should be part of the access control logic.

The relevant SOAP API call has also been updated.

Conflicts:
bug_file_delete.php

mod - api/soap/mc_issue_attachment_api.php
mod - bug_file_delete.php
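As an added illustration (not MantisBT's own code, and not part of this changeset), the following stand-alone script models the pre-fix check and the three-step rule described in the commit message side by side. The access-level constants use MantisBT's default numeric values; the function and config-array names are hypothetical, and the cases are constructed.

```php
<?php
// Access-level constants with MantisBT's default numeric values.
const REPORTER  = 25;
const UPDATER   = 40;
const DEVELOPER = 50;

// Pre-fix behaviour: only update_bug_threshold was consulted, so any
// user at or above it could delete any attachment (the 0014016 bug).
function can_delete_before(int $user_level, bool $is_owner, array $cfg): bool {
    return $user_level >= $cfg['update_bug_threshold'];
}

// Post-fix behaviour: the three steps listed in the commit message.
function can_delete_after(int $user_level, bool $is_owner, array $cfg): bool {
    // 1. At least update_bug_threshold is always required.
    if ($user_level < $cfg['update_bug_threshold']) {
        return false;
    }
    // 2. The owner may delete when allow_delete_own_attachments is ON;
    //    when it is OFF the owner is treated like any other user.
    if ($is_owner && $cfg['allow_delete_own_attachments']) {
        return true;
    }
    // 3. Otherwise delete_attachments_threshold applies.
    return $user_level >= $cfg['delete_attachments_threshold'];
}

// Constructed configuration mirroring the defaults named in the message.
$cfg = [
    'update_bug_threshold'         => UPDATER,
    'delete_attachments_threshold' => DEVELOPER,
    'allow_delete_own_attachments' => false,
];

// Constructed cases: [label, user access level, user owns the file?]
$cases = [
    ['UPDATER, not owner',   UPDATER,   false],
    ['UPDATER, owner',       UPDATER,   true],
    ['DEVELOPER, not owner', DEVELOPER, false],
];
foreach ($cases as [$label, $level, $owner]) {
    printf("%-22s before=%-5s after=%s\n", $label,
        var_export(can_delete_before($level, $owner, $cfg), true),
        var_export(can_delete_after($level, $owner, $cfg), true));
}
```

Setting `allow_delete_own_attachments` to `true` in `$cfg` shows step 2 granting the UPDATER owner case while step 1 still blocks anyone below update_bug_threshold, which is the point raised in issue 0014015.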