
IDProjectCategoryView StatusLast Update
0010491mantisbtapi soappublic2012-01-06 20:52
Reportereriede_globalgoldinc_com Assigned Tovboctor  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
OSWindowsOS VersionServer 2003 
Product Version1.1.6 
Fixed in Version1.2.0 
Summary0010491: mc_issue_add incorrect access level check
Description

mc_issue_add requires an access level of "developer" by default to add an issue. I believe that this should mirror the UI access level model, which lets users at the "reporter" access level add issues.

patch and files included.

Steps To Reproduce

Make the user a reporter, then execute this PHP snippet. The mantisconnect.php helper class file is attached to this report.

require("mantisconnect.php");

// The endpoint is plain http, so the credentials carried in every SOAP request
// travel unencrypted; use https for anything beyond a local test.
$endpoint = 'http://ggserver/mantis/api/soap/mantisconnect.php';
$mantis = new mantisconnect($endpoint, $_POST["username"], $_POST["password"]);

// Form fields are forwarded to the API unvalidated; the server-side access
// check on mc_issue_add is what this report exercises.
$issue = new mc_issue();
$issue->project = new mc_enum(3);
$issue->category = $_POST["category"];
foreach (array('reproducibility', 'severity', 'priority') as $enumField) {
    $issue->$enumField = new mc_enum($_POST[$enumField]);
}
foreach (array('summary', 'description') as $textField) {
    $issue->$textField = $_POST[$textField];
}
$id = $mantis->mc_issue_add($issue);

Additional Information

In mc_issue_api.php, line 394, the function mci_has_readwrite_access is called to check permissions. By default this requires DEVELOPER access. By changing the if condition to (user_get_access_level( $t_user_id, $t_project_id ) < REPORTER), my reporter users can now add issues through the SOAP API.

The patch may not be acceptable in your mainstream branch, because it looks like the user levels are configurable, so perhaps another access level check function is in order.

TagsNo tags attached.
Attached Files
mantisconnect.php (3,393 bytes)   
<?php
include("SOAP/Client.php");

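/**
 * Thin PEAR SOAP_Client wrapper around the MantisConnect web service.
 *
 * Every operation sends the username/password given at construction in the
 * request body, so the endpoint URL should be https outside a local test:
 * over plain http the credentials are transmitted in clear.
 *
 * On a failed call the mc_* methods return null and leave the PEAR error code
 * and message in $error_code / $error_msg; a successful call resets both.
 *
 * Properties are declared (the original created them dynamically) so the class
 * stays valid under PHP 8.2+, where dynamic properties are deprecated. They are
 * public because callers could already read them on the original object.
 */
class mantisconnect
{
    /** @var SOAP_Client client built from the endpoint's WSDL */
    public $soapclient;
    /** @var array<string, mixed> options passed with every call (tracing off) */
    public $soapoptions;
    public $username;
    public $password;
    /** @var int PEAR error code of the last call, 0 after a success */
    public $error_code;
    /** @var string PEAR error message of the last call, '' after a success */
    public $error_msg;

    /**
     * @param string $url      MantisConnect endpoint; "?wsdl" is appended for the client
     * @param string $user     account used for every call
     * @param string $password password of that account
     */
    public function __construct($url, $user, $password)
    {
        $this->soapclient  = new SOAP_Client($url . "?wsdl", true);
        $this->soapoptions = array('namespace' => 'http://futureware.biz/mantisconnect', 'trace' => 0);

        $this->username = $user;
        $this->password = $password;
        $this->clearError();
    }

    /**
     * Invoke one MantisConnect operation and normalise PEAR error objects.
     *
     * @param string $function operation name
     * @param array  $params   operation parameters (credentials included)
     * @return mixed the SOAP result, or null on error (see $error_code / $error_msg)
     */
    public function docall($function, $params)
    {
        $ret = $this->soapclient->call($function, $params, $this->soapoptions);

        if (PEAR::isError($ret)) {
            $this->error_code = $ret->getCode();
            $this->error_msg  = $ret->getMessage();
            return null;
        }

        $this->clearError();
        return $ret;
    }

    /** @return mixed priority enumeration, or null on error */
    public function mc_enum_priorities()
    {
        return $this->docall(__FUNCTION__, $this->credentials());
    }

    /** @return mixed reproducibility enumeration, or null on error */
    public function mc_enum_reproducibilities()
    {
        return $this->docall(__FUNCTION__, $this->credentials());
    }

    /** @return mixed severity enumeration, or null on error */
    public function mc_enum_severities()
    {
        return $this->docall(__FUNCTION__, $this->credentials());
    }

    /**
     * @param int|string $id project id
     * @return mixed categories of the project, or null on error
     */
    public function mc_project_get_categories($id)
    {
        return $this->docall(__FUNCTION__, $this->credentials(array('project_id' => $id)));
    }

    /**
     * @param int|string $id issue id
     * @return mixed issue data, or null on error
     */
    public function mc_issue_get($id)
    {
        return $this->docall(__FUNCTION__, $this->credentials(array('issue_id' => $id)));
    }

    /**
     * @param mc_issue $issue issue to create
     * @return mixed id of the created issue, or null on error
     */
    public function mc_issue_add($issue)
    {
        return $this->docall(__FUNCTION__, $this->credentials(array('issue' => $issue)));
    }

    /**
     * Parameter block shared by every operation: credentials first, then $extra,
     * in the same key order the original inline arrays used.
     *
     * @param array<string, mixed> $extra operation-specific parameters
     * @return array<string, mixed>
     */
    private function credentials($extra = array())
    {
        return array_merge(
            array('username' => $this->username, 'password' => $this->password),
            $extra
        );
    }

    /** Reset the per-call error state to "no error". */
    private function clearError()
    {
        $this->error_code = 0;
        $this->error_msg  = "";
    }
}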


/**** helper classes ****/

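/**
 * Plain data holder for the issue structure sent to mc_issue_add / returned
 * by mc_issue_get.
 *
 * Every field is declared with its initial value instead of being created
 * dynamically in a constructor, which keeps the class valid under PHP 8.2+
 * (dynamic properties are deprecated there). Declaration order matches the
 * original assignment order, so get_object_vars() enumerates the same keys in
 * the same order. A fresh issue has id 0, empty arrays for the four list
 * fields and null for everything else; the caller fills in what it needs.
 */
class mc_issue
{
    public $id = 0;
    public $view_state = null;
    public $last_updated = null;
    public $project = null;
    public $category = null;
    public $priority = null;
    public $severity = null;
    public $status = null;
    public $reporter = null;

    public $summary = null;
    public $version = null;
    public $build = null;
    public $platform = null;
    public $os = null;
    public $os_build = null;
    public $reproducibility = null;

    public $date_submitted = null;
    public $sponsorship_total = null;
    public $handler = null;
    public $projection = null;

    public $eta = null;

    public $resolution = null;

    public $fixed_in_version = null;
    public $description = null;
    public $steps_to_reproduce = null;
    public $additional_information = null;
    public $attachments = array();
    public $relationships = array();
    public $notes = array();
    public $custom_fields = array();
}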

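/**
 * Reference to an enumeration value (project, severity, priority, ...),
 * identified by id and/or name.
 *
 * Only the parts that were supplied become properties: an omitted id or name
 * is left undefined rather than set to null, so get_object_vars() does not
 * include it. The "supplied" test is a strict null comparison; the original
 * loose `!= null` silently dropped an id of 0 or "0" (and an empty string),
 * which now pass through unchanged.
 *
 * The attribute keeps the conditional dynamic properties valid under PHP 8.2+;
 * on older versions the line is parsed as a comment.
 */
#[\AllowDynamicProperties]
class mc_enum
{
    /**
     * @param int|string|null $id   enumeration id, or null to omit it
     * @param string|null     $name enumeration name, or null to omit it
     */
    public function __construct($id, $name = null)
    {
        if ($id !== null) {
            $this->id = $id;
        }
        if ($name !== null) {
            $this->name = $name;
        }
    }
}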

Relationships

related to 0013656 closedrombert Reporters have read/write access to existing data of other users 
has duplicate 0009076 closedvboctor mc_issue_add fails to create issue using user with "informer" access level 

Activities

vboctor

vboctor

2009-10-06 03:47

manager   ~0023074

Marked as confirmed. This was by design; however, so far I have found two issues reported relating to this. I guess it makes sense for reporters to have access by default.

Related Changesets

MantisBT: master 2ceb6071

2009-10-10 00:27

vboctor


Fix 0010491: mc_issue_add incorrect access level check. Affected Issues
0010491
mod - api/soap/mc_config_defaults_inc.php Diff File

MantisBT: master-1.2.x 5d821dd1

2009-10-10 00:27

vboctor


Fix 0010491: mc_issue_add incorrect access level check. Affected Issues
0010491
mod - api/soap/mc_config_defaults_inc.php Diff File