View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010647 | mantisbt | bugtracker | public | 2009-06-29 10:10 | 2009-10-07 14:19 |
Reporter | kc | Assigned To | dhx | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.0rc1 | ||||
Target Version | 1.2.0rc2 | Fixed in Version | 1.2.0rc2 | ||
Summary | 0010647: bug_update access denied error when user hasn't got permission to update roadmap | ||||
Description | After update to 1.2rc1 I can't close any projects with access level Tester and below. | ||||
Tags | No tags attached. | ||||
By default we don't have a "tester" access level. I assume you have defined your own access level in custom_constants_inc.php (note that custom_constant_inc.php was renamed, yet they both still work until v1.3). 1.2.0rc1 includes a stack of bug fixes that make custom access levels work correctly. The fact that your TESTER level was working OK in 1.1.x is probably a bit of luck and coincidence. You will need to go through config_defaults_inc.php and copy relevant settings to your own config_inc.php file, changing the access level as required to TESTER. Also review the documentation in reference to how you set up a custom workflow. You will need to set up the custom TESTER status correctly according to the documentation. |
|
I am having the same problem as this, but with the built-in UPDATER role. [Workflow Transitions] [Workflow Thresholds] For updater: Notes Capability Also, if the user does not have permission to perform an operation, should the option be there at all? |
|
I solved the problem. $g_handle_bug_threshold = REPORTER; AND $g_roadmap_update_threshold = REPORTER; |
|
I notice that you haven't set: Update an issue: yes This is required for someone to update an issue. These checks must all be true for someone to be able to update an issue: I'm fairly certain there is a bug with (3) which I'll look into. Could you please try setting either of these options to ON in config_inc.php to see if that solves your issue? Also ensure that the "Update an issue" checkbox is ticked on the Workflow Thresholds page for the Updater access level. |
|
kc, I'm confused about what your actual problem was... you said "close any projects" yet I'm not sure what this means. Which page does the problem occur on (check the URL in your browser). Is it view.php? |
|
@kc @dhx In this instance, the user has not previously been involved in the issue at all, he is simply a tester who is verifying that the issue has been resolved and then closes the issue. Therefore, the options you have mentioned would appear to be irrelevant. |
|
no, it is bug_update.php I think the error occurs because of the different access levels of these two variables: $g_handle_bug_threshold = REPORTER; The access level of the user is REPORTER. After I changed the variables to $g_handle_bug_threshold = REPORTER; everything works. |
|
Aha, I understand now. This is pretty much the same bug I fixed a while ago in bug_report.php but I didn't think about porting it across to bug_update.php as well. Please see http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=bd5076906d7c8596dc3ba9ce5352c9be9c85f4b3 I'll patch this in a minute. Thanks for your patience in trying to explain this to me :) |
|
Fixed. Thanks again for taking the time to report this bug! |
|
MantisBT: master c2ef5a6c 2009-06-30 22:17 |
Fix 0010647: check permissions before updating target_version Related to bd5076906d7c8596dc3ba9ce5352c9be9c85f4b3 The new BugData class has access checks built into __set so we can't update a field without permission to do so. We need to ensure that target_version is only updated when the current user has permission to do so. |
Affected Issues 0010647 |
|
mod - bug_update.php |
mod - api/soap/mc_issue_api.php |
MantisBT: master-1.2.x ad56aaa8 2009-06-30 22:17 |
Fix 0010647: check permissions before updating target_version Related to bd5076906d7c8596dc3ba9ce5352c9be9c85f4b3 The new BugData class has access checks built into __set so we can't update a field without permission to do so. We need to ensure that target_version is only updated when the current user has permission to do so. |
Affected Issues 0010647 |
|
mod - bug_update.php |
mod - api/soap/mc_issue_api.php |
MantisBT: master 0cfb73e9 2009-06-30 22:26 |
Don't require access check for fixed_in_version handle_bug_threshold is documented as the threshold at which someone can be assigned to a bug. Therefore we shouldn't be checking this threshold when changing the fixed_in_version field - update_bug_threshold is enough (we use it for every other field). Fixes 0010647 |
Affected Issues 0010647 |
|
mod - core/bug_api.php |
MantisBT: master-1.2.x 87a5dc26 2009-06-30 22:26 |
Don't require access check for fixed_in_version handle_bug_threshold is documented as the threshold at which someone can be assigned to a bug. Therefore we shouldn't be checking this threshold when changing the fixed_in_version field - update_bug_threshold is enough (we use it for every other field). Fixes 0010647 |
Affected Issues 0010647 |
|
mod - core/bug_api.php |
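
The pattern behind the "check permissions before updating target_version" fix above, as an added PHP sketch that is not MantisBT source code: the update handler assigns target_version only when the current user passes the roadmap threshold, while the data object's setter keeps its own check. The `IssueModel` class, both handler functions, the field-to-threshold map and the sample form are hypothetical; the access-level numbers are MantisBT's default constants.

```php
<?php
// Added illustration, not MantisBT source. Class, function and map names are hypothetical.
const REPORTER = 25;   // MantisBT default access-level values
const DEVELOPER = 55;

final class IssueModel {
    // Constructed sample record.
    private array $fields = ['status' => 'resolved', 'target_version' => '1.2.0rc2'];
    // Hypothetical map: fields guarded by a threshold other than update_bug_threshold.
    private const GUARDED = ['target_version' => 'roadmap_update_threshold'];

    public function __construct(private int $userLevel, private array $thresholds) {}

    public function canSet(string $field): bool {
        $key = self::GUARDED[$field] ?? 'update_bug_threshold';
        return $this->userLevel >= $this->thresholds[$key];
    }

    // Setter-level check, modelled on the commit message's description of BugData::__set.
    public function __set(string $field, $value): void {
        if (!$this->canSet($field)) {
            throw new RuntimeException("Access denied: $field");
        }
        $this->fields[$field] = $value;
    }

    public function __get(string $field) { return $this->fields[$field] ?? null; }
}

// Before: every posted field is assigned, so the whole update is denied.
function updateUnchecked(IssueModel $issue, array $form): void {
    foreach ($form as $field => $value) { $issue->$field = $value; }
}

// After: target_version is assigned only when permitted; other fields still hit __set.
function updateChecked(IssueModel $issue, array $form): void {
    foreach ($form as $field => $value) {
        if ($field === 'target_version' && !$issue->canSet($field)) {
            continue; // keep the stored value, ignore the posted one
        }
        $issue->$field = $value;
    }
}

// Constructed thresholds and form post: a REPORTER closing an issue.
$cfg  = ['update_bug_threshold' => REPORTER, 'roadmap_update_threshold' => DEVELOPER];
$form = ['status' => 'closed', 'target_version' => '9.9'];
try { updateUnchecked(new IssueModel(REPORTER, $cfg), $form); }
catch (RuntimeException $e) { echo 'unchecked: ', $e->getMessage(), "\n"; }
$issue = new IssueModel(REPORTER, $cfg);
updateChecked($issue, $form);
echo "checked: status={$issue->status} target_version={$issue->target_version}\n";
```

With the caller-side check, a posted target_version from a user below the threshold is dropped rather than applied or turned into a failed update, and the setter's own check still rejects any code path that forgets it.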