0011530: Support multiple access levels above manage_user_threshold - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0011530	mantisbt	security	public	2010-02-22 04:08	2010-04-23 14:30

Reporter	~~SUZ~~	Assigned To	dhx
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.0
Target Version	1.2.1	Fixed in Version	1.2.1

Summary	0011530: Support multiple access levels above manage_user_threshold
Description	SOME_ROLE is a role lower than ADMINISTRATOR. g_manage_user_threshold is set to SOME_ROLE Now users with role SOME_ROLE can create new users, which is wanted. But they are able now to assign the newly created users global access levels greater than SOME_ROLE!
Tags	No tags attached.

~~SUZ~~ 2010-02-22 04:10 reporter ~0024456	Version is 1.1.8

dhx 2010-02-25 01:38 reporter ~0024509	Agreed with the need for this change. In the past MantisBT just made the wrong assumption that anyone with manage_user_threshold was an administrator. We also need to prevent those with manage_user_threshold from editing the accounts of people with equal or higher global access than they have. However this poses a problem with the top level of access (usually ADMINISTRATOR) where you want other administrators to be able to edit the accounts of fellow admins (ie. they should be able to delete themselves, make other people administrators, etc). These issues make the problem somewhat complicated (probably the reason MantisBT has just assumed manage_user_threshold should be set to ADMINISTRATOR all the time).

dhx 2010-03-31 09:51 reporter ~0024983	Fixed in 1.3.x and backported to 1.2.x. The changes are quite numerous (and complex in parts) so we need to test this thoroughly. Please let me know if you find any problems with the changes I've made. Thanks for reporting this bug.

MantisBT: master 25223c9e 2010-03-31 09:17 dhx Details Diff	Fix 0011530: Support multiple access levels above manage_user_threshold Traditionally manage_user_threshold was thought of as being an absolute global threshold which would allow any user the ability to modify any other user account. Thus manage_user_threshold effectively had to be the same as admin_site_threshold because users with manage_user_threshold could just modify accounts to escalate their permissions to the maximum level. This patch prevents users from modifying accounts which have an access level greater than their own. It also prevents users from creating accounts with with access levels greater than their own. Thus it is now possible to use manage_user_threshold as a separate permission level to admin_site_threshold. Users with an access level between manage_user_threshold <= user access level < admin_site_threshold can no longer escalate their permissions or modify the accounts of other users with a higher access level.	Affected Issues 0011530
	mod - manage_proj_user_remove.php	Diff File
	mod - manage_proj_user_copy.php	Diff File
	mod - manage_user_prune.php	Diff File
	mod - core/project_api.php	Diff File
	mod - manage_user_edit_page.php	Diff File
	mod - manage_user_proj_add.php	Diff File
	mod - manage_user_proj_delete.php	Diff File
	mod - manage_user_delete.php	Diff File
	mod - manage_user_update.php	Diff File
	mod - account_prefs_reset.php	Diff File
	mod - account_prefs_update.php	Diff File
	mod - manage_user_page.php	Diff File
	mod - manage_proj_edit_page.php	Diff File
	mod - manage_user_create.php	Diff File
	mod - manage_user_reset.php	Diff File
	mod - manage_user_create_page.php	Diff File
MantisBT: master-1.2.x 67f43bde 2010-03-31 09:17 dhx Details Diff	Fix 0011530: Support multiple access levels above manage_user_threshold Traditionally manage_user_threshold was thought of as being an absolute global threshold which would allow any user the ability to modify any other user account. Thus manage_user_threshold effectively had to be the same as admin_site_threshold because users with manage_user_threshold could just modify accounts to escalate their permissions to the maximum level. This patch prevents users from modifying accounts which have an access level greater than their own. It also prevents users from creating accounts with with access levels greater than their own. Thus it is now possible to use manage_user_threshold as a separate permission level to admin_site_threshold. Users with an access level between manage_user_threshold <= user access level < admin_site_threshold can no longer escalate their permissions or modify the accounts of other users with a higher access level.	Affected Issues 0011530
	mod - manage_user_proj_add.php	Diff File
	mod - manage_user_prune.php	Diff File
	mod - manage_user_delete.php	Diff File
	mod - account_prefs_update.php	Diff File
	mod - manage_user_proj_delete.php	Diff File
	mod - account_prefs_reset.php	Diff File
	mod - manage_user_page.php	Diff File
	mod - manage_user_edit_page.php	Diff File
	mod - manage_user_create_page.php	Diff File
	mod - manage_user_reset.php	Diff File
	mod - manage_user_create.php	Diff File
	mod - core/project_api.php	Diff File
	mod - manage_proj_edit_page.php	Diff File
	mod - manage_proj_user_copy.php	Diff File
	mod - manage_proj_user_remove.php	Diff File
	mod - manage_user_update.php	Diff File
MantisBT: master-1.2.x 86fc322d 2010-03-31 23:16 dhx Details Diff	Fix 0011530: Don't expose real name and email of higher users manage_user_threshold grants permission to users so that they can modify user accounts which have an equal or lower access level. Therefore we shouldn't be exposing the real name and email of users on view_user_page.php if the target user has a higher access level. The manage user link should also not appear when the target user has a higher access level.	Affected Issues 0011530
	mod - view_user_page.php	Diff File
MantisBT: master 7062c677 2010-03-31 23:16 dhx Details Diff	Fix 0011530: Don't expose real name and email of higher users manage_user_threshold grants permission to users so that they can modify user accounts which have an equal or lower access level. Therefore we shouldn't be exposing the real name and email of users on view_user_page.php if the target user has a higher access level. The manage user link should also not appear when the target user has a higher access level.	Affected Issues 0011530
	mod - view_user_page.php	Diff File
MantisBT: master 3c6e93b6 2010-08-10 08:59 dhx Details Diff	Fix 0011919: Typo prevents copying of users between projects A typo introduced with the patch for issue 0011530 prevented the copy users from project A to project B feature from working. Thanks to watergad for this patch.	Affected Issues 0011530, 0011919
	mod - manage_proj_user_copy.php	Diff File
MantisBT: master-1.2.x c6a1dd35 2010-08-10 08:59 dhx Details Diff	Fix 0011919: Typo prevents copying of users between projects A typo introduced with the patch for issue 0011530 prevented the copy users from project A to project B feature from working. Thanks to watergad for this patch.	Affected Issues 0011530, 0011919
	mod - manage_proj_user_copy.php	Diff File

View Issue Details

Activities

Related Changesets