View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0011530 | mantisbt | security | public | 2010-02-22 04:08 | 2010-04-23 14:30 |

| Field | Value |
|---|---|
| Reporter | |
| Assigned To | dhx |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.0 |
| Target Version | 1.2.1 |
| Fixed in Version | 1.2.1 |
| Summary | 0011530: Support multiple access levels above manage_user_threshold |
| Description | SOME_ROLE is a role lower than ADMINISTRATOR. But they are now able to assign newly created users global access levels greater than SOME_ROLE! |
| Tags | No tags attached. |
Version is 1.1.8
Agreed with the need for this change. In the past MantisBT just made the wrong assumption that anyone with manage_user_threshold was an administrator. We also need to prevent those with manage_user_threshold from editing the accounts of people with equal or higher global access than they have. However, this poses a problem with the top level of access (usually ADMINISTRATOR), where you want other administrators to be able to edit the accounts of fellow admins (i.e. they should be able to delete themselves, make other people administrators, etc.). These issues make the problem somewhat complicated (probably the reason MantisBT has just assumed manage_user_threshold should be set to ADMINISTRATOR all the time).
Fixed in 1.3.x and backported to 1.2.x. The changes are quite numerous (and complex in parts) so we need to test this thoroughly. Please let me know if you find any problems with the changes I've made. Thanks for reporting this bug.
MantisBT: master 25223c9e 2010-03-31 09:17

Fix 0011530: Support multiple access levels above manage_user_threshold

Traditionally manage_user_threshold was thought of as being an absolute global threshold which would allow any user the ability to modify any other user account. Thus manage_user_threshold effectively had to be the same as admin_site_threshold because users with manage_user_threshold could just modify accounts to escalate their permissions to the maximum level. This patch prevents users from modifying accounts which have an access level greater than their own. It also prevents users from creating accounts with access levels greater than their own. Thus it is now possible to use manage_user_threshold as a separate permission level to admin_site_threshold. Users with an access level between manage_user_threshold <= user access level < admin_site_threshold can no longer escalate their permissions or modify the accounts of other users with a higher access level.

Affected Issues: 0011530
mod - manage_proj_user_remove.php
mod - manage_proj_user_copy.php
mod - manage_user_prune.php
mod - core/project_api.php
mod - manage_user_edit_page.php
mod - manage_user_proj_add.php
mod - manage_user_proj_delete.php
mod - manage_user_delete.php
mod - manage_user_update.php
mod - account_prefs_reset.php
mod - account_prefs_update.php
mod - manage_user_page.php
mod - manage_proj_edit_page.php
mod - manage_user_create.php
mod - manage_user_reset.php
mod - manage_user_create_page.php
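The authorization rule described in the bug notes and in the commit message above, modelled as a small standalone check. This is an added illustration, not MantisBT's own code: the numeric levels are MantisBT's default access constants, while the two thresholds are a constructed configuration chosen so that MANAGER sits between manage_user_threshold and admin_site_threshold, which is exactly the range the fix is about.

```python
"""Model of the manage_user_threshold rule introduced for bug 0011530.

Added illustration, not MantisBT's own code. Numeric levels are MantisBT's
default access constants; the two thresholds are a constructed
configuration chosen so that MANAGER sits between them.
"""

# MantisBT default access levels
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90

# Constructed config: managers may administer users, only admins the site.
CONFIG = {"manage_user_threshold": MANAGER, "admin_site_threshold": ADMINISTRATOR}


def can_manage_user_legacy(actor_level, target_level, cfg=CONFIG):
    """Pre-fix behaviour: holding manage_user_threshold meant any account
    could be edited, regardless of the target's level."""
    return actor_level >= cfg["manage_user_threshold"]


def can_manage_user(actor_level, target_level, cfg=CONFIG):
    """Fixed rule: the actor must hold manage_user_threshold and the target
    may not outrank them. Equal levels stay allowed so administrators can
    still edit or delete fellow administrators (the admin-of-admins case)."""
    if actor_level < cfg["manage_user_threshold"]:
        return False
    return target_level <= actor_level


def can_assign_level(actor_level, new_level, cfg=CONFIG):
    """Creating a user or changing a level may not grant an access level
    above the actor's own; this is what closes the escalation path."""
    return actor_level >= cfg["manage_user_threshold"] and new_level <= actor_level


def can_view_contact_details(actor_level, target_level, cfg=CONFIG):
    """Rule from the follow-up commit: view_user_page.php shows real name,
    e-mail and the manage link only for users the actor may manage."""
    return can_manage_user(actor_level, target_level, cfg)


def escalation_possible(actor_level, legacy=False, cfg=CONFIG):
    """Regression oracle for the reported problem: can an actor below
    admin_site_threshold obtain an ADMINISTRATOR-level account by creating
    or editing one? True means the escalation path is open."""
    if actor_level >= cfg["admin_site_threshold"]:
        return True  # already an administrator, nothing to escalate
    if legacy:
        return can_manage_user_legacy(actor_level, ADMINISTRATOR, cfg)
    return can_assign_level(actor_level, ADMINISTRATOR, cfg)
```

Running `escalation_possible(MANAGER, legacy=True)` against `escalation_possible(MANAGER)` shows the behaviour before and after the patch for the same configuration.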
MantisBT: master-1.2.x 67f43bde 2010-03-31 09:17

Fix 0011530: Support multiple access levels above manage_user_threshold

Traditionally manage_user_threshold was thought of as being an absolute global threshold which would allow any user the ability to modify any other user account. Thus manage_user_threshold effectively had to be the same as admin_site_threshold because users with manage_user_threshold could just modify accounts to escalate their permissions to the maximum level. This patch prevents users from modifying accounts which have an access level greater than their own. It also prevents users from creating accounts with access levels greater than their own. Thus it is now possible to use manage_user_threshold as a separate permission level to admin_site_threshold. Users with an access level between manage_user_threshold <= user access level < admin_site_threshold can no longer escalate their permissions or modify the accounts of other users with a higher access level.

Affected Issues: 0011530
mod - manage_user_proj_add.php
mod - manage_user_prune.php
mod - manage_user_delete.php
mod - account_prefs_update.php
mod - manage_user_proj_delete.php
mod - account_prefs_reset.php
mod - manage_user_page.php
mod - manage_user_edit_page.php
mod - manage_user_create_page.php
mod - manage_user_reset.php
mod - manage_user_create.php
mod - core/project_api.php
mod - manage_proj_edit_page.php
mod - manage_proj_user_copy.php
mod - manage_proj_user_remove.php
mod - manage_user_update.php
MantisBT: master-1.2.x 86fc322d 2010-03-31 23:16

Fix 0011530: Don't expose real name and email of higher users

manage_user_threshold grants permission to users so that they can modify user accounts which have an equal or lower access level. Therefore we shouldn't be exposing the real name and email of users on view_user_page.php if the target user has a higher access level. The manage user link should also not appear when the target user has a higher access level.

Affected Issues: 0011530

mod - view_user_page.php
MantisBT: master 7062c677 2010-03-31 23:16

Fix 0011530: Don't expose real name and email of higher users

manage_user_threshold grants permission to users so that they can modify user accounts which have an equal or lower access level. Therefore we shouldn't be exposing the real name and email of users on view_user_page.php if the target user has a higher access level. The manage user link should also not appear when the target user has a higher access level.

Affected Issues: 0011530

mod - view_user_page.php
MantisBT: master 3c6e93b6 2010-08-10 08:59

Fix 0011919: Typo prevents copying of users between projects

A typo introduced with the patch for issue 0011530 prevented the copy users from project A to project B feature from working. Thanks to watergad for this patch.

Affected Issues: 0011530, 0011919

mod - manage_proj_user_copy.php
MantisBT: master-1.2.x c6a1dd35 2010-08-10 08:59

Fix 0011919: Typo prevents copying of users between projects

A typo introduced with the patch for issue 0011530 prevented the copy users from project A to project B feature from working. Thanks to watergad for this patch.

Affected Issues: 0011530, 0011919

mod - manage_proj_user_copy.php