View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0012517 | mantisbt | api soap | public | 2010-11-06 12:27 | 2011-04-05 14:23 |
Reporter | maschneider | Assigned To | rombert | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Target Version | 1.2.5 | Fixed in Version | 1.2.5 | ||
Summary | 0012517: Users can view private bugs | ||||
Description | If you use the mc_issue_get() method of the SOAP interface to get bug notes, you can return information on issues in private projects. | ||||
Steps To Reproduce | | ||||
Additional Information | I just looked in the source. I noticed that the security check looks like this in mc_issue_get() in mc_issue_api.php: if( !mci_has_readonly_access( $t_user_id, $t_project_id ) ) { This uses user_get_access_level(), which uses project_get_local_user_access_level(). If you look at the documentation you can read: "Return the user's local (overridden) access level on the project or false if the user is not listed on the project" (project_api.php:452). If the user is not related to the project, the method always returns false and the global access level is compared; whether the project is private is never asked. The only way to fix this is to use the internal access_api of Mantis. So the fix is: if( !access_has_bug_level( VIEWER, $p_issue_id, $t_user_id ) ){ | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
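To make the reporter's point concrete, here is an added, self-contained PHP model of the two checks. It is not MantisBT code: the data arrays, the constant values and the helper names are constructed stand-ins for the real project_api/user_api/access_api behaviour (administrator overrides are left out). The old SOAP-style check falls back to the user's global level whenever the user is not listed on the project, so a private project is never consulted; the access_api-style check resolves the bug's project and refuses unlisted users on a private project before comparing levels.

```php
<?php
declare(strict_types=1);

// Access-level thresholds, modelled on MantisBT's constants (values assumed).
const ANYBODY   = 0;
const VIEWER    = 10;
const REPORTER  = 25;
const DEVELOPER = 50;

// Constructed sample data (not taken from any real installation).
$projects = [
    1 => ['name' => 'public-site',  'private' => false],
    2 => ['name' => 'internal-ops', 'private' => true],
];
// Local (per-project) access levels. A user missing here is "not listed on the project".
$project_users = [
    2 => [7 => DEVELOPER],
];
$users = [
    5 => ['name' => 'outsider', 'global_access_level' => REPORTER],
    7 => ['name' => 'insider',  'global_access_level' => REPORTER],
];
$bugs = [
    100 => ['project_id' => 1],
    200 => ['project_id' => 2],
];

/**
 * Models project_get_local_user_access_level(): the user's local (overridden)
 * level on the project, or false if the user is not listed on the project.
 */
function local_access_level(array $project_users, int $project_id, int $user_id)
{
    return $project_users[$project_id][$user_id] ?? false;
}

/**
 * Models the effective level the old SOAP check relied on: the local level if
 * the user is listed, otherwise the global level. Nothing here looks at whether
 * the project is private, which is the gap the report describes.
 */
function effective_level_soap(array $users, array $project_users, int $project_id, int $user_id): int
{
    $local = local_access_level($project_users, $project_id, $user_id);
    return $local !== false ? $local : $users[$user_id]['global_access_level'];
}

/** Models the old mci_has_readonly_access(): VIEWER or better is enough. */
function soap_can_read_issue(array $users, array $project_users, array $bugs, int $bug_id, int $user_id): bool
{
    $project_id = $bugs[$bug_id]['project_id'];
    return effective_level_soap($users, $project_users, $project_id, $user_id) >= VIEWER;
}

/**
 * Models the access_api check the reporter proposes, access_has_bug_level():
 * an unlisted user on a private project is treated as ANYBODY, so the
 * threshold comparison fails. (Administrator overrides are omitted.)
 */
function access_has_bug_level(array $projects, array $users, array $project_users, array $bugs, int $threshold, int $bug_id, int $user_id): bool
{
    $project_id = $bugs[$bug_id]['project_id'];
    $local = local_access_level($project_users, $project_id, $user_id);
    if ($local !== false) {
        $level = $local;
    } elseif ($projects[$project_id]['private']) {
        $level = ANYBODY;
    } else {
        $level = $users[$user_id]['global_access_level'];
    }
    return $level >= $threshold;
}

foreach ([5, 7] as $user_id) {
    foreach (array_keys($bugs) as $bug_id) {
        $old = soap_can_read_issue($users, $project_users, $bugs, $bug_id, $user_id) ? 'yes' : 'no';
        $new = access_has_bug_level($projects, $users, $project_users, $bugs, VIEWER, $bug_id, $user_id) ? 'yes' : 'no';
        printf("user %-8s bug %d (%s): old SOAP check=%-3s access_has_bug_level=%s\n",
            $users[$user_id]['name'], $bug_id, $projects[$bugs[$bug_id]['project_id']]['name'], $old, $new);
    }
}
```

Running it with `php` shows the difference on the one case that matters: the unlisted "outsider" user is allowed to read bug 200 in the private project by the old check (its global REPORTER level exceeds VIEWER) and is refused by the access_api-style check, while the listed "insider" and every public-project bug are handled identically by both.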
related to | 0012328 | acknowledged | Normalise access checks between the web interface and the SOAP API |
I think there are more security problems related to the SOAP API while it uses its own code and not the access_api.php of Mantis itself. |
|
Thanks for the report. Since you looked into it, would you be willing to provide a Git patch? |
|
The question is which is the best way: fixing this problem by including a check for private projects, or starting to rewrite the access checks for the SOAP API. |
|
I'd say just include more access checks in the SOAP API. Doing something larger is probably not feasible right now. |
|
I have appended a Git patch that includes one more check. |
|
MantisBT: master 004c39b6 2011-01-26 04:40 Committer: rombert |
SOAP API: ensure that the user has a proper access level Fixes 0012517: Users can view private bugs Signed-off-by: Robert Munteanu <robert.munteanu@gmail.com> |
Affected Issues 0012517 |
|
mod - api/soap/mc_issue_api.php |
MantisBT: master-1.2.x bde76f1f 2011-01-26 04:40 Committer: rombert |
SOAP API: ensure that the user has a proper access level Fixes 0012517: Users can view private bugs Signed-off-by: Robert Munteanu <robert.munteanu@gmail.com> |
Affected Issues 0012517 |
|
mod - api/soap/mc_issue_api.php |