2014-12-22 02:02 EST

ID: 0013561
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: spoidras
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.8
Target Version: 1.2.9
Fixed in Version: 1.2.9
Summary: 0013561: Any manager can delete global categories
Description: Once a user has been defined as manager on at least one project, he can edit or delete global categories for all projects.
Steps To Reproduce:
1. Go to the Manage projects page
2. Delete a global category
Tags: No tags attached.

Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Notes

~0030755

dregad (developer)

The manage project page should check that the user's global access is at least equal to $g_manage_site_threshold config. If not, global categories should be displayed without any action buttons.
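
The check described in the note above, as an added example that is not MantisBT's code or part of the original issue. It is a self-contained PHP model: the users, level numbers, function names and the threshold value are assumptions, and only the config name `$g_manage_site_threshold` comes from the page.

```php
<?php
// Constructed model, not MantisBT source: level numbers, users, function
// names and the threshold value are assumptions made for this example.
const REPORTER = 25;
const MANAGER = 70;
const ADMINISTRATOR = 90;
const GLOBAL_CATEGORY = 0; // assumed project id marking a global category

$g_manage_site_threshold = ADMINISTRATOR; // config named in the note; value assumed

// Constructed users: one global level plus per-project overrides.
$users = [
    'alice' => ['global' => ADMINISTRATOR, 'projects' => []],
    'bob'   => ['global' => REPORTER, 'projects' => [3 => MANAGER]],
    'carol' => ['global' => REPORTER, 'projects' => []],
];

// Behaviour in the report: manager on any one project was enough.
function may_manage_global_before(array $user): bool {
    $levels = array_merge([$user['global']], array_values($user['projects']));
    return max($levels) >= MANAGER;
}

// Check from the note: only the global access level is compared.
function may_manage_global_after(array $user, int $threshold): bool {
    return $user['global'] >= $threshold;
}

// Action buttons to render for one category row on the manage page.
function category_actions(array $user, int $project_id, int $threshold): array {
    if ($project_id === GLOBAL_CATEGORY) {
        $allowed = may_manage_global_after($user, $threshold);
    } else {
        $allowed = ($user['projects'][$project_id] ?? $user['global']) >= MANAGER;
    }
    return $allowed ? ['Edit', 'Delete'] : [];
}

foreach ($users as $name => $user) {
    printf(
        "%-5s before=%-3s after=%-3s global row: [%s] project 3 row: [%s]\n",
        $name,
        may_manage_global_before($user) ? 'yes' : 'no',
        may_manage_global_after($user, $g_manage_site_threshold) ? 'yes' : 'no',
        implode(', ', category_actions($user, GLOBAL_CATEGORY, $g_manage_site_threshold)),
        implode(', ', category_actions($user, 3, $g_manage_site_threshold))
    );
}
```

Hiding the buttons only changes what is rendered; the same predicate has to be enforced in the handlers that perform the edit and delete.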

~0031395

dhx (reporter)

A CVE identifier has been assigned to this issue:

CVE-2012-1121 MantisBT 1.2.8 13561 managers of specific projects could
update global category settings

~0036307

grangeway (reporter)

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Issue History
Date Modified Username Field Change
2011-11-24 09:40 spoidras New Issue
2011-11-24 14:19 dregad Status new => confirmed
2012-01-01 20:12 dregad Note Added: 0030755
2012-01-01 20:12 dregad Assigned To => dregad
2012-01-01 20:12 dregad Status confirmed => assigned
2012-01-01 20:12 dregad Target Version => 1.2.9
2012-01-01 20:12 dregad Status assigned => resolved
2012-01-01 20:12 dregad Fixed in Version => 1.2.9
2012-01-01 20:12 dregad Resolution open => fixed
2012-01-04 16:50 dregad Changeset attached => MantisBT master 94432587
2012-01-04 16:50 dregad Changeset attached => MantisBT master-1.2.x 385e0c90
2012-03-03 21:45 vboctor Status resolved => closed
2012-03-06 08:33 dhx Category administration => security
2012-03-06 17:35 dhx Note Added: 0031395
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036307
2013-04-05 18:25 grangeway Relationship added related to 0015721
2013-04-06 03:42 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check