View Issue Details

ID: 0013561
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: spoidras
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.8
Target Version: 1.2.9
Fixed in Version: 1.2.9
Summary0013561: Any manager can delete global categories
Description

Once a user has been defined as manager on at least one project, he can edit or delete global categories for all projects.

Steps To Reproduce
  1. Go on Manage projects page
  2. Delete a global category
Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dregad (developer), 2012-01-01 20:12, note ~0030755

The manage project page should check that the user's global access is at least equal to $g_manage_site_threshold config. If not, global categories should be displayed without any action buttons.

dhx (reporter), 2012-03-06 17:35, note ~0031395

A CVE identifier has been assigned to this issue:

CVE-2012-1121 MantisBT 1.2.8 13561 managers of specific projects could update global category settings

grangeway (reporter), 2013-04-05 17:57, note ~0036307

Marking as 'acknowledged' rather than resolved/closed to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master 94432587, 2012-01-01 16:14:31, dregad
User must have global access to update global categories

The user's global access level must be >= $g_manage_site_threshold to
be allowed to add, edit or delete global categories.

Prior to this, once a user had been defined as Manager on at least one
project, they could freely update global categories.

Also prevents such updates through URL manipulation.

Fixes 0013561
mod - manage_proj_cat_delete.php
mod - manage_proj_cat_edit_page.php
mod - manage_proj_page.php

MantisBT: master-1.2.x 385e0c90, 2012-01-01 16:14:31, dregad
User must have global access to update global categories

The user's global access level must be >= $g_manage_site_threshold to
be allowed to add, edit or delete global categories.

Prior to this, once a user had been defined as Manager on at least one
project, they could freely update global categories.

Also prevents such updates through URL manipulation.

Fixes 0013561
mod - manage_proj_cat_delete.php
mod - manage_proj_cat_edit_page.php
mod - manage_proj_page.php
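The following is an added illustration of the check described in the note and changesets above; it is not MantisBT's own code. It models the project's access API with small stand-in functions (the real equivalents are access_has_project_level(), access_has_global_level() and config_get('manage_site_threshold')) and uses constructed users and categories; the "before" check is a simplified model of the reported behaviour, where only the project_id supplied with the request was consulted.

```php
<?php
// Constructed sample data; numeric levels follow MantisBT's access scale.
const MANAGER = 70;
const ADMINISTRATOR = 90;
const ALL_PROJECTS = 0;           // project_id that marks a global category
$g_manage_site_threshold = ADMINISTRATOR;

$users = [
    'alice' => ['global' => 25, 'projects' => [7 => MANAGER]], // manager of project 7 only
    'root'  => ['global' => ADMINISTRATOR, 'projects' => []],
];
$categories = [
    1 => ['name' => 'Security', 'project_id' => ALL_PROJECTS], // global category
    2 => ['name' => 'UI',       'project_id' => 7],            // project-specific category
];

// Stand-ins for access_has_project_level() / access_has_global_level().
function has_project_level(array $u, int $level, int $project_id): bool {
    $effective = $u['projects'][$project_id] ?? $u['global'];
    return $effective >= $level;
}
function has_global_level(array $u, int $level): bool {
    return $u['global'] >= $level;
}

// Before the fix (simplified model): the request's own project_id parameter decided,
// so a project-7 manager who submitted project_id=7 with a global category id passed.
function can_delete_vulnerable(array $u, array $cat, int $requested_project_id): bool {
    return has_project_level($u, MANAGER, $requested_project_id);
}

// After the fix: the category's stored project_id decides. A global category needs
// global access >= $g_manage_site_threshold, whatever project_id the URL carries.
function can_delete_fixed(array $u, array $cat, int $requested_project_id): bool {
    global $g_manage_site_threshold;
    if ($cat['project_id'] === ALL_PROJECTS) {
        return has_global_level($u, $g_manage_site_threshold);
    }
    return has_project_level($u, MANAGER, $cat['project_id']);
}

foreach (['alice', 'root'] as $name) {
    $u = $users[$name];
    printf("%-5s global category: before=%s after=%s | project category: after=%s\n", $name,
        var_export(can_delete_vulnerable($u, $categories[1], 7), true),
        var_export(can_delete_fixed($u, $categories[1], 7), true),
        var_export(can_delete_fixed($u, $categories[2], 7), true));
}
```

With these constructed users, alice is refused the global category after the fix while keeping her rights on project 7's own category, and root is allowed in every case.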

Issue History

Date Modified Username Field Change
2011-11-24 09:40 spoidras New Issue
2011-11-24 14:19 dregad Status new => confirmed
2012-01-01 20:12 dregad Note Added: 0030755
2012-01-01 20:12 dregad Assigned To => dregad
2012-01-01 20:12 dregad Status confirmed => assigned
2012-01-01 20:12 dregad Target Version => 1.2.9
2012-01-01 20:12 dregad Status assigned => resolved
2012-01-01 20:12 dregad Fixed in Version => 1.2.9
2012-01-01 20:12 dregad Resolution open => fixed
2012-01-04 16:50 dregad Changeset attached => MantisBT master 94432587
2012-01-04 16:50 dregad Changeset attached => MantisBT master-1.2.x 385e0c90
2012-03-03 21:45 vboctor Status resolved => closed
2012-03-06 08:33 dhx Category administration => security
2012-03-06 17:35 dhx Note Added: 0031395
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036307
2013-04-05 18:25 grangeway Relationship added related to 0015721
2013-04-06 03:42 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check