View Issue Details

ID: 0013561
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: spoidras
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.8
Target Version: 1.2.9
Fixed in Version: 1.2.9
Summary: 0013561: Any manager can delete global categories
Description

Once a user has been defined as manager on at least one project, he can edit or delete global categories for all projects.

Steps To Reproduce
  1. Go to the Manage Projects page
  2. Delete a global category

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dregad (developer), 2012-01-01 20:12, note ~0030755

The manage project page should check that the user's global access is at least equal to $g_manage_site_threshold config. If not, global categories should be displayed without any action buttons.

dhx (reporter), 2012-03-06 17:35, note ~0031395

A CVE identifier has been assigned to this issue:

CVE-2012-1121 MantisBT 1.2.8 13561 managers of specific projects could update global category settings

grangeway (reporter), 2013-04-05 17:57, note ~0036307

Marking as 'acknowledged' rather than resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master 94432587 (dregad, 2012-01-01 11:14)

User must have global access to update global categories

The user's global access level must be >= $g_manage_site_threshold to
be allowed to add, edit or delete global categories.

Prior to this, once a user had been defined as Manager on at least one
project, they could freely update global categories.

Also prevents such updates through URL manipulation.

Fixes 0013561
Affected Issues
0013561
mod - manage_proj_cat_delete.php
mod - manage_proj_cat_edit_page.php
mod - manage_proj_page.php
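The check that dregad's note and the commit message describe, as an added model (not MantisBT's own code); the constants, thresholds and the user record are constructed stand-ins for MantisBT's access levels, ALL_PROJECTS sentinel and config values:

```php
<?php
// Added example, not MantisBT's own code: a model of the access check the fix describes.
// Constants mirror MantisBT's access levels and ALL_PROJECTS sentinel (assumed values).
const ALL_PROJECTS  = 0;
const DEVELOPER     = 55;
const MANAGER       = 70;
const ADMINISTRATOR = 90;

// Stand-ins for config_get('manage_project_threshold') and config_get('manage_site_threshold').
const MANAGE_PROJECT_THRESHOLD = MANAGER;
const MANAGE_SITE_THRESHOLD    = ADMINISTRATOR;

// Access level that applies to a user in a given project: a project-specific
// assignment overrides the global level, as in MantisBT.
function effective_project_level(array $user, int $project_id): int {
    return $user['project_levels'][$project_id] ?? $user['global_level'];
}

// Before the fix: the only question asked was "is this user a Manager of the
// project currently selected?", regardless of which project the category belongs to.
function can_manage_category_before(array $user, int $category_project_id, int $current_project_id): bool {
    return effective_project_level($user, $current_project_id) >= MANAGE_PROJECT_THRESHOLD;
}

// After the fix: a category owned by ALL_PROJECTS requires the user's *global*
// level to reach manage_site_threshold; project categories keep the project check.
function can_manage_category_after(array $user, int $category_project_id): bool {
    if ($category_project_id === ALL_PROJECTS) {
        return $user['global_level'] >= MANAGE_SITE_THRESHOLD;
    }
    return effective_project_level($user, $category_project_id) >= MANAGE_PROJECT_THRESHOLD;
}

// The action scripts (manage_proj_cat_delete.php etc.) must enforce the same rule
// server-side; hiding the buttons alone leaves the URL-manipulation path open.
function ensure_can_manage_category(array $user, int $category_project_id): void {
    if (!can_manage_category_after($user, $category_project_id)) {
        throw new RuntimeException('Access denied: insufficient access to manage this category');
    }
}
// Constructed user: global Developer, Manager on project 3 only.
$user = ['global_level' => DEVELOPER, 'project_levels' => [3 => MANAGER]];
printf("before, global category, project 3 selected: %s\n",
    can_manage_category_before($user, ALL_PROJECTS, 3) ? 'allowed (bug)' : 'denied');
printf("after,  global category: %s\n",
    can_manage_category_after($user, ALL_PROJECTS) ? 'allowed' : 'denied');
printf("after,  category of project 3: %s\n",
    can_manage_category_after($user, 3) ? 'allowed' : 'denied');
```

The first call shows the pre-fix decision granting the Developer-level user control over a global category; the second shows the corrected rule denying it while project-level management on project 3 still works.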

MantisBT: master-1.2.x 385e0c90 (dregad, 2012-01-01 11:14)

User must have global access to update global categories

The user's global access level must be >= $g_manage_site_threshold to
be allowed to add, edit or delete global categories.

Prior to this, once a user had been defined as Manager on at least one
project, they could freely update global categories.

Also prevents such updates through URL manipulation.

Fixes 0013561
Affected Issues
0013561
mod - manage_proj_cat_delete.php
mod - manage_proj_cat_edit_page.php
mod - manage_proj_page.php