View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0013561 | mantisbt | security | public | 2011-11-24 09:40 | 2014-09-23 18:05 |
Reporter | spoidras | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.8 | ||||
Target Version | 1.2.9 | Fixed in Version | 1.2.9 | ||
Summary | 0013561: Any manager can delete global categories | ||||
Description | Once a user has been defined as manager on at least one project, he can edit or delete global categories for all projects. | ||||
Steps To Reproduce |
| ||||
Tags | No tags attached. | ||||
The manage project page should check that the user's global access is at least equal to $g_manage_site_threshold config. If not, global categories should be displayed without any action buttons. |
|
A CVE identifier has been assigned to this issue: CVE-2012-1121 MantisBT 1.2.8 13561 managers of specific projects could |
|
Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch |
|
MantisBT: master 94432587 2012-01-01 11:14 |
User must have global access to update global categories The user's global access level must be >= $g_manage_site_threshold to be allowed to add, edit or delete global categories. Prior to this, once a user had been defined as Manager on at least one project, they could freely update global categories. Also prevents such updates through URL manipulation. Fixes 0013561 |
Affected Issues 0013561 |
|
mod - manage_proj_cat_delete.php |
mod - manage_proj_cat_edit_page.php |
mod - manage_proj_page.php |
MantisBT: master-1.2.x 385e0c90 2012-01-01 11:14 |
User must have global access to update global categories The user's global access level must be >= $g_manage_site_threshold to be allowed to add, edit or delete global categories. Prior to this, once a user had been defined as Manager on at least one project, they could freely update global categories. Also prevents such updates through URL manipulation. Fixes 0013561 |
Affected Issues 0013561 |
|
mod - manage_proj_cat_delete.php |
mod - manage_proj_cat_edit_page.php |
mod - manage_proj_page.php |
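
The access rule stated in the commit messages above, sketched as an added example; this is a simplified model and not MantisBT's own code. The function names, the sample user and categories, and the threshold values are assumptions made for the illustration.

```php
<?php
// Added illustration: a simplified model, not MantisBT source code.
const ALL_PROJECTS  = 0;   // project id carried by a global category
const DEVELOPER     = 55;
const MANAGER       = 70;
const ADMINISTRATOR = 90;

// Assumed threshold values for the example.
$g_manage_project_threshold = MANAGER;
$g_manage_site_threshold    = ADMINISTRATOR;

// Constructed user: DEVELOPER globally, MANAGER on project 3 only.
$user = ['global' => DEVELOPER, 'projects' => [3 => MANAGER]];

// Constructed categories: category id => owning project.
$categories = [10 => ALL_PROJECTS, 11 => 3];

// Effective level on a project: per-project assignment, else the global level.
function level_on(array $user, int $project_id): int {
    return $user['projects'][$project_id] ?? $user['global'];
}

// Model of the reported behaviour: only the project being managed is checked,
// so the category's owning project never enters the decision.
function can_update_before(array $user, int $managed_project, int $category_project): bool {
    global $g_manage_project_threshold;
    return level_on($user, $managed_project) >= $g_manage_project_threshold;
}

// Model of the fixed rule: a global category needs the site threshold on the
// user's global level; a project category needs the project threshold.
function can_update_after(array $user, int $managed_project, int $category_project): bool {
    global $g_manage_project_threshold, $g_manage_site_threshold;
    if ($category_project === ALL_PROJECTS) {
        return $user['global'] >= $g_manage_site_threshold;
    }
    return $category_project === $managed_project
        && level_on($user, $managed_project) >= $g_manage_project_threshold;
}

// Call the same predicate when rendering action buttons and again in the
// delete/edit handlers: hiding a button does not stop a hand-edited URL.
foreach ($categories as $id => $owner) {
    printf("category %d: before=%s after=%s\n", $id,
        var_export(can_update_before($user, 3, $owner), true),
        var_export(can_update_after($user, 3, $owner), true));
}
```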