MantisBT

View Issue Details Jump to Notes ] Wiki ] Related Changesets ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0013748mantisbtsecuritypublic2012-01-09 08:112014-09-23 18:05
Reporterdregad 
Assigned Todregad 
PrioritynormalSeverityminorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version1.2.8 
Target Version1.2.9Fixed in Version1.2.9 
Summary0013748: Can't move bugs from projects with access < report_bug_threshold
DescriptionWhen trying to move an issue from project A to project B, if the current user's access level is below report_bug_threshold in project A, they are not allowed to move the bug even though they should (i.e. they have move_bug_threshold in A and report_bug_threshold in B)
Steps To Reproduce- Set report_bug_threshold in project A to 100 (NOBODY)
- Select a bug in project A
- Try to Move it to project B

Error message
"You did not have appropriate permissions to perform that action" is displayed
TagsNo tags attached.
Attached Files

- Relationships
related to 0015721closedgrangeway Functionality to consider porting to master-2.0.x 

-  Notes
User avatar (0030874)
dregad (developer)
2012-01-09 08:24

The access check in bug_actiongroup.php is not correct. It should verify the user's report_bug_threshold in the target project, not the current project.
User avatar (0031396)
dhx (reporter)
2012-03-06 17:35

A CVE identifier has been assigned to this issue:

CVE-2012-1122 MantisBT 1.2.8 13748 incorrect access checks performed
when moving bugs between projects
User avatar (0036306)
grangeway (reporter)
2013-04-05 17:57

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

- Related Changesets
MantisBT: master 0da3f7ac
Timestamp: 2012-01-09 05:10:43
Author: dregad
Details ] Diff ]
Fix Move bugs from projects with access < report_bug_threshold

The access check in bug_actiongroup.php was not correct. It should
verify the user's report_bug_threshold in the target project, not the
current project.

Fixes 0013748
mod - bug_actiongroup.php Diff ] File ]
MantisBT: master-1.2.x 64af3ef8
Timestamp: 2012-01-09 05:10:43
Author: dregad
Details ] Diff ]
Fix Move bugs from projects with access < report_bug_threshold

The access check in bug_actiongroup.php was not correct. It should
verify the user's report_bug_threshold in the target project, not the
current project.

Fixes 0013748
mod - bug_actiongroup.php Diff ] File ]

- Issue History
Date Modified Username Field Change
2012-01-09 08:11 dregad New Issue
2012-01-09 08:11 dregad Status new => assigned
2012-01-09 08:11 dregad Assigned To => dregad
2012-01-09 08:24 dregad Note Added: 0030874
2012-01-09 08:24 dregad Status assigned => resolved
2012-01-09 08:24 dregad Fixed in Version => 1.2.9
2012-01-09 08:24 dregad Resolution open => fixed
2012-01-09 09:00 dregad Changeset attached => MantisBT master 0da3f7ac
2012-01-09 09:00 dregad Changeset attached => MantisBT master-1.2.x 64af3ef8
2012-03-03 21:45 vboctor Status resolved => closed
2012-03-06 08:49 dhx Category bugtracker => security
2012-03-06 17:35 dhx Note Added: 0031396
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036306
2013-04-05 18:24 grangeway Relationship added related to 0015721
2013-04-06 03:42 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check


MantisBT 1.2.17 [^]
Copyright © 2000 - 2014 MantisBT Team
Time: 0.0837 seconds.
memory usage: 3,054 KB
Powered by Mantis Bugtracker