View Issue Details

IDProjectCategoryView StatusLast Update
0013748mantisbtsecuritypublic2014-09-23 18:05
Reporterdregad Assigned Todregad  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version1.2.8 
Target Version1.2.9Fixed in Version1.2.9 
Summary0013748: Can't move bugs from projects with access < report_bug_threshold
Description

When trying to move an issue from project A to project B, if the current user's access level is below report_bug_threshold in project A, they are not allowed to move the bug even though they should (i.e. they have move_bug_threshold in A and report_bug_threshold in B)

Steps To Reproduce
  • Set report_bug_threshold in project A to 100 (NOBODY)
  • Select a bug in project A
  • Try to Move it to project B

Error message
"You did not have appropriate permissions to perform that action" is displayed

TagsNo tags attached.

Relationships

related to 0015721 closedgrangeway Functionality to consider porting to master-2.0.x 

Activities

dregad

dregad

2012-01-09 08:24

developer   ~0030874

The access check in bug_actiongroup.php is not correct. It should verify the user's report_bug_threshold in the target project, not the current project.

dhx

dhx

2012-03-06 17:35

reporter   ~0031396

A CVE identifier has been assigned to this issue:

CVE-2012-1122 MantisBT 1.2.8 13748 incorrect access checks performed
when moving bugs between projects

grangeway

grangeway

2013-04-05 17:57

reporter   ~0036306

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master 0da3f7ac

2012-01-09 00:10

dregad


Details Diff
Fix Move bugs from projects with access < report_bug_threshold

The access check in bug_actiongroup.php was not correct. It should
verify the user's report_bug_threshold in the target project, not the
current project.

Fixes 0013748
Affected Issues
0013748
mod - bug_actiongroup.php Diff File

MantisBT: master-1.2.x 64af3ef8

2012-01-09 00:10

dregad


Details Diff
Fix Move bugs from projects with access < report_bug_threshold

The access check in bug_actiongroup.php was not correct. It should
verify the user's report_bug_threshold in the target project, not the
current project.

Fixes 0013748
Affected Issues
0013748
mod - bug_actiongroup.php Diff File