View Issue Details

ID: 0016024
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-08 00:33
Reporter: Chewits
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary: 0016024: When a user reports an issue, an unpermitted project can be selected
Description
  1. If you set the active project to 'All Projects' and then try to report an issue, you are able to select a project you don't have permission to report to. As a result you get an "Access Denied." error in this case.
     I think this list should be limited to the projects you can actually submit an issue to. Also, the error message in this case should be more informative.

  2. Why shouldn't we use the Default project (if Active project == 'All projects' && Default project != 'All projects') when reporting an issue?
Tags: No tags attached.

Activities

dregad (developer) - 2013-06-07 03:32 - ~0037130

Thanks for the bug report.

    1. If you select active project as 'All Projects' and then try to report an issue, you will be able to select project you don't have permission to report to it. As a result you get "Access Denied." error in this case.

I am not able to reproduce this on 1.2.15, with a reporter account, I only see projects I have access to.

Please confirm that you are not using customized code, and provide detailed steps to reproduce the issue.

    2. Why shouldn't we use the Default project

That's an option indeed, could you kindly open a separate issue to cover this?

atrol (developer) - 2013-06-07 03:38 - ~0037131

The problem is that you also get projects in the list where you are just VIEWER.

Chewits (reporter) - 2013-06-07 05:55 - ~0037133

dregad, atrol:
I don't use customized code.
In my case the situation is as follows: I have several projects with changed report_bug_threshold (Manage->Manage Configuration->Workflow Thresholds->Report an issue-> uncheck 'Reporter'). Suppose, for example, one of these is called "Test Project". So I can browse issues in these projects but cannot report a new bug.
When I set the active project to 'All Projects' (top right of pages), then click on the link 'Report Issue' and then select 'Test Project', I'll get an 'Access Denied.' error.

In my opinion, it's not the correct behavior. I should not see 'Test project' in that list.

dregad (developer) - 2013-06-07 06:28 - ~0037134

@atrol

    The problem is that you get also projects in the list where you are just VIEWER.

You're confusing me. As viewer, you don't get the 'report issue' menu to begin with, so you should not even see login_select_proj_page.php... Am I missing something?

@Chewits

OK, I can reproduce the issue now.

    it's not the correct behavior. I should not see 'Test project' in that list.

Agreed.

atrol (developer) - 2013-06-07 06:36 - ~0037135

Create a user which is
REPORTER in private project A and
VIEWER in private project B

-> You get the 'report issue' menu
-> You get projects A and B in the list

dregad (developer) - 2013-06-07 09:57 - ~0037140
Last edited: 2013-06-07 09:58

@atrol, OK; I get it now. It's the same problem actually.

My first thought was do not add the projects where user can't report issues, but that was causing problems / confusion when using subprojects.

So I'm now working on a patch which sets the option to disabled instead. Will post a solution shortly.

dregad (developer) - 2013-06-07 10:12 - ~0037141

Please test https://github.com/dregad/mantisbt/tree/fix-16024

Note that this branch also fixes 0016029 which is a bug I discovered while testing this.

Chewits (reporter) - 2013-06-07 11:20 - ~0037144

Thanks a lot!

Please try this case:

  1. Select 'All Projects' (top right drop-down list) or any project you are permitted to report to
  2. Click 'Report Issue'
     (3. Select any available project) - not needed if you selected a particular project in the first step
  3. Select 'Test Project' (which you are not allowed to report to) in the top right drop-down select box
  4. You get an 'Access Denied.' error

atrol (developer) - 2013-06-07 12:09 - ~0037146
Last edited: 2013-06-07 12:09

Quite a lot of source code changed.
Severity is "minor", maybe even "feature".

I prefer to not fix this in master-1.2.x as I fear introducing regressions.

dregad (developer) - 2013-06-07 18:26 - ~0037147

@atrol

Not sure what you qualify as "quite a lot", the changes are quite limited (excluding whitespace, 4 files changed, 60 insertions(+), 24 deletions(-)) and I think the risk of regression is quite low.

But anyway if you're not comfortable, I'm fine with holding this (and the other fixes 0016026 and 0016029 too) to 1.3.

@Chewits

The access denied case you describe in 0016024:0037144 is normal, expected and can't be avoided, without completely preventing selection of your 'Test Project' from other places in the system.

Related Changesets

MantisBT: master cf773147 (2013-06-07 09:28:02, dregad)

Add new helper API function check_disabled()

Prerequisite to fix issue 0016024
mod - core/helper_api.php

MantisBT: master ef31cc7c (2013-06-07 09:29:03, dregad)

Disable selection of projects in which user can't report issues

When the current project is 'All Projects' and user clicks on 'Report
Issue', login_select_proj_page.php presents them with a list of projects,
which includes those in which the user is not allowed to report issues.
If one of these projects is selected, an 'Access Denied' error occurs.

This commit makes the functionality more user-friendly by disabling
these projects in the list, so users can't select them.

To implement this, a new optional parameter was added to functions
print_project_option_list() and print_subproject_option_list().

Fixes 0016024

Conflicts:
core/print_api.php
mod - core/print_api.php
mod - login_select_proj_page.php

MantisBT: master 6acca71c (2013-06-07 15:28:02, dregad)

Add new helper API function check_disabled()

Prerequisite to fix issue 0016024
mod - core/helper_api.php

MantisBT: master 6209c86d (2013-06-07 15:29:03, dregad)

Disable selection of projects in which user can't report issues

When the current project is 'All Projects' and user clicks on 'Report
Issue', login_select_proj_page.php presents them with a list of projects,
which includes those in which the user is not allowed to report issues.
If one of these projects is selected, an 'Access Denied' error occurs.

This commit makes the functionality more user-friendly by disabling
these projects in the list, so users can't select them.

To implement this, a new optional parameter was added to functions
print_project_option_list() and print_subproject_option_list().

Fixes 0016024
mod - core/print_api.php
mod - login_select_proj_page.php
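As an added illustration of the approach the changeset describes (example code, not MantisBT's own, using constructed data in place of its API): the option list is still built from every accessible project, but options whose report_bug_threshold the user does not meet are rendered disabled, while the submit path re-runs the same check, which is why the 'Access Denied' case from note 0037144 cannot be removed by the UI change alone.

```php
<?php
// Constructed example, not MantisBT code: numeric access levels and a
// per-project report_bug_threshold, mirroring the VIEWER/REPORTER idea.
const VIEWER   = 10;
const REPORTER = 25;

// Constructed fixture: REPORTER in "Project A", only VIEWER in "Test Project",
// whose threshold has been raised above REPORTER in the workflow settings.
$projects = [
    1 => ['name' => 'Project A',    'report_bug_threshold' => REPORTER],
    2 => ['name' => 'Test Project', 'report_bug_threshold' => 40],
];
$user_access = [1 => REPORTER, 2 => VIEWER];

// One authorization function, shared by the option list and the submit path.
function can_report(array $projects, array $user_access, int $project_id): bool
{
    if (!isset($projects[$project_id], $user_access[$project_id])) {
        return false; // unknown project or no membership: deny by default
    }
    return $user_access[$project_id] >= $projects[$project_id]['report_bug_threshold'];
}

// UI: keep every accessible project in the list (so subproject trees stay
// intact) but mark the ones the user cannot report to as disabled.
function project_option_list(array $projects, array $user_access): string
{
    $html = '';
    foreach ($projects as $id => $p) {
        $disabled = can_report($projects, $user_access, $id) ? '' : ' disabled="disabled"';
        $html .= sprintf("<option value=\"%d\"%s>%s</option>\n",
            $id, $disabled, htmlspecialchars($p['name'], ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

// Server side: the disabled attribute is only a client-side hint, so the
// project id received with the report is checked again before anything is created.
function submit_report(array $projects, array $user_access, int $project_id): string
{
    if (!can_report($projects, $user_access, $project_id)) {
        return 'Access Denied.';
    }
    return 'Issue created in ' . $projects[$project_id]['name'];
}

echo project_option_list($projects, $user_access);
echo submit_report($projects, $user_access, 1), "\n";
echo submit_report($projects, $user_access, 2), "\n";
```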

Issue History

Date Modified Username Field Change
2013-06-07 02:52 Chewits New Issue
2013-06-07 03:32 dregad Note Added: 0037130
2013-06-07 03:32 dregad Status new => feedback
2013-06-07 03:38 atrol Note Added: 0037131
2013-06-07 05:55 Chewits Note Added: 0037133
2013-06-07 05:55 Chewits Status feedback => new
2013-06-07 06:28 dregad Note Added: 0037134
2013-06-07 06:28 dregad Status new => confirmed
2013-06-07 06:36 atrol Note Added: 0037135
2013-06-07 09:56 dregad Assigned To => dregad
2013-06-07 09:56 dregad Status confirmed => assigned
2013-06-07 09:57 dregad Note Added: 0037140
2013-06-07 09:58 dregad Note Edited: 0037140
2013-06-07 10:12 dregad Note Added: 0037141
2013-06-07 10:12 dregad Status assigned => feedback
2013-06-07 11:20 Chewits Note Added: 0037144
2013-06-07 11:20 Chewits Status feedback => assigned
2013-06-07 12:09 atrol Note Added: 0037146
2013-06-07 12:09 atrol Note Edited: 0037146
2013-06-07 18:26 dregad Note Added: 0037147
2013-10-09 11:03 dregad Changeset attached => MantisBT master cf773147
2013-10-09 11:03 dregad Changeset attached => MantisBT master ef31cc7c
2013-10-09 11:03 dregad Status assigned => resolved
2013-10-09 11:03 dregad Resolution open => fixed
2013-10-09 11:03 dregad Fixed in Version => 1.3.0-beta.1
2013-10-09 12:43 dregad Target Version => 1.3.0-beta.1
2013-10-11 23:23 dregad Changeset attached => MantisBT master 6209c86d
2013-10-11 23:23 dregad Changeset attached => MantisBT master 6acca71c
2013-10-18 17:08 atrol Product Version => 1.2.15
2014-11-07 13:20 vboctor Category bugtracker => security
2014-12-08 00:33 vboctor Status resolved => closed