View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016024 | mantisbt | security | public | 2013-06-07 02:52 | 2014-12-08 00:33 |
Reporter | Chewits | Assigned To | dregad |
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed |
Product Version | 1.2.15 |
Target Version | 1.3.0-beta.1 | Fixed in Version | 1.3.0-beta.1 |
Summary | 0016024: When user reports an issue, the unpermitted project can be selected |
Description |
Tags | No tags attached. |
Thanks for the bug report.
I am not able to reproduce this on 1.2.15; with a reporter account, I only see projects I have access to. Please confirm that you are not using customized code, and provide detailed steps to reproduce the issue.
That's an option indeed, could you kindly open a separate issue to cover this?

The problem is that you also get projects in the list where you are just VIEWER.

dregad, atrol: In my opinion, it's not the correct behavior. I should not see 'Test project' in that list.

You're confusing me. As viewer, you don't get the 'report issue' menu to begin with so you should not even see the login_select_proj_page.php... Am I missing something? OK, I can reproduce the issue now.
Agreed.

Create a user which is -> You get the 'report issue' menu

@atrol, OK; I get it now. It's the same problem actually. My first thought was to not add the projects where user can't report issues, but that was causing problems / confusion when using subprojects. So I'm now working on a patch which sets the option to disabled instead. Will post a solution shortly.

Please test https://github.com/dregad/mantisbt/tree/fix-16024
Note that this branch also fixes 0016029 which is a bug I discovered while testing this.

Thanks a lot! Please try this case:

Quite a lot of source code changed. I prefer to not fix this in master-1.2.x as I fear introducing regressions.

Not sure what you qualify as "quite a lot", the changes are quite limited (excluding whitespace, 4 files changed, 60 insertions(+), 24 deletions(-)) and I think the risk of regression is quite low. But anyway if you're not comfortable, I'm fine with holding this (and the other fixes 0016026 and 0016029 too) to 1.3. The access denied case you describe in 0016024:0037144 is normal, expected and can't be avoided, without completely preventing selection of your 'Test Project' from other places in the system.

MantisBT: master cf773147 2013-06-07 05:28
Add new helper API function check_disabled()
Prerequisite to fix issue 0016024
Affected Issues 0016024
mod - core/helper_api.php

MantisBT: master ef31cc7c 2013-06-07 05:29
Disable selection of projects in which user can't report issues

When the current project is 'All Projects' and user clicks on 'Report Issue', login_select_proj_page.php presents them with a list of projects, which includes those in which the user is not allowed to report issues. If one of these projects is selected, an 'Access Denied' error occurs.

This commit makes the functionality more user-friendly by disabling these projects in the list, so users can't select them.

To implement this, a new optional parameter was added to functions print_project_option_list() and print_subproject_option_list().

Fixes 0016024

Conflicts: core/print_api.php
Affected Issues 0016024
mod - core/print_api.php
mod - login_select_proj_page.php

MantisBT: master 6acca71c 2013-06-07 11:28
Add new helper API function check_disabled()
Prerequisite to fix issue 0016024
Affected Issues 0016024
mod - core/helper_api.php

MantisBT: master 6209c86d 2013-06-07 11:29
Disable selection of projects in which user can't report issues

When the current project is 'All Projects' and user clicks on 'Report Issue', login_select_proj_page.php presents them with a list of projects, which includes those in which the user is not allowed to report issues. If one of these projects is selected, an 'Access Denied' error occurs.

This commit makes the functionality more user-friendly by disabling these projects in the list, so users can't select them.

To implement this, a new optional parameter was added to functions print_project_option_list() and print_subproject_option_list().

Fixes 0016024
Affected Issues 0016024
mod - core/print_api.php
mod - login_select_proj_page.php
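
The approach described in the commit messages above (keep the project in the list but render it disabled) shown next to the server-side check that produces 'Access Denied', as an added example that is not MantisBT's code. The function names, access-level constants and project data are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not MantisBT source. All names and data are hypothetical.
const VIEWER = 10;
const REPORTER = 25;

// Constructed sample data: project id => name and the current user's access level.
$projects = [
    1 => ['name' => 'Main project', 'access' => REPORTER],
    2 => ['name' => 'Test project', 'access' => VIEWER],
];

// True when the user's access level in the project meets the report threshold.
function can_report(array $project, int $threshold = REPORTER): bool
{
    return $project['access'] >= $threshold;
}

// Render the <option> list. Projects below the report threshold stay in the
// list (so a subproject hierarchy remains readable) but are marked disabled.
function render_project_options(array $projects): string
{
    $html = '';
    foreach ($projects as $id => $project) {
        $disabled = can_report($project) ? '' : ' disabled="disabled"';
        $html .= sprintf(
            "<option value=\"%d\"%s>%s</option>\n",
            $id,
            $disabled,
            htmlspecialchars($project['name'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// The disabled attribute is only a UI hint, so the handler that receives the
// selected id repeats the access check instead of trusting the form.
function select_project(array $projects, int $id): string
{
    if (!isset($projects[$id]) || !can_report($projects[$id])) {
        return 'Access Denied';
    }
    return 'Selected: ' . $projects[$id]['name'];
}

echo render_project_options($projects);
echo select_project($projects, 1), "\n";
echo select_project($projects, 2), "\n";
```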