0016376: Not able to change status without having update issue rights - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0016376	mantisbt	customization	public	2013-09-13 15:03	2016-12-30 04:33

Reporter	atrol	Assigned To	dregad
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.13
Target Version	1.2.16	Fixed in Version	1.2.16

Summary	0016376: Not able to change status without having update issue rights
Description	It was possible to change status without having update issue rights in earlier versions of MantisBT <1.2.13. The changed behavior has been introduced in fix for 0015258 [1] There where users in forum that noticed the regression or need the previous functionality for their workflow [2][3] Changing status is probably updating a bug but it seems that update_bug_threshold is more meant as a threshold which is considered if there is no other threshold which is more specific. Furthermore if changing status is considered to be an update we would have also to consider "assign to" as an update. Access to "Assign to" is not dependent on update_bug_threshold but only handle_bug_threshold. My conclusion until now: Access to "Change status" should not be dependent on update_bug_threshold but update_bug_status_threshold Changing if( !access_has_bug_level( config_get( 'update_bug_threshold' ), $p_bug->id ) ) { to if( !access_has_bug_level( config_get( 'update_bug_status_threshold' ), $p_bug->id ) ) { in file core/html_api.php function html_button_bug_change_status should be enough to fix the issue without introducing a regression for 0015258 [1] https://github.com/mantisbt/mantisbt/commit/c88137343b0f6d47613ed7fefc5d1277b901b778#L0R1390 [2] http://www.mantisbt.org/forums/viewtopic.php?f=3&t=21642 [3] http://www.mantisbt.org/forums/viewtopic.php?f=3&t=21676
Tags	No tags attached.

dregad 2013-09-14 04:24 developer ~0038041	You're absolutely right, it's a mistake from my part to pick the wrong config setting in the fix for 0015258, I should indeed have used update_bug_status_threshold and not update_bug_threshold. I'll do some testing to ensure doing this does not reintroduce the original security issue whereby a reporter could change an issue status to new (if update_bug_status_threshold = REPORTER in this case), or other regressions.

dregad 2013-09-14 04:40 developer ~0038042	OK, so with this change a reporter can update the status to anything allowed by the workflow, and considering that it is obviously required for a reporter to be able to report issues (!), the only way to remove the possibility to change status back to NEW, is to uncheck it as available 'Next status'. This is not necessary however if the issue is in RESOLVED or CLOSED status as the Change Status list and button will not be displayed in this case. This does introduce potential inconsistencies, with default settings: a reporter can change an issue's status to ASSIGNED, RESOLVED or CLOSED, but since they are not able to assign an issue (update_bug_assign_threshold) the handler will not be set. I guess that's OK since we should expect the admin to set its workflow properly (i.e. set minimum access level for ASSIGNED and above).

MantisBT: master-1.2.x e074efde 2013-09-14 00:38 dregad Details Diff	Use correct threshold for display of Change status list+button Fix for issue 0015258 introduced a check for 'update_bug_threshold' to prevent unauthorized users from changing issue status. This was not the correct config setting to use, the right one is 'update_bug_status_threshold'. Fixes 0016376		Affected Issues 0015258, 0016376
	mod - core/html_api.php		Diff File
MantisBT: master d5da1d24 2013-09-14 00:38 dregad Details Diff	Use correct threshold for display of Change status list+button Fix for issue 0015258 introduced a check for 'update_bug_threshold' to prevent unauthorized users from changing issue status. This was not the correct config setting to use, the right one is 'update_bug_status_threshold'. Fixes 0016376		Affected Issues 0015258, 0016376
	mod - core/html_api.php		Diff File