View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016376 | mantisbt | customization | public | 2013-09-13 15:03 | 2016-12-30 04:33 |
Reporter | atrol | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.13 | ||||
Target Version | 1.2.16 | Fixed in Version | 1.2.16 | ||
Summary | 0016376: Not able to change status without having update issue rights | ||||
Description | It was possible to change status without having update issue rights in earlier versions of MantisBT <1.2.13. There where users in forum that noticed the regression or need the previous functionality for their workflow [2][3] Changing status is probably updating a bug but it seems that update_bug_threshold is more meant as a threshold which is considered if there is no other threshold which is more specific. Furthermore if changing status is considered to be an update we would have also to consider "assign to" as an update. My conclusion until now: Access to "Change status" should not be dependent on update_bug_threshold but update_bug_status_threshold Changing
to
in file core/html_api.php function html_button_bug_change_status should be enough to fix the issue without introducing a regression for 0015258 [1] https://github.com/mantisbt/mantisbt/commit/c88137343b0f6d47613ed7fefc5d1277b901b778#L0R1390 | ||||
Tags | No tags attached. | ||||
You're absolutely right, it's a mistake from my part to pick the wrong config setting in the fix for 0015258, I should indeed have used update_bug_status_threshold and not update_bug_threshold. I'll do some testing to ensure doing this does not reintroduce the original security issue whereby a reporter could change an issue status to new (if update_bug_status_threshold = REPORTER in this case), or other regressions. |
|
OK, so with this change a reporter can update the status to anything allowed by the workflow, and considering that it is obviously required for a reporter to be able to report issues (!), the only way to remove the possibility to change status back to NEW, is to uncheck it as available 'Next status'. This is not necessary however if the issue is in RESOLVED or CLOSED status as the Change Status list and button will not be displayed in this case. This does introduce potential inconsistencies, with default settings: a reporter can change an issue's status to ASSIGNED, RESOLVED or CLOSED, but since they are not able to assign an issue (update_bug_assign_threshold) the handler will not be set. I guess that's OK since we should expect the admin to set its workflow properly (i.e. set minimum access level for ASSIGNED and above). |
|
MantisBT: master-1.2.x e074efde 2013-09-14 00:38 Details Diff |
Use correct threshold for display of Change status list+button Fix for issue 0015258 introduced a check for 'update_bug_threshold' to prevent unauthorized users from changing issue status. This was not the correct config setting to use, the right one is 'update_bug_status_threshold'. Fixes 0016376 |
Affected Issues 0015258, 0016376 |
|
mod - core/html_api.php | Diff File | ||
MantisBT: master d5da1d24 2013-09-14 00:38 Details Diff |
Use correct threshold for display of Change status list+button Fix for issue 0015258 introduced a check for 'update_bug_threshold' to prevent unauthorized users from changing issue status. This was not the correct config setting to use, the right one is 'update_bug_status_threshold'. Fixes 0016376 |
Affected Issues 0015258, 0016376 |
|
mod - core/html_api.php | Diff File |