View Issue Details

ID: 0016771
Project: mantisbt
Category: administration
View Status: public
Last Update: 2016-01-22 13:56
Reporter: benv8
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 1.3.0-rc.1
Fixed in Version: 1.3.0-rc.1
Summary: 0016771: workflow configuration
Description

I have a problem: when I submit the form on the workflow configuration page, the "thresholds that affect Workflow" are not good.
Below is a screen showing the steps to reproduce the problem. If we do not change the values on the role, the value is passed to "ADMIN".

manage_config_workflow_set.php

The current code:

foreach( $t_valid_thresholds as $t_threshold ) {
    $t_access_current = config_get_access( $t_threshold );
    if( $t_access >= $t_access_current ) {
        $f_value = gpc_get( 'threshold_' . $t_threshold );
        $t_value_current = config_get( $t_threshold );
        $f_access = gpc_get( 'access_' . $t_threshold );
        if( $f_value == $t_value_current && $f_access == $t_access_current ) {
            # If new value is equal to parent and access has not changed
            config_delete( $t_threshold, ALL_USERS , $t_project );
        } else if( $f_value != $t_value_current || $f_access != $t_access_current ) {
            # Set config if value or access have changed
            config_set( $t_threshold, $f_value, NO_USER, $t_project, $f_access );
        }
    }
}
  • $f_value: is the old value
  • $t_value_current: corresponds to the new value

The comment does not match what is being done:

If new value is equal to the parent and access HAS not changed

More functionally if it is the same as the parent project parameterization why delete it if the parent project that you do not want to change the sub-project is changed.

The code should look like:

foreach( $t_valid_thresholds as $t_threshold ) {
    $t_access_current = config_get_access( $t_threshold );
    if( $t_access >= $t_access_current ) {
        $f_value = gpc_get( 'threshold_' . $t_threshold );
        $t_value_current = config_get( $t_threshold );
        $f_access = gpc_get( 'access_' . $t_threshold );
        if( $f_value != $t_value_current || $f_access != $t_access_current ) {
            # Set config if value or access have changed
            config_set( $t_threshold, $f_value, NO_USER, $t_project, $f_access );
        }
    }
}
Tags: No tags attached.

Relationships

related to 0014496 (closed, dregad): CVE-2012-5522 Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default'
has duplicate 0020441 (closed, dregad): Thresholds that Affect Workflow configuration deleted when not changed
has duplicate 0019695 (closed, cproensa): Error in page "manage_config_workflow_set.php"
related to 0019970 (closed, dregad): Status to which reopened issues are set drops to 'feedback'

Activities

benv8

2013-12-30 02:34

reporter  

atrol

2013-12-30 07:29

developer   ~0038943

No time for a deeper look at the moment.
Seems to be introduced by fix of 0014496 at first sight.

atrol

2014-01-14 16:00

developer   ~0039050

Reminder sent to: dregad

I still found no time to have a deeper look at it, and I don't like to introduce a regression as your commit fixed a security issue.
Maybe you could have a look at it to get it fixed in 1.2.16.

Related Changesets

MantisBT: master a8f1c088

2015-09-10 17:37:09

cproensa


Committer: dregad
Fix Workflow Transitions reverted to default when saving

Some fields were reverted to default setting when updating the page
twice.

Corrections:
- lookup proper variable 'set_status_threshold' when performing access
check, as well as when updating the threshold
- compare against parent settings instead of current

Fixes 0019970, 0016771

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Changes from original commit:
- whitespace
- reworded commit message
mod - manage_config_workflow_set.php

MantisBT: master b36e56ab

2015-10-30 12:40:13

dregad

Fix warning 'config option "threshold_xxx" not found'

The original fix prepended 'threshold_' to $t_threshold, which
is incorrect (maybe a copy/paste error ?).

The 'threshold_' prefix is used to determine the name of the
corresponding GPC variable's name; $t_threshold already contains the
correct config option's name.

Fixes 0019970, 0016771
mod - manage_config_workflow_set.php

MantisBT: master 63bbb193

2015-10-31 19:56:01

dregad

Fix resetting of access level when updating workflow

If the access level needed to update a Threshold has been changed from
default, it is reset to that default value when the workflow
configuration is updated again without changes to that Threshold.

This commit fixes the incorrect behavior by applying the same mechanism
used to detect a change in the status to the access level, i.e.
comparing the updated access level with the parent and not the current
value.

Fixes 0016771
mod - manage_config_workflow_set.php

MantisBT: master 576fd772

2015-11-03 14:24:56

cproensa


Committer: dregad
Fix resetting of access level when updating workflow

This is the same fix as 63bbb19393c3a2b9bdc7e159992c160561a7ce09, and
addresses the incorrect behavior for the fields
- Who can change workflow
- Who can change access levels
by applying the same mechanism used to detect a change in the status to
the access level, i.e. comparing the updated access level with the
parent and not the current value.

Fixes 0016771

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Original commit message reworded
mod - manage_config_workflow_set.php
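
The comparison described in the changesets above (compare the submitted value against the parent setting, not the current one), as an added PHP example that is not MantisBT's code: `ThresholdStore`, both `save_*` functions, the threshold name `example_threshold` and the access-level values are constructed for illustration, and only the value (not the access level) is modelled. It re-saves an unchanged form through both routines: the first drops the project override so the threshold falls back to the inherited level, the second keeps it.

```php
<?php
// Constructed model, not MantisBT code: a threshold resolves to the project's
// override if one exists, otherwise to the parent (inherited) value.
const DEVELOPER = 55;       // constructed access levels for the example
const ADMINISTRATOR = 90;

final class ThresholdStore {
    private array $parent;          // inherited values, keyed by threshold name
    private array $override = [];   // project-specific values

    public function __construct( array $parent ) { $this->parent = $parent; }
    public function parent( string $name ): int { return $this->parent[$name]; }
    public function current( string $name ): int {
        return $this->override[$name] ?? $this->parent[$name];
    }
    public function set( string $name, int $value ): void { $this->override[$name] = $value; }
    public function delete( string $name ): void { unset( $this->override[$name] ); }
}

// Logic of the "current code" in the report: an unchanged submission equals
// the current value, so the project override is deleted.
function save_compare_current( ThresholdStore $s, string $name, int $submitted ): void {
    if( $submitted == $s->current( $name ) ) {
        $s->delete( $name );
    } else {
        $s->set( $name, $submitted );
    }
}

// Approach described in the changesets: delete the override only when the
// submitted value equals the parent; write only when it differs from current.
function save_compare_parent( ThresholdStore $s, string $name, int $submitted ): void {
    if( $submitted == $s->parent( $name ) ) {
        $s->delete( $name );
    } elseif( $submitted != $s->current( $name ) ) {
        $s->set( $name, $submitted );
    }
}

foreach( ['save_compare_current', 'save_compare_parent'] as $save ) {
    $store = new ThresholdStore( ['example_threshold' => ADMINISTRATOR] );
    $store->set( 'example_threshold', DEVELOPER );    // project override in place
    $save( $store, 'example_threshold', DEVELOPER );  // form re-saved unchanged
    printf( "%-22s -> effective level %d\n", $save, $store->current( 'example_threshold' ) );
}
```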

Issue History

Date Modified Username Field Change
2013-12-30 02:34 benv8 New Issue
2013-12-30 02:34 benv8 File Added: workflow_configuration.PNG
2013-12-30 07:27 atrol Status new => confirmed
2013-12-30 07:27 atrol Relationship added related to 0014496
2013-12-30 07:29 atrol Note Added: 0038943
2014-01-14 16:00 atrol Note Added: 0039050
2015-09-11 02:30 dregad Relationship added related to 0019970
2015-11-22 05:32 dregad Changeset attached => MantisBT master a8f1c088
2015-11-22 05:32 dregad Changeset attached => MantisBT master b36e56ab
2015-11-22 05:32 dregad Changeset attached => MantisBT master 63bbb193
2015-11-22 05:32 dregad Changeset attached => MantisBT master 576fd772
2015-11-22 05:32 dregad Assigned To => dregad
2015-11-22 05:32 dregad Status confirmed => resolved
2015-11-22 05:32 dregad Resolution open => fixed
2015-11-22 05:32 dregad Fixed in Version => 1.3.0-rc.1
2015-11-22 05:33 dregad Target Version => 1.3.0-rc.1
2015-12-06 02:45 vboctor Status resolved => closed
2015-12-31 18:46 dregad Relationship added has duplicate 0020441
2016-01-22 13:56 cproensa Relationship added has duplicate 0019695