View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016993 | mantisbt | api soap | public | 2014-02-19 02:24 | 2014-12-05 18:33 |
Reporter | atrol | Assigned To | vboctor |
Priority | normal | Severity | major | Reproducibility | have not tried |
Status | closed | Resolution | fixed |
Product Version | 1.2.16 |
Target Version | 1.2.18 | Fixed in Version | 1.2.18 |
Summary | 0016993: Handler can be set without having appropriate access rights |
Description | A reporter is able to report an issue using SOAP API and #16990 is an example for it (I don't really know, but I am quite sure it has been created using SOAP) |
Tags | No tags attached. |
Here is the pull request:

The bug applied to mc_issue_add() and mc_issue_update(). I've updated target version to 1.2.x.

If you are going to backport this, then please change Fixed in Version back to 1.2.x

@dregad, this is now ported to 1.2.x.

MantisBT: master 2fe0ee6a 2014-10-21 19:40
Add handler access check to mc_issue_add()
The mc_issue_add() API was missing a check to validate that specified handler has the appropriate access level.
Fixes 0016993
Affected Issues 0016993
mod - api/soap/mc_issue_api.php

MantisBT: master bcd976bb 2014-10-21 20:22
Add can assign check to mc_issue_add()
Users who report an issue with handler set must have the access level required to assign issues.
Issue 0016993
Affected Issues 0016993
mod - api/soap/mc_issue_api.php

MantisBT: master d7e16cc5 2014-10-21 22:51
Add access check to mc_issue_get() for handler_id
Disclose the handler id only if the user has the appropriate access level to see such information.
Issue 0016993
Affected Issues 0016993
mod - api/soap/mc_issue_api.php

MantisBT: master a58d63ac 2014-10-21 23:12
Refactor handler access check for soap api
Move the check to a shared method used by mc_issue_add() and mc_issue_update().
Issue 0016993
Affected Issues 0016993
mod - api/soap/mc_issue_api.php

MantisBT: master-1.2.x dc9f0157 2014-11-04 19:10
Handler access checks in SOAP API
The mc_issue_add() and mc_issue_update() APIs were missing checks to validate that specified handler has the appropriate access level and that logged in user has access level to assign issues. mc_issue_get() was also missing the check that the user has access to view the handler assigned the issue.
Fixes 0016993
Affected Issues 0016993
mod - api/soap/mc_issue_api.php
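
The three checks named in the changesets above (handler level, caller's right to assign, and disclosure of handler_id on read), shown as an added self-contained example that is not MantisBT's code. The helper names, user ids, access levels and threshold values are assumptions made for illustration.

```php
<?php
// Added illustration, not MantisBT source. Users, levels and thresholds are constructed.
const VIEWER = 10;
const REPORTER = 25;
const DEVELOPER = 55;

// Assumed thresholds for this example.
const THRESHOLD = [
    'handle'       => DEVELOPER, // minimum level to be named as handler
    'assign'       => DEVELOPER, // minimum level to assign an issue
    'view_handler' => DEVELOPER, // minimum level to see who handles an issue
];

// Constructed users: id => access level in the project.
const USERS = [1 => REPORTER, 2 => DEVELOPER, 3 => VIEWER];

function has_level(int $user_id, string $threshold): bool {
    return array_key_exists($user_id, USERS) && USERS[$user_id] >= THRESHOLD[$threshold];
}

// Shared by the add and update paths. Returns null when allowed, else the denial reason.
function handler_access_check(int $caller_id, int $old_handler_id, int $new_handler_id): ?string {
    if ($new_handler_id !== 0 && !has_level($new_handler_id, 'handle')) {
        return "user $new_handler_id may not handle issues";
    }
    if ($old_handler_id !== $new_handler_id && !has_level($caller_id, 'assign')) {
        return "user $caller_id may not assign issues";
    }
    return null;
}

// Read path: drop handler_id unless the caller may view it.
function issue_for_caller(array $issue, int $caller_id): array {
    if (!has_level($caller_id, 'view_handler')) {
        unset($issue['handler_id']);
    }
    return $issue;
}

// Cases: (caller, old handler, new handler); 0 means no handler.
foreach ([[1, 0, 2], [2, 0, 1], [2, 0, 2], [1, 0, 0]] as [$caller, $old, $new]) {
    echo "caller=$caller new_handler=$new: ", handler_access_check($caller, $old, $new) ?? 'allowed', "\n";
}
// A viewer (3) reads an issue handled by user 2.
print_r(issue_for_caller(['id' => 100, 'handler_id' => 2], 3));
```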