View Issue Details

ID: 0016993
Project: mantisbt
Category: api soap
View Status: public
Last Update: 2014-12-05 18:33
Reporter: atrol
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.16
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0016993: Handler can be set without having appropriate access rights
Description

A reporter is able to report an issue using the SOAP API and
a) assign handlers without having update_bug_assign_threshold rights and
b) assign users without having handle_bug_threshold rights

#16990 is an example of it (I don't really know, but I am quite sure it has been created using SOAP)

Tags: No tags attached.

Relationships

related to 0012328 (acknowledged): Normalise access checks between the web interface and the SOAP API
has duplicate 0017669 (closed, vboctor): Reporters are able to assign issues

Activities

vboctor

2014-10-21 23:41

manager   ~0041628

Here is the pull request:
https://github.com/mantisbt/mantisbt/pull/518

vboctor

2014-10-22 00:27

manager   ~0041629

The bug applied to mc_issue_add() and mc_issue_update(). I've updated target version to 1.2.x.

dregad

2014-10-28 11:21

developer   ~0041695

If you are going to backport this, then please change Fixed in Version back to 1.2.x

vboctor

2014-11-05 00:11

manager   ~0041761

@dregad, this is now ported to 1.2.x.

Related Changesets

MantisBT: master 2fe0ee6a

2014-10-21 19:40

vboctor


Add handler access check to mc_issue_add()

The mc_issue_add() API was missing a check to validate that the specified handler has the appropriate access level.

Fixes 0016993
Affected Issues
0016993
mod - api/soap/mc_issue_api.php

MantisBT: master bcd976bb

2014-10-21 20:22

vboctor


Add can assign check to mc_issue_add()

Users who report an issue with handler set must have the access level required to assign issues.

Issue 0016993
Affected Issues
0016993
mod - api/soap/mc_issue_api.php

MantisBT: master d7e16cc5

2014-10-21 22:51

vboctor


Add access check to mc_issue_get() for handler_id

Disclose the handler id only if the user has the appropriate access level to see such information.

Issue 0016993
Affected Issues
0016993
mod - api/soap/mc_issue_api.php

MantisBT: master a58d63ac

2014-10-21 23:12

vboctor


Refactor handler access check for soap api

Move the check to a shared method used by mc_issue_add() and mc_issue_update().

Issue 0016993
Affected Issues
0016993
mod - api/soap/mc_issue_api.php

MantisBT: master-1.2.x dc9f0157

2014-11-04 19:10

vboctor


Handler access checks in SOAP API

The mc_issue_add() and mc_issue_update() APIs were missing checks to validate that the specified handler has the appropriate access level and that the logged in user has the access level to assign issues.

mc_issue_get() was also missing the check that the user has access to view the handler assigned to the issue.

Fixes 0016993
Affected Issues
0016993
mod - api/soap/mc_issue_api.php
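
An added example (not MantisBT code and not taken from the linked pull request) of the two checks this report says were missing from mc_issue_add() and mc_issue_update(): the caller must meet update_bug_assign_threshold and the chosen handler must meet handle_bug_threshold. The function names, user ids and numeric access levels are constructed for illustration.

```php
<?php
// Added illustration, not MantisBT source. Function names, user ids and the
// numeric access levels are constructed; only the two threshold names come
// from the report.
const REPORTER  = 25;
const DEVELOPER = 55;

// Constructed project access levels: user id => level.
$levels = array( 1 => REPORTER, 2 => DEVELOPER, 3 => REPORTER );

// Constructed values for the two thresholds named in the report.
$thresholds = array(
	'update_bug_assign_threshold' => DEVELOPER, // who may assign issues
	'handle_bug_threshold'        => DEVELOPER, // who may be a handler
);

function has_level( array $levels, $threshold, $user_id ) {
	return isset( $levels[$user_id] ) && $levels[$user_id] >= $threshold;
}

// Returns null when the handler change is allowed, else the reason it is
// refused. Handler id 0 means "unassigned"; on issue creation $old is 0.
function handler_change_denied( array $levels, array $thresholds, $actor, $old, $new ) {
	$actor = (int)$actor; $old = (int)$old; $new = (int)$new;
	if( $new === $old ) {
		return null; // handler untouched, nothing to authorise
	}
	// (a) the caller must be allowed to assign issues
	if( !has_level( $levels, $thresholds['update_bug_assign_threshold'], $actor ) ) {
		return "user $actor may not assign issues";
	}
	// (b) the chosen handler must be allowed to handle issues
	if( $new !== 0 && !has_level( $levels, $thresholds['handle_bug_threshold'], $new ) ) {
		return "user $new may not handle issues";
	}
	return null;
}

// Constructed requests: array( actor, old handler, new handler ).
$requests = array( array( 1, 0, 2 ), array( 2, 0, 3 ), array( 2, 0, 2 ), array( 1, 0, 0 ) );
foreach( $requests as $r ) {
	$reason = handler_change_denied( $levels, $thresholds, $r[0], $r[1], $r[2] );
	echo "actor={$r[0]} old={$r[1]} new={$r[2]}: ",
		$reason === null ? 'allowed' : "denied ($reason)", "\n";
}
```

Keeping both checks in one routine that every entry point accepting a handler calls matches the refactoring changeset above, which moves the check to a shared method used by mc_issue_add() and mc_issue_update().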