View Issue Details

ID: 0022480
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-09-02 00:36
Reporter: alberto.gonzag
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: confirmed
Resolution: open
Product Version: 2.0.0
Summary: 0022480: Is not validating any security constraints for each profile in the action combo.
Description

The system is not validating any security constraints for each profile in the action combo over a multiple selection. You can even edit read-only issues with a profile that should not be allowed to.

Tags: No tags attached.
Attached Files: Error security.png (13,155 bytes)

Activities

atrol (developer), 2017-03-06 15:02, note ~0055928

alberto.gonzag,

Maybe I don't understand your issue, but I was not able to reproduce it using the given information with the latest version, 2.2.0.
I recommend upgrading to this version.

If the problem persists, we need a complete and detailed description to get a clear understanding of the problem.

Please explain what you do, what results you expect to get, and what you actually get.

Also provide detailed, step-by-step instructions to reproduce the issue; the additional information listed below may also be useful:

  • Exact version of PHP, Database, Web server, Browser and Operating System
  • Relevant customizations (e.g. changes in config_inc.php, etc)
  • Installed plugins or custom functions?
  • Was the MantisBT source code modified in any way?
alberto.gonzag (reporter), 2017-03-07 13:40, note ~0055969

Atrol,
Thanks for your answer.
I have a question: will updating to version 2.2.0 solve the problem?
Additional data:
Database version: 5.6.17.
Apache version: 2.4.9
PHP version: 5.5.12
Browser: Chrome Version 56.0.2924.87.
Changes in config_inc.php: $g_default_timezone = 'America/Mexico_City';
Installed plugins: only by default installation.
Source code modified: Only some tables summary, texts in general of the Spanish language.

Steps:
Step 1: Close any issue with a profile that has permission to close (in this case I use informator).
Step 2: Check the status settings for which issues are considered read-only (in this case, closed).
Step 3: Log in as a user whose profile does not have permission to edit read-only issues (in this case, I use developer).
Step 4: Go to the issue list and select a closed issue (use the checkbox and select one).
Step 5: Go to the action list and select Update Status.
Step 6: Click on Accept and select Assign.
Step 7: Click on Accept.

At this point the status update is allowed and the workflow settings are not considered. The same goes for updating visibility.
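
The per-issue gate that the bulk "Update Status" action is missing in the steps above, as an added example: this is a standalone PHP model written for this page, not MantisBT's code. The constant names and the threshold defaults (RESOLVED and above read-only unless the user is at least MANAGER; DEVELOPER required to change status) mirror MantisBT's own defaults, while the functions, the simplified workflow table, the empty `set_status_threshold` override and the two sample issues are this example's assumptions.

```php
<?php
// Standalone model of the per-issue access gate that a bulk "Update Status"
// action has to apply. Constant names and threshold defaults mirror MantisBT's
// constant_inc.php / config_defaults_inc.php; the functions, the simplified
// workflow table and the sample issues are this example's own, not MantisBT code.

// Access levels (MantisBT values)
const DEVELOPER = 55;
const MANAGER   = 70;

// Issue statuses (MantisBT values)
const NEW_     = 10;
const ASSIGNED = 50;
const RESOLVED = 80;
const CLOSED   = 90;

$g_config = array(
    // MantisBT defaults: RESOLVED and above is read-only unless the user is at least MANAGER
    'bug_readonly_status_threshold' => RESOLVED,
    'update_readonly_bug_threshold' => MANAGER,
    // Minimum level to change an issue's status when no per-status override exists
    'update_bug_status_threshold'   => DEVELOPER,
    'set_status_threshold'          => array(),
    // Assumed workflow for this example (MantisBT ships an empty one, meaning any
    // transition is allowed); note that nothing may leave CLOSED
    'status_enum_workflow'          => array(
        NEW_     => array( ASSIGNED, RESOLVED, CLOSED ),
        ASSIGNED => array( RESOLVED, CLOSED ),
        RESOLVED => array( ASSIGNED, CLOSED ),
        CLOSED   => array(),
    ),
);

// Access level required to move an issue into $status.
function status_threshold( array $cfg, int $status ): int {
    return $cfg['set_status_threshold'][$status] ?? $cfg['update_bug_status_threshold'];
}

// True when the issue is read-only for a user of this level.
function bug_is_readonly_for( array $cfg, array $bug, int $user_level ): bool {
    return $bug['status'] >= $cfg['bug_readonly_status_threshold']
        && $user_level < $cfg['update_readonly_bug_threshold'];
}

// True when the workflow permits the transition $from -> $to.
function workflow_allows( array $cfg, int $from, int $to ): bool {
    if ( $from === $to ) {
        return true;
    }
    $wf = $cfg['status_enum_workflow'];
    if ( empty( $wf ) ) {
        return true; // no workflow configured: any transition is allowed
    }
    return in_array( $to, $wf[$from] ?? array(), true );
}

// Returns null when the update may proceed, otherwise the reason it must be refused.
function status_update_denial( array $cfg, array $bug, int $user_level, int $new_status ): ?string {
    if ( bug_is_readonly_for( $cfg, $bug, $user_level ) ) {
        return 'issue is read-only for this user';
    }
    if ( $user_level < status_threshold( $cfg, $new_status ) ) {
        return 'user is below the threshold for the target status';
    }
    if ( !workflow_allows( $cfg, $bug['status'], $new_status ) ) {
        return 'transition is not allowed by the workflow';
    }
    return null;
}

// The bulk action: the gate runs once per selected issue, not once per batch,
// so a mixed selection updates only the issues this user may actually change.
function bulk_update_status( array $cfg, array &$bugs, array $selected, int $user_level, int $new_status ): array {
    $result = array( 'updated' => array(), 'skipped' => array() );
    foreach ( $selected as $id ) {
        $why = status_update_denial( $cfg, $bugs[$id], $user_level, $new_status );
        if ( $why === null ) {
            $bugs[$id]['status'] = $new_status;
            $result['updated'][] = $id;
        } else {
            $result['skipped'][$id] = $why;
        }
    }
    return $result;
}

// Constructed sample reproducing the report: issue 1 was closed by a reporter,
// issue 2 is new; a developer then selects both and picks "Update Status" -> Assign.
$bugs = array(
    1 => array( 'status' => CLOSED ),
    2 => array( 'status' => NEW_ ),
);
print_r( bulk_update_status( $g_config, $bugs, array( 1, 2 ), DEVELOPER, ASSIGNED ) );
```

Run with `php`, the script assigns issue 2 and reports issue 1 as skipped because it is read-only for a developer; the read-only check fires before the workflow check, so a closed issue is refused even under a permissive workflow. The same three checks apply to every other bulk action that changes state, which is why they belong in the per-issue loop rather than in front of the batch.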

atrol (developer), 2017-03-07 14:37, note ~0055970 (last edited: 2017-03-07 14:38)

I am able to reproduce the issue using the steps provided in 0022480:0055969 in any version between 1.3.0 and 2.2.0.

jeffh (reporter), 2017-05-16 13:12, note ~0056866

Prior to today (5/8/2017), you WERE able to pick the format by selecting the delimiter. However, I made a change today that takes away the need to select a delimiter and will now present the user with a dialog box that allows for selecting the format, including Excel, and sending the export as email.

jeffh (reporter), 2017-05-16 13:13, note ~0056867

Please disregard the note above; I was testing a POST issue in our MBT install.