View Issue Details

ID: 0008498
Project: mantisbt
Category: news
View Status: public
Last Update: 2014-01-23 04:43
Reporter: pluntke
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: won't fix
Summary: 0008498: inconsistency in 'add news' access rights
Description

Managers can add news to 'all projects' by a trick (and can even edit them)

Steps To Reproduce

When adding news as a manager from project 'all projects' I get forwarded to a page where I have to choose which project to add the news to.

I choose a project and I'll reach the add news page.
When I now change back the header's project field on the page to 'all projects', then the news can be added to 'all projects' successfully (which I probably should not be allowed to).

When trying to edit the news, first I can't reach it, because I can't choose the 'all projects' news page. I again have to start adding news to any project and after reaching the 'add news' page I change to 'all projects' and will see the news I've added before in the bottom field 'edit/delete news'.

I now can choose the message for editing but on this page there's a 'send to' field which finally stops me from re-adding it to 'all projects'.

Tags: No tags attached.

Activities

vboctor (manager), 2007-10-24 13:04, note ~0015973

I haven't reproduced the problem but it seems that such an authorization error should be fixed. In general we should make sure that all our APIs (and action scripts?) do the necessary authorization.
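An added example, not MantisBT code and not part of the original thread: a self-contained PHP model of action handlers that authorize at submit time against the project the news item is stored under, for both the add and edit paths described in the report. The constants, access-level values, function names and in-memory store are all hypothetical.

```php
<?php
// Added illustration, not MantisBT code: every name and value below is hypothetical.
const ALL_PROJECTS = 0;    // constructed sentinel for the 'all projects' scope
const MANAGER = 70;        // constructed access-level thresholds
const ADMINISTRATOR = 90;

// Access level a user holds in the scope a news item is (or would be) stored under.
function access_level_for(array $user, int $projectId): int
{
    if ($projectId === ALL_PROJECTS) {
        return $user['global'];    // per-project roles never apply to the global scope
    }
    return max($user['global'], $user['projects'][$projectId] ?? 0);
}

// Add handler: authorize against the project id submitted with the request,
// then store under that same id. Nothing carries over from the form page.
function news_add(array $user, int $projectId, string $headline, array &$store): ?int
{
    if (access_level_for($user, $projectId) < MANAGER) {
        return null;               // caller renders an access-denied page
    }
    $store[] = ['project_id' => $projectId, 'headline' => $headline];
    return array_key_last($store);
}

// Edit handler: check the scope the item is stored under and the scope it would move to.
function news_update(array $user, int $newsId, int $targetProjectId, string $headline, array &$store): bool
{
    if (!isset($store[$newsId])) {
        return false;
    }
    foreach ([$store[$newsId]['project_id'], $targetProjectId] as $scope) {
        if (access_level_for($user, $scope) < MANAGER) {
            return false;
        }
    }
    $store[$newsId] = ['project_id' => $targetProjectId, 'headline' => $headline];
    return true;
}

// Constructed sample users: a manager of project 3 only, and a global administrator.
$manager = ['global' => 25, 'projects' => [3 => MANAGER]];
$admin   = ['global' => ADMINISTRATOR, 'projects' => []];
$store   = [];

var_dump(news_add($manager, 3, 'Release notes', $store));          // own project
var_dump(news_add($manager, ALL_PROJECTS, 'Site-wide', $store));   // scope switched before submit
$id = news_add($admin, ALL_PROJECTS, 'Maintenance', $store);
var_dump(news_update($manager, $id, 3, 'Edited', $store));         // editing a global item
```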

vboctor (manager), 2014-01-13 02:34, note ~0039029

The news feature has been deprecated.