View Issue Details

ID: 0008843
Project: mantisbt
Category: time tracking
View Status: public
Last Update: 2008-08-11 09:41
Reporter: Loki
Assigned To: daryn
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows
OS: Server
OS Version: 2000
Product Version: 1.1.1
Target Version:
Fixed in Version: 1.2.0a2
Summary: 0008843: Ignores tracking_reporting_threshold
Description

access level required to run reports

$g_time_tracking_reporting_threshold = MANAGER;

Time Tracking ignores this setting

Steps To Reproduce

Login as a developer with the default threshold of Manager and you can go to the Billing link and run reports.

Tags: No tags attached.

Activities

2008-02-01 07:25
billing_access_check.diff (1,248 bytes)
diff -ru mantis-1.1.1.orig/billing_page.php mantis-1.1.1/billing_page.php
--- mantis-1.1.1.orig/billing_page.php	2007-10-13 23:36:41.000000000 +0100
+++ mantis-1.1.1/billing_page.php	2008-02-01 12:23:50.000000000 +0000
@@ -25,6 +25,7 @@
 	require_once( 'core.php' );
 	
 	$t_core_path = config_get( 'core_path' );
+	access_ensure_global_level( config_get( 'time_tracking_view_threshold' ) );
 ?>
 <?php
 /*
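Review bot: the guard `access_ensure_global_level( config_get( 'time_tracking_view_threshold' ) );` checks the view threshold, but the issue is that `time_tracking_reporting_threshold` (the level required to run reports, per the description) is ignored; a user who meets the view threshold but not the reporting threshold would still reach billing_page.php. Use `config_get( 'time_tracking_reporting_threshold' )` here. Placing the check directly after `require_once( 'core.php' )` and before any output is the right spot, since a denied user then gets the access error rather than a partially rendered report.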
diff -ru mantis-1.1.1.orig/core/html_api.php mantis-1.1.1/core/html_api.php
--- mantis-1.1.1.orig/core/html_api.php	2008-01-19 08:14:32.000000000 +0000
+++ mantis-1.1.1/core/html_api.php	2008-02-01 12:22:17.000000000 +0000
@@ -590,7 +590,7 @@
 				# Add custom options
 				$t_custom_options = prepare_custom_menu_options( 'main_menu_custom_options' );
 				$t_menu_options = array_merge( $t_menu_options, $t_custom_options );
-				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') )
+				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') && access_has_global_level( config_get( 'time_tracking_view_threshold' ) ) )
 					$t_menu_options[] = '<a href="billing_page.php">' . lang_get( 'time_tracking_billing_link' ) . '</a>';
 
 				# Logout (no if anonymously logged in)
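Review bot: the menu condition now gates the link on `time_tracking_view_threshold`, while the summary says the reporting threshold is the setting being ignored; the key must match whatever billing_page.php enforces, otherwise the link is shown to users the page rejects (or hidden from users it admits). Hiding the link is cosmetic only; the server-side check in billing_page.php is what restricts access. Style: the `if` is now one very long line; computing the access check into a `$t_` local beforehand, as the surrounding code does with `$t_custom_options`, would read better.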
kynx
2008-02-01 07:27
reporter   ~0016907

Attached diff that removes 'Billing' link from menu and prevents access to billing page if user does not have correct threshold

Loki
2008-02-01 21:39
reporter   ~0016920

I applied the diffs but still have access below threshold level.

GregorK
2008-02-03 05:01
reporter   ~0016925

Works perfect here...

kynx
2008-02-04 05:35
reporter   ~0016933

My mistake - I was checking the viewing threshold, not the reporting threshold. Will attach updated patch.

2008-02-04 05:43
billing_access_check2.diff (1,108 bytes)
--- mantis-1.1.1.orig/billing_page.php	2007-10-13 23:36:41.000000000 +0100
+++ mantis-1.1.1/billing_page.php	2008-02-04 10:37:18.000000000 +0000
@@ -25,6 +25,7 @@
 	require_once( 'core.php' );
 	
 	$t_core_path = config_get( 'core_path' );
+	access_ensure_global_level( config_get( 'time_tracking_reporting_threshold' ) );
 ?>
 <?php
 /*
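Review bot: `access_ensure_global_level( config_get( 'time_tracking_reporting_threshold' ) )` now reads the setting named in the issue, and it runs before any output, so a user below the threshold is stopped before any report data is rendered. One question: this is a global-level check, so it does not consult the user's access level within a particular project; if billing reports are scoped to a project, a project-level check would be the stricter choice. Worth re-running the reproduction step from the report (developer account, default MANAGER threshold) against billing_page.php directly, not only via the menu.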
--- mantis-1.1.1.orig/core/html_api.php	2008-01-19 08:14:32.000000000 +0000
+++ mantis-1.1.1/core/html_api.php	2008-02-04 10:38:19.000000000 +0000
@@ -590,7 +590,7 @@
 				# Add custom options
 				$t_custom_options = prepare_custom_menu_options( 'main_menu_custom_options' );
 				$t_menu_options = array_merge( $t_menu_options, $t_custom_options );
-				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') )
+				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') && access_has_global_level( config_get( 'time_tracking_reporting_threshold' ) ) )
 					$t_menu_options[] = '<a href="billing_page.php">' . lang_get( 'time_tracking_billing_link' ) . '</a>';
 
 				# Logout (no if anonymously logged in)
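Review bot: the link condition and the page guard both read `time_tracking_reporting_threshold` now, so the menu and the enforcement agree. Same style point as on the first revision: the `if` line is very long, and moving the access check into a `$t_` local (the surrounding code already uses such locals) keeps the menu code readable. Since this is the second revision, a one-line comment above the check stating that it mirrors the guard in billing_page.php would save the next reader from repeating the view-vs-reporting mix-up.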
daudo
2008-02-04 17:21
reporter   ~0016947

IMO this is a major security flaw, because it unveils potential secret data to anyone.

Without the patch applied, even anonymous people who have not even logged in can see and use the "billing" link and see at least the ID, title and resolver of any resolved bug.

kynx
2008-02-05 05:02
reporter   ~0016953

+1. If you're using time tracking, you'll want to have a look at 0008357 and 0008849, which also deal with the time showing to people it shouldn't.

The time tracking stuff is a great addition. It would be good to see these issues on the roadmap for the next release.

daudo
2008-02-05 06:22
reporter   ~0016957

excellent, thanks for the two additional hints :-)

daryn
2008-04-21 10:40
reporter   ~0017637

Applied modified patch. ( Changes to codebase caused initial patch to fail ).

Related Changesets

MantisBT: master bb78e8a1
2008-04-21 14:30:21
daryn

Permissions checks for timetracking.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5184 f5dc347c-c33d-0410-90a0-b07cc1902cb9

mod - billing_page.php
mod - core/html_api.php

MantisBT: master-1.1.x 1c203913
2008-04-21 14:30:21
daryn

Fix 0008843, 10050: Permissions checks for timetracking.

Signed-off-by: John Reese <jreese@leetcode.net>

mod - billing_page.php
mod - core/html_api.php

Issue History

Date Modified Username Field Change
2008-01-31 14:20 Loki New Issue
2008-02-01 07:25 kynx File Added: billing_access_check.diff
2008-02-01 07:27 kynx Note Added: 0016907
2008-02-01 21:39 Loki Note Added: 0016920
2008-02-02 01:19 daryn Assigned To => daryn
2008-02-02 01:19 daryn Status new => acknowledged
2008-02-03 05:01 GregorK Note Added: 0016925
2008-02-04 05:35 kynx Note Added: 0016933
2008-02-04 05:43 kynx File Added: billing_access_check2.diff
2008-02-04 17:21 daudo Note Added: 0016947
2008-02-05 05:02 kynx Note Added: 0016953
2008-02-05 06:22 daudo Note Added: 0016957
2008-04-21 10:40 daryn Status acknowledged => resolved
2008-04-21 10:40 daryn Fixed in Version => 1.2.0a2
2008-04-21 10:40 daryn Resolution open => fixed
2008-04-21 10:40 daryn Note Added: 0017637
2008-08-11 09:41 giallu Status resolved => closed
2009-01-14 10:46 jreese Changeset attached master bb78e8a1 =>
2009-01-14 11:00 daryn Changeset attached master-1.1.x 1c203913 =>