2014-12-20 16:32 EST

View Issue Details

ID: 0008843
Project: mantisbt
Category: time tracking
View Status: public
Last Update: 2008-08-11 09:41
Reporter: Loki
Assigned To: daryn
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows
OS: Server
OS Version: 2000
Product Version: 1.1.1
Target Version: (none)
Fixed in Version: 1.2.0a2
Summary: 0008843: Ignores tracking_reporting_threshold
Description:
    # access level required to run reports
    $g_time_tracking_reporting_threshold = MANAGER;

Time Tracking ignores this setting

Steps To Reproduce: Login as a developer with the default threshold of Manager and you can go to the Billing link and run reports.

Tags: No tags attached.
Attached Files
  • billing_access_check.diff (1,248 bytes) 2008-02-01 07:25
    diff -ru mantis-1.1.1.orig/billing_page.php mantis-1.1.1/billing_page.php
    --- mantis-1.1.1.orig/billing_page.php	2007-10-13 23:36:41.000000000 +0100
    +++ mantis-1.1.1/billing_page.php	2008-02-01 12:23:50.000000000 +0000
    @@ -25,6 +25,7 @@
     	require_once( 'core.php' );
     	
     	$t_core_path = config_get( 'core_path' );
    +	access_ensure_global_level( config_get( 'time_tracking_view_threshold' ) );
     ?>
     <?php
     /*
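Review bot: The guard added after `$t_core_path = config_get( 'core_path' );` checks `time_tracking_view_threshold`, but the issue summary and description name `time_tracking_reporting_threshold` (`$g_time_tracking_reporting_threshold = MANAGER;`) as the setting the Billing page ignores, so a user who meets only the view threshold still reaches the reports. Suggest `access_ensure_global_level( config_get( 'time_tracking_reporting_threshold' ) );` here. Placing the gate before any output is the right spot for a page-level check.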
    diff -ru mantis-1.1.1.orig/core/html_api.php mantis-1.1.1/core/html_api.php
    --- mantis-1.1.1.orig/core/html_api.php	2008-01-19 08:14:32.000000000 +0000
    +++ mantis-1.1.1/core/html_api.php	2008-02-01 12:22:17.000000000 +0000
    @@ -590,7 +590,7 @@
     				# Add custom options
     				$t_custom_options = prepare_custom_menu_options( 'main_menu_custom_options' );
     				$t_menu_options = array_merge( $t_menu_options, $t_custom_options );
    -				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') )
    +				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') && access_has_global_level( config_get( 'time_tracking_view_threshold' ) ) )
     					$t_menu_options[] = '<a href="billing_page.php">' . lang_get( 'time_tracking_billing_link' ) . '</a>';
     
     				# Logout (no if anonymously logged in)
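Review bot: Same key mismatch as in billing_page.php: the menu condition tests `time_tracking_view_threshold` where the reported setting is `time_tracking_reporting_threshold`, so the Billing link would still be offered to users who should not be able to run reports. Hiding the link is cosmetic only; the `access_ensure_global_level` call in billing_page.php is the control that actually enforces the threshold, and both places must read the same config key.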
    
  • billing_access_check2.diff (1,108 bytes) 2008-02-04 05:43
    --- mantis-1.1.1.orig/billing_page.php	2007-10-13 23:36:41.000000000 +0100
    +++ mantis-1.1.1/billing_page.php	2008-02-04 10:37:18.000000000 +0000
    @@ -25,6 +25,7 @@
     	require_once( 'core.php' );
     	
     	$t_core_path = config_get( 'core_path' );
    +	access_ensure_global_level( config_get( 'time_tracking_reporting_threshold' ) );
     ?>
     <?php
     /*
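Review bot: The key is now `time_tracking_reporting_threshold`, matching the setting quoted in the description. One gap remains: the menu only offers the link when `time_tracking_enabled` and `time_tracking_with_billing` are set, but billing_page.php itself checks neither, so a direct request for the page still renders it when time tracking is switched off. Consider applying the same two `config_get` conditions in billing_page.php ahead of the threshold check so the page and the menu agree.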
    --- mantis-1.1.1.orig/core/html_api.php	2008-01-19 08:14:32.000000000 +0000
    +++ mantis-1.1.1/core/html_api.php	2008-02-04 10:38:19.000000000 +0000
    @@ -590,7 +590,7 @@
     				# Add custom options
     				$t_custom_options = prepare_custom_menu_options( 'main_menu_custom_options' );
     				$t_menu_options = array_merge( $t_menu_options, $t_custom_options );
    -				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') )
    +				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') && access_has_global_level( config_get( 'time_tracking_reporting_threshold' ) ) )
     					$t_menu_options[] = '<a href="billing_page.php">' . lang_get( 'time_tracking_billing_link' ) . '</a>';
     
     				# Logout (no if anonymously logged in)
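Review bot: The `+` line now chains three `config_get` calls and an `access_has_global_level` call in one unbraced `if`; assign the condition to a variable such as `$t_show_billing` (a name suggested here, not in the patch) and brace the body, so the next condition added does not silently break the single-statement `if`. The logic itself is fine: the access check is only evaluated when time tracking with billing is enabled, and it uses the same `time_tracking_reporting_threshold` key as billing_page.php.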
    

Notes

~0016907 kynx (reporter)

Attached diff that removes 'Billing' link from menu and prevents access to billing page if user does not have correct threshold
~0016920 Loki (reporter)

I applied the diffs but still have access below threshold level.
~0016925 GregorK (reporter)

Works perfect here...
~0016933 kynx (reporter)

My mistake - I was checking the viewing threshold, not the reporting threshold. Will attach updated patch.
~0016947 daudo (reporter)

IMO this is a major security flaw, because it unveils potentially secret data to anyone.

Without the patch applied, even anonymous people who have not even logged in can see and use the "billing" link and see at least the ID, title and resolver of any resolved bug.
~0016953 kynx (reporter)

+1. If you're using time tracking, you'll want to have a look at 0008357 and 0008849, which also deal with the time showing to people it shouldn't.

The time tracking stuff is a great addition. It would be good to see these issues on the roadmap for the next release.
~0016957 daudo (reporter)

excellent, thanks for the two additional hints :-)
~0017637 daryn (reporter)

Applied modified patch. (Changes to codebase caused initial patch to fail.)
Issue History
Date Modified Username Field Change
2008-01-31 14:20 Loki New Issue
2008-02-01 07:25 kynx File Added: billing_access_check.diff
2008-02-01 07:27 kynx Note Added: 0016907
2008-02-01 21:39 Loki Note Added: 0016920
2008-02-02 01:19 daryn Assigned To => daryn
2008-02-02 01:19 daryn Status new => acknowledged
2008-02-03 05:01 GregorK Note Added: 0016925
2008-02-04 05:35 kynx Note Added: 0016933
2008-02-04 05:43 kynx File Added: billing_access_check2.diff
2008-02-04 17:21 daudo Note Added: 0016947
2008-02-05 05:02 kynx Note Added: 0016953
2008-02-05 06:22 daudo Note Added: 0016957
2008-04-21 10:40 daryn Status acknowledged => resolved
2008-04-21 10:40 daryn Fixed in Version => 1.2.0a2
2008-04-21 10:40 daryn Resolution open => fixed
2008-04-21 10:40 daryn Note Added: 0017637
2008-08-11 09:41 giallu Status resolved => closed
2009-01-14 10:46 jreese Changeset attached master bb78e8a1 =>
2009-01-14 11:00 daryn Changeset attached master-1.1.x 1c203913 =>