View Issue Details

ID: 0008843
Project: mantisbt
Category: time tracking
View Status: public
Last Update: 2008-08-11 09:41
Reporter: Loki
Assigned To: daryn
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows
OS: Server
OS Version: 2000
Product Version: 1.1.1
Fixed in Version: 1.2.0a2
Summary0008843: Ignores tracking_reporting_threshold
Description

access level required to run reports

$g_time_tracking_reporting_threshold = MANAGER;

Time Tracking ignores this setting

Steps To Reproduce

Log in as a developer with the default threshold of Manager and you can go to the Billing link and run reports.

Tags: No tags attached.
Attached Files
billing_access_check.diff (1,248 bytes)   
diff -ru mantis-1.1.1.orig/billing_page.php mantis-1.1.1/billing_page.php
--- mantis-1.1.1.orig/billing_page.php	2007-10-13 23:36:41.000000000 +0100
+++ mantis-1.1.1/billing_page.php	2008-02-01 12:23:50.000000000 +0000
@@ -25,6 +25,7 @@
 	require_once( 'core.php' );
 	
 	$t_core_path = config_get( 'core_path' );
+	access_ensure_global_level( config_get( 'time_tracking_view_threshold' ) );
 ?>
 <?php
 /*
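Review bot: the added check reads time_tracking_view_threshold, but the setting the report says is ignored is time_tracking_reporting_threshold, so a user whose level satisfies the view threshold but not the reporting threshold still reaches this page; it should be `access_ensure_global_level( config_get( 'time_tracking_reporting_threshold' ) );`. The placement is right: it sits directly after require_once( 'core.php' ) and before the closing `?>`, so the denial happens before any of the report is emitted.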
diff -ru mantis-1.1.1.orig/core/html_api.php mantis-1.1.1/core/html_api.php
--- mantis-1.1.1.orig/core/html_api.php	2008-01-19 08:14:32.000000000 +0000
+++ mantis-1.1.1/core/html_api.php	2008-02-01 12:22:17.000000000 +0000
@@ -590,7 +590,7 @@
 				# Add custom options
 				$t_custom_options = prepare_custom_menu_options( 'main_menu_custom_options' );
 				$t_menu_options = array_merge( $t_menu_options, $t_custom_options );
-				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') )
+				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') && access_has_global_level( config_get( 'time_tracking_view_threshold' ) ) )
 					$t_menu_options[] = '<a href="billing_page.php">' . lang_get( 'time_tracking_billing_link' ) . '</a>';
 
 				# Logout (no if anonymously logged in)
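Review bot: same key mismatch as in the billing_page.php hunk: the menu condition tests time_tracking_view_threshold while the configured setting in the report is time_tracking_reporting_threshold, so which users see the link would not follow the reporting threshold an administrator set. The three-term condition is also now one very long line; compute `$t_can_report = access_has_global_level( config_get( 'time_tracking_reporting_threshold' ) );` above the if and test that instead.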
billing_access_check2.diff (1,108 bytes)   
--- mantis-1.1.1.orig/billing_page.php	2007-10-13 23:36:41.000000000 +0100
+++ mantis-1.1.1/billing_page.php	2008-02-04 10:37:18.000000000 +0000
@@ -25,6 +25,7 @@
 	require_once( 'core.php' );
 	
 	$t_core_path = config_get( 'core_path' );
+	access_ensure_global_level( config_get( 'time_tracking_reporting_threshold' ) );
 ?>
 <?php
 /*
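Review bot: the key now matches the reported setting, and because access_ensure_global_level() halts rather than returning, an anonymous or under-threshold session is refused before any output. One remaining gap visible across the two hunks: the menu in core/html_api.php also requires time_tracking_enabled and time_tracking_with_billing, but this page checks only the access level, so a direct request for billing_page.php with billing switched off still passes; add the same two config_get() guards here so the page is not reachable by URL when the feature is disabled.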
--- mantis-1.1.1.orig/core/html_api.php	2008-01-19 08:14:32.000000000 +0000
+++ mantis-1.1.1/core/html_api.php	2008-02-04 10:38:19.000000000 +0000
@@ -590,7 +590,7 @@
 				# Add custom options
 				$t_custom_options = prepare_custom_menu_options( 'main_menu_custom_options' );
 				$t_menu_options = array_merge( $t_menu_options, $t_custom_options );
-				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') )
+				if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') && access_has_global_level( config_get( 'time_tracking_reporting_threshold' ) ) )
 					$t_menu_options[] = '<a href="billing_page.php">' . lang_get( 'time_tracking_billing_link' ) . '</a>';
 
 				# Logout (no if anonymously logged in)
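Review bot: hiding the link is a usability change, not the access control; with this hunk alone anyone can still open billing_page.php by URL, so it must ship together with the access_ensure_global_level() call in billing_page.php. As in the first patch, the extended condition is well past a readable line length; pull the access_has_global_level( config_get( 'time_tracking_reporting_threshold' ) ) call into a $t_ variable before the if.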

Activities

kynx (reporter) 2008-02-01 07:27 ~0016907

Attached diff that removes 'Billing' link from menu and prevents access to billing page if user does not have correct threshold

Loki (reporter) 2008-02-01 21:39 ~0016920

I applied the diffs but still have access below threshold level.

GregorK (reporter) 2008-02-03 05:01 ~0016925

Works perfectly here...

kynx (reporter) 2008-02-04 05:35 ~0016933

My mistake - I was checking the viewing threshold, not the reporting threshold. Will attach updated patch.

daudo (reporter) 2008-02-04 17:21 ~0016947

IMO this is a major security flaw, because it unveils potential secret data to anyone.

Without the patch applied, even anonymous people who have not even logged in can see and use the "billing" link and see at least the ID, title and resolver of any resolved bug.
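The two comments above make the point that matters for review: removing the Billing link only changes the menu, while an anonymous or under-threshold visitor can still request billing_page.php directly, so the threshold has to be enforced in the page handler and has to fail closed. The script below is an added illustration written for this page, not MantisBT code. The numeric access levels are MantisBT's own constant values; the config store, the helper function bodies, the AccessDenied exception, the billing_page() simulation and the modelling of an anonymous session as level ANYBODY are assumptions made for the example.

```php
<?php
// Added illustration for this issue page; not MantisBT code.
// Access level constants carry MantisBT's numeric values.
const ANYBODY       = 0;
const VIEWER        = 10;
const REPORTER      = 25;
const UPDATER       = 40;
const DEVELOPER     = 50;
const MANAGER       = 70;
const ADMINISTRATOR = 90;
const NOBODY        = 100;

// Hypothetical in-memory config standing in for config_get(); the
// threshold is the one from the report.
$g_config = [
    'time_tracking_enabled'             => true,
    'time_tracking_with_billing'        => true,
    'time_tracking_reporting_threshold' => MANAGER,
];

function config_get( string $p_key ) {
    global $g_config;
    return $g_config[$p_key];
}

class AccessDenied extends RuntimeException {}

// Assumed has/ensure pair with the same shape as the calls in the patch:
// has_ returns a bool, ensure_ aborts the request. An anonymous session is
// modelled as a null user level and treated as ANYBODY, so it can never
// satisfy a threshold above 0 (fail closed).
function access_has_global_level( int $p_threshold, ?int $p_user_level ): bool {
    $t_level = $p_user_level ?? ANYBODY;
    return $t_level >= $p_threshold;
}

function access_ensure_global_level( int $p_threshold, ?int $p_user_level ): void {
    if ( !access_has_global_level( $p_threshold, $p_user_level ) ) {
        throw new AccessDenied( 'Access Denied' );
    }
}

// Menu rendering as in html_api.php after the patch: the link is a hint,
// not a control.
function render_billing_link( ?int $p_user_level ): string {
    $t_can_report = access_has_global_level(
        config_get( 'time_tracking_reporting_threshold' ), $p_user_level );
    if ( config_get( 'time_tracking_enabled' )
        && config_get( 'time_tracking_with_billing' )
        && $t_can_report ) {
        return '<a href="billing_page.php">Billing</a>';
    }
    return '';
}

// Simulated billing_page.php: reachable by URL whether or not the menu
// showed the link. With $p_patched false it behaves like 1.1.1 and serves
// the report to everyone.
function billing_page( ?int $p_user_level, bool $p_patched ): string {
    if ( $p_patched ) {
        access_ensure_global_level(
            config_get( 'time_tracking_reporting_threshold' ), $p_user_level );
    }
    return 'billing report: bug ids, summaries, handlers, time spent';
}

$t_sessions = [ 'anonymous' => null, 'developer' => DEVELOPER, 'manager' => MANAGER ];

foreach ( [ false, true ] as $t_patched ) {
    echo $t_patched ? "-- with page-level check --\n" : "-- menu hidden only --\n";
    foreach ( $t_sessions as $t_name => $t_level ) {
        $t_link = render_billing_link( $t_level ) === '' ? 'no link' : 'link shown';
        try {
            $t_result = billing_page( $t_level, $t_patched );
        } catch ( AccessDenied $e ) {
            $t_result = $e->getMessage();
        }
        printf( "%-9s %-10s direct GET -> %s\n", $t_name, $t_link, $t_result );
    }
}
```

Run it with `php` on the command line. In the first pass only the manager sees a link, yet all three sessions, the anonymous one included, get the report from a direct request; in the second pass the same page-level ensure call that the patch adds turns the anonymous and developer requests into Access Denied while the manager is unaffected. The menu condition and the page check read the same config key on purpose, which is exactly the mistake the first patch in this thread made.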

kynx (reporter) 2008-02-05 05:02 ~0016953

+1. If you're using time tracking, you'll want to have a look at 0008357 and 0008849, which also deal with the time showing to people it shouldn't.

The time tracking stuff is a great addition. It would be good to see these issues on the roadmap for the next release.

daudo (reporter) 2008-02-05 06:22 ~0016957

excellent, thanks for the two additional hints :-)

daryn (reporter) 2008-04-21 10:40 ~0017637

Applied modified patch. (Changes to codebase caused initial patch to fail.)

Related Changesets

MantisBT: master bb78e8a1
2008-04-21 10:30
daryn

Permissions checks for timetracking.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5184 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Affected Issues: 0008843, 0010050
mod - billing_page.php
mod - core/html_api.php

MantisBT: master-1.1.x 1c203913
2008-04-21 10:30
daryn

Fix 0008843, 10050: Permissions checks for timetracking.

Signed-off-by: John Reese <jreese@leetcode.net>
Affected Issues: 0008843, 0010050
mod - billing_page.php
mod - core/html_api.php