View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008843 | mantisbt | time tracking | public | 2008-01-31 14:20 | 2008-08-11 09:41 |
Reporter | Loki | Assigned To | daryn | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Platform | Windows | OS | Server | OS Version | 2000 |
Product Version | 1.1.1 | ||||
Fixed in Version | 1.2.0a2 | ||||
Summary | 0008843: Ignores tracking_reporting_threshold | ||||
Description | access level required to run reports. Time Tracking ignores this setting | ||||
Steps To Reproduce | Login as a developer with the default threshold of Manager and you can go to the Billing link and run reports. | ||||
Tags | No tags attached. | ||||
Attached Files | billing_access_check.diff (1,248 bytes)
diff -ru mantis-1.1.1.orig/billing_page.php mantis-1.1.1/billing_page.php --- mantis-1.1.1.orig/billing_page.php 2007-10-13 23:36:41.000000000 +0100 +++ mantis-1.1.1/billing_page.php 2008-02-01 12:23:50.000000000 +0000 @@ -25,6 +25,7 @@ require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); + access_ensure_global_level( config_get( 'time_tracking_view_threshold' ) ); ?> <?php /* diff -ru mantis-1.1.1.orig/core/html_api.php mantis-1.1.1/core/html_api.php --- mantis-1.1.1.orig/core/html_api.php 2008-01-19 08:14:32.000000000 +0000 +++ mantis-1.1.1/core/html_api.php 2008-02-01 12:22:17.000000000 +0000 @@ -590,7 +590,7 @@ # Add custom options $t_custom_options = prepare_custom_menu_options( 'main_menu_custom_options' ); $t_menu_options = array_merge( $t_menu_options, $t_custom_options ); - if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') ) + if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') && access_has_global_level( config_get( 'time_tracking_view_threshold' ) ) ) $t_menu_options[] = '<a href="billing_page.php">' . lang_get( 'time_tracking_billing_link' ) . '</a>'; # Logout (no if anonymously logged in) billing_access_check2.diff (1,108 bytes)
--- mantis-1.1.1.orig/billing_page.php 2007-10-13 23:36:41.000000000 +0100 +++ mantis-1.1.1/billing_page.php 2008-02-04 10:37:18.000000000 +0000 @@ -25,6 +25,7 @@ require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); + access_ensure_global_level( config_get( 'time_tracking_reporting_threshold' ) ); ?> <?php /* --- mantis-1.1.1.orig/core/html_api.php 2008-01-19 08:14:32.000000000 +0000 +++ mantis-1.1.1/core/html_api.php 2008-02-04 10:38:19.000000000 +0000 @@ -590,7 +590,7 @@ # Add custom options $t_custom_options = prepare_custom_menu_options( 'main_menu_custom_options' ); $t_menu_options = array_merge( $t_menu_options, $t_custom_options ); - if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') ) + if ( config_get('time_tracking_enabled') && config_get('time_tracking_with_billing') && access_has_global_level( config_get( 'time_tracking_reporting_threshold' ) ) ) $t_menu_options[] = '<a href="billing_page.php">' . lang_get( 'time_tracking_billing_link' ) . '</a>'; # Logout (no if anonymously logged in) | ||||
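Review bot: in billing_access_check.diff, the billing_page.php hunk gates the page on the wrong key. The issue is that the report ignores the reporting threshold, yet the added line reads `access_ensure_global_level( config_get( 'time_tracking_view_threshold' ) );`, so a user who meets the view threshold but not the reporting threshold still gets through, which matches the follow-up observation that access below the threshold remained. The second attachment corrects this to `time_tracking_reporting_threshold` and is the one that should be applied.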
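Review bot: in the core/html_api.php hunk (identical in both attachments apart from the key name), the added `access_has_global_level(...)` clause only hides the menu link; it is not an access control on its own, because `billing_page.php` can still be requested directly by URL. It is acceptable only because the page-level `access_ensure_global_level` call in the other hunk enforces the same threshold, so the two places must keep reading the same config key (the first attachment shows them agreeing on the wrong key, the second on the right one). Style: the `if` condition is now long enough to be worth splitting across lines.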
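Review bot: in billing_access_check2.diff, placing `access_ensure_global_level( config_get( 'time_tracking_reporting_threshold' ) );` immediately after `require_once( 'core.php' );` and before any output is the right spot, since core.php is what loads the config and access APIs and the check has to run before the page emits anything. When verifying, cover the anonymous case raised in this thread as well as the developer case from the reproduction steps, so that a visitor who has not logged in is rejected rather than shown the report.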
Attached diff that removes 'Billing' link from menu and prevents access to billing page if user does not have correct threshold.

I applied the diffs but still have access below threshold level.

Works perfectly here...

My mistake - I was checking the viewing threshold, not the reporting threshold. Will attach updated patch.

IMO this is a major security flaw, because it unveils potential secret data to anyone. Without the patch applied, even anonymous people who have not even logged in can see and use the "billing" link and see at least the ID, title and resolver of any resolved bug.

+1. If you're using time tracking, you'll want to have a look at 0008357 and 0008849, which also deal with the time showing to people it shouldn't. The time tracking stuff is a great addition. It would be good to see these issues on the roadmap for the next release.

Excellent, thanks for the two additional hints :-)

Applied modified patch. (Changes to codebase caused initial patch to fail.)
MantisBT: master bb78e8a1 2008-04-21 10:30
Permissions checks for timetracking. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5184 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Affected Issues 0008843, 0010050

mod - billing_page.php
mod - core/html_api.php

MantisBT: master-1.1.x 1c203913 2008-04-21 10:30
Fix 0008843, 10050: Permissions checks for timetracking. Signed-off-by: John Reese <jreese@leetcode.net>
Affected Issues 0008843, 0010050

mod - billing_page.php
mod - core/html_api.php