View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009828 | mantisbt | bugtracker | public | 2008-11-17 17:13 | 2014-12-08 00:34 |
Reporter | olegos | Assigned To | dhx | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.0a2 | ||||
Target Version | 1.3.0-beta.1 | Fixed in Version | 1.3.0-beta.1 | ||
Summary | 0009828: Reopen issue access check is wrong | ||||
Description | I want to allow any reporter to reopen any issue. The problem is that bug_update.php is not checking reopen_bug_threshold. Its checks when a bug is being reopened should mirror the checks for placing the Reopen button. | ||||
Tags | patch | ||||
Attached Files | bug9828.patch (2,462 bytes)
Index: bug_change_status_page.php =================================================================== --- bug_change_status_page.php (revision 5751) +++ bug_change_status_page.php (working copy) @@ -285,6 +285,7 @@ if ( ON == $f_reopen_flag ) { # bug was re-opened printf(" <input type=\"hidden\" name=\"resolution\" value=\"%s\" />\n", config_get( 'bug_reopen_resolution' ) ); + printf(" <input type=\"hidden\" name=\"reopen_flag\" value=\"1\" />\n" ); } ?> Index: bug_update.php =================================================================== --- bug_update.php (revision 5751) +++ bug_update.php (working copy) @@ -39,6 +39,7 @@ $f_bug_id = gpc_get_int( 'bug_id' ); $f_update_mode = gpc_get_bool( 'update_mode', FALSE ); # set if called from generic update page $f_new_status = gpc_get_int( 'status', bug_get_field( $f_bug_id, 'status' ) ); + $f_reopen_flag = gpc_get_int( 'reopen_flag', OFF ); $t_bug_data = bug_get( $f_bug_id, true ); if( $t_bug_data->project_id != helper_get_current_project() ) { @@ -47,12 +48,15 @@ $g_project_override = $t_bug_data->project_id; } - if ( ! ( + $t_is_reporter = ( bug_get_field( $f_bug_id, 'reporter_id' ) == auth_get_current_user_id() ); + $t_reopen_status = config_get( 'bug_reopen_status' ); + + if ( ! ( ( ( ON == $f_reopen_flag ) && ( $f_new_status == $t_reopen_status ) && + ( access_has_bug_level( config_get( 'reopen_bug_threshold' ), $f_bug_id ) || + ( $t_is_reporter && ( ON == config_get( 'allow_reporter_reopen' ) ) ) ) ) || ( access_has_bug_level( access_get_status_threshold( $f_new_status, bug_get_field( $f_bug_id, 'project_id' ) ), $f_bug_id ) ) || ( access_has_bug_level( config_get( 'update_bug_threshold' ) , $f_bug_id ) ) || - ( ( bug_get_field( $f_bug_id, 'reporter_id' ) == auth_get_current_user_id() ) && - ( ( ON == config_get( 'allow_reporter_reopen' ) ) || - ( ON == config_get( 'allow_reporter_close' ) ) ) ) + ( $t_is_reporter && ( $f_new_status == CLOSED ) && ( ON == config_get( 'allow_reporter_close' ) ) ) ) ) { access_denied(); } @@ -181,7 +185,7 @@ $t_bug_note_set = true; break; - case config_get( 'bug_reopen_status' ): + case $t_reopen_status: if ( $t_old_bug_status >= $t_resolved ) { bug_set_field( $f_bug_id, 'handler_id', $t_bug_data->handler_id ); # fix: update handler_id before calling bug_reopen # bug_reopen updates the status and bugnote and sends message | ||||
related to | 0015721 | closed | grangeway | Functionality to consider porting to master-2.0.x |
has duplicate | 0012103 | closed | dhx | g_reopen_bug_threshold - config parameter defined but reopen doesn't check it |
related to | 0011396 | closed | dhx | difference between closed and resolved |
related to | 0015653 | closed | dregad | APPLICATION ERROR 1303 when trying to reopen an issue |
child of | 0012097 | closed | atrol | Tracking issue for the refactoring of bug_update.php |
I agree that this issue needs to be fixed. This may require revisiting what goes through bug_update.php vs more specific action scripts. |
|
Targetting for future 1.2.x release. |
|
A patch for fixing this issue is attached. Although it's against not the very latest trunk, it should apply cleanly to the head. It also fixes a couple of security issues, I think. Looks to me if the user was a reporter, and allow_reporter_reopen was set, any update by the user would be allowed, not just reopening. Same with allow_reporter_close. The access check for reopen case is adapted from html_button_bug_reopen() in html_api.php (so if changes are made to this part of the patch, html_button_bug_reopen() may need to be updated to match). |
|
Welcome. if ( ON != $f_reopen_flag ) { } |
|
ahutta: it is quite plausible for users to be able to reopen bugs, but not have access to change the target_version and fixed_in_version fields. These permissions are independent of each other. |
|
Since no one seems to work on this issue and it has been bothering me for quite a while, I'm gonna give it a shot in the next few days (if only to get it fixed locally), and try to submit a working patch against the then-latest build. Right now, I'm mentally accounting for two cases in which a user should be able to reopen a bug: when the user meets or exceeds the required $g_reopen_bug_thresholdwhen the user is the reporter of the issue, and $g_allow_reporter_reopen is on...can anybody come up with additional cases in which a user would be allowed to reopen an issue? |
|
Thank you, dhx...I had given this a shot last month, but I ended up breaking something and got sidetracked with other projects before I could fix it. >_> |
|
Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch |
|
MantisBT: master 035a1302 2010-06-22 20:44 Details Diff |
Refactor bug_update to fix multiple bugs This is a large change to bug_update.php which refactors the code to make it clearer and easier to understand. More importantly this refactoring fixes a number of bugs including the prior ability for reporters (with allow_reporter_reopen enabled) to make any modifications to the bug in question even when they didn't have permission to make those changes. This refactoring brings about a structural change to the bug update process. Previously the update checked a field (or number of fields) and then committed changes to the database before moving on to the next field. Hence it was possible for some of the requested changes to be committed to the database before a validation error kicked in, preventing the remainder of updates from being committed. The new structure of bug_update prevents partial commits from occurring as all validation and access checks are done prior to ANY data being committed to the database. If all the validation checks pass then the user can be safe in knowing that all changes should be committed to the database. If any of the validation checks fail, none of the changes have been committed. One remaining problem with this approach is the race condition whereby the administrator updates access checks between the validation of a field and the attempted committal of a field to the database. As access checks are performed internally within bug_api (and elsewhere), these could actually fail during committal (and after the validation steps in bug_update) if the access levels have changed in the meantime. This is a problem with requires rewriting much of the MantisBT codebase - all for a problem that is unlikely to occur and which is of low severity. Email notifications also need to be sorted out correctly some time in the future as it is hard to determine what the expected course of action should be. This update tries sending an email in this order: resolved, closed, reopened, handler added, status changed, bug updated. Only one email is sent so if the handler and status of an issue are updated at once and a user has refused to receive handler notifications, they won't get any email. This is because we currently give higher priority to notifying users of the addition of a handler to an issue rather than a change of status. Issue 0012097: Refactor bug_update.php Fixes 0009828: Reopen issue access check is wrong Fixes 0010226: No email on 'update->assign' Fixes 0011396: difference between closed and resolved Fixes 0011804: allow_reporter_reopen lets reporter make any update |
Affected Issues 0009828, 0010226, 0011396, 0011782, 0011804, 0012097 |
|
mod - bug_update.php | Diff File |