View Issue Details

IDProjectCategoryView StatusLast Update
0009828mantisbtbugtrackerpublic2014-12-08 00:34
Reporterolegos Assigned Todhx  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version1.2.0a2 
Target Version1.3.0-beta.1Fixed in Version1.3.0-beta.1 
Summary0009828: Reopen issue access check is wrong
Description

I want to allow any reporter to reopen any issue.
In configuration in Workflow Thresholds, I checked everyone starting with Reporter for "Reopen an issue".
In Configuration Report, reopen_bug_threshold is 25 (Reporter - correct).
Looking at a resolved issue (where I'm not the submitter), I see the "Reopen Issue" button.
But clicking on it, I'm getting "Access Denied" (after the screen where I can add a note).

The problem is that bug_update.php is not checking reopen_bug_threshold. Its checks when a bug is being reopened should mirror the checks for placing the Reopen button.

Tagspatch
Attached Files
bug9828.patch (2,462 bytes)   
Index: bug_change_status_page.php
===================================================================
--- bug_change_status_page.php	(revision 5751)
+++ bug_change_status_page.php	(working copy)
@@ -285,6 +285,7 @@
 	if ( ON == $f_reopen_flag ) {
 		# bug was re-opened
 		printf("	<input type=\"hidden\" name=\"resolution\" value=\"%s\" />\n",  config_get( 'bug_reopen_resolution' ) );
+		printf("	<input type=\"hidden\" name=\"reopen_flag\" value=\"1\" />\n" );
 	}
 ?>
 
Index: bug_update.php
===================================================================
--- bug_update.php	(revision 5751)
+++ bug_update.php	(working copy)
@@ -39,6 +39,7 @@
 	$f_bug_id = gpc_get_int( 'bug_id' );
 	$f_update_mode = gpc_get_bool( 'update_mode', FALSE ); # set if called from generic update page
 	$f_new_status	= gpc_get_int( 'status', bug_get_field( $f_bug_id, 'status' ) );
+	$f_reopen_flag = gpc_get_int( 'reopen_flag', OFF );
 
 	$t_bug_data = bug_get( $f_bug_id, true );
 	if( $t_bug_data->project_id != helper_get_current_project() ) {
@@ -47,12 +48,15 @@
 		$g_project_override = $t_bug_data->project_id;
 	}
 
-	if ( ! (
+	$t_is_reporter = ( bug_get_field( $f_bug_id, 'reporter_id' ) == auth_get_current_user_id() );
+	$t_reopen_status = config_get( 'bug_reopen_status' );
+
+	if ( ! ( ( ( ON == $f_reopen_flag ) && ( $f_new_status == $t_reopen_status ) &&
+					( access_has_bug_level( config_get( 'reopen_bug_threshold' ), $f_bug_id ) ||
+						( $t_is_reporter && ( ON == config_get( 'allow_reporter_reopen' ) ) ) ) ) ||
 				( access_has_bug_level( access_get_status_threshold( $f_new_status, bug_get_field( $f_bug_id, 'project_id' ) ), $f_bug_id ) ) ||
 				( access_has_bug_level( config_get( 'update_bug_threshold' ) , $f_bug_id ) ) ||
-				( ( bug_get_field( $f_bug_id, 'reporter_id' ) == auth_get_current_user_id() ) &&
-						( ( ON == config_get( 'allow_reporter_reopen' ) ) ||
-								( ON == config_get( 'allow_reporter_close' ) ) ) )
+				( $t_is_reporter && ( $f_new_status == CLOSED ) && ( ON == config_get( 'allow_reporter_close' ) ) )
 			) ) {
 		access_denied();
 	}
@@ -181,7 +185,7 @@
 				$t_bug_note_set = true;
 				break;
 
-			case config_get( 'bug_reopen_status' ):
+			case $t_reopen_status:
 				if ( $t_old_bug_status >= $t_resolved ) {
 					bug_set_field( $f_bug_id, 'handler_id', $t_bug_data->handler_id ); # fix: update handler_id before calling bug_reopen
 					# bug_reopen updates the status and bugnote and sends message
bug9828.patch (2,462 bytes)   

Relationships

related to 0015721 closedgrangeway Functionality to consider porting to master-2.0.x 
has duplicate 0012103 closeddhx g_reopen_bug_threshold - config parameter defined but reopen doesn't check it 
related to 0011396 closeddhx difference between closed and resolved 
related to 0015653 closeddregad APPLICATION ERROR 1303 when trying to reopen an issue 
child of 0012097 closedatrol Tracking issue for the refactoring of bug_update.php 

Activities

vboctor

vboctor

2008-11-18 01:42

manager   ~0019929

I agree that this issue needs to be fixed. This may require revisiting what goes through bug_update.php vs more specific action scripts.

jreese

jreese

2009-01-14 18:18

reporter   ~0020622

Targetting for future 1.2.x release.

olegos

olegos

2009-01-14 20:22

reporter   ~0020626

Last edited: 2009-01-14 20:30

A patch for fixing this issue is attached. Although it's against not the very latest trunk, it should apply cleanly to the head.

It also fixes a couple of security issues, I think. Looks to me if the user was a reporter, and allow_reporter_reopen was set, any update by the user would be allowed, not just reopening. Same with allow_reporter_close.

The access check for reopen case is adapted from html_button_bug_reopen() in html_api.php (so if changes are made to this part of the patch, html_button_bug_reopen() may need to be updated to match).

ahutta

ahutta

2009-09-02 09:24

reporter   ~0022849

Welcome.
I have the same problem even when attached patch was applied.
After checking bug_api.php I found that user should have permission to assign 'target_version' and 'resolved_in_version'. I think that restricion is not necessary then reporter have permision to reopen the bug.
Resolution for me was to place 'if' rule in bug_update.php:

if ( ON != $f_reopen_flag ) {
$t_bug_data->fixed_in_version = gpc_get_string( 'fixed_in_version', $t_bug_data->fixed_in_version );
$t_bug_data->target_version = gpc_get_string( 'target_version', $t_bug_data->target_version );

}

dhx

dhx

2009-09-04 07:16

reporter   ~0022863

ahutta: it is quite plausible for users to be able to reopen bugs, but not have access to change the target_version and fixed_in_version fields. These permissions are independent of each other.

Renegade

Renegade

2010-05-22 00:02

reporter   ~0025587

Since no one seems to work on this issue and it has been bothering me for quite a while, I'm gonna give it a shot in the next few days (if only to get it fixed locally), and try to submit a working patch against the then-latest build.

Right now, I'm mentally accounting for two cases in which a user should be able to reopen a bug:

when the user meets or exceeds the required $g_reopen_bug_threshold

when the user is the reporter of the issue, and $g_allow_reporter_reopen is on

...can anybody come up with additional cases in which a user would be allowed to reopen an issue?

Renegade

Renegade

2010-06-23 09:47

reporter   ~0025966

Thank you, dhx...I had given this a shot last month, but I ended up breaking something and got sidetracked with other projects before I could fix it. >_>

grangeway

grangeway

2013-04-05 17:57

reporter   ~0036503

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master 035a1302

2010-06-22 20:44

dhx


Details Diff
Refactor bug_update to fix multiple bugs

This is a large change to bug_update.php which refactors the code to
make it clearer and easier to understand. More importantly this
refactoring fixes a number of bugs including the prior ability for
reporters (with allow_reporter_reopen enabled) to make any modifications
to the bug in question even when they didn't have permission to make
those changes.

This refactoring brings about a structural change to the bug update
process. Previously the update checked a field (or number of fields) and
then committed changes to the database before moving on to the next
field. Hence it was possible for some of the requested changes to be
committed to the database before a validation error kicked in,
preventing the remainder of updates from being committed.

The new structure of bug_update prevents partial commits from occurring
as all validation and access checks are done prior to ANY data being
committed to the database. If all the validation checks pass then the
user can be safe in knowing that all changes should be committed to the
database. If any of the validation checks fail, none of the changes have
been committed.

One remaining problem with this approach is the race condition whereby
the administrator updates access checks between the validation of a
field and the attempted committal of a field to the database. As access
checks are performed internally within bug_api (and elsewhere), these
could actually fail during committal (and after the validation steps in
bug_update) if the access levels have changed in the meantime. This is a
problem with requires rewriting much of the MantisBT codebase - all for
a problem that is unlikely to occur and which is of low severity.

Email notifications also need to be sorted out correctly some time in
the future as it is hard to determine what the expected course of action
should be. This update tries sending an email in this order: resolved,
closed, reopened, handler added, status changed, bug updated. Only one
email is sent so if the handler and status of an issue are updated at
once and a user has refused to receive handler notifications, they won't
get any email. This is because we currently give higher priority to
notifying users of the addition of a handler to an issue rather than a
change of status.

Issue 0012097: Refactor bug_update.php
Fixes 0009828: Reopen issue access check is wrong
Fixes 0010226: No email on 'update->assign'
Fixes 0011396: difference between closed and resolved
Fixes 0011804: allow_reporter_reopen lets reporter make any update
Affected Issues
0009828, 0010226, 0011396, 0011782, 0011804, 0012097
mod - bug_update.php Diff File