View Issue Details
| Field | Value |
|---|---|
| ID | 0014015 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2012-03-07 16:53 |
| Last Update | 2014-09-23 18:05 |
| Reporter | atrol |
| Assigned To | dhx |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.9 |
| Target Version | 1.2.11 |
| Fixed in Version | 1.2.11 |
| Summary | 0014015: Users with access level REPORTER cannot delete own attachments despite allow_delete_own_attachments = ON |
| Tags | No tags attached. |

Description:

Although configuration option `allow_delete_own_attachments` is set to ON, reporters cannot delete their own attachments. This error message is caused by the following line in bug_file_delete.php, as the default setting of `update_bug_threshold` is UPDATER:

`access_ensure_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id );`

ATM we can't replace this line just by checking `allow_delete_own_attachments == ON` || checking `update_bug_threshold`. I will enter another related issue in short term which will show why I reported this issue with category "security" instead of "attachments", although it seems at first sight that the user does not get enough access rights.
MantisBT: master f82f98cc 2012-06-02 00:10

Fix 0014016: delete_attachments_threshold is not checked

Roland Becker (MantisBT developer) reported the following security/access control bug: In a default installation delete_attachments_threshold is set to DEVELOPER but having access level >= update_bug_threshold is enough to delete attachments if form_security_validation is set to OFF.

MantisBT was not checking the access level of the user requesting deletion of an attachment to an issue against $g_delete_attachments_threshold. The new access control logic for deleting an issue attachment is now:

1. Does the user have an access level of at least update_bug_threshold?
2. If the user is the owner of the file and $g_allow_delete_own_attachments=OFF, does this user have an access level of at least delete_attachments_threshold?
3. If the user is not the owner of the file, do they have an access level of at least delete_attachments_threshold?

Also refer to issue 0014015 for discussion on whether update_bug_threshold should be part of the access control logic. The relevant SOAP API call has also been updated.

Conflicts: bug_file_delete.php

Affected Issues: 0014015, 0014016

mod - api/soap/mc_issue_attachment_api.php
mod - bug_file_delete.php
MantisBT: master-1.2.x ceafe6f0 2012-06-02 00:10

Fix 0014016: delete_attachments_threshold is not checked

Roland Becker (MantisBT developer) reported the following security/access control bug: In a default installation delete_attachments_threshold is set to DEVELOPER but having access level >= update_bug_threshold is enough to delete attachments if form_security_validation is set to OFF.

MantisBT was not checking the access level of the user requesting deletion of an attachment to an issue against $g_delete_attachments_threshold. The new access control logic for deleting an issue attachment is now:

1. Does the user have an access level of at least update_bug_threshold?
2. If the user is the owner of the file and $g_allow_delete_own_attachments=OFF, does this user have an access level of at least delete_attachments_threshold?
3. If the user is not the owner of the file, do they have an access level of at least delete_attachments_threshold?

Also refer to issue 0014015 for discussion on whether update_bug_threshold should be part of the access control logic. The relevant SOAP API call has also been updated.

Affected Issues: 0014015, 0014016

mod - api/soap/mc_issue_attachment_api.php
mod - bug_file_delete.php
MantisBT: master 31d11568 2012-06-02 00:35

Fix 0014015: attachment deletion: remove update_bug_threshold check

As reported by Roland Becker (MantisBT developer): Although configuration option allow_delete_own_attachments is set to ON reporters cannot delete their own attachments. After pushing the delete button you get "Access Denied".

Issue 0014016 implemented correct attachment deletion access control checks against delete_attachments_threshold. We should be using this threshold instead of update_bug_threshold because attachments aren't linked to the core fields of an issue -- they are frequently related to comments (bugnotes) provided by less privileged users.

$g_allow_delete_own_attachments should now work again... safely.

Affected Issues: 0014015, 0014016

mod - api/soap/mc_issue_attachment_api.php
mod - bug_file_delete.php
MantisBT: master-1.2.x 628e9370 2012-06-02 00:35

Fix 0014015: attachment deletion: remove update_bug_threshold check

As reported by Roland Becker (MantisBT developer): Although configuration option allow_delete_own_attachments is set to ON reporters cannot delete their own attachments. After pushing the delete button you get "Access Denied".

Issue 0014016 implemented correct attachment deletion access control checks against delete_attachments_threshold. We should be using this threshold instead of update_bug_threshold because attachments aren't linked to the core fields of an issue -- they are frequently related to comments (bugnotes) provided by less privileged users.

$g_allow_delete_own_attachments should now work again... safely.

Conflicts: bug_file_delete.php

Affected Issues: 0014015, 0014016

mod - api/soap/mc_issue_attachment_api.php
mod - bug_file_delete.php
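The two commits above change the authorization decision for deleting an attachment twice: 0014016 adds the delete_attachments_threshold and ownership checks, and 0014015 then drops the update_bug_threshold gate. The Python model below is an added illustration written for this page, not MantisBT code; it puts the pre-fix gate, the three-step logic quoted in f82f98cc, and the post-31d11568 logic side by side over every access level so both bugs and their fixes are visible in one decision table. Assumptions: the numeric access-level values follow MantisBT's defaults but only their ordering matters here, and the post-0014015 rule (owner with allow_delete_own_attachments=ON is allowed, everyone else needs delete_attachments_threshold) is my reading of that commit message.

```python
"""Model of MantisBT's attachment-deletion authorization around issues
0014015 and 0014016. Added illustration only, not MantisBT's own code."""
from dataclasses import dataclass

# Access levels. The ordering is what matters; the numeric values follow
# MantisBT's defaults (assumption for this model).
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
LEVEL_NAMES = {10: "VIEWER", 25: "REPORTER", 40: "UPDATER",
               55: "DEVELOPER", 70: "MANAGER", 90: "ADMINISTRATOR"}


@dataclass(frozen=True)
class Config:
    """The three config options named on the page, with the defaults it states."""
    update_bug_threshold: int = UPDATER
    delete_attachments_threshold: int = DEVELOPER
    allow_delete_own_attachments: bool = False


def can_delete_before_fix(cfg: Config, level: int, is_owner: bool) -> bool:
    """Pre-fix bug_file_delete.php as the issue description quotes it:
    access_ensure_bug_level(config_get('update_bug_threshold'), ...) is the
    only gate. Ownership and delete_attachments_threshold are never consulted."""
    return level >= cfg.update_bug_threshold


def can_delete_after_0014016(cfg: Config, level: int, is_owner: bool) -> bool:
    """Steps 1-3 from commit f82f98cc."""
    if level < cfg.update_bug_threshold:               # step 1
        return False
    if is_owner and cfg.allow_delete_own_attachments:  # owner + ON: nothing more required
        return True
    return level >= cfg.delete_attachments_threshold   # steps 2 and 3


def can_delete_after_0014015(cfg: Config, level: int, is_owner: bool) -> bool:
    """Commit 31d11568 removes the update_bug_threshold check (step 1).
    Assumed reading of that commit message; the remaining checks are as above."""
    if is_owner and cfg.allow_delete_own_attachments:
        return True
    return level >= cfg.delete_attachments_threshold


def decision_matrix(cfg: Config):
    """Return {(level_name, is_owner): (before, after_0014016, after_0014015)}
    so the two bugs and their fixes can be read side by side."""
    out = {}
    for level in (VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR):
        for is_owner in (False, True):
            out[(LEVEL_NAMES[level], is_owner)] = (
                can_delete_before_fix(cfg, level, is_owner),
                can_delete_after_0014016(cfg, level, is_owner),
                can_delete_after_0014015(cfg, level, is_owner),
            )
    return out


if __name__ == "__main__":
    for cfg in (Config(), Config(allow_delete_own_attachments=True)):
        state = "ON" if cfg.allow_delete_own_attachments else "OFF"
        print(f"allow_delete_own_attachments={state}")
        print(f"{'level':<14}{'owner':<7}{'before':<8}{'0014016':<9}{'0014015'}")
        for (name, owner), (b, a1, a2) in decision_matrix(cfg).items():
            print(f"{name:<14}{str(owner):<7}{str(b):<8}{str(a1):<9}{a2}")
        print()
```

Reading the table: with the default configuration an UPDATER who does not own the file could delete it before the fix (issue 0014016) and cannot afterwards; with allow_delete_own_attachments=ON a REPORTER who owns the file is still refused after 0014016 alone, because step 1 runs first, and is allowed only once 0014015 removes that gate. Note also that form_security_validation, mentioned in the commit message, is a CSRF token check: it only decides whether a request came from the application's own form, so it must never stand in for the access-level check that these commits add.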