View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0014496 | mantisbt | security | public | 2012-07-19 02:59 | 2014-12-22 08:23 |

| Field | Value | Field | Value | Field | Value |
|---|---|---|---|---|---|
| Reporter | TomR | Assigned To | dregad | | |
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | | |
| Product Version | 1.2.8 | | | | |
| Target Version | 1.2.12 | Fixed in Version | 1.2.12 | | |

Summary: 0014496: CVE-2012-5522 Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default'

Description: Related to 0011894. If you have in your config_inv.php $g_update_bug_status_threshold = DEVELOPER; you would expect that the defaults in Manage Configuration - Workflow Thresholds would be 'developer' for every status. Instead it shows 'viewer' for every state (except 'new'). In my opinion the default for each status should be taken from $g_set_status_threshold, but if not set, it should 'fall back' to $g_update_bug_status_threshold and not to 'viewer'.

Tags: No tags attached.
| Relationship | Issue | Status | Assigned To | Summary |
|---|---|---|---|---|
| related to | 0011894 | closed | dregad | Update issue status in workflow thresholds not working |
| related to | 0015721 | closed | grangeway | Functionality to consider porting to master-2.0.x |
| related to | 0007325 | feedback | | project dependent "Allow Reporter to close Issue" has no effect, or? |
| related to | 0016771 | closed | dregad | workflow configuration |
Confirmed.

Work-in-progress fix https://github.com/dregad/mantisbt/tree/manage-config-workflow Testing & feedback welcome

The display of the access levels at "Minimum Access Level to Change to this Status" is fine now, but I found some other issues. Test environment: Workflow 1: Workflow 2: Workflow 3: I stop testing more workflows. Minor code issue:

Thanks for testing, I'll look into the issues you found

any new code to test? :)

Not yet no, been busy
The problem is that depending on the value of $g_bug_submit_status ('NEW' by default, but in your test case, set to 'ACKNOWLEDGED'), the access level for the corresponding status is controlled (overridden in fact) by $g_report_bug_threshold instead of $g_set_status_threshold.

Since in a single update operation, the code is both changing $g_bug_submit_status and $g_set_status_threshold, I think what we're seeing is the expected behavior, even though it's a bit confusing. This is because as part of the update process, $g_report_bug_threshold is actually set to match the access level for $g_bug_submit_status; since this happens after setting $g_bug_submit_status, you're effectively preventing REPORTERS from reporting new (i.e. acknowledged) issues, unless you change the access level for status 'ACKNOWLEDGED' to 'REPORTER' before updating. This can easily be confirmed by checking the Manage Workflow Threshold page after the update. So there is a logical explanation for the 'ACKNOWLEDGED' color change.

For 'NEW', you have to keep in mind that with default configuration, $g_set_status_threshold is defined in config_defaults_inc.php as an empty array, so there is no 'file' value, while at 'global' (all projects) level it's set to 'REPORTER'. I believe that one possible way to fix this could be to define in config_defaults_inc.php: $g_set_status_threshold = array( NEW => REPORTER ); Let me know what you think.

Confirmed; this is due to an initial attempt at fixing case 3 below, which was not completely tested.

Yep, I had already identified that one, and marked it as a todo in the code. Need to implement a comparison to remove (or avoid setting) the config when matching the default.

Good catch, thanks. Fixed.
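A small PHP model of the threshold resolution discussed in the note above and in the original report, added here as an example (not MantisBT's own code): the access-level and status constants are taken from MantisBT's defaults, the configuration arrays are constructed, and the `$fixed` switch is an assumption used only to contrast the 1.2.8 and 1.2.12 behaviour.

```php
<?php
// Added example (not MantisBT's own code): models how the Workflow Thresholds
// page derives "Minimum Access Level to Change to this Status". The constants
// mirror MantisBT's constant_inc.php values; the config arrays are constructed.
const VIEWER = 10; const REPORTER = 25; const DEVELOPER = 50;
const NEW_ = 10; const ACKNOWLEDGED = 30; const ASSIGNED = 50; const RESOLVED = 80;

// Effective minimum access level to move an issue into $status.
// $fixed = false models the 1.2.8 page, which fell back to VIEWER whenever
// set_status_threshold had no entry for the status.
function effective_threshold(int $status, array $cfg, bool $fixed = true): int {
    // The status new issues are submitted in is governed by report_bug_threshold,
    // not by set_status_threshold (the override described in the note above).
    if ($status === $cfg['bug_submit_status']) {
        return $cfg['report_bug_threshold'];
    }
    if (isset($cfg['set_status_threshold'][$status])) {
        return $cfg['set_status_threshold'][$status];
    }
    // No explicit entry: fall back to the general update threshold, not VIEWER.
    return $fixed ? $cfg['update_bug_status_threshold'] : VIEWER;
}

// Status => access level table, as the page would display it (and save it back).
function workflow_table(array $cfg, bool $fixed = true): array {
    $table = [];
    foreach ([NEW_, ACKNOWLEDGED, ASSIGNED, RESOLVED] as $status) {
        $table[$status] = effective_threshold($status, $cfg, $fixed);
    }
    return $table;
}

// TomR's setup: only update_bug_status_threshold raised, set_status_threshold
// left at the config_defaults_inc.php value (an empty array).
$cfg = [
    'bug_submit_status'           => NEW_,
    'report_bug_threshold'        => REPORTER,
    'update_bug_status_threshold' => DEVELOPER,
    'set_status_threshold'        => [],
];
print_r(workflow_table($cfg, false)); // the table as 1.2.8 built it
print_r(workflow_table($cfg, true));  // the table as 1.2.12 builds it

// With bug_submit_status moved to ACKNOWLEDGED, that status no longer consults
// set_status_threshold at all; its level is whatever report_bug_threshold holds.
$cfg['bug_submit_status'] = ACKNOWLEDGED;
$cfg['set_status_threshold'] = [ACKNOWLEDGED => DEVELOPER];
print_r(workflow_table($cfg));
```

Because the 1.2.8 table is also what the page saved back, submitting the form unchanged silently persisted VIEWER for every status except the submit status, which is the security-relevant consequence recorded under CVE-2012-5522.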
I revised and updated the github branch [1] with a few additional commits that should fix the issues raised by atrol in 0014496:0033192 as per my comments below. Let me know if you notice any additional issues in testing.

[1] https://github.com/dregad/mantisbt/tree/manage-config-workflow

Ported the 1.2.12 changes to master branch

CVE-2012-5522 assigned on oss-security mailing list on 2012-11-14

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch
|
MantisBT: master-1.2.x d893ca3f 2012-10-12 18:37

Manage config workflow page does not reflect actual config

The code did not properly reflect the configuration state when building the Access Levels form, if the minimum access level was defined using update_bug_status_threshold and set_status_threshold was empty, showing 'viewer' for each status except 'new'. Consequently, saving the page without changes would cause the config to be saved with all access levels as 'viewer'.

Fixes 0014496

Affected Issues: 0014496

mod - manage_config_workflow_page.php
mod - manage_config_workflow_set.php
MantisBT: master a4144388 2012-10-12 18:37

Manage config workflow page does not reflect actual config

The code did not properly reflect the configuration state when building the Access Levels form, if the minimum access level was defined using update_bug_status_threshold and set_status_threshold was empty, showing 'viewer' for each status except 'new'. Consequently, saving the page without changes would cause the config to be saved with all access levels as 'viewer'.

Fixes 0014496

Affected Issues: 0014496

mod - manage_config_workflow_page.php
mod - manage_config_workflow_set.php
MantisBT: master-1.2.x d982fc99 2012-10-28 18:47

Workflow config: delete override if identical to parent

The code in manage_config_workflow_set.php now deletes the config override for the current project if the new settings are identical to the parent's (ALL_PROJECTS level if project, or file-level if all projects).

Follow-up fix for issue 0014496

Affected Issues: 0014496

mod - manage_config_workflow_set.php
MantisBT: master c96ca214 2012-10-28 18:47

Workflow config: delete override if identical to parent

The code in manage_config_workflow_set.php now deletes the config override for the current project if the new settings are identical to the parent's (ALL_PROJECTS level if project, or file-level if all projects).

Follow-up fix for issue 0014496

Affected Issues: 0014496

mod - manage_config_workflow_set.php
MantisBT: master-1.2.x 361089d2 2012-10-28 19:00

Define default $g_set_status_threshold for NEW to REPORTER

This prevents incorrect highlighting of NEW status as an override in the Access Levels section of manage_config_workflow_page.php, when $g_bug_submit_status is different from default.

Fixes 0014496 (see atrol's bugnote 0014496:0033192 and my follow up in 0014496:0033325)

Affected Issues: 0014496

mod - config_defaults_inc.php
MantisBT: master 7c46e287 2012-10-28 19:00

Define default $g_set_status_threshold for NEW to REPORTER

This prevents incorrect highlighting of NEW status as an override in the Access Levels section of manage_config_workflow_page.php, when $g_bug_submit_status is different from default.

Fixes 0014496 (see atrol's bugnote 0014496:0033192 and my follow up in 0014496:0033325)

Affected Issues: 0014496

mod - config_defaults_inc.php