|
MantisBT: master-1.2.x 179bfc01
2012-12-06 03:33
dregad
Details
Diff |
access_get_status_threshold() returns incorrect value for NEW
When the user's access level is below $g_update_bug_status_threshold and
the status to change to is NEW, the function returned the incorrect
access level, preventing user from accessing the target status when
updating bugs, even though the workflow permits it.
This commit fixes the problem by introducing special handling for NEW
status ('bug_submit_status'), in which case the function returns
'report_bug_threshold' otherwise it falls back to default
'update_bug_status_threshold'.
Fixes 0015260, affects issue 0015258 |
Affected Issues
0015258, 0015260 |
|
mod - core/access_api.php |
Diff
File |
|
MantisBT: master 53844e36
2012-12-06 03:33
dregad
Details
Diff |
access_get_status_threshold() returns incorrect value for NEW
When the user's access level is below $g_update_bug_status_threshold and
the status to change to is NEW, the function returned the incorrect
access level, preventing user from accessing the target status when
updating bugs, even though the workflow permits it.
This commit fixes the problem by introducing special handling for NEW
status ('bug_submit_status'), in which case the function returns
'report_bug_threshold' otherwise it falls back to default
'update_bug_status_threshold'.
Fixes 0015260, affects issue 0015258 |
Affected Issues
0015258, 0015260 |
|
mod - core/access_api.php |
Diff
File |
|
MantisBT: master-1.2.x c8813734
2012-12-06 03:39
dregad
Details
Diff |
Prevent reporters from changing issue status to 'new'
Due to a missing access level check in html_button_bug_update(), in some
cases reporters had access to the 'Change Status To' button, which could
let them change an existing issue's status to 'new' (even if not their
own issue).
The code now checks that the user has at least 'update_bug_threshold'
permissions to display the button.
Fixes 0015258 |
Affected Issues
0015258 |
|
mod - core/html_api.php |
Diff
File |
|
MantisBT: master 53282ac6
2012-12-06 03:39
dregad
Details
Diff |
Prevent reporters from changing issue status to 'new'
Due to a missing access level check in html_button_bug_update(), in some
cases reporters had access to the 'Change Status To' button, which could
let them change an existing issue's status to 'new' (even if not their
own issue).
The code now checks that the user has at least 'update_bug_threshold'
permissions to display the button.
Fixes 0015258 |
Affected Issues
0015258 |
|
mod - core/html_api.php |
Diff
File |
|
MantisBT: master-1.2.x e074efde
2013-09-14 00:38
dregad
Details
Diff |
Use correct threshold for display of Change status list+button
Fix for issue 0015258 introduced a check for 'update_bug_threshold' to
prevent unauthorized users from changing issue status.
This was not the correct config setting to use, the right one is
'update_bug_status_threshold'.
Fixes 0016376 |
Affected Issues
0015258, 0016376 |
|
mod - core/html_api.php |
Diff
File |
|
MantisBT: master d5da1d24
2013-09-14 00:38
dregad
Details
Diff |
Use correct threshold for display of Change status list+button
Fix for issue 0015258 introduced a check for 'update_bug_threshold' to
prevent unauthorized users from changing issue status.
This was not the correct config setting to use, the right one is
'update_bug_status_threshold'.
Fixes 0016376 |
Affected Issues
0015258, 0016376 |
|
mod - core/html_api.php |
Diff
File |
