View Issue Details

ID: 0022224
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2022-05-16 08:53
Reporter: Mr.Bricodage
Assigned To: dregad
Priority: normal
Severity: feature
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.0.0
Target Version: 2.26.0
Fixed in Version: 2.26.0
Summary: 0022224: Access Restrictions to "Print Reports", "CSV Export", "Excel Export" in view all bugs page
Description

The current Mantis version displays several options to export and print filtered bugs in the view all bugs page; these options are displayed on top of the bugs table.

This kind of option should be displayed only to a restricted list of users based on user rights on each project, at least in my company.

I see two solutions to restrict access to these options:

  • define a configuration option to set the minimum access to see each option ($g_view_export_excel_button_threshold, $g_view_export_csv_button_threshold, $g_view_print_report_button_threshold) and use each threshold in the 'view_all_inc.php' file.
  • use a plugin to catch an event and hide these options if user has no right.

What is your opinion about these solutions?

I tried to implement the plugin but I didn't find any plugin that is used to "hide" or "delete" information displayed by Mantis, only plugins that add more information.

My goal is to implement the functionality according to your wishes (with a minimum of help if a plugin can be used) and post here or on GitHub the implemented solution.

Thanks for your help.

Tags: No tags attached.

Relationships

has duplicate 0025622 (closed, dregad, mantisbt): print_all_bug_page_word.php runs out of memory
related to 0025492 (resolved, dregad, mantisbt): Printing (print_all_bug_page) is a perf/security risk

Activities

atrol (developer) - 2017-01-20 02:16 - ~0055237

Are you aware that restricting access to those pages does not restrict users from getting the same information by using other ways?

E.g. you could get the information by using the SOAP API or by using scripts to access "View Issue Details" page of all issues.

cproensa (developer) - 2017-01-20 03:38 - ~0055238

> Are you aware that restricting access to those pages does not restrict users from getting the same information by using other ways

Besides that, in similar situations where you may want to alter some of the screen elements and there is no hook provided by core or plugin events, you may use JavaScript to selectively hide or delete those elements.

Mr.Bricodage (reporter) - 2017-01-23 05:33 - ~0055261

> Are you aware that restricting access to those pages does not restrict users from getting the same information by using other ways

Yes, I am. My "rejected export access users" have no technical knowledge to use SOAP or scripts. And my goal is to hide "easy access" to unwanted export functions for non-technical users (REPORTER). If they find another way, their account deserves to be upgraded ;-)

Maybe CSV Export and Excel Export should become plugins? Because XML Import / Export is configurable:

public function config() {
    return array(
        "import_threshold" => ADMINISTRATOR,
        "export_threshold" => DEVELOPER,
    );
}

This is the behaviour that I need and imagine for Excel and CSV exports. I have no idea for Print Reports. Your thoughts?

> in similar situations, that you may want to alter some of the screen elements, where there is not a provided hook by core or plugin events, you may use javascript to selectively hide or delete those elements

Thanks for the tip. That will be my solution if nothing can be done in core or (new) plugins.

Regards

cproensa (developer) - 2017-01-23 06:29 - ~0055264

Having a configurable threshold for users that can execute an export may be a convenient feature.
So, relating to atrol's comment:

> Are you aware that restricting access to those pages does not restrict users from getting the same information by using other ways?

A massive export can be a long-running process; even if the same info can be accessed by the users, limiting the export execution could be used by some admin in some situations. For example: preventing server overload or DoS requests for small servers.

Mr.Bricodage (reporter) - 2017-02-05 13:47 - ~0055494

@atrol: did you change your mind with cproensa's use case?

atrol (developer) - 2017-02-05 14:00 - ~0055495

> @atrol : did you change your mind with cproensa use case ?

Change my mind? Isn't 0022224:0055237 true?

Mr.Bricodage (reporter) - 2017-02-05 14:14 - ~0055496

> Change my mind? Isn't 0022224:0055237 true?

You're right, wrong formulation, my mistake and my apologies.

Are you in favor of adding this new configuration option?

atrol (developer) - 2017-02-06 07:47 - ~0055504

I don't need it myself, but I see no reason why it should not be implemented.

The options should not just prevent the display of the buttons, but also the access to the pages.
E.g. you should not be able to open the link https://www.YourMantisbt.com/bugs/csv_export.php

So I would call the options
$g_export_excel_threshold, $g_export_csv_threshold, $g_print_report_threshold
instead of
$g_view_export_excel_button_threshold, $g_view_export_csv_button_threshold, $g_view_print_report_button_threshold

Not sure if 3 separate options are needed, maybe one is enough. Something like $g_export_issues_threshold

cproensa (developer) - 2017-02-06 15:02 - ~0055512

> $g_print_report_threshold

I wasn't thinking of $g_print_report_threshold. I don't know if it falls in the same situation, if it can be easily used to output 1000s of issues at once.

> $g_export_excel_threshold, $g_export_csv_threshold

I would define only one export threshold.
We still keep separate pages and configs for CSV and Excel operations, but in the future I think we'll probably want to join them into one single export functionality.

Mr.Bricodage (reporter) - 2017-02-06 16:33 - ~0055513

Thanks for your responses.

In hindsight, I'm not able to provide a good reason to hide the "Print reports" option. I made the mistake of grouping print and export functions when I wrote the issue.

I'll provide a PR ASAP with one configuration variable '$g_export_issues_threshold' that will be used to check user rights for the Export Excel and Export CSV functionalities (display of menus and access to pages).

Mr.Bricodage (reporter) - 2017-02-07 17:43 - ~0055569

PR: https://github.com/mantisbt/mantisbt/pull/1021

atrol (developer) - 2017-02-08 03:27 - ~0055574
Last edited: 2018-09-07 06:07

> I don't know if it falls in the same situation, if it can be easily used to output 1000s of issues at once.

> In hindsight, I'm not able to provide a good reason to hide "Print reports" option.

"Print reports" can easily be used to export all issues.

Mr.Bricodage (reporter) - 2017-02-08 16:44 - ~0055593
Last edited: 2018-09-07 06:01

> "Print reports" can easily be used to export all issues.

I agree. My contribution (overview in 0022224:0055513) is based on the last response from @cproensa:

> $g_print_report_threshold

> I wasn't thinking in $g_print_report_threshold. I don't know if it falls in the same situation, if it can be easily used to output 1000s of issues at once.

> $g_export_excel_threshold, $g_export_csv_threshold

> I would define only one export threshold.

Should I add a second threshold ($g_print_report_threshold?) for the "Print Reports" option? Or use the same threshold for the 3 options?

mak (reporter) - 2018-09-07 02:05 - ~0060618

Has this issue been addressed?
I have the same requirement as described.

dregad (developer) - 2018-09-07 06:08 - ~0060620

> Should I add a second threshold ($g_print_report_threshold ?) for "Print Reports" option ? Or use the same threshold for the 3 options?

In my opinion, a single threshold is sufficient.

dregad (developer) - 2021-10-31 06:31 - ~0065976

Picking this up where @Mr.Bricodage left off.

For now, I have rebased his original work onto latest master - https://github.com/dregad/mantisbt/tree/pr1021. Will test and adapt the code in the coming days as time allows.

dregad (developer) - 2022-05-12 11:28 - ~0066570

Please see new PR https://github.com/mantisbt/mantisbt/pull/1810, replacing the original contribution by @Mr.Bricodage.
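
As an added illustration (not MantisBT's own code and not the contents of either PR), here is the pattern atrol asked for above, where the threshold gates both the buttons and the pages themselves, using the two option names the changeset below introduces. It assumes the MantisBT core helpers config_get(), access_has_project_level() and access_ensure_project_level() and the DEVELOPER/UPDATER access-level constants; the DEVELOPER default for the export option is a sample value the page does not state.

```php
<?php
# Added illustration, not MantisBT's own code. Assumed core helpers:
# config_get(), access_has_project_level(), access_ensure_project_level().

# ---- config_defaults_inc.php: one threshold per feature -------------------
# Sample default for exports (the page does not state the shipped value).
$g_export_issues_threshold = DEVELOPER;
# UPDATER is the default named in the changeset for Print Reports, because
# print_all_bug_page_word.php can render every matching issue in one request.
$g_print_reports_threshold = UPDATER;

# ---- view_all_inc.php: only offer the buttons the user may actually use ----
# Hiding a button is cosmetic: it removes the "easy access" the reporter
# wanted gone, but on its own it protects nothing.
$t_can_export = access_has_project_level( config_get( 'export_issues_threshold' ) );
$t_can_print  = access_has_project_level( config_get( 'print_reports_threshold' ) );
if( $t_can_export ) {
	echo '<a href="csv_export.php">CSV Export</a> ';
	echo '<a href="excel_xml_export.php">Excel Export</a> ';
}
if( $t_can_print ) {
	echo '<a href="print_all_bug_page.php">Print Reports</a>';
}

# ---- csv_export.php and excel_xml_export.php: the check that matters -------
# A user who types the URL directly never sees the page above, so each export
# script must re-check. access_ensure_project_level() aborts the request
# with an access-denied error when the current user is below the threshold,
# before any issue data is queried or streamed.
access_ensure_project_level( config_get( 'export_issues_threshold' ) );
# ... build and stream the export only after this line ...

# ---- print_all_bug_page.php and print_all_bug_page_word.php: same rule ----
access_ensure_project_level( config_get( 'print_reports_threshold' ) );
# ... render the report only after this line ...
```

The same threshold value is read in both places, so an administrator changing it on the Workflow Thresholds page adjusts the visible buttons and the server-side enforcement together.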

Related Changesets

MantisBT: master 267418c1
2022-05-16 05:55, dregad

Add new configs to Workflow Thresholds page

Issue 0022224
Affected Issues: 0022224
mod - lang/strings_english.txt
mod - manage_config_work_threshold_page.php
mod - manage_config_work_threshold_set.php

MantisBT: master 20cd415e
2022-05-16 08:51, dregad (Committer: community)

Restrict access to Export and Print Reports
Adds 2 new config options to control access restrictions to these View
Issues page functionalities:

- CSV/Excel Export ($g_export_issues_threshold)
- Print Reports ($g_print_reports_threshold)

The default value for print_reports_threshold is UPDATER, to reduce the
risk of denial of service attacks overloading the server via multiple
concurrent executions of print_all_bug_page_word.php. This changes from
earlier behavior, where access to this function was not restricted.

Fixes 0022224, 0025492,
PR https://github.com/mantisbt/mantisbt/pull/1810
Affected Issues: 0022224, 0025492
mod - config_defaults_inc.php
mod - css/default.css
mod - csv_export.php
mod - docbook/Admin_Guide/en-US/config/misc.xml
mod - excel_xml_export.php
mod - lang/strings_english.txt
mod - manage_config_work_threshold_page.php
mod - manage_config_work_threshold_set.php
mod - print_all_bug_page.php
mod - print_all_bug_page_word.php
mod - view_all_inc.php