0030533: Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0030533	mantisbt	security	public	2022-06-10 08:54	2022-06-24 04:05

Reporter	gatis	Assigned To	community
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.25.4
Target Version	2.25.5	Fixed in Version	2.25.5

Summary	0030533: Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote
Description	When bugnote_user_edit_threshold for the project is set lower than the default value in configuration, users with permissions lower than the default bugnote_user_edit_threshold can get proceed to edit the bugnote, but actual editing throws access denied exception.
Steps To Reproduce	For example set default bugnote_user_edit_threshold to 55; Use user with level 50; Set bugnote_user_edit_threshold to 50 for project; Create a bug in project and add a bugnote; The user will see controls to edit the bugnote but will not be able to edit it;
Tags	No tags attached.

MantisBT: master 9596fdc8 2022-06-15 12:33 gatis Committer: community Details Diff	Fixed wrong bugnote_user_edit_threshold on update Because there was no check for correct $g_project_override in bugnote_update.php the default value of "bugnote_user_edit_threshold" was used instead of one set for the project. This caused problem that when project had lower user rights setting than the default access denied exception was thrown when editing bugnote. Fixes 0030533, PR https://github.com/mantisbt/mantisbt/pull/1818	Affected Issues 0030533
	mod - bugnote_update.php	Diff File
MantisBT: master 0c4ba874 2022-06-15 12:33 gatis Committer: dregad Details Diff	Fixed wrong bugnote_user_edit_threshold on update Because there was no check for correct $g_project_override in bugnote_update.php the default value of "bugnote_user_edit_threshold" was used instead of one set for the project. This caused problem that when project had lower user rights setting than the default access denied exception was thrown when editing bugnote. Fixes 0030533, PR https://github.com/mantisbt/mantisbt/pull/1818 (cherry picked from commit 9596fdc85260eaf29e04a4d8829f4f6fc0f6c5ed)	Affected Issues 0030533
	mod - bugnote_update.php	Diff File

dregad 2022-06-10 09:52 developer ~0066713	PR https://github.com/mantisbt/mantisbt/pull/1818