View Issue Details

ID: 0007196
Project: mantisbt
Category: security
View Status: public
Last Update: 2022-05-28 11:24
Reporter: redcom
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: won't fix
Product Version: 1.0.3
Summary: 0007196: access_denied() function should indicate the reason why access was denied
Description

access_denied() should take a parameter to a language token that indicates the reason why access was denied. This will assist in finding bugs or misconfigurations in access control.

In our installation a user has developer access to the site, but in a specific project they have administrative access, and when clicking on the manage link, they get taken to an access denied page.

I can't tell if this is a misconfiguration or if it is a real issue.

Additional Information

example of a call:

currently in file_download.php:

    # Check access rights
    switch ( $f_type ) {
        case 'bug':
            if ( !file_can_download_bug_attachments( $v_bug_id ) ) {
                access_denied();
            }
            break;
        case 'doc':
            # Check if project documentation feature is enabled.
            if ( OFF == config_get( 'enable_project_documentation' ) ) {
                access_denied();
            }

could be changed to:

    # Check access rights
    switch ( $f_type ) {
        case 'bug':
            if ( !file_can_download_bug_attachments( $v_bug_id ) ) {
                access_denied( $MANTIS_ERROR[ERROR_ACCESS_DOWNLOAD_BUG_ATTACH] );
            }
            break;
        case 'doc':
            # Check if project documentation feature is enabled.
            if ( OFF == config_get( 'enable_project_documentation' ) ) {
                access_denied( $MANTIS_ERROR[ERROR_ACCESS_ENABLE_PROJECT_DOC] );
            }

Tags: No tags attached.

Activities

dregad (developer)

2022-05-18 10:35

~0066598

Giving no extra information ensures we do not disclose something that could then be used to exploit the system.
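As an added illustration (not MantisBT's own code, and not endorsed by either participant above), here is one way to reconcile the report's request with the disclosure concern in the reply: the reason token is written to the server-side log, where an administrator can diagnose a misconfiguration, while the requester sees only the generic message. The function name access_denied_logged, the REASON_* constants and the sample context values are assumptions constructed for this example.

```php
<?php
// Constructed stand-ins for the reason tokens proposed in the report.
const REASON_DOWNLOAD_BUG_ATTACH  = 'download_bug_attachment_not_allowed';
const REASON_PROJECT_DOC_DISABLED = 'project_documentation_disabled';

/**
 * Record why access was refused, then return only a generic message.
 * $p_context carries what an administrator needs to reproduce the
 * decision (user, project, page); none of it reaches the response body.
 */
function access_denied_logged( string $p_reason, array $p_context = array() ): string {
    // Server-side audit line: the one place to look when a user with a
    // configured role reports an unexpected "access denied".
    $t_entry = sprintf(
        'ACCESS DENIED reason=%s user=%d project=%d page=%s',
        $p_reason,
        (int)( $p_context['user_id'] ?? 0 ),
        (int)( $p_context['project_id'] ?? 0 ),
        $p_context['page'] ?? basename( $_SERVER['SCRIPT_NAME'] ?? 'cli' )
    );
    error_log( $t_entry );

    // The requester sees the same text whichever check failed, so the
    // response does not reveal which control blocked the request.
    return 'Access Denied.';
}

// Simplified model of the file_download.php checks quoted in the report;
// the real checks are replaced by boolean inputs so this runs stand-alone.
function check_download( string $p_type, bool $p_can_download, bool $p_docs_enabled, array $p_context ): string {
    switch ( $p_type ) {
        case 'bug':
            if ( !$p_can_download ) {
                return access_denied_logged( REASON_DOWNLOAD_BUG_ATTACH, $p_context );
            }
            break;
        case 'doc':
            if ( !$p_docs_enabled ) {
                return access_denied_logged( REASON_PROJECT_DOC_DISABLED, $p_context );
            }
            break;
    }
    return 'ok';
}

// Constructed sample request: project documentation disabled for project 7.
$t_ctx = array( 'user_id' => 42, 'project_id' => 7, 'page' => 'file_download.php' );
echo check_download( 'doc', true, false, $t_ctx ), PHP_EOL;
```

Run with the PHP CLI; the generic message goes to standard output while the reason token and context appear only in the error log destination configured for PHP.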