View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007225 | mantisbt | security | public | 2006-06-22 21:23 | 2012-11-01 07:45 |

| Field | Value |
|---|---|
| Reporter | atomoid |
| Assigned To | dregad |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | duplicate |
| Product Version | 1.0.1 |
| Tags | No tags attached. |

Summary: 0007225: Reporters can override their permissions if they have access to the "Update Issue" button

Description:

If you set your "Reporter" permissions to NOT be able to "Update Issue Status", they can still do so if you also have the tag set to allow them to "Update an Issue" (on the same page). This is configured in manage_config_work_threshold_page.php: "Update Issue Status" checkmark NOT filled (setting for "All Projects"). I guess we need to have more limitations besides 'status'... The problems with this:

The "Status" field permissions breach can be mitigated by locking them out of most statuses on the bottom of the "manage_config_workflow_page.php" page. But there isn't any good way to block them out of being able to change things such as the "Resolution", "Reporter" and other fields that should rightly be accessible only by developers (if there were a switch available), yet still allow them access to update their original bug text fields. If I am a "reporter" and have access to only my own bugs, then if the "Update an issue" permission is enabled in 'manage_config_work_threshold_page.php', I can go in and change the fields "Reporter", "Resolution", "ETA", "Projection", "Fixed in Version" to whatever I want. Ideally, reporters should only be able to change what they originally had access to on the original Bug Report page; however, this doesn't seem possible given the current available switches.

Mantis 1.0.6

Ability for reporter to update their own issues is tracked in 0008141
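The two threshold settings the report is about, shown side by side in the weak and the mitigated form. This is an added illustration, not configuration from the issue or from the MantisBT project; it assumes the MantisBT config names `$g_update_bug_threshold` and `$g_update_bug_status_threshold` and the access-level constants `REPORTER` and `DEVELOPER` from config_defaults_inc.php and constant_inc.php, which you should check against your installed version.

```php
<?php
// Added example (not from issue 0007225 or from MantisBT itself).
// Assumed names: $g_update_bug_threshold, $g_update_bug_status_threshold,
// REPORTER, DEVELOPER -- verify against your MantisBT version.

// --- Weak combination: what the report describes --------------------------
// "Update Issue Status" is withheld from reporters ...
$g_update_bug_status_threshold = DEVELOPER;
// ... but "Update an Issue" is granted to them. The update threshold is one
// page-level gate, so a reporter who passes it can change Reporter,
// Resolution, ETA, Projection and Fixed in Version, not only their own text.
$g_update_bug_threshold = REPORTER;

// --- Mitigated combination ---------------------------------------------------
// In 1.0.x the only switch that keeps reporters off the developer-only fields
// is the update gate itself. The trade-off is the one the report names:
// reporters then cannot edit their own summary/description either
// (per-field control is what 0008141 tracks).
$g_update_bug_threshold        = DEVELOPER;
$g_update_bug_status_threshold = DEVELOPER;
```

Keep only one of the two pairs in a real config_inc.php (the later assignment wins when both are present; they are listed together here for contrast). Two things to check after changing the file: thresholds set through manage_config_work_threshold_page.php are stored in the database and take precedence over config_inc.php, so a value saved there must be reset on that page, not only in the file; and the status lock-down on manage_config_workflow_page.php mentioned in the report limits only which statuses a reporter may select, not the other fields.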