0007225: Reporters can override their permissions if they have access to the "Update Issue" button - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0007225	mantisbt	security	public	2006-06-22 21:23	2012-11-01 07:45

Reporter	atomoid	Assigned To	dregad
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	duplicate
Product Version	1.0.1

Summary	0007225: Reporters can override their permissions if they have access to the "Update Issue" button
Description	If you set your "Reporter" permissions to NOT be able to "Update Issue Status" ...they can still do so if you also have the tag set to allow them to "Update an Issue" (on same page). This is configured in: manage_config_work_threshold_page.php : "Update Issue Status" checkmark NOT filled (setting for "All Projects"). I guess we need to have more limitations besides 'status'... The problems with this: "Reporters" should be able to edit their bugs to correct error, etc., but of course they should NOT be able to change the resolution, etc. Yet they can change everything as if they had administrator privaledges, even if it is specifically prohibited in the settings for 'Reporters' as noted above. As a result, beta sites are mangling their bugs with all sorts of incongruent settings.
Tags	No tags attached.

atomoid 2007-05-01 14:17 reporter ~0014410 Last edited: 2007-05-01 14:48	The "Status" field permissions breach can be mitigated by locking them out of most statii on the bottom of the "manage_config_workflow_page.php" page. But there isnt any good way to block them out of being able to change things suchas the "Resolution", "Reporter" and other fields that should rightly be accessible only by developers (if there were a switch available), yet still allow them access to update their original bug text fields. If i am a "reporter" and have access to only my own bugs, then if the "Update an issue" permission is enabled in the 'manage_config_work_threshold_page.php', i can go in and change the fields: "Reporter", "Resolution", "ETA", "Projection", "Fixed in Version" to whatever i want. --> These are all fields that do not appear when reporting the bug, so there should be no access to them given the same permissions. For this project, only the 'Category', 'Reproducibility', 'Severity' and 'Project Version' fields are available when reporting the bug. Ideally, reporters should only be able to change what they originally had access to on the original Bug Report page, however, this doesn't seem possible given the current available switches. Mantis 1.0.6

dregad 2012-10-18 07:02 developer ~0033262	Ability for reporter to update their own issues is tracked in 0008141