View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0023679 | mantisbt | administration | public | 2017-11-28 12:14 | 2017-12-13 00:34 |

| Target Version | Fixed in Version |
|---|---|
| 2.10.0 | 2.10.0 |

Summary: 0023679: Limit change of impersonation threshold to global config
If this is not fixed in the versions beyond 2.0.0, please fix it immediately!
I just found out that if I impersonate a user (let's call our user "Person X" for that sake) in our Mantis and commit
My Suggestion: Instead of just having "Person X" indicated in the username column of the Issue History
Because to me, without that, the "Impersonate User" feature is a severe security issue: a nasty admin who wants to smear Person X could now commit disastrous changes in Mantis
Steps To Reproduce:
Log in as a global Admin to your Mantis instance,
See attachment section for suggestions.
Tags: No tags attached.
Keep in mind that a nasty database admin can do even more.
There is a setting $g_impersonate_user_threshold that can be set to NOBODY to deactivate this functionality.
No, not at all. The nasty admin of course can revert this config option to the default, so this is no adequate preventive action in my opinion.
And I am aware that a nasty database admin can do even more harm, but this is no reason why
Do you think that it's ok if the admin (user with access level administrator) is not able to change the option, but the admin (user with write access to config_inc.php) can change the option?
I am not sure about this.
Depends on the definition of "big deal".
I especially don't like that a database schema extension is needed for this quite special use case.
Again: Do you think that it's ok if the admin (user with access level administrator) is not able to change the option, but the admin (user with write access to config_inc.php) can change the option?
I think we should model our access into two high privilege personas:
I can see us limiting impersonation setting to "System Administrator", but once it is enabled for ADMINISTRATORS, we won't do any protections or bookkeeping to track what they have done. I can see value in doing some auditing for what a user has done in general, but that applies to all users and not just administrators.
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-11-28 12:14 | covfefe | New Issue | |
| 2017-11-28 12:14 | covfefe | File Added: 01_Suggestion_for_indicating_changes_done_by_admins_which_impersonate_an_user.png | |
| 2017-11-28 12:14 | covfefe | File Added: 02_Suggestion_for_indicating_notes_posted_by_admins_which_impersonate_an_user.png | |
| 2017-11-28 12:25 | atrol | Note Added: 0058258 | |
| 2017-11-28 12:32 | atrol | Relationship added | related to 0020772 |
| 2017-11-28 12:36 | atrol | Status | new => feedback |
| 2017-11-28 12:36 | atrol | Note Added: 0058259 | |
| 2017-11-28 12:46 | covfefe | Note Added: 0058260 | |
| 2017-11-28 12:46 | covfefe | Status | feedback => new |
| 2017-11-28 14:58 | atrol | Status | new => feedback |
| 2017-11-28 14:58 | atrol | Note Added: 0058261 | |
| 2017-12-07 10:53 | covfefe | Note Added: 0058350 | |
| 2017-12-07 10:53 | covfefe | Status | feedback => new |
| 2017-12-07 17:20 | atrol | Status | new => feedback |
| 2017-12-07 17:20 | atrol | Note Added: 0058352 | |
| 2017-12-08 02:03 | atrol | Note Edited: 0058352 | |
| 2017-12-09 18:39 | vboctor | Note Added: 0058370 | |
| 2017-12-09 18:39 | vboctor | Note Edited: 0058370 | |
| 2017-12-10 08:13 | atrol | Note Added: 0058374 | |
| 2017-12-10 15:25 | atrol | Assigned To | => atrol |
| 2017-12-10 15:25 | atrol | Status | feedback => assigned |
| 2017-12-10 15:25 | atrol | Additional Information Updated | |
| 2017-12-12 02:33 | vboctor | Changeset attached | => MantisBT master aaf79518 |
| 2017-12-12 02:33 | atrol | Status | assigned => resolved |
| 2017-12-12 02:33 | atrol | Resolution | open => fixed |
| 2017-12-12 02:33 | atrol | Fixed in Version | => 2.9.1 |
| 2017-12-12 15:50 | atrol | Fixed in Version | 2.9.1 => 2.10.0 |
| 2017-12-12 15:50 | atrol | Target Version | => 2.10.0 |
| 2017-12-13 00:34 | vboctor | Summary | "Impersonate User" feature can be abused => Limit change of impersonation threshold to global config |