Dependency Graph

View IssueRelationship GraphVerticalShow Summary
Dependency Graph
related to related to child of child of duplicate of duplicate of

View Issue Details

WikiRelated ChangesetsJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0013748mantisbtsecuritypublic2012-01-09 08:112014-09-23 18:05
Reporterdregad Assigned Todregad  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version1.2.8 
Target Version1.2.9Fixed in Version1.2.9 
Summary0013748: Can't move bugs from projects with access < report_bug_threshold
Description

When trying to move an issue from project A to project B, if the current user's access level is below report_bug_threshold in project A, they are not allowed to move the bug even though they should (i.e. they have move_bug_threshold in A and report_bug_threshold in B)

Steps To Reproduce
  • Set report_bug_threshold in project A to 100 (NOBODY)
  • Select a bug in project A
  • Try to Move it to project B

Error message
"You did not have appropriate permissions to perform that action" is displayed

TagsNo tags attached.

Relationships

Relationship GraphDependency Graph
related to 0015721 closedgrangeway Functionality to consider porting to master-2.0.x 

Activities

dregad

dregad

2012-01-09 08:24

developer   ~0030874

The access check in bug_actiongroup.php is not correct. It should verify the user's report_bug_threshold in the target project, not the current project.
dhx

dhx

2012-03-06 17:35

reporter   ~0031396

A CVE identifier has been assigned to this issue:

CVE-2012-1122 MantisBT 1.2.8 13748 incorrect access checks performed
when moving bugs between projects
grangeway

grangeway

2013-04-05 17:57

reporter   ~0036306

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master 0da3f7ac

2012-01-09 00:10

dregad


Details Diff		 Fix Move bugs from projects with access < report_bug_threshold

The access check in bug_actiongroup.php was not correct. It should
verify the user's report_bug_threshold in the target project, not the
current project.

Fixes 0013748		 Affected Issues
0013748
mod - bug_actiongroup.php Diff File

MantisBT: master-1.2.x 64af3ef8

2012-01-09 00:10

dregad


Details Diff		 Fix Move bugs from projects with access < report_bug_threshold

The access check in bug_actiongroup.php was not correct. It should
verify the user's report_bug_threshold in the target project, not the
current project.

Fixes 0013748		 Affected Issues
0013748
mod - bug_actiongroup.php Diff File