View Issue Details

ID: 0010014
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2010-04-23 23:22
Reporter: RoboDoc
Assigned To: jreese
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 1.1.6
Summary: 0010014: Provide a way to disable form token validation for intranet installations
Description

I use Mantis for maintaining a big computer network. Instead of re-typing or copy+changing issues, I do the following:

  1. Report Issue.
  2. Fill out the form.
  3. Check the Report Stay box.
  4. Submit Report.

Then I used to:

  1. Click BACK in my browser.
  2. Do minor changes to the summary / other fields.
  3. Submit Report.

Then redo steps 5-7 for each server I want to maintain - e.g. Summary: "webnode01 -- Rebuild world + kernel" ... "webnode26 -- Rebuild world + kernel".

In v1.1.6 I get app. err. #2800, even though the summary and/or other form fields are different from the previously submitted bug, probably because of the forms having the same security token.

Would it be possible to EITHER validate the summary and/or other form fields before ditching my new, unique issue -- or: add another checkbox at the bottom: "ignore security token"..?

In v1.1.1 it was easier to (almost) "bulk-add" a lot of issues, but in v1.1.6 it's a bit harder, due to the security token (form) check.

Tags: No tags attached.

Relationships

related to 0010627 (closed, dhx): Ensure all forms use CSRF protection
related to 0011023 (closed, dregad): Application error 2800 on subsequent bug reporting

Activities

vboctor (manager), 2009-01-05 00:26, ~0020535

Why don't you clone the bug you just created and do the necessary modifications?

If we add support to ignore security token, then hackers will use it :)

RoboDoc (reporter), 2009-01-06 19:51, ~0020549

Yeah, that's what I was afraid of. :/ The Mantis installation I use is for 'internal' use only and doesn't permit user signup. I use it as a big 'to-do' list as well as an internal system for reporting all kinds of errors or activities, not only software development.

Cloning takes too much time. If I have to bulk-add 32 issues for maintenance on 32 servers, with the same description but with different host-names for each summary-field, that's A LOT of work.

In v1.1.1 I could click 'BACK/PREV' in my browser, and even the cursor was at the same spot; allowing me to click 'backspace, number, ENTER' - just to submit a new, unique issue! :) Adding maintenance work to our 'to do list' was suddenly both easy AND quick!

Would it be possible to keep some kind of security token / security functionality, and still be able to [re-]submit the form with DIFFERENT content, and instead - display an error message if someone tries to re-submit an IDENTICAL issue (to avoid spam / abuse)..?

vboctor (manager), 2009-10-27 21:08, ~0023423

I've acknowledged this and updated the subject. The reason to implement this would be:

Provide a way for users who are hitting the App Error 2800 and have an internal only bug tracker to disable the feature. The configuration option for it should provide a warning of the possible implications.

RoboDoc (reporter), 2009-10-31 15:23, ~0023513

Very good! If the feature could be limited by user access levels as well, that would be optimal (e.g. "requires manager access or higher", etc).

jreese (reporter), 2009-12-16 08:42, ~0023916

There has been a configuration option for this in 1.1.x. Set $g_form_security_validation = OFF in your config_inc.php. See config_defaults_inc.php for the description and warning message.
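
The comment above names the switch; what it switches off is a single-use form token check. The following Python is an added illustration, not MantisBT's own code, of why resubmitting the same page after BACK is rejected even when the summary changed, why a freshly loaded form succeeds, and what is lost when validation is turned off. The Session class, render_form, submit_form, the form name "report_bug" and the sample summaries are constructed for this example; the validate flag stands in for a configuration switch like $g_form_security_validation and is not the project's API.

```python
from __future__ import annotations

import hmac
import secrets


class Session:
    """Minimal server-side session: one set of live (unconsumed) tokens per form.
    Constructed for this example; not how any particular tracker stores tokens."""

    def __init__(self) -> None:
        self.tokens: dict[str, set[str]] = {}


def render_form(session: Session, form_name: str) -> str:
    """Called when the form page is served: mint a random token and remember it."""
    token = secrets.token_hex(16)
    session.tokens.setdefault(form_name, set()).add(token)
    return token


def submit_form(session: Session, form_name: str, token: str,
                fields: dict, validate: bool = True) -> tuple[bool, str]:
    """Handle a POST of the form.

    With validate=True the token must be one issued to this session for this
    form and must not have been used before; it is consumed on success.
    With validate=False the check is skipped entirely (the effect of a switch
    like $g_form_security_validation = OFF), so any page that can make the
    user's browser POST here can create issues on their behalf."""
    if validate:
        live = session.tokens.get(form_name, set())
        # Constant-time comparison against each live token so a mismatch does
        # not leak how many leading bytes were right.
        matched = next((t for t in live if hmac.compare_digest(t, token)), None)
        if matched is None:
            return False, "form token missing, invalid or already used"
        live.discard(matched)  # single use: a second submit of the same page fails
    return True, "created: " + fields["summary"]


def submit_via_back_button(summaries: list[str], validate: bool = True) -> list[bool]:
    """The reporter's workflow: load the form once, then resubmit the same page
    (same hidden token) after editing only the summary each time."""
    session = Session()
    token = render_form(session, "report_bug")
    return [submit_form(session, "report_bug", token, {"summary": s}, validate)[0]
            for s in summaries]


def submit_with_fresh_forms(summaries: list[str]) -> list[bool]:
    """Reload the form page before each submit, so every POST carries a new token."""
    session = Session()
    results = []
    for s in summaries:
        token = render_form(session, "report_bug")
        results.append(submit_form(session, "report_bug", token, {"summary": s})[0])
    return results


def submit_without_token(validate: bool) -> bool:
    """A POST that never went through render_form, e.g. one triggered from
    another site: rejected while validation is on, accepted once it is off."""
    session = Session()
    return submit_form(session, "report_bug", "", {"summary": "x"}, validate)[0]


if __name__ == "__main__":
    # Constructed sample summaries mirroring the thread's use case.
    hosts = [f"webnode{n:02d} -- Rebuild world + kernel" for n in (1, 2, 3)]
    print(submit_via_back_button(hosts))          # [True, False, False]
    print(submit_with_fresh_forms(hosts))         # [True, True, True]
    print(submit_via_back_button(hosts, False))   # [True, True, True]
    print(submit_without_token(True), submit_without_token(False))  # False True
```

The model makes vboctor's point concrete: comparing form contents instead of tokens (the reporter's first suggestion) would not help, because a forged POST can carry any contents it likes; the token is the only thing a third-party page cannot supply. Turning validation off restores the BACK-button workflow, but submit_without_token shows that the same change accepts requests the user never meant to send, which is why the option ships with a warning.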

RoboDoc (reporter), 2009-12-16 09:08, ~0023918

I did. We're still using 1.1.6 because of some configuration options in 1.1.6 not being completely compatible with 1.1.8. Didn't find anything about "$g_form_security_validation" in 1.1.6...

Guess I'll have to have another look at 1.1.8 then.. Tnx.