View Issue Details

ID: 0013085
Project: mantisbt
Category: tagging
View Status: public
Last Update: 2014-09-23 18:05
Reporter: dregad
Assigned To: dhx
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.3
Target Version: 1.2.6
Fixed in Version: 1.2.6
Summary: 0013085: Manage Tag menu should only work for users with global role
Description

Considering that tags are a global feature (as mentioned by jreese in 0009716:0019618), an option to Manage Tags globally should never be given to a user with a global role < Manager even if their project role is Manager.

Assume the following users are defined:
projmgr - global role reporter, manager role for project "A"
globmgr - global role manager

In view.php, both users see the tag hyperlinked, the tag_view_page.php is read-only for projmgr and globmgr can update or delete the tag ==> this works as expected

However, when selecting the "Manage" option in the top menu (manage_overview_page.php) and the active Project is "A", a "Manage Tags" sub-menu item appears. I think this menu item should not be displayed, since projmgr has no rights to edit tags (his global role is Reporter).

Clicking on "Manage Tags" shows the list of tags (manage_tags_page.php); it is fully functional for globmgr as expected (allowing them to create, update and delete tags), but for projmgr it is a read-only list - which is also expected, but in that case why is a (non-functional) "Create Tag" link displayed?

In my opinion, the correct resolution for this would be to not display the "Manage Tags" sub-menu item when the global role is < Manager (and deny access to the corresponding pages), or at least to not display the "Create Tag" link.

Additional Information

In my installation, global roles are not really used, as there are multiple projects and subprojects, which are managed by different groups of people; all users have a global role of Reporter, they are granted additional privileges in specific projects depending on their function within that project. The only people with a global role higher than Reporter are the Administrators.

Tags: patch
Attached Files
0001-Fix-13085-do-not-display-Create-Tag-link-when-user-c.patch (1,071 bytes)   
From 11963e9f74c7bff149bd538ef8ad2ee5d10607bc Mon Sep 17 00:00:00 2001
From: Damien Regad <damien.regad@merckserono.net>
Date: Thu, 16 Jun 2011 13:23:44 +0200
Subject: [PATCH 1/2] Fix #13085: do not display "Create Tag" link when user can't edit tags

---
 manage_tags_page.php |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/manage_tags_page.php b/manage_tags_page.php
index 4ec6db0..c33d5d0 100644
--- a/manage_tags_page.php
+++ b/manage_tags_page.php
@@ -132,8 +132,12 @@ $t_result = db_query_bound( $t_query, $t_where_params, $t_per_page, $t_offset );
 <table class="width100" cellspacing="1">
 	<tr>
 		<td class="form-title" colspan="4">
-			<?php echo lang_get( 'manage_tags_link' ) ?> [<?php echo $t_total_tag_count ?>]
-			<?php print_link( '#tagcreate', lang_get( 'tag_create' ) ) ?>
+			<?php
+				echo lang_get( 'manage_tags_link' ) . ' [' . $t_total_tag_count . '] ';
+				if ( $t_can_edit ) {
+					print_link( '#tagcreate', lang_get( 'tag_create' ) );
+				}
+			?>
 		</td>
 	</tr>
 	<tr class="row-category">
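Review bot: `$t_can_edit` in the new `if ( $t_can_edit )` is not defined in this hunk or its context, so the patch relies on it being set earlier in manage_tags_page.php. Please confirm it is computed from a global-level check against `tag_edit_threshold`; a project-level value would leave the link visible for users whose rights come only from the current project. The condition also only hides the link to `#tagcreate`: the form behind that anchor should be wrapped in the same condition, and the code that creates the tag has to enforce the threshold itself, because a hidden link is not an access control.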
-- 
1.7.4.1

0002-Fix-13085-Allow-Manage-Tags-only-for-global-level-ta.patch (1,886 bytes)   
From cab1f6d6aeffa354de2f48289ac20b9bfb118c03 Mon Sep 17 00:00:00 2001
From: Damien Regad <damien.regad@merckserono.net>
Date: Thu, 16 Jun 2011 14:17:18 +0200
Subject: [PATCH 2/2] Fix #13085: Allow Manage Tags only for global level >= tag_edit_threshold

Previously the level check in function print_manage_menu was made at project
level, which is not consistent with globally managed Tags.

The access level check change in manage_tags_page.php is for consistency,
only to avoid users without the proper access level trying to reach the page
directly, even though it would only display a read-only list of tags.
---
 core/html_api.php    |    2 +-
 manage_tags_page.php |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/html_api.php b/core/html_api.php
index c3920bc..40611a0 100644
--- a/core/html_api.php
+++ b/core/html_api.php
@@ -967,7 +967,7 @@ function print_manage_menu( $p_page = '' ) {
 	if( access_has_project_level( config_get( 'manage_project_threshold' ) ) ) {
 		print_bracket_link( helper_mantis_url( $t_manage_project_menu_page ), lang_get( 'manage_projects_link' ) );
 	}
-	if( access_has_project_level( config_get( 'tag_edit_threshold' ) ) ) {
+	if( access_has_global_level( config_get( 'tag_edit_threshold' ) ) ) {
 		print_bracket_link( helper_mantis_url( $t_manage_tags_page ), lang_get( 'manage_tags_link' ) );
 	}
 	if( access_has_global_level( config_get( 'manage_custom_fields_threshold' ) ) ) {
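Review bot: the switch to `access_has_global_level` for `tag_edit_threshold` sits directly below a `manage_project_threshold` check that still uses `access_has_project_level`, and nothing in the code says why the two differ. A one-line comment above the tag check stating that tags are managed globally would stop a later cleanup from reverting it to the project-level call. This condition only controls whether the menu link is printed, so the target page still needs its own check for direct requests.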
diff --git a/manage_tags_page.php b/manage_tags_page.php
index c33d5d0..0718160 100644
--- a/manage_tags_page.php
+++ b/manage_tags_page.php
@@ -32,7 +32,7 @@ require_once( 'tag_api.php' );
 require_once( 'user_pref_api.php' );
 require_once( 'form_api.php' );
 
-access_ensure_global_level( config_get( 'tag_view_threshold' ) );
+access_ensure_global_level( config_get( 'tag_edit_threshold' ) );
 
 compress_enable();
 
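Review bot: replacing `tag_view_threshold` with `tag_edit_threshold` in the `access_ensure_global_level()` call at the top of the page removes the read-only list for users who may view tags but not edit them. That is a behaviour change beyond the menu fix and deserves a comment at the call or a changelog entry. Once this guard is in place, every user who reaches the page already meets `tag_edit_threshold`, so any later check on the page that tests the same threshold at global level can no longer be false and could be simplified.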
-- 
1.7.4.1

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dregad

2011-06-16 06:36

developer   ~0029018

Can you please edit the issue's title to "Manage Tag menu should only work for users with global role", I inadvertently clicked submit while updating it. Thanks.

dregad

2011-06-16 08:31

developer   ~0029019

Last edited: 2011-06-16 08:32

I attached two patch files to address this issue.

The first one is the "minimalist" fix, i.e. not to display the "Create Tag" link when the user is not allowed to edit tags.

The second patch prevents display of the "Manage Tags" sub-menu item and denies access to manage_tags_page.php when user does not have the access level defined in tag_edit_threshold.

dhx

2011-07-12 06:37

reporter   ~0029145

Agreed with the need for tag management to use global settings (rather than per-project).

Thanks for the patches Damien. I've committed them to master and master-1.2.x branches.

grangeway

2013-04-05 17:57

reporter   ~0036444

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master 4e6dfbad

2011-06-16 07:23

Damien Regad

Committer: dhx

Fix 0013085: do not display "Create Tag" link when user can't edit tags

Forward ported from master-1.2.x to master by David Hicks.

Signed-off-by: David Hicks <d@hx.id.au>

Affected Issues: 0013085
mod - manage_tags_page.php

MantisBT: master-1.2.x c0ceefd2

2011-06-16 07:23

Damien Regad

Committer: dhx

Fix 0013085: do not display "Create Tag" link when user can't edit tags

Signed-off-by: David Hicks <d@hx.id.au>

Affected Issues: 0013085
mod - manage_tags_page.php

MantisBT: master 570b0d2f

2011-06-16 08:17

Damien Regad

Committer: dhx

Fix 0013085: Allow Manage Tags only for global level >= tag_edit_threshold

Previously the level check in function print_manage_menu was made at project
level, which is not consistent with globally managed Tags.

The access level check change in manage_tags_page.php is for consistency,
only to avoid users without the proper access level trying to reach the page
directly, even though it would only display a read-only list of tags.

Signed-off-by: David Hicks <d@hx.id.au>

Affected Issues: 0013085
mod - manage_tags_page.php
mod - core/html_api.php

MantisBT: master-1.2.x 208b59f6

2011-06-16 08:17

Damien Regad

Committer: dhx

Fix 0013085: Allow Manage Tags only for global level >= tag_edit_threshold

Previously the level check in function print_manage_menu was made at project
level, which is not consistent with globally managed Tags.

The access level check change in manage_tags_page.php is for consistency,
only to avoid users without the proper access level trying to reach the page
directly, even though it would only display a read-only list of tags.

Signed-off-by: David Hicks <d@hx.id.au>

Affected Issues: 0013085
mod - manage_tags_page.php
mod - core/html_api.php