0013561: Any manager can delete global categories

ID	Project	Category	View Status	Date Submitted	Last Update
0013561	mantisbt	security	public	2011-11-24 09:40	2014-09-23 18:05

Reporter	spoidras	Assigned To	dregad
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.8
Target Version	1.2.9	Fixed in Version	1.2.9

Summary	0013561: Any manager can delete global categories
Description	Once user has been defined as manager on at least one project, he can edit or delete global categories for all projects.
Steps To Reproduce	Go on Manage projects page Delete a global category
Tags	No tags attached.

dregad 2012-01-01 20:12 developer ~0030755	The manage project page should check that the user's global access is at least equal to $g_manage_site_threshold config. If not, global categories should be displayed without any action buttons.

dhx 2012-03-06 17:35 reporter ~0031395	A CVE identifier has been assigned to this issue: CVE-2012-1121 MantisBT 1.2.8 13561 managers of specific projects could update global category settings

grangeway 2013-04-05 17:57 reporter ~0036307	Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

MantisBT: master 94432587 2012-01-01 11:14 dregad Details Diff	User must have global access to update global categories The user's global access level must be >= $g_manage_site_threshold to be allowed to add, edit or delete global categories. Prior to this, once a user had been defined as Manager on at least one project, they could freely update global categories. Also prevents such updates through URL manipulation. Fixes 0013561	Affected Issues 0013561
	mod - manage_proj_cat_delete.php	Diff File
	mod - manage_proj_cat_edit_page.php	Diff File
	mod - manage_proj_page.php	Diff File
MantisBT: master-1.2.x 385e0c90 2012-01-01 11:14 dregad Details Diff	User must have global access to update global categories The user's global access level must be >= $g_manage_site_threshold to be allowed to add, edit or delete global categories. Prior to this, once a user had been defined as Manager on at least one project, they could freely update global categories. Also prevents such updates through URL manipulation. Fixes 0013561	Affected Issues 0013561
	mod - manage_proj_cat_delete.php	Diff File
	mod - manage_proj_cat_edit_page.php	Diff File
	mod - manage_proj_page.php	Diff File