View Issue Details

WikiRelated ChangesetsJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0014478mantisbtadministrationpublic2012-07-12 05:072014-09-23 18:05
ReporterVeMag Assigned Todregad  
PriorityhighSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version1.2.11 
Target Version1.2.12Fixed in Version1.2.12 
Summary0014478: The global category "General" can be deleted, but the $g_default_category_for_moves must be protected from suppression
Description

The site will be blocked after the first public bug moved from a project to another where its category doesn't exist.
The error is :

APPLICATION ERROR # 1502
Category not found

I think many other issues are child of this one : 0012945 0012431 0014189 ...

Steps To Reproduce

Create 2 public projects (Project1, Project2)
Create "category1" only in Project1
Create a bug in Project1 with category1

Delete the category "General" in administration

Move bug from Project1 to Project2

Go to "View Issues" or "My View"... Error :
APPLICATION ERROR 0001502
Category not found

Additional Information

repair with :

INSERT INTO mantis.mantis_category_table
(id, project_id, user_id, name, status)
VALUES ('1', '0', '0', 'General', '0');

TagsNo tags attached.

Relationships

Relationship GraphDependency Graph
related to 0014190 acknowledged When moving an issue, allow selection of both the Project and the Category 
related to 0015721 closedgrangeway Functionality to consider porting to master-2.0.x 
has duplicate 0014528 closedatrol Moving an issue from project with specific categories to project with global categories changes category to default 
related to 0015222 closedrombert mc_project_delete_category fails to delete category 

Activities

atrol

atrol

2012-07-12 06:37

developer   ~0032310

Last edited: 2012-07-13 05:15

VeMag, what do you mean when writing "The global category "General" can be suppress"
Unchecking "Inherit Global Categories" in the project settings?

Edited 1:
Forget my question, I didn't read in "Steps to reproduce"
You probably mean unchecking "Inherit Global Categories"

Edited 2:
German tries to understand French in English ;-)
You mean "deletion" and not "supression"
So what I wrote in Edited 1 is wrong.
You mean "Manage" > "Manage Projects" and push the "Delete" button for category "General"
atrol

atrol

2012-07-12 06:55

developer   ~0032311

Do you think we can close your issue and should follow up 0014190
VeMag

VeMag

2012-07-12 07:31

reporter   ~0032312

Only if 0014190 is implemented in 1.2.12 ...
it seams easier to return an error and refuse to delete the category if its ID is equal to $g_default_category_for_moves
dregad

dregad

2012-07-30 19:24

developer   ~0032409

I think VeMag's suggestion makes sense and is quite straightforward to implement.

The only catch is that 'default_category_for_moves' can also technically be defined on a per-project (or even per-user) basis, therefore it is not sufficient to just check for the global variable's value...

Therefore I propose to prevent deletion when the category is set as default anywhere (i.e. in config_inc.php or in the config table for any project/user) - see https://github.com/dregad/mantisbt/commit/88a1f0858fbb193e4fba3331f4683f1cb6bae9cc

Let me know what you think and if that works for you.
atrol

atrol

2012-07-31 07:17

developer   ~0032416

dregad, I had a short look at your fix.
Concatenating the where clause of the statment instead of using bind variables (db_param) is not the typical MantisBT programming style.
I think this is to prevent SQL injections. (a bit theoretic in this case)
dregad

dregad

2012-07-31 07:36

developer   ~0032418

You're probably right, it's better practice to use bind variables (also helps RDBMS parse SQL and cache it I guess, although the SQL injection does not quite apply in the case of a constant.

Anyway I'll make the change.
atrol

atrol

2012-07-31 09:39

developer   ~0032423

although the SQL injection does not quite apply in the case of a constant.
You are right, my mistake was that I had the value of the configuration option in my head when writing this.
dregad

dregad

2012-08-03 18:05

developer   ~0032462

Updated as per our discussion https://github.com/dregad/mantisbt/tree/fix-14478
dregad

dregad

2012-08-16 04:59

developer   ~0032576

@VeMag - any feedback on this, or are you happy with my proposed fix ?
VeMag

VeMag

2012-08-21 08:14

reporter   ~0032617

Looks great ! Many thanks !
grangeway

grangeway

2013-04-05 17:56

reporter   ~0036138

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master-1.2.x f50762c1

2012-07-30 10:49

dregad


Details Diff		 Protect $g_default_category_for_moves from deletion

When a category defined as default_category_for_moves is deleted and an
issue is subsequently moved to another project where its current
category does not exist, it gets assigned a non-existing category. This
causes application error 1502 to be triggered whenever MantisBT tries to
display the issue's Category, which can cause a system lock up.

This commit reduces the risk of this situation from happening, by
preventing users from deleting categories which are used as default
(either defined in config_inc.php or in the config table).

Fixes 0014478		 Affected Issues
0014478
mod - core/constant_inc.php Diff File
mod - lang/strings_english.txt Diff File
mod - manage_proj_cat_delete.php Diff File

MantisBT: master 6f76cf63

2012-07-30 10:49

dregad


Details Diff		 Protect $g_default_category_for_moves from deletion

When a category defined as default_category_for_moves is deleted and an
issue is subsequently moved to another project where its current
category does not exist, it gets assigned a non-existing category. This
causes application error 1502 to be triggered whenever MantisBT tries to
display the issue's Category, which can cause a system lock up.

This commit reduces the risk of this situation from happening, by
preventing users from deleting categories which are used as default
(either defined in config_inc.php or in the config table).

Fixes 0014478		 Affected Issues
0014478
mod - core/constant_inc.php Diff File
mod - lang/strings_english.txt Diff File
mod - manage_proj_cat_delete.php Diff File