View Issue Details

ID: 0015530
Project: mantisbt
Category: security
View Status: public
Last Update: 2013-03-15 16:21
Reporter: AdamR
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: won't fix
Product Version: 1.2.14
Summary: 0015530: [Issue view] Many of the bug options have disappeared for updaters
Description

Users that are at updaters level no longer have the option to change the issue status to confirmed when an issue is currently at acknowledged status. In the past an updater could change the status of an issue if it were assigned to them.

This has only been happening since updating to 1.2.14. I have not changed any permissions while updating Mantis.

We use the updater status to define testers that confirm issues being present before and after being resolved, though they can no longer do this.

Additional Information

Permissions attached. I do not allow updaters the general permission to update issue details as this is not their purpose as a tester. They should be able to adjust only the status of it though.

Tags: No tags attached.
Attached Files
global-workflow-thresholds.png (58,547 bytes)   

Relationships

related to 0015258 (closed, dregad): CVE-2013-1811 Reporter can change issue status to 'new'

Activities

dregad (developer), 2013-02-22 05:19, note ~0035276

Did you check that your Workflow Transitions allow the UPDATER role to reach CONFIRMED status (check the access level section at the bottom of the page)?

AdamR (reporter), 2013-02-22 13:29, note ~0035290 (last edited: 2013-02-22 13:30)

Yes, we've always had those set as follows:

  • New: Reporter
  • List/Feedback: Manager
  • Testing: Manager
  • Tested: Updater
  • Assigned: Manager
  • Resolved: Developer
  • Closed: Manager

(nb: List/Feedback, Testing, and Tested are Feedback/Acknowledged/Confirmed renamed in the English language definition file to be a bit more relevant for us -- no changes in the code constants)

AdamR (reporter), 2013-03-04 11:23, note ~0035372 (last edited: 2013-03-04 11:24)

I've done a compare of 1.2.12 and 1.2.14, and tracked this issue down to function "html_button_bug_change_status" in "core/html_api.php", specifically this block at line 1395:

# User must have updater access to use the change status button
if( !access_has_bug_level( config_get( 'update_bug_threshold' ), $p_bug->id ) ) {
    return;
}

This block was not present in 1.2.12, and commenting it out fixes this issue. I can also confirm this with a test account with updater access to a private project; it was able to change the status of an issue from Acknowledged to Confirmed as intended.

dregad (developer), 2013-03-04 11:42, note ~0035373

This check was introduced to fix security issue 0015258, so the system works as designed now.

Let's just say that until today you have been benefiting from a security hole, which has been closed in 1.2.13. User must have "update issues" access level to use this button.

AdamR (reporter), 2013-03-04 14:53, note ~0035375

"User must have "update issues" access level to use this button."

That means the users can then edit the details of an issue, not just the status of it as the permissions configuration page suggests. What else would a permission called "Update issue status" be for?
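The following is an added illustration, not code from MantisBT or from anyone in this thread. It reduces the authorisation behind the change-status button, as discussed in notes ~0035372 and ~0035373, to a small model: the per-status workflow thresholds from the reporter's list, plus the update_bug_threshold gate added in 1.2.13. Numeric access levels and status codes are assumed to be MantisBT's defaults, and the transition matrix is left out.

```python
# Added example (not MantisBT code): a reduced model of the authorisation that
# decides which statuses the "Change Status To" button offers. It shows why the
# check quoted in note ~0035372 closed 0015258 (CVE-2013-1811) and why it also
# hides the button from updaters who do not reach update_bug_threshold.
# Numeric access levels and status codes are MantisBT's defaults (assumption).
REPORTER, UPDATER, DEVELOPER, MANAGER = 25, 40, 55, 70
NEW, FEEDBACK, ACKNOWLEDGED, CONFIRMED, ASSIGNED, RESOLVED, CLOSED = 10, 20, 30, 40, 50, 80, 90

# Constructed per-status thresholds mirroring the reporter's workflow settings
# (New: Reporter, Feedback/Acknowledged: Manager, Confirmed: Updater, ...).
SET_STATUS_THRESHOLD = {
    NEW: REPORTER, FEEDBACK: MANAGER, ACKNOWLEDGED: MANAGER, CONFIRMED: UPDATER,
    ASSIGNED: MANAGER, RESOLVED: DEVELOPER, CLOSED: MANAGER,
}


def offered_statuses(user_level, current_status, update_bug_threshold=None):
    """Return the statuses the button would offer, in ascending status order.

    update_bug_threshold=None models 1.2.12, where only the per-status workflow
    threshold was consulted. Passing a level models the 1.2.13+ gate in
    html_button_bug_change_status(): the user must also reach
    update_bug_threshold before any transition is offered at all.
    """
    if update_bug_threshold is not None and user_level < update_bug_threshold:
        return []
    return [s for s, needed in sorted(SET_STATUS_THRESHOLD.items())
            if s != current_status and user_level >= needed]


if __name__ == "__main__":
    # 1.2.12: a plain reporter could move any issue back to NEW (the hole).
    print(offered_statuses(REPORTER, CONFIRMED))              # [10]
    # 1.2.13+: a reporter below update_bug_threshold gets no button at all.
    print(offered_statuses(REPORTER, CONFIRMED, UPDATER))     # []
    # An updater who also reaches update_bug_threshold keeps the transition.
    print(offered_statuses(UPDATER, ACKNOWLEDGED, UPDATER))   # [10, 40]
    # The reporter's setup: update_bug_threshold above UPDATER hides it.
    print(offered_statuses(UPDATER, ACKNOWLEDGED, DEVELOPER)) # []
```

The last two calls are the trade-off the thread is about: the same gate that stops a reporter from resetting issues to New also removes the button from testers whose role is below update_bug_threshold, which is why the resolution depends on the site's threshold configuration rather than on the workflow thresholds alone.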