View Issue Details

IDProjectCategoryView StatusLast Update
0019988mantisbtadministrationpublic2015-07-30 10:13
Reportercdijoux Assigned To 
PrioritynormalSeverityfeatureReproducibilityalways
Status newResolutionopen 
Product Version1.2.17 
Summary0019988: Configuration "manage_user_thresold" is too general
Description

Hello,

We have encountered a problem with the option "manager_user_threshold" :

We need to set this option to "Manager", because our managers need to create and update users.
But we've got one problem : they also can "Delete" them, which is not acceptable because we need to keep all our users in database (enabled or disabled).
To avoid this problem (with manager not sensitized with the difference of "Delete" and "Disable"), we have add an option : "manage_user_delete_threshold".
With this, we keep the configuration "manager_user_threshold" for all, but we add the new option in some files to restrict access to the delete user function.

Additional Information

config_default_inc.php :
@@ -2413,6 +2413,12 @@
$g_manage_user_threshold = ADMINISTRATOR;

/**
    • Threshold needed to delete user accounts
    • @global int $g_manage_user_delete_threshold
  • */
  • $g_manager_user_delete_threshold = ADMINISTRATOR;
  • /**
    • Delete bug threshold
    • @global int $g_delete_bug_threshold
      */

manage_user_delete.php :
@@ -29,6 +29,7 @@

auth_reauthenticate();
access_ensure_global_level( config_get( 'manage_user_threshold' ) );
  • access_ensure_global_level( config_get( 'manage_user_delete_threshold', ADMINISTRATOR ) );

    $f_user_id = gpc_get_int( 'user_id' );

manage_user_edit_page.php :
@@ -183,7 +183,8 @@
$t_reset = $t_user['id'] != auth_get_current_user_id()
&& helper_call_custom_function( 'auth_can_change_password', array() );
$t_unlock = OFF != config_get( 'max_failed_login_count' ) && $t_user['failed_login_count'] > 0;

  • $t_delete = !( ( user_is_administrator( $t_user_id ) && ( user_count_level( config_get_global( 'admin_site_threshold' ) ) <= 1 ) ) );
  • $t_delete = !( ( user_is_administrator( $t_user_id ) && ( user_count_level( config_get_global( 'admin_site_threshold' ) ) <= 1 ) ) )
  • && config_get( 'manager_user_delete_threshold', ADMINISTRATOR ) <= user_get_access_level( auth_get_current_user_id(), ALL_PROJECTS );

    if( $t_reset || $t_unlock || $t_delete ) {
    ?>

TagsNo tags attached.

Activities

atrol

atrol

2015-07-30 10:13

developer   ~0051161

Last edited: 2015-07-30 10:13

View 2 revisions

Your change will certainly not work the expected way as you use two times (wrong)
manager_user_delete_threshold but also one time
manage_user_delete_threshold

Issue History

Date Modified Username Field Change
2015-07-30 09:45 cdijoux New Issue
2015-07-30 10:13 atrol Severity minor => feature
2015-07-30 10:13 atrol Category authorization => administration
2015-07-30 10:13 atrol Note Added: 0051161
2015-07-30 10:13 atrol Note Edited: 0051161 View Revisions