0020539: Billing report exposes information about inaccessible projects when All Projects is selected

ID	Project	Category	View Status	Date Submitted	Last Update
0020539	mantisbt	security	public	2016-01-22 21:07	2020-12-30 08:28

Reporter	vboctor	Assigned To	vboctor
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	closed	Resolution	fixed
Product Version	1.2.19
Target Version	1.3.0-rc.2	Fixed in Version	1.3.0-rc.2

Summary	0020539: Billing report exposes information about inaccessible projects when All Projects is selected
Description	The billing information shows up in two places: Within the scope of an issue - in such case access level is checked on the whole page. Within the billing page - in this case we are missing the appropriate check. This probably affects 1.2.x as well. In the export to csv/Excel - was added recently based on 2 and hence missing the appropriate check.
Tags	mantishub
Attached Files	0001-Add-access-check-filtering-for-billing-report.patch (1,178 bytes) From e4ded41f9d31018da29e550d002fbe17bc24108b Mon Sep 17 00:00:00 2001 From: Victor Boctor <vboctor@gmail.com> Date: Sat, 23 Jan 2016 02:08:28 +0000 Subject: [PATCH 1/3] Add access check / filtering for billing report - In case of all projects, filter to user accessible ones. - In case of a specific project, double check that user has access to it. Fixes #20539 --- core/bugnote_api.php \| 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/core/bugnote_api.php b/core/bugnote_api.php index a508b70..2266c0f 100644 --- a/core/bugnote_api.php +++ b/core/bugnote_api.php @@ -705,10 +705,13 @@ function bugnote_stats_get_project_array( $p_project_id, $p_from, $p_to, $p_cost } if( ALL_PROJECTS != $p_project_id ) { + access_ensure_project_level( config_get( 'view_bug_threshold' ), $p_project_id ); + $t_project_where = ' AND b.project_id = ' . db_param() . ' AND bn.bug_id = b.id '; $t_params[] = $p_project_id; } else { - $t_project_where = ''; + $t_project_ids = current_user_get_accessible_projects(); + $t_project_where = ' AND b.project_id in (' . implode( ', ', $t_project_ids ). ')'; } if( !is_blank( $c_from ) ) { -- 1.9.1 0001-Add-access-check-filtering-for-billing-report.patch (1,178 bytes) 0002-Add-access-check-filtering-for-billing-exports.patch (1,177 bytes) From 03b20dd56c15088ed5119a5b82fc36ee897da411 Mon Sep 17 00:00:00 2001 From: Victor Boctor <vboctor@gmail.com> Date: Sat, 23 Jan 2016 02:10:34 +0000 Subject: [PATCH 2/3] Add access check / filtering for billing exports - In case of all projects, filter to user accessible ones. - In case of a specific project, double check that user has access to it. Fixes #20539 --- core/billing_api.php \| 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/core/billing_api.php b/core/billing_api.php index c2ddc49..12be079 100644 --- a/core/billing_api.php +++ b/core/billing_api.php @@ -67,10 +67,13 @@ function billing_get_for_project( $p_project_id, $p_from, $p_to, $p_cost_per_hou } if( ALL_PROJECTS != $p_project_id ) { + access_ensure_project_level( config_get( 'view_bug_threshold' ), $p_project_id ); + $t_project_where = ' AND b.project_id = ' . db_param() . ' AND bn.bug_id = b.id '; $t_params[] = $p_project_id; } else { - $t_project_where = ''; + $t_project_ids = current_user_get_accessible_projects(); + $t_project_where = ' AND b.project_id in (' . implode( ', ', $t_project_ids ). ')'; } if( !is_blank( $c_from ) ) { -- 1.9.1 0002-Add-access-check-filtering-for-billing-exports.patch (1,177 bytes) 0003-Use-billing-api-for-billing-page-access-check.patch (978 bytes) From 171b72ca3381a8e1063224e275c88b662e8bdc09 Mon Sep 17 00:00:00 2001 From: Victor Boctor <vboctor@gmail.com> Date: Sat, 23 Jan 2016 02:14:01 +0000 Subject: [PATCH 3/3] Use billing api for billing page access check --- billing_page.php \| 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/billing_page.php b/billing_page.php index b62ebd4..ff6de97 100644 --- a/billing_page.php +++ b/billing_page.php @@ -32,16 +32,13 @@ require_once( 'core.php' ); require_api( 'access_api.php' ); +require_api( 'billing_api.php' ); require_api( 'config_api.php' ); require_api( 'constant_inc.php' ); require_api( 'html_api.php' ); require_api( 'lang_api.php' ); -if( !config_get( 'time_tracking_enabled' ) ) { - trigger_error( ERROR_ACCESS_DENIED, ERROR ); -} - -access_ensure_project_level( config_get( 'time_tracking_reporting_threshold' ) ); +billing_ensure_reporting_access(); html_page_top( lang_get( 'time_tracking_billing_link' ) ); ?> -- 1.9.1 0003-Use-billing-api-for-billing-page-access-check.patch (978 bytes)

vboctor 2016-01-22 21:21 manager ~0052362	I've added a 3 commit patch. First commit, is likely to apply to both master and master-1.2.x Second commit, master only Third commit, re-use billing_api for access checks. The access is now needed in a couple of places because the logic done for reporting in CSV/Excel is different from the web page. Where the web page deals with aggregates and the Excel/CSV provide separate entries for separate notes. Let me know your feedback.

vboctor 2016-01-22 22:06 manager ~0052363	Reminder sent to: atrol, cproensa, dregad, syncguru Please review the attached patch.

vboctor 2016-01-26 22:56 manager ~0052396	I've published this to a github branch under my account with a fix to my change to handle sub-projects successfully. Let me know your feedback so that I can apply to master/master-1.2.x. https://github.com/vboctor/mantisbt/tree/time_tracking_access_check

atrol 2016-01-27 02:25 developer ~0052399	I have no time at the moment to have a deeper look or for any tests. But I just would like to mention that maybe even more information can be exposed without having appropriate access rights. e.g., do we check for private_bug_threshold, private_bugnote_threshold ...?

vboctor 2016-01-27 02:49 manager ~0052400	@atrol Good catch. Fixing this for the export csv/excel is easy. Fixing it for the web report is harder because it currently aggregates time so I have to change how it works. Will update you once fixed

dregad 2016-01-27 06:50 developer ~0052405	I've published this to a github branch under my account with a fix to my change to handle sub-projects successfully I think we really need a way to share private branches in a non-public manner. I'll delay testing this until you have a patch as per your last note 0020539:0052400

atrol 2016-01-27 07:11 developer ~0052407	I think we really need a way to share private branches in a non-public manner. We should use GitLab for it.

vboctor 2016-01-27 11:58 manager ~0052408	I've pushed the code refactoring to add the access check and have one method that does the correct extraction of billing information from the database. All billing reporting APIs are now in core/billing_api.php.

dregad 2016-01-27 13:42 developer ~0052411 Last edited: 2016-01-27 19:38	The numbers don't add up. After enabling time tracking and creating a couple bugs and bugnotes, running the reports with a reporter profile CSV export is correct Issue #,Project Name,Summary,Username,Timestamp,minutes,Time spent:,note 0000001,Test project,asdf,administrator,2016-01-27 18:15,1,00:01,a 0000001,Test project,asdf,administrator,2016-01-27 18:15,60,01:00,b 0000001,Test project,asdf,administrator,2016-01-27 18:19,62,01:02,c 0000001,Test project,asdf,trep,2016-01-27 18:33,180,03:00,d 0000002,Test project,bb,administrator,2016-01-27 18:34,60,01:00,a Note: bugnotes 1a + 1c are public, 1b + 1d are private Online report is wrong - aggregation of administrator time does fails to consider bugnotes 1a + 1b Username Time tracking 0000001: asdf administrator 01:02 trep 03:00 0000002: bb administrator 01:00 Total time 06:03

vboctor 2016-01-28 01:09 manager ~0052413	Fixed, please try again.

MantisBT: master 66f735c5 2016-02-04 07:34 vboctor Details Diff	Check access for every time tracking note - Add access level check per bugnote. - Refactor code to have a single place where time tracking entries are calculated. Fixes 0020539	Affected Issues 0020539
	mod - billing_inc.php	Diff File
	mod - billing_page.php	Diff File
	mod - core/billing_api.php	Diff File
	mod - core/bugnote_api.php	Diff File
	mod - core/user_api.php	Diff File

View Issue Details

Activities

Related Changesets