View Issue Details

ID: 0024437
Project: mantisbt
Category: filters
View Status: public
Last Update: 2018-05-23 02:03
Reporter: intuity
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 2.13.1
Target Version: 2.15.0
Fixed in Version: 2.15.0
Summary: 0024437: Cannot save private filter if not allowed to save shared filter
Description

There is a bug in query_store.php where you cannot save a private filter if you do not have the privileges to save a shared filter (i.e. in my setup the minimum access level for saving filters is 'Developer' and the minimum access level to save shared filters is 'Manager'). The bug is on line 106 of query_store.php:

Original:

...
# ensure that we're not making this filter public if we're not allowed
if( !access_has_project_level( config_get( 'stored_query_create_shared_threshold' ) ) ) {
        access_denied();
}
...

I suggest that it should be corrected to:

...
# ensure that we're not making this filter public if we're not allowed
if( $f_is_public && !access_has_project_level( config_get( 'stored_query_create_shared_threshold' ) ) ) {
        access_denied();
}
...

Steps To Reproduce
  1. Set up shared filter saving as higher ACL than saving a private filter
  2. Create an account with privileges only high enough to share a private filter
  3. Attempt to save a private filter
Tags: No tags attached.
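
The difference between the two checks quoted in the report, as an added example that is not MantisBT code and not part of the original issue. It runs both forms against every combination of access level and filter visibility, so it shows that the suggested condition allows the private save without loosening the shared one. The numeric access levels, the CREATE_THRESHOLD gate and the function names are assumptions made for illustration.

```php
<?php
// Added example, not MantisBT code. Access levels and thresholds are
// constructed to match the reporter's setup.
const REPORTER = 25;
const DEVELOPER = 55;
const MANAGER = 70;
const CREATE_THRESHOLD = DEVELOPER;       // assumed: may save a filter at all
const CREATE_SHARED_THRESHOLD = MANAGER;  // may save a shared (public) filter

// Check as quoted under "Original": shared threshold applied to every save.
function may_store_original( int $p_level, bool $p_is_public ): bool {
    if( $p_level < CREATE_THRESHOLD ) {
        return false;
    }
    return $p_level >= CREATE_SHARED_THRESHOLD;
}

// Check as suggested: shared threshold applied only to public filters.
function may_store_fixed( int $p_level, bool $p_is_public ): bool {
    if( $p_level < CREATE_THRESHOLD ) {
        return false;
    }
    return !$p_is_public || $p_level >= CREATE_SHARED_THRESHOLD;
}

// Intended policy as rows of [ level, is_public, allowed ].
$t_cases = [
    [ REPORTER,  false, false ],
    [ REPORTER,  true,  false ],
    [ DEVELOPER, false, true  ],  // the case from the report
    [ DEVELOPER, true,  false ],  // must stay denied after the fix
    [ MANAGER,   false, true  ],
    [ MANAGER,   true,  true  ],
];

$t_failures = 0;
foreach( $t_cases as [ $t_level, $t_public, $t_expected ] ) {
    $t_old = may_store_original( $t_level, $t_public );
    $t_new = may_store_fixed( $t_level, $t_public );
    $t_failures += ( $t_new !== $t_expected ) ? 1 : 0;
    printf( "level=%d public=%s original=%s fixed=%s expected=%s\n",
        $t_level, var_export( $t_public, true ), var_export( $t_old, true ),
        var_export( $t_new, true ), var_export( $t_expected, true ) );
}
exit( $t_failures === 0 ? 0 : 1 );
```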

Activities

atrol

2018-05-16 09:48

developer   ~0059840

Thanks @intuity for reporting and providing the fix

PR https://github.com/mantisbt/mantisbt/pull/1350

Related Changesets

MantisBT: master b421ab2f

2018-05-16 09:42:54

atrol

Correct access checks when storing filters

Fixes 0024437
Affected Issues
0024437
mod - query_store.php

Issue History

Date Modified Username Field Change
2018-05-16 08:56 intuity New Issue
2018-05-16 09:46 atrol Assigned To => atrol
2018-05-16 09:46 atrol Status new => assigned
2018-05-16 09:46 atrol Target Version => 2.15.0
2018-05-16 09:48 atrol Note Added: 0059840
2018-05-23 01:40 atrol Changeset attached => MantisBT master b421ab2f
2018-05-23 01:40 atrol Status assigned => resolved
2018-05-23 01:40 atrol Resolution open => fixed
2018-05-23 01:40 atrol Fixed in Version => 2.15.0