0026107: Mantis 2.21 - Bug on project_add_users - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0026107	mantisbt	authorization	public	2019-09-03 09:33	2019-09-16 16:35

Reporter	fabio.sirchia	Assigned To	dregad
Priority	urgent	Severity	major	Reproducibility	always
Status	closed	Resolution	duplicate

Summary	0026107: Mantis 2.21 - Bug on project_add_users
Description	Hi, there is a bug on the new project_add_users function inside the project_api.php. Seems that the update code is not taking care about the project_id: if( !empty( $t_updating ) ) { $t_update = new DbQuery( 'UPDATE {project_user_list} SET access_level = :new_value WHERE user_id = :user_id' ); foreach( $t_updating as $t_id ) { $t_params = array( 'user_id' => (int)$t_id, 'new_value' => $t_changes[$t_id] ); $t_update->execute( $t_params ); unset( $t_changes[$t_id] ); } } In this way like you can see you will update the role of the user for ALL the project where the user is enabled. i Think this is a big update bug, please could you insert the project_id on the where condition? Thank you Fabio
Tags	No tags attached.

fabio.sirchia 2019-09-03 10:09 reporter ~0062714 Last edited: 2019-09-03 10:12	ok on the 2.22 seems resolved. you can close the issue

dregad 2019-09-03 11:35 developer ~0062716	Next time, please check before reporting a bug ;-)