0027806: Impossible to edit issues with PHP8

ID	Project	Category	View Status	Date Submitted	Last Update

0027806	mantisbt	bugtracker	public	2020-12-28 12:57	2020-12-30 07:37

Reporter	dregad	Assigned To	dregad
Priority	high	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.9.1
Target Version	2.24.4	Fixed in Version	2.24.4

Summary	0027806: Impossible to edit issues with PHP8
Description	Incorrect access level check in bug_update.php prevents any user from updating an issue when running on PHP8 In the switch statement at line 155, several calls to access_ensure_bug_level() calls are made, with passing a threshold name as $p_access_level parameter as a string instead of the actual threshold's value (i.e. the config_get() call was omitted) This "worked" in PHP < 8.0, because string comparisons worked differently https://www.php.net/releases/8.0/en.php#consistent-type-errors-for-internal-functions. In fact, it means there was no actual access check, as the strings were evaluated to 0 (ANYBODY)
Additional Information	Regression introduced by MantisBT master-2.9 bf1f02f7
Tags	PHP 8

atrol 2020-12-28 13:24 developer ~0064852	In fact, it means there was no actual access check, as the strings were evaluated to 0 (ANYBODY) Shame on me when approving the PR. Seems I tested the original issues, which were resolved by the changes, but didn't have a real look at the code.

dregad 2020-12-28 18:46 developer ~0064854 Last edited: 2020-12-29 03:07	Shame on me when approving the PR. Don't be hard on yourself, everyone makes mistakes... Proposed fix in PR https://github.com/mantisbt/mantisbt/pull/1721

dregad 2020-12-28 18:51 developer ~0064855	The proposed fix does address the bug preventing editing issues in PHP 8, but I did not fully test whether the individual access check work as @vboctor originally intended them. Any additional testing or feedback would be appreciated.

RealityRipple 2020-12-28 20:11 reporter ~0064857	Looks good. Set all three possible values to REPORTER in config for a quick minute and was able to make changes with a dummy reporter account. Access went away when I deleted the config lines.

MantisBT: master-2.9 bf1f02f7 2017-12-12 23:24:40 vboctor Details Diff	Fix access checks for assign and change status - Users should be able to assign issues even if they can’t update issues. - Users should be able to change status even if they can’t update issues. Fixes 0021393, 0022093	Affected Issues 0021393, 0022093, 0027806
	mod - bug_update.php	Diff File
MantisBT: master-2.24 65567e0d 2020-12-28 18:41:32 dregad Details Diff	Properly check access level when updating issues Commit bf1f02f71a85bd4e05cd2a627b3c25e79f96d5a0 (issues 0021393, 0022093) introduced a bug in the access level check, as it passed the threshold as a string to access_ensure_bug_level() instead of its actual value. This seemed to work in PHP < 8.0, because string comparisons behaved differently [[1]], but in reality there was no actual access check, as the strings were evaluated to 0 (ANYBODY). Adding the missing config_get() call to fix the access level check. Fixes 0027806 [1]: https://www.php.net/releases/8.0/en.php#consistent-type-errors-for-internal-functions	Affected Issues 0021393, 0022093, 0027806
	mod - bug_update.php	Diff File

related to	0021393	closed	vboctor	When disable "Update an issue", then "Assign to" become access denied
related to	0022093	closed	vboctor	Reporter can´t change status of a bug
has duplicate	0027644	closed	atrol	PHP 8: Access Denied on Bug Modification
has duplicate	0027751	closed	atrol	Can't update any value, we got ACCESS DENIED