View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0027806 | mantisbt | bugtracker | public | 2020-12-28 12:57 | 2020-12-30 07:37 |
Reporter | dregad | Assigned To | dregad | ||
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 2.9.1 | ||||
Target Version | 2.24.4 | Fixed in Version | 2.24.4 | ||
Summary | 0027806: Impossible to edit issues with PHP8 | ||||
Description | Incorrect access level check in bug_update.php prevents any user from updating an issue when running on PHP8. In the switch statement at line 155, several calls to access_ensure_bug_level() are made, passing a threshold name as the $p_access_level parameter as a string instead of the actual threshold's value (i.e. the config_get() call was omitted). This "worked" in PHP < 8.0, because string comparisons worked differently (https://www.php.net/releases/8.0/en.php#consistent-type-errors-for-internal-functions). In fact, it means there was no actual access check, as the strings were evaluated to 0 (ANYBODY). | ||||
Additional Information | Regression introduced by MantisBT master-2.9 bf1f02f7 | ||||
Tags | PHP 8 | ||||
related to | 0021393 | closed | vboctor | When disable "Update an issue", then "Assign to" become access denied |
related to | 0022093 | closed | vboctor | Reporter can´t change status of a bug |
has duplicate | 0027644 | closed | atrol | PHP 8: Access Denied on Bug Modification |
has duplicate | 0027751 | closed | atrol | Can't update any value, we got ACCESS DENIED |
Shame on me when approving the PR. |
|
Don't be hard on yourself, everyone makes mistakes... Proposed fix in PR https://github.com/mantisbt/mantisbt/pull/1721 |
|
The proposed fix does address the bug preventing editing issues in PHP 8, but I did not fully test whether the individual access checks work as @vboctor originally intended them. Any additional testing or feedback would be appreciated. |
|
Looks good. Set all three possible values to REPORTER in config for a quick minute and was able to make changes with a dummy reporter account. Access went away when I deleted the config lines. |
|
MantisBT: master-2.9 bf1f02f7 2017-12-12 23:24:40 Details Diff |
Fix access checks for assign and change status - Users should be able to assign issues even if they can’t update issues. - Users should be able to change status even if they can’t update issues. Fixes 0021393, 0022093 |
Affected Issues 0021393, 0022093, 0027806 |
|
mod - bug_update.php | Diff File | ||
MantisBT: master-2.24 65567e0d 2020-12-28 18:41:32 Details Diff |
Properly check access level when updating issues Commit bf1f02f71a85bd4e05cd2a627b3c25e79f96d5a0 (issues 0021393, 0022093) introduced a bug in the access level check, as it passed the threshold as a string to access_ensure_bug_level() instead of its actual value. This seemed to work in PHP < 8.0, because string comparisons behaved differently [1], but in reality there was no actual access check, as the strings were evaluated to 0 (ANYBODY). Adding the missing config_get() call to fix the access level check. Fixes 0027806 [1]: https://www.php.net/releases/8.0/en.php#consistent-type-errors-for-internal-functions |
Affected Issues 0021393, 0022093, 0027806 |
|
mod - bug_update.php | Diff File |
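The failure mode described in this issue and in commit 65567e0d, reduced to a stand-alone script. This is an added example, not MantisBT code: `threshold_value()`, `has_level_loose()`, `has_level_strict()`, the `CONFIG` array and the level numbers are constructed stand-ins, with `threshold_value()` playing the role that `config_get()` has in the issue. The typed variant goes one step beyond the fix on this page and shows how a threshold name passed by mistake can be rejected outright on either PHP version.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins, not MantisBT code. Level numbers are sample values.
const VIEWER = 10;
const DEVELOPER = 55;
const CONFIG = ['update_bug_threshold' => DEVELOPER]; // hypothetical config store

// Hypothetical lookup: resolves a threshold name to its numeric level.
function threshold_value(string $name): int {
    if (!array_key_exists($name, CONFIG)) {
        throw new InvalidArgumentException("unknown threshold: $name");
    }
    return CONFIG[$name];
}

// Untyped threshold: a name passed by mistake is compared as-is.
function has_level_loose(int $user_level, $threshold): bool {
    return $user_level >= $threshold;
}

// Typed threshold: a name passed by mistake raises TypeError before any comparison.
function has_level_strict(int $user_level, int $threshold): bool {
    return $user_level >= $threshold;
}

$name = 'update_bug_threshold';

// Bug pattern: the threshold name is passed instead of its value.
// PHP < 8.0 converts the non-numeric string to 0, so every level passes.
// PHP >= 8.0 compares the integer as a string against the name, so every level fails.
printf("PHP %s, name passed as threshold\n", PHP_VERSION);
printf("  viewer:    %s\n", var_export(has_level_loose(VIEWER, $name), true));
printf("  developer: %s\n", var_export(has_level_loose(DEVELOPER, $name), true));

// Fix pattern: resolve the name first, then compare numbers with numbers.
$required = threshold_value($name);
printf("value passed as threshold (%d)\n", $required);
printf("  viewer:    %s\n", var_export(has_level_loose(VIEWER, $required), true));
printf("  developer: %s\n", var_export(has_level_loose(DEVELOPER, $required), true));

// Hardening: with an int-typed parameter the mistake cannot go unnoticed.
try {
    has_level_strict(DEVELOPER, $name);
} catch (TypeError $e) {
    echo "typed check rejected the threshold name: TypeError\n";
}
```

Running the script under PHP 7 and PHP 8 shows the two outcomes the issue describes for the same mistake: a check that always passes, and a check that always denies.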