0029751: APPLICATION ERROR #13 (access denied) while creating new user when theshold configured as MANAGER in administration interface - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0029751	mantisbt	authorization	public	2022-03-16 10:00	2022-05-10 10:31

Reporter	00	Assigned To	atrol
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	closed	Resolution	fixed
Product Version	2.11.0
Target Version	2.25.4	Fixed in Version	2.25.4

Summary	0029751: APPLICATION ERROR #13 (access denied) while creating new user when theshold configured as MANAGER in administration interface
Description	After having configured $g_manage_user_threshold to MANAGER (70) in database (via the administration interface, adm_config_report.php, with an admin account), a manager account can access to the new account form (manage_user_create_page.php) but get an APPLICATION ERROR #13 after submitting the form, on manage_user_create.php. It seems to work if $g_manage_user_threshold is configured in config/config_inc.php.
Tags	No tags attached.

00 2022-03-16 10:25 reporter ~0066369	When user creation was in error, user management threshold was set from admin page to MANAGER: image.png (86,920 bytes) image.png (86,920 bytes)

atrol 2022-03-16 10:53 developer ~0066370	I have no time at the moment to try myself. Just a guess: You might have multiple entries of manage_user_threshold in your configuration (maybe for some specific projects)

00 2022-03-16 11:12 reporter ~0066371	There are no other entries of manager_user_threshold. Actually, this problem occured on a fresh install of MantisBT 2.25.2 with 2 projects and 4 users and almost no customization by project. The fix is not a priority as the file configuration seems to be a valid workaround.

atrol 2022-03-16 16:16 developer ~0066372	Regression introduced in version 2.11.0 0023838

dregad 2022-04-07 07:31 developer ~0066412	The access denied is triggered because the user creation command checks access at global level. This is necessary, because users are a global entity; allowing their creation based on access rights at project level is likely to introduce a security hole. Without this restriction, a user A with a global access level of REPORTER but MANAGER in a specific project would be able to create a new user B with a global access level of MANAGER. User B could therefore be granted access to other projects, where A would normally only have a REPORTER access. Regression introduced in version 2.11.0 0023838 @atrol this is not a regression from the issue you referenced. The access_ensure_global_level() check against manage_user_threshold was already present before the introduction of UserCreateCommand (0023837), in fact that check has been there since MantisBT master 831e4368 (0.18.0a1). Now arguably, the user management page should not provide the user creation button in that case. And we should probably check to make sure that there is no other loophole (e.g. when editing user).

atrol 2022-04-17 08:29 developer ~0066438	@dregad did you try the original post? When trying with a user with global level MANAGER and having set manage_user_threshold in database to value 70, creating a user works as expected in version 2.10.0. Starting from version 2.11.0, it does not work any longer. It still works, if manage_user_threshold is set just in config_inc.php but not database to 70.

atrol 2022-04-17 08:46 developer ~0066439	PR https://github.com/mantisbt/mantisbt/pull/1803

dregad 2022-04-28 06:58 developer ~0066509	did you try the original post? When trying with a user with global level MANAGER [...] Yes I did. The original post does not actually mention global access level, so I was concerned about a potential security loophole. I just tested that scenario (i.e. reporter user with manager access in a single, specific project) and confirmed that in this case there is no access to global user management features, so everything is fine. I'll approve the PR.

atrol 2022-04-28 16:03 developer ~0066513	PR for master-2.25 https://github.com/mantisbt/mantisbt/pull/1804