View Issue Details

ID: 0029751
Project: mantisbt
Category: authorization
View Status: public
Last Update: 2022-05-10 10:31
Reporter: 00
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.11.0
Target Version: 2.25.4
Fixed in Version: 2.25.4
Summary: 0029751: APPLICATION ERROR #13 (access denied) while creating new user when threshold configured as MANAGER in administration interface
Description

After having configured $g_manage_user_threshold to MANAGER (70) in the database (via the administration interface, adm_config_report.php, with an admin account), a manager account can access the new account form (manage_user_create_page.php) but gets an APPLICATION ERROR #13 after submitting the form, on manage_user_create.php.

It seems to work if $g_manage_user_threshold is configured in config/config_inc.php.

Tags: No tags attached.

Relationships

related to 0023838 (closed, vboctor): Create user via REST API

Activities

00 (reporter), 2022-03-16 10:25, note ~0066369

When user creation was in error, user management threshold was set from admin page to MANAGER:

image.png (86,920 bytes)   
atrol (developer), 2022-03-16 10:53, note ~0066370

I have no time at the moment to try myself.
Just a guess: You might have multiple entries of manage_user_threshold in your configuration (maybe for some specific projects)

00 (reporter), 2022-03-16 11:12, note ~0066371

There are no other entries of manage_user_threshold. Actually, this problem occurred on a fresh install of MantisBT 2.25.2 with 2 projects and 4 users and almost no customization by project.

The fix is not a priority as the file configuration seems to be a valid workaround.

atrol (developer), 2022-03-16 16:16, note ~0066372

Regression introduced in version 2.11.0 0023838

dregad (developer), 2022-04-07 07:31, note ~0066412

The access denied is triggered because the user creation command checks access at global level. This is necessary, because users are a global entity; allowing their creation based on access rights at project level is likely to introduce a security hole.

Without this restriction, a user A with a global access level of REPORTER but MANAGER in a specific project would be able to create a new user B with a global access level of MANAGER. User B could therefore be granted access to other projects, where A would normally only have a REPORTER access.

> Regression introduced in version 2.11.0 0023838

@atrol this is not a regression from the issue you referenced.

The access_ensure_global_level() check against manage_user_threshold was already present before the introduction of UserCreateCommand (0023837), in fact that check has been there since MantisBT master 831e4368 (0.18.0a1).

Now arguably, the user management page should not provide the user creation button in that case. And we should probably check to make sure that there is no other loophole (e.g. when editing user).
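The argument in the two notes above (a global-level check is required because users are global entities, and a user with REPORTER globally but MANAGER in one project must not reach global user management) can be made concrete with a small model. This is an added example written for this page, not MantisBT code: the access levels, the User class and both create_user_* functions are constructed here to contrast a per-project check with a global one. It also covers the scenario dregad reports testing later in the thread (a reporter with manager access in a single project) and the reporter's own case (a global MANAGER with the threshold set to 70).

```python
"""Model of global vs project-scoped access checks for user creation.

Constructed example; the numeric levels mirror MantisBT's convention
(REPORTER=25, MANAGER=70) but nothing here calls MantisBT itself.
"""

REPORTER = 25
DEVELOPER = 50
MANAGER = 70


class AccessDenied(Exception):
    """Raised where MantisBT would emit APPLICATION ERROR #13."""


class User:
    def __init__(self, name, global_level, project_levels=None):
        self.name = name
        self.global_level = global_level
        # per-project overrides; a project not listed falls back to the global level
        self.project_levels = dict(project_levels or {})

    def project_level(self, project):
        return self.project_levels.get(project, self.global_level)


def create_user_project_scoped(actor, project, new_global_level, threshold=MANAGER):
    """The flawed design: evaluate manage_user_threshold against the actor's
    level in the project they happen to be working in."""
    if actor.project_level(project) < threshold:
        raise AccessDenied(f"{actor.name} lacks level {threshold} in {project}")
    return User(f"created-by-{actor.name}", new_global_level)


def create_user_global_scoped(actor, new_global_level, threshold=MANAGER):
    """The required design: users are global, so compare the actor's global
    level with the (effective, possibly database-configured) threshold."""
    if actor.global_level < threshold:
        raise AccessDenied(f"{actor.name} lacks global level {threshold}")
    return User(f"created-by-{actor.name}", new_global_level)


def escalation_via_project_check(actor, home_project, other_project):
    """Show the hole: actor creates a global MANAGER through a project-scoped
    check and that new user outranks the actor in a project the actor cannot
    manage. Returns (new user's level there, actor's level there)."""
    created = create_user_project_scoped(actor, home_project, MANAGER)
    return created.project_level(other_project), actor.project_level(other_project)


def global_check_outcome(actor, threshold=MANAGER):
    """Return True if the global-scoped check lets the actor create users."""
    try:
        create_user_global_scoped(actor, MANAGER, threshold)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # user A: REPORTER globally, MANAGER only in proj-x (constructed data)
    a = User("A", REPORTER, {"proj-x": MANAGER})
    print(escalation_via_project_check(a, "proj-x", "proj-y"))  # (70, 25): hole
    print(global_check_outcome(a))                               # False: denied
    # the reporter's case: a global MANAGER with threshold 70 from the database
    m = User("M", MANAGER)
    print(global_check_outcome(m, threshold=70))                 # True: allowed
```

The first call shows why a per-project check is unsafe: A ends up having created a user who is MANAGER in proj-y while A is only a REPORTER there. The global check denies A and, as long as the command reads the same effective threshold the admin page shows, allows a genuine global MANAGER, which is the behaviour the reporter expected.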

atrol (developer), 2022-04-17 08:29, note ~0066438

@dregad did you try the original post?

When trying with a user with global level MANAGER and having set manage_user_threshold in database to value 70, creating a user works as expected in version 2.10.0.
Starting from version 2.11.0, it does not work any longer.
It still works if manage_user_threshold is set to 70 just in config_inc.php but not in the database.

atrol (developer), 2022-04-17 08:46, note ~0066439

PR: https://github.com/mantisbt/mantisbt/pull/1803

dregad (developer), 2022-04-28 06:58, note ~0066509

> did you try the original post?
> When trying with a user with global level MANAGER [...]

Yes I did. The original post does not actually mention global access level, so I was concerned about a potential security loophole.

I just tested that scenario (i.e. reporter user with manager access in a single, specific project) and confirmed that in this case there is no access to global user management features, so everything is fine. I'll approve the PR.

atrol (developer), 2022-04-28 16:03, note ~0066513

PR for master-2.25: https://github.com/mantisbt/mantisbt/pull/1804

Related Changesets

MantisBT: master-2.25 67919341 (atrol, 2022-04-17 08:41)

Fix access check when creating users

Fixes 0029751

Affected Issues: 0029751

Files: mod - core/commands/UserCreateCommand.php