View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006390 | mantisbt | bugtracker | public | 2005-11-04 11:27 | 2009-08-20 15:38 |
Reporter | mmchenry | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | acknowledged | Resolution | open | ||
Product Version | 1.0.0rc3 | ||||
Summary | 0006390: Group action assign broken again | ||||
Description | Threshold and access validation on group action assign seems to be broken. Even if user has permission to change status and assign, and assigned user has permission to handle bugs, you get a permission denied message when assigning via group actions. Assigning an individual bug works as expected. Similar to 0006068, but problem is at the validation level instead of the UI level. | ||||
Additional Information | I believe the problem is in bug_actiongroup.php around line 112. It looks to me like it's checking if the assigned user has permission to change status to assigned instead of current user. Current code: I think should be changed to: | ||||
Tags | No tags attached. | ||||
Attached Files | bug_actiongroup.php.patch (1,607 bytes)
--- bug_actiongroup.php_1.50 2007-05-22 22:19:25.000000000 +0900 +++ bug_actiongroup.php 2007-05-24 23:43:16.000000000 +0900 @@ -111,12 +111,16 @@ } else { $t_assign_status = $t_status; } + $t_bug_sponsored = sponsorship_get_amount( sponsorship_get_all_ids( $t_bug_id ) ) > 0; # check that new handler has rights to handle the issue, and # that current user has rights to assign the issue - $t_threshold = access_get_status_threshold( $t_assign_status, bug_get_field( $t_bug_id, 'project_id' ) ); - if ( access_has_bug_level( $t_threshold , $t_bug_id, $f_assign ) && - access_has_bug_level( config_get( 'update_bug_assign_threshold', config_get( 'update_bug_threshold' ) ), $t_bug_id ) && - bug_check_workflow($t_status, $t_assign_status ) ) { + if ( access_has_bug_level( config_get( 'handle_bug_threshold' ) , $t_bug_id, $f_assign ) && + access_has_bug_level( config_get( 'update_bug_assign_threshold', config_get( 'update_bug_threshold' ) ), $t_bug_id ) && + bug_check_workflow($t_status, $t_assign_status ) && + # @@@ Iwao AVE!: added validation for sponsored bug + ( !$t_bug_sponsored || ( + access_has_bug_level( config_get( 'assign_sponsored_bugs_threshold' ), $t_bug_id ) && + access_has_bug_level( config_get( 'handle_sponsored_bugs_threshold' ), $t_bug_id, $f_assign ) ) ) ) { # @@@ we need to issue a helper_call_custom_function( 'issue_update_validate', array( $t_bug_id, $t_bug_data, $f_bugnote_text ) ); bug_assign( $t_bug_id, $f_assign ); helper_call_custom_function( 'issue_update_notify', array( $t_bug_id ) ); | ||||
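Review bot: the rewritten condition no longer checks that the current user may move the issue to $t_assign_status. The removed lines applied access_get_status_threshold( $t_assign_status, ... ) to $f_assign, which is the wrong user, but the replacement drops that threshold entirely instead of applying it to the current user. The only checks left on the current user are update_bug_assign_threshold and, for sponsored issues, assign_sponsored_bugs_threshold, so if the assignment also changes the status to $t_assign_status, nothing here verifies that the current user is allowed to set that status. Suggest keeping $t_threshold and adding access_has_bug_level( $t_threshold, $t_bug_id ) with no third argument, next to the new handle_bug_threshold check on $f_assign. Two smaller points: $t_bug_sponsored is computed with two sponsorship lookups for every selected issue, whether or not sponsorship is in use, and the "# @@@ Iwao AVE!" comment sits inside the if condition and reuses the @@@ marker that the following line uses for an open to-do; move the comment above the if and drop the marker.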
Attached patch resolves inconsistency between group assigning and individual assigning. It basically reflects validation defined in bug_assign.php. |
Not to seem ungrateful, but we're going on four years later and this still has not been fixed as of 1.1.7. Is there some problem getting this patch into the shipping code? Or can we at least get it into the upcoming 1.2.x? It's not like this is an oddball enhancement request. It's incorrect validation preventing the feature from working as designed. It really should be fixed. |