View Issue Details

ID: 0006390
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2009-08-20 15:38
Reporter: mmchenry
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 1.0.0rc3
Summary: 0006390: Group action assign broken again
Description

Threshold and access validation on group action assign seems to be broken. Even if user has permission to change status and assign, and assigned user has permission to handle bugs, you get a permission denied message when assigning via group actions.

Assigning an individual bug works as expected.

Similar to 0006068, but problem is at the validation level instead of the UI level.

Additional Information

I believe the problem is in bug_actiongroup.php around line 112. It looks to me like it's checking if the assigned user has permission to change status to assigned instead of current user.

Current code:
if ( access_has_bug_level( $t_threshold , $t_bug_id, $f_assign ) &&
access_has_bug_level( config_get( 'update_bug_assign_threshold', config_get( 'update_bug_threshold' ) ), $t_bug_id ) &&

I think it should be changed to:
if ( access_has_bug_level( $t_threshold , $t_bug_id ) &&
access_has_bug_level( config_get( 'update_bug_assign_threshold', config_get( 'update_bug_threshold' ) ), $t_bug_id, $f_assign ) &&

Tags: No tags attached.
Attached Files
bug_actiongroup.php.patch (1,607 bytes)   
--- bug_actiongroup.php_1.50	2007-05-22 22:19:25.000000000 +0900
+++ bug_actiongroup.php	2007-05-24 23:43:16.000000000 +0900
@@ -111,12 +111,16 @@
 			} else {
 				$t_assign_status = $t_status;
 			}
+			$t_bug_sponsored = sponsorship_get_amount( sponsorship_get_all_ids( $t_bug_id ) ) > 0;
 			# check that new handler has rights to handle the issue, and
 			#  that current user has rights to assign the issue
-			$t_threshold = access_get_status_threshold( $t_assign_status, bug_get_field( $t_bug_id, 'project_id' ) );
-			if ( access_has_bug_level( $t_threshold , $t_bug_id, $f_assign ) &&
-				 access_has_bug_level( config_get( 'update_bug_assign_threshold', config_get( 'update_bug_threshold' ) ), $t_bug_id ) &&
-					bug_check_workflow($t_status, $t_assign_status )	) {
+			if ( access_has_bug_level( config_get( 'handle_bug_threshold' ) , $t_bug_id, $f_assign ) &&
+					access_has_bug_level( config_get( 'update_bug_assign_threshold', config_get( 'update_bug_threshold' ) ), $t_bug_id ) &&
+					bug_check_workflow($t_status, $t_assign_status ) &&
+					# @@@ Iwao AVE!: added validation for sponsored bug
+					( !$t_bug_sponsored || (
+						access_has_bug_level( config_get( 'assign_sponsored_bugs_threshold' ), $t_bug_id ) &&
+						access_has_bug_level( config_get( 'handle_sponsored_bugs_threshold' ), $t_bug_id, $f_assign ) ) ) ) {
 				# @@@ we need to issue a helper_call_custom_function( 'issue_update_validate', array( $t_bug_id, $t_bug_data, $f_bugnote_text ) );
 				bug_assign( $t_bug_id, $f_assign );
 				helper_call_custom_function( 'issue_update_notify', array( $t_bug_id ) );
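Review bot: In the rewritten `if`, the removed `$t_threshold = access_get_status_threshold( $t_assign_status, ... )` lookup is not replaced by any check that the current user may move the bug to `$t_assign_status`; if the assignment changes the status, only `bug_check_workflow()` now gates that transition. Consider keeping `$t_threshold` and adding `access_has_bug_level( $t_threshold, $t_bug_id )` with no user argument, as the issue description proposes, alongside the new `handle_bug_threshold` check on `$f_assign`. Separately, `sponsorship_get_amount( sponsorship_get_all_ids( $t_bug_id ) )` is evaluated for every bug in the group before the cheaper access checks run; evaluating it only after the basic checks pass would avoid that work, and the `# @@@ Iwao AVE!` marker inside the condition would read better as a plain comment above the `if`.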

Activities

ave

2007-05-24 10:56

reporter   ~0014630

Attached patch resolves inconsistency between group assigning and individual assigning.
It is against bug_actiongroup.php v 1.50.

It basically reflects validation defined in bug_assign.php.
As a result, this patch also fixes another bug: sponsored issues can be assigned via group action regardless of the values of '$g_assign_sponsored_bugs_threshold' and '$g_handle_sponsored_bugs_threshold'.
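
The two effects described in this thread, as an added example that is not MantisBT code and not part of the attached patch: a stand-alone model of the group-assign check before and after the patch, showing a legitimate assignment refused by the old rule and a sponsored issue that only the patched rule protects. The `has_level()` helper, the user names, and all level and threshold values are constructed assumptions; only the threshold names come from the page.

```php
<?php
// Added illustration: a stand-alone model, not MantisBT code.
// Access levels, users and threshold values are constructed samples.
const REPORTER = 25; const DEVELOPER = 55; const MANAGER = 70;

$levels = array( 'alice' => MANAGER, 'bob' => DEVELOPER, 'carol' => REPORTER );
$cfg = array(
	'status_assigned_threshold'       => MANAGER,   // assumed level needed to set the assigned status
	'handle_bug_threshold'            => DEVELOPER,
	'update_bug_assign_threshold'     => DEVELOPER,
	'assign_sponsored_bugs_threshold' => MANAGER,
	'handle_sponsored_bugs_threshold' => DEVELOPER,
);

// Hypothetical stand-in for an access check: does $user meet $threshold?
function has_level( array $levels, $threshold, $user ) {
	return isset( $levels[$user] ) && $levels[$user] >= $threshold;
}

// Pre-patch shape: the status threshold is tested against the assignee,
// and sponsorship is ignored.
function can_assign_before( $levels, $cfg, $actor, $assignee, $sponsored ) {
	return has_level( $levels, $cfg['status_assigned_threshold'], $assignee )
		&& has_level( $levels, $cfg['update_bug_assign_threshold'], $actor );
}

// Patched shape: the assignee must be able to handle bugs, the acting user
// must be able to assign, and sponsored bugs add one check for each party.
function can_assign_after( $levels, $cfg, $actor, $assignee, $sponsored ) {
	$ok = has_level( $levels, $cfg['handle_bug_threshold'], $assignee )
		&& has_level( $levels, $cfg['update_bug_assign_threshold'], $actor );
	if ( $ok && $sponsored ) {
		$ok = has_level( $levels, $cfg['assign_sponsored_bugs_threshold'], $actor )
			&& has_level( $levels, $cfg['handle_sponsored_bugs_threshold'], $assignee );
	}
	return $ok;
}

$cases = array(
	array( 'alice', 'bob',   false ), // manager assigns to developer
	array( 'bob',   'alice', true ),  // developer assigns a sponsored bug
	array( 'alice', 'carol', false ), // assignee cannot handle bugs
);
foreach ( $cases as $c ) {
	list( $actor, $assignee, $sponsored ) = $c;
	$before = can_assign_before( $levels, $cfg, $actor, $assignee, $sponsored );
	$after  = can_assign_after( $levels, $cfg, $actor, $assignee, $sponsored );
	printf( "%-5s -> %-5s sponsored=%d before=%s after=%s\n", $actor, $assignee,
		$sponsored, var_export( $before, true ), var_export( $after, true ) );
}
```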

mmchenry

2009-05-14 18:33

reporter   ~0021823

Not to seem ungrateful, but we're going on four years later and this still has not been fixed as of 1.1.7.

Is there some problem getting this patch into the shipping code? Or can we at least get it into the upcoming 1.2.x?

It's not like this is an oddball enhancement request. It's incorrect validation preventing the feature from working as designed. It really should be fixed.