View Issue Details

ID: 0006719
Project: mantisbt
Category: security
View Status: public
Last Update: 2025-10-20 09:22
Reporter: langis
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.0rc1
Fixed in Version: 1.1.0a1
Summary: 0006719: Manager of a project can assign the Administrator role to a user.
Description

A manager should not be able to assign a role higher than manager to a user on any of his projects. When a user is assigned the Administrator role on a project, he can delete and create users, he can delete and create custom fields, he can change the system configuration. This is a major flaw in the security of MANTIS. The simplest way to fix this is to remove the ability to pick administrator as a role from a manager.
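To make the rule in this report concrete, here is an added PHP example that is not MantisBT code: it models the project access table in memory, filters the levels a user may offer (the rendering side) and re-checks the submitted level before writing it (the handler side). The constant values, the `example_*` function names, the user and project ids, and the choice of MANAGER as the manage threshold are assumptions made for the example.

```php
<?php
// Added example, not MantisBT code. Numeric values follow MantisBT's default
// access levels (assumption for the example; the project defines its own constants).
const VIEWER        = 10;
const REPORTER      = 25;
const UPDATER       = 40;
const DEVELOPER     = 55;
const MANAGER       = 70;
const ADMINISTRATOR = 90;

// Constructed stand-in for the project/user table: project id => (user id => level).
$g_project_access = [
    1 => [100 => ADMINISTRATOR, 200 => MANAGER, 300 => DEVELOPER],
];

// Hypothetical helper: the level a user holds on a project (VIEWER if not a member).
function example_access_get_project_level(array $p_access, int $p_project_id, int $p_user_id): int {
    return $p_access[$p_project_id][$p_user_id] ?? VIEWER;
}

// Rendering side: only offer levels less than or equal to the acting user's own level.
function example_assignable_levels(int $p_actor_level): array {
    $t_all = [VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR];
    return array_values(array_filter($t_all, fn($t_level) => $t_level <= $p_actor_level));
}

// Handler side: the submitted level is client-controlled, so the same rule is
// applied again before the row is written, independent of what the form offered.
function example_project_user_add(array &$p_access, int $p_project_id, int $p_actor_id,
                                  int $p_target_id, int $p_level): void {
    $t_actor_level = example_access_get_project_level($p_access, $p_project_id, $p_actor_id);
    if ($t_actor_level < MANAGER) {
        throw new RuntimeException("user $p_actor_id may not manage project $p_project_id");
    }
    if ($p_level > $t_actor_level) {
        throw new RuntimeException("user $p_actor_id (level $t_actor_level) may not grant level $p_level");
    }
    $p_access[$p_project_id][$p_target_id] = $p_level;
}

// What a manager's drop-down should contain: 10,25,40,55,70 (no ADMINISTRATOR).
echo "manager may offer: " . implode(',', example_assignable_levels(MANAGER)) . "\n";

// Walk through the report's scenario on project 1 with a new user 400.
$t_cases = [
    [200, 400, MANAGER],        // manager grants manager: allowed (equal level)
    [200, 400, ADMINISTRATOR],  // manager grants administrator: rejected (the reported flaw)
    [100, 400, ADMINISTRATOR],  // administrator grants administrator: allowed
    [300, 400, REPORTER],       // developer is below the manage threshold: rejected
];
foreach ($t_cases as [$t_actor, $t_target, $t_level]) {
    try {
        example_project_user_add($g_project_access, 1, $t_actor, $t_target, $t_level);
        echo "actor $t_actor granted level $t_level to user $t_target: OK\n";
    } catch (RuntimeException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

The second check is the one that matters for this report: filtering the option list only changes what the page displays, while the comparison in the add routine is what stops a manager from creating a project administrator.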

Tags: No tags attached.

Relationships

has duplicate 0007392 (closed, vboctor): a manager of a project can add other users to the project w/ administrative rights
related to 0007466 (closed, vboctor): Port: 6719: Manager of a project can assign the Administrator role to a user.
related to 0008332 (resolved, dregad): manage_project_threshold problems

Activities

vboctor (manager)
2006-03-21 08:05
~0012393

Fixed in CVS. Will be included in Mantis 1.1.0.

Index: manage_proj_edit_page.php

RCS file: /cvsroot/mantisbt/mantisbt/manage_proj_edit_page.php,v
retrieving revision 1.94
diff -u -r1.94 manage_proj_edit_page.php
--- manage_proj_edit_page.php 21 Mar 2006 12:50:24 -0000 1.94
+++ manage_proj_edit_page.php 21 Mar 2006 13:04:32 -0000
@@ -566,8 +566,8 @@
</td>
<td>
<select name="access_level">

  • <?php # No administrator choice ?>
  • <?php print_project_access_levels_option_list( config_get( 'default_new_account_access_level' ) ) ?>
  • <?php # only access levels that are less than or equal current user access level for current project ?>
  • <?php print_project_access_levels_option_list( config_get( 'default_new_account_access_level' ), $f_project_id ) ?>
    </select>
    </td>
    <td>
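Review bot: passing $f_project_id here only changes which options the page renders; the script that receives access_level must apply the same "not above the current user's level on this project" comparison before writing the row, because the posted value is not bound to the rendered options. A second point on the same lines: the preselected value config_get( 'default_new_account_access_level' ) is still taken unconditionally, so if that setting is above the acting user's level the default is filtered out of the list it is meant to select; clamp it to the user's level or document the fallback.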
    Index: core/print_api.php

    RCS file: /cvsroot/mantisbt/mantisbt/core/print_api.php,v
    retrieving revision 1.151
    diff -u -r1.151 print_api.php
    --- core/print_api.php 21 Mar 2006 12:11:59 -0000 1.151
    +++ core/print_api.php 21 Mar 2006 13:05:18 -0000
    @@ -802,9 +802,11 @@
    print_user_option_list( 0, $p_project_id );
    }

    --------------------

  • prints the list of access levels exluding ADMINISTRATOR

  • this is used when adding users to projects

  • function print_project_access_levels_option_list( $p_val ) {
  • prints the list of access levels that are less than or equal to the access level of the

  • logged in user. This is used when adding users to projects

  • function print_project_access_levels_option_list( $p_val, $p_project_id = null ) {
  • $t_current_user_access_level = access_get_project_level( $p_project_id );
  • $t_access_levels_enum_string = config_get( 'access_levels_enum_string' );
    
    # Add [default access level] to add the user to a project
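Review bot: the new signature defaults $p_project_id to null and hands it straight to access_get_project_level( $p_project_id ); the doc comment should state what null resolves to (the current project or all projects), since a caller that omits the argument gets a filter based on whichever project that helper falls back to. The comment should also say "access level of the logged in user on the given project" rather than just "of the logged in user", to match what $t_current_user_access_level now holds.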

    @@ -817,9 +819,10 @@
    for ($i=0;$i<$enum_count;$i++) {
    $t_elem = explode_enum_arr( $t_arr[$i] );

-# if ( $t_elem[0] >= ADMINISTRATOR ) {
-# continue;
-# }

  • a user must not be able to assign another user an access level that is higher than theirs.

  • if ( $t_elem[0] > $t_current_user_access_level ) {
  • continue;
  • }

        $t_access_level = get_enum_element( 'access_levels', $t_elem[0] );
        PRINT "<option value=\"$t_elem[0]\"";
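Review bot: replacing the commented-out `>= ADMINISTRATOR` exclusion with `if ( $t_elem[0] > $t_current_user_access_level )` changes behaviour for administrators: a user holding ADMINISTRATOR on the project can now be offered ADMINISTRATOR for another user, which the removed header comment ("excluding ADMINISTRATOR") ruled out. If that is intended, the note "Fixed in CVS" should say so; if not, keep an explicit ADMINISTRATOR exclusion next to the new comparison. The comparison itself matches the report: a manager may offer MANAGER (equal) but nothing higher.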