View Issue Details

ID: 0007196
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-06-14 09:02
Reporter: redcom
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 1.0.3
Target Version:
Fixed in Version:
Summary: 0007196: access_denied() function should indicate the reason why access was denied
Description

access_denied() should take a parameter to a language token that indicates the reason why access was denied. This will assist in finding bugs or misconfigurations in access control.

In our installation a user has developer access to the site, but in a specific project they have administrative access, and when clicking on the manage link, they get taken to an access denied.

I can't tell if this is a misconfiguration or if it is a real issue.

Additional Information

Example of a call:

currently in file_download.php

    # Check access rights
    switch ( $f_type ) {
        case 'bug':
            if ( !file_can_download_bug_attachments( $v_bug_id ) ) {
                access_denied();
            }
            break;
        case 'doc':
            # Check if project documentation feature is enabled.
            if ( OFF == config_get( 'enable_project_documentation' ) ) {
                access_denied();
            }

could be changed to

    # Check access rights
    switch ( $f_type ) {
        case 'bug':
            if ( !file_can_download_bug_attachments( $v_bug_id ) ) {
                access_denied( $MANTIS_ERROR[ERROR_ACCESS_DOWNLOAD_BUG_ATTACH] );
            }
            break;
        case 'doc':
            # Check if project documentation feature is enabled.
            if ( OFF == config_get( 'enable_project_documentation' ) ) {
                access_denied( $MANTIS_ERROR[ERROR_ACCESS_ENABLE_PROJECT_DOC] );
            }

Tags: No tags attached.
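
One way the callee side of this request could look, added here as an example and not taken from MantisBT or from the reporter: the reason token is always written to the server log with user and project context, and the page shows it only when an administrator opts in. The function names, token strings, the $show_reason switch and the sample context are assumptions; only the two constant names come from the report.

```php
<?php
// Added illustration; every function and value here is hypothetical, not MantisBT code.
// Reason tokens, named after the constants proposed in the report.
const ERROR_ACCESS_DOWNLOAD_BUG_ATTACH = 'access_download_bug_attach';
const ERROR_ACCESS_ENABLE_PROJECT_DOC  = 'access_enable_project_doc';

// Stand-in for a language file that maps tokens to localized text.
$g_reason_strings = [
    ERROR_ACCESS_DOWNLOAD_BUG_ATTACH => 'You may not download attachments for this issue.',
    ERROR_ACCESS_ENABLE_PROJECT_DOC  => 'Project documentation is disabled.',
];

// Build the audit line and the user-facing message for one denial.
function build_access_denied( ?string $reason, array $ctx, bool $show_reason ): array {
    global $g_reason_strings;
    // Missing or unknown tokens are recorded under a generic marker.
    $known = $reason !== null && isset( $g_reason_strings[$reason] );
    $token = $known ? $reason : 'unspecified';
    // Strip control characters so the page name cannot forge extra log lines.
    $page = preg_replace( '/[\x00-\x1F\x7F]/', '', $ctx['page'] );
    // Server-side record: always carries the token plus who was denied and where.
    $log = sprintf( 'access_denied reason=%s user=%d project=%d page=%s',
        $token, $ctx['user_id'], $ctx['project_id'], $page );
    // Page text: generic by default, specific only when the administrator opted in.
    $message = 'Access Denied.';
    if ( $show_reason && $known ) {
        $message .= ' ' . htmlspecialchars( $g_reason_strings[$reason], ENT_QUOTES, 'UTF-8' );
    }
    return [ 'log' => $log, 'message' => $message ];
}

// Hypothetical variant of access_denied() that accepts a reason token.
function access_denied_with_reason( ?string $reason = null, bool $show_reason = false ): void {
    // Constructed sample context; a real page would take this from the session.
    $ctx = [ 'user_id' => 42, 'project_id' => 7, 'page' => 'file_download.php' ];
    $out = build_access_denied( $reason, $ctx, $show_reason );
    error_log( $out['log'] );
    http_response_code( 403 );
    echo $out['message'], "\n";
    exit;
}

// Call site corresponding to the 'bug' case in the report.
access_denied_with_reason( ERROR_ACCESS_DOWNLOAD_BUG_ATTACH );
```

With the default $show_reason = false the user still sees only the generic message, while the log line tells an administrator which check failed.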

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2006-06-14 08:40 redcom New Issue