View Issue Details

ID: 0007225
Project: mantisbt
Category: security
View Status: public
Last Update: 2012-11-01 07:45
Reporter: atomoid
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 1.0.1
Summary: 0007225: Reporters can override their permissions if they have access to the "Update Issue" button

Description

If you set your "Reporter" permissions to NOT be able to "Update Issue Status" ... they can still do so if you also have the tag set to allow them to "Update an Issue" (on the same page).

This is configured in: manage_config_work_threshold_page.php : "Update Issue Status" checkmark NOT filled (setting for "All Projects"). I guess we need to have more limitations besides 'status'...

The problems with this:
"Reporters" should be able to edit their bugs to correct errors, etc., but of course they should NOT be able to change the resolution, etc. Yet they can change everything as if they had administrator privileges, even if it is specifically prohibited in the settings for 'Reporters' as noted above. As a result, beta sites are mangling their bugs with all sorts of incongruent settings.

Tags: No tags attached.

Relationships

duplicate of 0008141 (acknowledged): Issue reporters should be able to update their own issues

Activities

atomoid (reporter), 2007-05-01 14:17, note ~0014410, last edited 2007-05-01 14:48

The "Status" field permissions breach can be mitigated by locking them out of most statuses on the bottom of the "manage_config_workflow_page.php" page.

But there isn't any good way to block them from being able to change things such as the "Resolution", "Reporter" and other fields that should rightly be accessible only by developers (if there were a switch available), yet still allow them access to update their original bug text fields.

If I am a "reporter" and have access to only my own bugs, then if the "Update an issue" permission is enabled in the 'manage_config_work_threshold_page.php', I can go in and change the fields: "Reporter", "Resolution", "ETA", "Projection", "Fixed in Version" to whatever I want.
--> These are all fields that do not appear when reporting the bug, so there should be no access to them given the same permissions. For this project, only the 'Category', 'Reproducibility', 'Severity' and 'Project Version' fields are available when reporting the bug.

Ideally, reporters should only be able to change what they originally had access to on the original Bug Report page; however, this doesn't seem possible given the current available switches.

Mantis 1.0.6
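The note above describes a coarse-grained authorization model: a single "Update an Issue" gate, after which every field on the update form is writable, including ones the reporter never saw on the report page. The following added example (not MantisBT's code) contrasts that model with a field-level allowlist per role, the control the note asks for. The field names come from the note; the role names, the `summary`/`description` fields and the data model are assumptions for illustration.

```python
from dataclasses import dataclass

# Fields available to the reporter on the original report page, as listed in the
# note above, plus summary and description (assumed to be editable text fields).
REPORTER_FIELDS = frozenset({
    "summary", "description", "category", "reproducibility", "severity", "version",
})

# Fields that only appear on the update page; the note says these belong to developers.
DEVELOPER_ONLY_FIELDS = frozenset({
    "status", "resolution", "reporter", "eta", "projection", "fixed_in_version",
})

# Allowlist of editable fields per role (hypothetical role names).
ROLE_FIELDS = {
    "viewer": frozenset(),
    "reporter": REPORTER_FIELDS,
    "developer": REPORTER_FIELDS | DEVELOPER_ONLY_FIELDS,
    "administrator": REPORTER_FIELDS | DEVELOPER_ONLY_FIELDS,
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class Issue:
    id: int
    reporter: str
    fields: dict


class Forbidden(Exception):
    """Raised when an update touches a field the user may not change."""


def can_update_issue(user: User, issue: Issue) -> bool:
    """Coarse 'Update an Issue' gate: developers always, reporters only on their own issues."""
    if user.role in ("developer", "administrator"):
        return True
    return user.role == "reporter" and issue.reporter == user.name


def apply_update_coarse(user: User, issue: Issue, changes: dict) -> Issue:
    """The flawed model from the report: one yes/no gate, then every field is writable."""
    if not can_update_issue(user, issue):
        raise Forbidden(f"{user.name} may not update issue {issue.id}")
    issue.fields.update(changes)  # resolution, reporter, ETA ... all pass through
    return issue


def editable_fields(user: User, issue: Issue) -> frozenset:
    """Fields this user may change on this issue: the role allowlist, behind the coarse gate."""
    if not can_update_issue(user, issue):
        return frozenset()
    return ROLE_FIELDS.get(user.role, frozenset())


def apply_update(user: User, issue: Issue, changes: dict) -> Issue:
    """Hardened model: reject the whole update if any submitted field is outside the allowlist.

    Rejecting (rather than silently dropping) denied fields keeps tampered form
    submissions visible, so they can be logged and investigated.
    """
    denied = sorted(set(changes) - editable_fields(user, issue))
    if denied:
        raise Forbidden(
            f"{user.name} ({user.role}) may not change {', '.join(denied)} on issue {issue.id}"
        )
    issue.fields.update(changes)
    return issue


if __name__ == "__main__":
    # Constructed sample data.
    issue = Issue(7225, "atomoid", {"severity": "major", "resolution": "open"})
    reporter = User("atomoid", "reporter")
    print(apply_update_coarse(reporter, issue, {"resolution": "fixed"}).fields)  # flaw: allowed
    issue.fields["resolution"] = "open"
    try:
        apply_update(reporter, issue, {"resolution": "fixed"})
    except Forbidden as exc:
        print("blocked:", exc)
```

The key design point is that the allowlist is derived from what the role could set when creating the issue, so the update form cannot grant more than the report form did, regardless of which extra inputs the client submits.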

dregad (developer), 2012-10-18 07:02, note ~0033262

The ability for reporters to update their own issues is tracked in 0008141.

Issue History

Date Modified Username Field Change
2006-06-22 21:23 atomoid New Issue
2007-05-01 14:17 atomoid Note Added: 0014410
2007-05-01 14:48 atomoid Note Edited: 0014410
2012-10-18 07:02 dregad Note Added: 0033262
2012-10-18 07:02 dregad Relationship added duplicate of 0008141
2012-10-18 07:02 dregad Status new => resolved
2012-10-18 07:02 dregad Resolution open => duplicate
2012-10-18 07:02 dregad Assigned To => dregad
2012-11-01 07:45 atrol Status resolved => closed