View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007743 | mantisbt | security | public | 2007-01-28 18:29 | 2007-05-08 03:42 |
Reporter | giallu | Assigned To | vboctor | ||
Priority | high | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.0.6 | ||||
Target Version | 1.0.7 | Fixed in Version | 1.0.7 | ||
Summary | 0007743: Port: CVE-2006-6574 | ||||
Description | Mantis before 1.1.0a2 does not implement per-item access control for Issue | ||||
Tags | No tags attached. | ||||
Attached Files | mantis-1.0.6-private_history.patch (3,882 bytes)
Index: core/history_api.php =================================================================== RCS file: /cvsroot/mantisbt/mantisbt/core/history_api.php,v retrieving revision 1.34 retrieving revision 1.36 diff -U3 -r1.34 -r1.36 --- core/history_api.php 27 Aug 2005 01:15:59 -0000 1.34 +++ core/history_api.php 26 Sep 2006 01:30:57 -0000 1.36 @@ -6,7 +6,7 @@ # See the README and LICENSE files for details # -------------------------------------------------------- - # $Id: history_api.php,v 1.34 2005/08/27 01:15:59 thraxisp Exp $ + # $Id: history_api.php,v 1.36 2006/09/26 01:30:57 thraxisp Exp $ # -------------------------------------------------------- ### History API ### @@ -102,12 +102,13 @@ # Retrieves the raw history events for the specified bug id and returns it in an array # The array is indexed from 0 to N-1. The second dimension is: 'date', 'userid', 'username', # 'field','type','old_value','new_value' - function history_get_raw_events_array( $p_bug_id ) { + function history_get_raw_events_array( $p_bug_id, $p_user_id=NULL ) { $t_mantis_bug_history_table = config_get( 'mantis_bug_history_table' ); $t_mantis_user_table = config_get( 'mantis_user_table' ); $t_history_order = config_get( 'history_order' ); $c_bug_id = db_prepare_int( $p_bug_id ); - + $t_user_id = (( NULL == $p_user_id) ? auth_get_current_user_id() : $p_userid); + # grab history and display by date_modified then field_name # @@@ by MASC I guess it's better by id then by field_name. When we have more history lines with the same # date, it's better to respect the storing order otherwise we should risk to mix different information 
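Review bot: The added default-user line in history_get_raw_events_array reads `$p_userid`, but the parameter introduced in the new signature is `$p_user_id`, so a caller that passes an explicit user id hits an undefined variable and `$t_user_id` ends up null. Every visibility check in the next hunk takes `$t_user_id`, so the history filter would then not be evaluated for the requested user; how access_has_bug_level and custom_field_has_read_access treat a null id is not visible here. The loose `NULL == $p_user_id` test also sends a user id of 0 down the current-user path. The line should read `$t_user_id = ( null === $p_user_id ) ? auth_get_current_user_id() : $p_user_id;`. The function body continues outside this hunk.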
@@ -122,20 +123,49 @@ $raw_history_count = db_num_rows( $result ); $raw_history = array(); - for ( $i=0; $i < $raw_history_count; ++$i ) { + $t_private_bugnote_threshold = config_get( 'private_bugnote_threshold' ); + $t_private_bugnote_visible = access_has_bug_level( + config_get( 'private_bugnote_threshold' ), $p_bug_id, $t_user_id ); + + for ( $i=0,$j=0; $i < $raw_history_count; ++$i ) { $row = db_fetch_array( $result ); extract( $row, EXTR_PREFIX_ALL, 'v' ); - $raw_history[$i]['date'] = db_unixtimestamp( $v_date_modified ); - $raw_history[$i]['userid'] = $v_user_id; + // check that the item should be visible to the user + // custom fields + $t_field_id = custom_field_get_id_from_name( $v_field_name ); + if ( false !== $t_field_id && + !custom_field_has_read_access( $t_field_id, $p_bug_id, $t_user_id ) ) { + continue; + } + // bugnotes + if ( $t_user_id != $v_user_id ) { // bypass if user originated note + if ( ( $v_type == BUGNOTE_ADDED ) || + ( $v_type == BUGNOTE_UPDATED ) || + ( $v_type == BUGNOTE_DELETED ) ) { + if ( !$t_private_bugnote_visible && + ( bugnote_get_field( $v_old_value, 'view_state' ) == VS_PRIVATE ) ) { + continue; + } + } + if ( $v_type == BUGNOTE_STATE_CHANGED ) { + if ( !$t_private_bugnote_visible && + ( bugnote_get_field( $v_new_value, 'view_state' ) == VS_PRIVATE ) ) { + continue; + } + } + } + $raw_history[$j]['date'] = db_unixtimestamp( $v_date_modified ); + $raw_history[$j]['userid'] = $v_user_id; # user_get_name handles deleted users, and username vs realname - $raw_history[$i]['username'] = user_get_name( $v_user_id ); + $raw_history[$j]['username'] = user_get_name( $v_user_id ); - $raw_history[$i]['field'] = $v_field_name; - $raw_history[$i]['type'] = $v_type; - $raw_history[$i]['old_value'] = $v_old_value; - $raw_history[$i]['new_value'] = $v_new_value; + $raw_history[$j]['field'] = $v_field_name; + $raw_history[$j]['type'] = $v_type; + $raw_history[$j]['old_value'] = $v_old_value; + $raw_history[$j]['new_value'] = $v_new_value; + 
$j++; } # end for loop return $raw_history; | ||||
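Review bot: In the bugnote branch of the loop, the BUGNOTE_DELETED case looks up `view_state` for a note that the same history event says was deleted, so the `== VS_PRIVATE` test can hide the row only if that lookup still succeeds. What bugnote_get_field returns for a missing note is not visible here; if it is false or empty, the row is shown to users below the private-bugnote threshold, which means the filter fails open. It should fail closed, for example by keeping the lookup result in a local and skipping the row when it is `false` as well as when it equals `VS_PRIVATE`. Separately, `$t_private_bugnote_threshold` is assigned and never used; pass it instead of calling config_get again: `access_has_bug_level( $t_private_bugnote_threshold, $p_bug_id, $t_user_id )`. The function starts before this hunk.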