View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007771 | mantisbt | security | public | 2007-02-20 10:35 | 2013-07-17 17:40 |
| Reporter | rwhitney | Assigned To | grangeway | | |
| Priority | normal | Severity | major | Reproducibility | always |
| Status | closed | Resolution | unable to reproduce | | |
| Product Version | 1.0.6 | | | | |
| Summary | 0007771: Anonymous users of type 'viewer' can change the status of bugs | | | | |
| Description | Currently on our system the anonymous user (with an access level of 'viewer') can change the status of the bug. Please view the attached screen shot. Due to not wanting to expose our system to people potentially messing with it I can send the url of our mantis install to whoever is working on the bug so they can see the issue for themselves. Not sure what else to add at this moment. | | | | |
| Steps To Reproduce | EXPECTED: Unable to change status ACTUAL: User has ability to change status | | | | |
| Tags | No tags attached. | | | | |
| Attached Files | | | | | |
|
Your system is not correctly configured. Check the change_status_threshold, you probably set it to VIEWER instead of DEVELOPER. |
|
|
I could not find any setting in the config file called change_status_threshold. Where is this set? Is it named something else? There is this setting: status change thresholds $g_update_bug_status_threshold = DEVELOPER; |
|
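An added example, not part of the original thread or of MantisBT's own code: one way to check which `$g_*_threshold` settings in a config file an account at VIEWER level would satisfy, including the case where a later duplicate assignment silently overrides the value the administrator expects. The helper names and the sample config are constructed for illustration; the access-level values are MantisBT's constants, and only scalar assignments in the file are read.

```python
import re

# MantisBT access-level constants and their numeric values.
LEVELS = {"ANYBODY": 0, "VIEWER": 10, "REPORTER": 25, "UPDATER": 40,
          "DEVELOPER": 55, "MANAGER": 70, "ADMINISTRATOR": 90, "NOBODY": 100}

# Scalar assignments such as: $g_update_bug_status_threshold = DEVELOPER;
ASSIGN = re.compile(r"^\s*\$g_(\w+_threshold)\s*=\s*([A-Z_]+|\d+)\s*;")

def parse_thresholds(config_text):
    """Return {setting: numeric level}; as in PHP, the last assignment wins."""
    found = {}
    for line in config_text.splitlines():
        m = ASSIGN.match(line)  # commented-out lines do not start with '$'
        if not m:
            continue
        name, value = m.groups()
        if value.isdigit():
            found[name] = int(value)
        elif value in LEVELS:
            found[name] = LEVELS[value]
    return found

def reachable_by(level_name, config_text, write_only=True):
    """List threshold settings that an account at level_name satisfies."""
    level = LEVELS[level_name]
    hits = []
    for name, threshold in sorted(parse_thresholds(config_text).items()):
        if write_only and name.startswith("view_"):
            continue  # read-only thresholds are expected to admit viewers
        if level >= threshold:
            hits.append(name)
    return hits

# Constructed sample config, not the reporter's file.
SAMPLE = """\
<?php
$g_allow_anonymous_login = ON;
$g_anonymous_account = 'anonymous';
$g_update_bug_status_threshold = DEVELOPER;
$g_update_bug_threshold = UPDATER;
$g_view_changelog_threshold = VIEWER;
# $g_add_bugnote_threshold = VIEWER;
$g_update_bug_status_threshold = VIEWER;  # constructed: later duplicate wins
"""

if __name__ == "__main__":
    for name in reachable_by("VIEWER", SAMPLE):
        print(f"VIEWER satisfies $g_{name}")
```

The check reads the file only; thresholds overridden through MantisBT's web configuration pages are stored in the database and would need to be reviewed there.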
|
Are you sure the anonymous user wasn't added to the users list associated with the project that the project belongs to? |
|
|
I checked. The anonymous user has been added to the project but is still set to 'viewer'. That still makes me think they shouldn't be able to change the status. Sorry about the delay, things have been pretty busy for me lately. |
|
|
Some questions to help with analyzing the issue:
|
|
You can see this for yourself, go to |
|
|
I can see the problem on your bug tracker. Did you notice that it is not happening on this bug tracker? If you logout and login as anonymous and go to an issue, you won't see the change status. It seems to be a corner case. I will look at the code and try to see if it can be obvious from there. |
|
|
Ahhh, I see that. So a couple things,
|
|
|
It might be a good idea to attach your configuration file here or add it as a note. This is after removing any sensitive information in there. |
|
|
Ah'right, uploaded with any sensitive information removed. |
|
|
Thank you for taking the time to report a problem with mantis. Since this problem report was originally made, a number of releases have occurred. Additionally no recent feedback has been received on this issue. Unfortunately you are not using the latest version and the problem might already be fixed. Please download the latest release from http://www.mantisbt.org/download.php If you are able to reproduce this bug in the current release, or have some more information on how this feature could be improved in the current release. Please either change the mantis version on this bug report Again, thank you for your continued support and report. |
|