View Issue Details

WikiJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0008332mantisbtadministrationpublic2007-09-04 06:192025-10-20 09:26
Reporterstappel Assigned Todregad  
PrioritynormalSeveritymajorReproducibilityalways
Status resolvedResolutionwon't fix 
Product Version1.1.0a4 
Summary0008332: manage_project_threshold problems
Description

I question the correctness on how bug 0008324 was solved. It creates some strange situations.

a) example when a user is created on global level: developer and i give him level: manager on a project. With fix 0008324, and $g_manage_user_threshold = MANAGER; in the config_inc.php file this user will not be able to be a user manager for the project. only if the user is set on global level manager will it work.

This can be fixed with replacing access_has_global_level() with access_has_project_level() in the patch from 0008324.

But then this also has to be done on all manageuser*.php pages like manage_user_page.php

b) (this might has to be created as a new bug report, you decide). If a user is a global manager level it can create new users with level administrator. This should probably not be possible as the user can elevate his own level by using this.

TagsNo tags attached.

Relationships

Relationship GraphDependency Graph
related to 0008324 closedgiallu Rendering of "Manage Users" menu link ignores $g_manage_user_threshold 
related to 0006719 closedvboctor Manager of a project can assign the Administrator role to a user. 

Activities

dregad

dregad

2025-10-20 09:21

developer   ~0070575

If a user is a global manager level it can create new users with level administrator

This should not be possible (covered by 0006719; see also 0023837).
dregad

dregad

2025-10-20 09:26

developer   ~0070576

when a user is created on global level: developer and i give him level: manager on a project. [...] this user will not be able to be a user manager for the project

I believe this was intentional. User management is a global thing in Mantis, so it would be very difficult to properly manage the security implications to ensure that a project-level manager is not able to grant access or have visibility on other projects.