Access Denied to administrator

General discussion of Mantis.

Starbuck
Posts: 180
Joined: Feb 13, 2006 9:53 pm
Location: USA

Post by Starbuck » May 21, 2019 8:15 pm

Running v2.21.0 over Linux with (I didn't install this) PHP v5.6.40.

I have a private project. Users are two admins and two reporters. The project has been locked down so that reporters can only see their own posts. (That might be a clue.)

A ticket was created by a reporter and of course set to New status.
As admin I open the ticket and click Change Status To ... anything else.
The page bug_change_status_page.php is opened as normal.
The view status shows as private and the Note area is colored accordingly.
If I enter any Note text and click the Now In Status button, it fails from bug_update.php with Access Denied.
If I do not enter a Note, just click the button, it succeeds to change the status.
I can manually add a note from view.php.
I am not trying to bypass status access thresholds or defined workflow transitions.

There are only two places in bug_update where this specific error is thrown:
If the user does not have the correct access level to this bug, we get ERROR_ACCESS_DENIED.
If the user does not have access to change a custom field that has been changed, we get ERROR_ACCESS_DENIED.
That error does not come from bug_change_status_page.php.

I'm sure I'm not reading thoroughly through the code, but as an administrator I don't think we should ever get Access Denied, so I think something is wrong.

Help is always appreciated.
I'll file a bug if someone verifies this and agrees that it's a problem.
I will also recommend to the admin that they upgrade to PHP v7, but it would help if I had a reason outside of "it's the right thing to do".
Thanks!
If you want Mantis to work differently, use or create a plugin. Visit the Plugins forums.
Ask developers to create a plugin that you need - and motivate them to help you!
