Running v2.21.0 over Linux with (I didn't install this) PHP v5.6.40.
I have a private project. Users are two admins and two reporters. The project has been locked down so that reporters can only see their own posts. (That might be a clue.)
A ticket was created by a reporter and of course set to New status.
As admin I open the ticket and click Change Status To ... anything else.
The page bug_change_status_page.php is opened as normal.
The view status shows as private and the Note area is colored accordingly.
If I enter any Note text and click the Now In Status button, it fails from bug_update.php with Access Denied.
If I do not enter a Note, just click the button, it succeeds to change the status.
I can manually add a note from view.php.
I am not trying to bypass status access thresholds or defined workflow transitions.
There are only two places in bug_update where this specific error is thrown:
If the user does not have the correct access level to this bug, we get ERROR_ACCESS_DENIED.
If the user does not have access to change a custom field that has been changed, we get ERROR_ACCESS_DENIED.
That error does not come from bug_change_status_page.php.
I'm sure I'm not reading thoroughly through the code, but as an administrator I don't think we should ever get Access Denied, so I think something is wrong.
Help is always appreciated.
I'll file a bug if someone verifies this and agrees that it's a problem.
I will also recommend to the admin that they upgrade to PHP v7, but it would help if I had a reason outside of "it's the right thing to do".