Anonymous user can change bug status

rwhitney
Posts: 7
Joined: 10 Jan 2007, 07:36

Anonymous user can change bug status

Post by rwhitney »

Currently in our setup the anonymous account can change the status of the bugs. Uh, how do we go about turning this option off?
vboctor
Site Admin
Posts: 1304
Joined: 13 Feb 2005, 22:11
Location: Redmond, Washington

Post by vboctor »

It seems that your anonymous user has a higher access level than they should. At the moment, if a user has access to update a bug, then this user has access to change status. You should consider giving the anonymous user reporter access rather than update access.
Migrate your MantisBT to the MantisHub Cloud
rwhitney
Posts: 7
Joined: 10 Jan 2007, 07:36

Anonymous user has a viewer level status

Post by rwhitney »

It's not set to update status; it's set to viewer. Our anonymous users are unable to report bugs, just view them.

Any other ideas?
vboctor
Site Admin
Posts: 1304
Joined: 13 Feb 2005, 22:11
Location: Redmond, Washington

Post by vboctor »

What are the steps that the anonymous user can use to change the issue status?
rwhitney
Posts: 7
Joined: 10 Jan 2007, 07:36

Post by rwhitney »

If the user merely views the bug then there is a single option for them to change the status.

Image
vboctor
Site Admin
Posts: 1304
Joined: 13 Feb 2005, 22:11
Location: Redmond, Washington

Post by vboctor »

Please report this in the bug tracker. I will check it out.
rwhitney
Posts: 7
Joined: 10 Jan 2007, 07:36

Post by rwhitney »

jong
Posts: 3
Joined: 20 Apr 2007, 10:51

Post by jong »

I also have this problem with anonymous users. I get an access denied error when I try to view the bug you have posted (7771). Is there any news on a fix for this issue?
jong
Posts: 3
Joined: 20 Apr 2007, 10:51

Post by jong »

I am still having this problem. Should I file another bug report?
vboctor
Site Admin
Posts: 1304
Joined: 13 Feb 2005, 22:11
Location: Redmond, Washington

Post by vboctor »

I've posted some questions on the issue. Reporting another bug won't help. I am just wondering why not everyone is hitting this!
jong
Posts: 3
Joined: 20 Apr 2007, 10:51

Post by jong »

Thanks. It's awkward as the issue seems to be marked as private so I cannot tell if it is the same issue.
visiblesoul
Posts: 1
Joined: 28 Jul 2007, 23:08

Post by visiblesoul »

OK, so this is an old topic and I haven't found the solution for this issue for version 1.0.8 so here's a quick and ugly hack that seems to work for me...

First, find the user ID for your anonymous user account you set up. In my installation the "anonymous" user's user ID is "3". An easy way to find this is to navigate to Manage > Manage Users and hover over the "anonymous" username in the list of users. You will see a URL like this in your browser status bar...
You can see that the user_id is 3 for this particular user.

FIND in core/html_api.php (function html_button_bug_change_status):

Code:

echo "<form method=\"post\" action=\"bug_change_status_page.php\">";

ADD ABOVE:

Code:

if (auth_get_current_user_id() != 3) { // anonymous status button hack

Be sure to replace the "3" in my example code with the actual user ID of your anonymous user.

FIND:

Code:

echo "</form>\n";

ADD BELOW:

Code:

} // anonymous status button hack

FIND in bug_change_status_page.php:

Code:

		) {
		access_denied();

ADD ABOVE:

Code:

			|| auth_get_current_user_id() == 3 // anonymous status button hack

Be sure to replace the "3" in my example code with the actual user ID of your anonymous user.

Hope that helps someone.

-=DKC=-
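
Added example (not part of visiblesoul's post or of MantisBT): a small Python check an administrator could run over the HTML of a bug view page fetched without logging in, to confirm that the form posting to bug_change_status_page.php is no longer rendered. The class name, function name and both sample pages are constructed for illustration; the check covers only the rendered page, not the server-side guard added to bug_change_status_page.php.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

STATUS_PAGE = "bug_change_status_page.php"  # form target named in the post above


class _FormCollector(HTMLParser):
    """Collects every <form> with its method, action and submit-button labels."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"method": a.get("method", "get").lower(),
                             "action": a.get("action", ""), "buttons": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "submit":
                self._current["buttons"].append(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def status_change_forms(html):
    """Return the forms in `html` that submit to the status-change page."""
    collector = _FormCollector()
    collector.feed(html)
    # Compare only the script name, ignoring directories and query strings.
    return [f for f in collector.forms
            if urlsplit(f["action"]).path.rsplit("/", 1)[-1].lower() == STATUS_PAGE]


# Constructed sample pages (hypothetical, not captured from a real installation).
BEFORE_HACK = """<table><tr><td>
<form method="post" action="bug_change_status_page.php">
<input type="hidden" name="bug_id" value="42" />
<input type="submit" value="Change Status To:" />
</form></td></tr></table>"""
AFTER_HACK = "<table><tr><td><!-- no status form rendered --></td></tr></table>"

if __name__ == "__main__":
    for label, page in (("before", BEFORE_HACK), ("after", AFTER_HACK)):
        print(label, status_change_forms(page))
```

An empty list for the anonymous view means the button is gone from the page; a non-empty list shows which form and button are still exposed.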