View Issue Details

ID: 0021393
Project: mantisbt
Category: administration
View Status: public
Last Update: 2020-12-30 05:33
Reporter: kerwinchen
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0
Target Version: 2.9.1
Fixed in Version: 2.9.1
Summary: 0021393: When disable "Update an issue", then "Assign to" become access denied
Description

I just want to hide "Edit" button.

Role: Developer
Config: "Update an issue" ==> disable
"Assign an issue" ==> enable

The config works fine at ver 1.2.19

Tags: mantishub

Relationships

related to 0022093 closed vboctor Reporter can't change status of a bug
has duplicate 0023201 closed atrol unable to reassign without "update an issue" right
has duplicate 0023424 closed atrol Workflow Threshold - can't allow assignment or change status without edit permission
related to 0024512 closed atrol Can't reopen resolved bug from another reporter
related to 0027806 closed dregad Impossible to edit issues with PHP8

Activities

raymondf

2017-10-13 12:24

reporter   ~0057957

For us this is also major, because we use MantisBT to manage AT bug communications with our supplier. And we don't want a developer to change the original content.

Somehow this bug also has a relationship with 0022093. The fix described there (ver 2.7.0, bug_update.php, line 158) also fixed this issue.
Note: so 0022093 was also a major for us...

vboctor

2017-12-12 23:35

manager   ~0058381

PR: https://github.com/mantisbt/mantisbt/pull/1254

Related Changesets

MantisBT: master-2.9 bf1f02f7

2017-12-12 18:24

vboctor


Fix access checks for assign and change status

- Users should be able to assign issues even if they can’t update issues.
- Users should be able to change status even if they can’t update issues.

Fixes 0021393, 0022093
Affected Issues: 0021393, 0022093, 0027806
mod - bug_update.php

MantisBT: master-2.24 65567e0d

2020-12-28 13:41

dregad


Properly check access level when updating issues

Commit bf1f02f71a85bd4e05cd2a627b3c25e79f96d5a0 (issues 0021393, 0022093)
introduced a bug in the access level check, as it passed the threshold
as a string to access_ensure_bug_level() instead of its actual value.

This seemed to work in PHP < 8.0, because string comparisons behaved
differently [[1]], but in reality there was no actual access check, as
the strings were evaluated to 0 (ANYBODY).

Adding the missing config_get() call to fix the access level check.

Fixes 0027806

[1]: https://www.php.net/releases/8.0/en.php#consistent-type-errors-for-internal-functions
Affected Issues: 0021393, 0022093, 0027806
mod - bug_update.php
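
The comparison behaviour described in the 65567e0d commit message, modelled as an added example that is not MantisBT's own code. The level values, the option name `example_assign_threshold` and all three functions are constructed for illustration.

```php
<?php
// Constructed model of the bug described in the commit message above.
// 0 = ANYBODY comes from the page; the other level values and the
// option name are assumptions made for this example.
const ANYBODY = 0;
const REPORTER = 25;
const DEVELOPER = 55;

// Hypothetical configuration store standing in for config_get().
function example_config_get(string $option): int {
    $config = ['example_assign_threshold' => DEVELOPER];
    if (!array_key_exists($option, $config)) {
        throw new InvalidArgumentException("unknown option: $option");
    }
    return $config[$option];
}

// Untyped check: accepts whatever it is handed, like the buggy call path.
function loose_has_level($threshold, int $user_level): bool {
    return $user_level >= $threshold;
}

// Hardened check: only an integer threshold is accepted, so passing an
// option name raises TypeError instead of being compared silently.
function strict_has_level(int $threshold, int $user_level): bool {
    return $user_level >= $threshold;
}

$user = REPORTER;

// Bug: the option *name* is passed instead of its value.
// PHP < 8 casts the non-numeric string to 0 (ANYBODY), so every user passes.
// PHP >= 8 casts the integer to a string and compares text, so every user fails.
var_dump(loose_has_level('example_assign_threshold', $user));

// Fix: resolve the option to its integer value before comparing.
var_dump(strict_has_level(example_config_get('example_assign_threshold'), $user));

// The typed signature turns the original mistake into a hard failure.
try {
    strict_has_level('example_assign_threshold', $user);
} catch (TypeError $e) {
    echo "rejected: threshold must be an int\n";
}
```

Running the same file under PHP 7 and PHP 8 shows the first check flip from always-allow to always-deny, which is how the missing access check surfaced as issue 0027806.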