From: <no...@gi...> - 2011-09-05 12:28:43
Branch: refs/heads/master-1.2.x
Home: https://github.com/mantisbt/mantisbt
Commit: 9be5d99a9850c0e9807ad0106901b2bab93a5278
https://github.com/mantisbt/mantisbt/commit/9be5d99a9850c0e9807ad0106901b2bab93a5278
Author: David Hicks <d...@hx...>
Date: 2011-09-05 (Mon, 05 Sep 2011)
Changed paths:
M bug_report.php

Log Message:
-----------
Fix #13140: Incorrect permissions check during bug reporting and cloning

Todd Whitesel reported an issue with incorrect permissions checks being performed when cloning issues. The steps to reproduce this bug were provided by Todd:

------
Fresh 1.2.5 install.

Create two users, a Developer and an Updater.

Create a private project. (Actually create a couple more projects so you can see the project selector.)

Add both users to the private project AS MANAGERS.

Login as Developer, select the private project, and create an issue.

Login as Updater, select All Projects, and attempt to clone that issue. It fails with ACCESS DENIED error #13. Also note that your access level was Manager while editing the cloned issue, but in the error screen your access level is back to your global access of Updater.

As Updater, select the private project, create an issue. Then select All Projects, and attempt to clone that issue. It succeeds, apparently because you are cloning your own issue.

Create a public project and attach the private project as a subproject of it. Retry the above cloning tests with the public parent project instead of All Projects -- the results are the same whether you select All Projects or the parent project.
------

The problem was that the current project (from the project selector dropdown) was used as the basis for config_get calls, thus leading to incorrect permissions and settings being used within bug_report.php. We need to instead switch (temporarily) the current project to either the master issue (when cloning) or the specified project_id (when creating a new issue via bug_report_page.php).

Thanks again to Todd for the discovery and debugging of this problem, the detailed bug report and initial patch (that has been extended to resolve the second project_id issue from bug_report_page.php).
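The root cause described in the commit message is a context mismatch: project-scoped configuration (and the user's project-level access) is resolved against whatever project is selected in the dropdown rather than the project that owns the issue being cloned. The following PHP is an added illustration, not MantisBT's code and not the patch itself: the data, access-level constants, user and issue records are constructed, `config_get` is a simplified stand-in for the function the message names, and `current_project`, `set_current_project`, `user_access_level`, `can_report_buggy` and `can_clone_fixed` are hypothetical helpers. It reproduces the reported denial for the Updater under "All Projects" and shows the save/switch/restore pattern the message proposes.

```php
<?php
// Added illustration (not MantisBT's code): a minimal model of project-scoped
// configuration plus an access check. It shows why resolving config_get against
// the project selected in the dropdown gives the wrong answer when cloning an
// issue owned by another project, and the temporary project switch that fixes it.

const ALL_PROJECTS = 0;
// Access-level values are assumed for illustration only.
const UPDATER   = 40;
const DEVELOPER = 55;
const MANAGER   = 70;

// Constructed sample data: a global default and a per-project override.
$g_config_global  = ['report_bug_threshold' => DEVELOPER];
$g_config_project = [7 => ['report_bug_threshold' => MANAGER]];

// Constructed users: global access level plus per-project assignments
// (both are Managers in private project 7, as in the bug report).
$g_users = [
    'updater'   => ['global' => UPDATER,   'projects' => [7 => MANAGER]],
    'developer' => ['global' => DEVELOPER, 'projects' => [7 => MANAGER]],
];

// Constructed issue 101 lives in private project 7.
$g_bugs = [101 => ['project_id' => 7, 'reporter' => 'developer']];

// The project chosen in the project selector (All Projects by default).
$g_current_project = ALL_PROJECTS;

function current_project(): int {
    global $g_current_project;
    return $g_current_project;
}

function set_current_project(int $project_id): void {
    global $g_current_project;
    $g_current_project = $project_id;
}

// Simplified config_get: resolves an option for the *current* project and
// falls back to the global value. This dependence on the selected project is
// the behaviour the commit message identifies as the root cause.
function config_get(string $option) {
    global $g_config_global, $g_config_project;
    $p = current_project();
    return $g_config_project[$p][$option] ?? $g_config_global[$option];
}

// Effective access level of a user in the current project
// (falls back to the global level when All Projects is selected).
function user_access_level(string $user): int {
    global $g_users;
    $p = current_project();
    return $g_users[$user]['projects'][$p] ?? $g_users[$user]['global'];
}

// Buggy check: both the threshold and the user's level come from whatever
// project happens to be selected in the dropdown, not the issue's project.
function can_report_buggy(string $user): bool {
    return user_access_level($user) >= config_get('report_bug_threshold');
}

// Fixed check: temporarily switch the current project to the one that owns
// the master issue, run the same check, and always restore the selection.
function can_clone_fixed(string $user, int $master_bug_id): bool {
    global $g_bugs;
    $saved = current_project();
    set_current_project($g_bugs[$master_bug_id]['project_id']);
    try {
        return user_access_level($user) >= config_get('report_bug_threshold');
    } finally {
        set_current_project($saved);   // restore even if the check throws
    }
}

// Reproduce the report: the Updater, with All Projects selected, clones issue 101.
set_current_project(ALL_PROJECTS);
printf("buggy check: %s\n", can_report_buggy('updater') ? 'allowed' : 'ACCESS DENIED');
printf("fixed check: %s\n", can_clone_fixed('updater', 101) ? 'allowed' : 'ACCESS DENIED');
printf("selection restored: %s\n", current_project() === ALL_PROJECTS ? 'yes' : 'no');
```

The buggy path compares the Updater's global level against the global threshold and denies the clone, matching the reported ACCESS DENIED, while the fixed path evaluates both the threshold and the user's level in the issue's own project, where the user is a Manager. The `try`/`finally` matters: the project switch is a process-wide side effect, so the original selection must be restored on every exit path or later checks in the same request would silently run under the wrong project context.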