[mantisbt-commits] [mantisbt/mantisbt] 53844e: access_get_status_threshold() returns incorrect va...

[GitHub <no...@gi...>]

  Branch: refs/heads/master
  Home:   https://github.com/mantisbt/mantisbt
  Commit: 53844e3621c390da5143364ddbd4c1850181eb2d
      https://github.com/mantisbt/mantisbt/commit/53844e3621c390da5143364ddbd4c1850181eb2d
  Author: Damien Regad <dam...@me...>
  Date:   2012-12-06 (Thu, 06 Dec 2012)

  Changed paths:
    M core/access_api.php

  Log Message:
  -----------
  access_get_status_threshold() returns incorrect value for NEW

When the user's access level is below $g_update_bug_status_threshold and
the status to change to is NEW, the function returned the incorrect
access level, preventing user from accessing the target status when
updating bugs, even though the workflow permits it.

This commit fixes the problem by introducing special handling for NEW
status ('bug_submit_status'), in which case the function returns
'report_bug_threshold' otherwise it falls back to default
'update_bug_status_threshold'.

Fixes #15260, affects issue #15258


  Commit: 53282ac6f5c8ebbc5e161d25cf1668243eec2dc4
      https://github.com/mantisbt/mantisbt/commit/53282ac6f5c8ebbc5e161d25cf1668243eec2dc4
  Author: Damien Regad <dam...@me...>
  Date:   2012-12-06 (Thu, 06 Dec 2012)

  Changed paths:
    M core/html_api.php

  Log Message:
  -----------
  Prevent reporters from changing issue status to 'new'

Due to a missing access level check in html_button_bug_update(), in some
cases reporters had access to the 'Change Status To' button, which could
let them change an existing issue's status to 'new' (even if not their
own issue).

The code now checks that the user has at least 'update_bug_threshold'
permissions to display the button.

Fixes #15258


Compare: https://github.com/mantisbt/mantisbt/compare/0a78482c6d67...53282ac6f5c8