From: GitHub <no...@gi...> - 2012-12-06 08:48:33
Branch: refs/heads/master
Home: https://github.com/mantisbt/mantisbt

Commit: 53844e3621c390da5143364ddbd4c1850181eb2d
    https://github.com/mantisbt/mantisbt/commit/53844e3621c390da5143364ddbd4c1850181eb2d
Author: Damien Regad <dam...@me...>
Date: 2012-12-06 (Thu, 06 Dec 2012)

Changed paths:
  M core/access_api.php

Log Message:
-----------
access_get_status_threshold() returns incorrect value for NEW

When the user's access level is below $g_update_bug_status_threshold and the status to change to is NEW, the function returned the incorrect access level, preventing user from accessing the target status when updating bugs, even though the workflow permits it.

This commit fixes the problem by introducing special handling for NEW status ('bug_submit_status'), in which case the function returns 'report_bug_threshold' otherwise it falls back to default 'update_bug_status_threshold'.

Fixes #15260, affects issue #15258

Commit: 53282ac6f5c8ebbc5e161d25cf1668243eec2dc4
    https://github.com/mantisbt/mantisbt/commit/53282ac6f5c8ebbc5e161d25cf1668243eec2dc4
Author: Damien Regad <dam...@me...>
Date: 2012-12-06 (Thu, 06 Dec 2012)

Changed paths:
  M core/html_api.php

Log Message:
-----------
Prevent reporters from changing issue status to 'new'

Due to a missing access level check in html_button_bug_update(), in some cases reporters had access to the 'Change Status To' button, which could let them change an existing issue's status to 'new' (even if not their own issue).

The code now checks that the user has at least 'update_bug_threshold' permissions to display the button.

Fixes #15258

Compare: https://github.com/mantisbt/mantisbt/compare/0a78482c6d67...53282ac6f5c8