View Issue Details

ID: 0021393
Project: mantisbt
Category: administration
View Status: public
Last Update: 2020-12-30 05:33
Reporter: kerwinchen
Assigned To: vboctor
Status: closed
Resolution: fixed
Product Version: 1.3.0
Target Version: 2.9.1
Fixed in Version: 2.9.1
Summary: 0021393: When disable "Update an issue", then "Assign to" become access denied

I just want to hide "Edit" button.

Role: Developer
Config: "Update an issue" ==> disable
"Assign an issue" ==> enable

The config works fine at ver 1.2.19



related to 0022093 (closed, vboctor): Reporter can't change status of a bug
has duplicate 0023201 (closed, atrol): unable to reassign without "update an issue" right
has duplicate 0023424 (closed, atrol): Workflow Threshold - can't allow assignment or change status without edit permission
related to 0024512 (closed, atrol): Can't reopen resolved bug from another reporter
related to 0027806 (closed, dregad): Impossible to edit issues with PHP8




2017-10-13 12:24

reporter   ~0057957

For us this is also major, because we use MantisBT to manage AT bug communications with our supplier. And we don't want a developer to change the original content.

Somehow this bug also has a relationship with 0022093. The fix described there (ver 2.7.0, bug_update.php, line 158) also fixed this issue.
Note: so 0022093 was also a major for us...



2017-12-12 23:35

manager   ~0058381


Related Changesets

MantisBT: master-2.9 bf1f02f7

2017-12-12 23:24:40


Fix access checks for assign and change status

- Users should be able to assign issues even if they can’t update issues.
- Users should be able to change status even if they can’t update issues.

Fixes 0021393, 0022093
Affected Issues
0021393, 0022093, 0027806
mod - bug_update.php

MantisBT: master-2.24 65567e0d

2020-12-28 18:41:32


Properly check access level when updating issues

Commit bf1f02f71a85bd4e05cd2a627b3c25e79f96d5a0 (issues 0021393, 0022093)
introduced a bug in the access level check, as it passed the threshold
as a string to access_ensure_bug_level() instead of its actual value.

This seemed to work in PHP < 8.0, because string comparisons behaved
differently [1], but in reality there was no actual access check, as
the strings were evaluated to 0 (ANYBODY).

Adding the missing config_get() call to fix the access level check.

Fixes 0027806

Affected Issues
0021393, 0022093, 0027806
mod - bug_update.php
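
The comparison failure described in the second changeset, as an added PHP illustration that is not MantisBT code: the `demo_*` functions, the config table and the level values are simplified, hypothetical stand-ins, with `update_bug_assign_threshold` used as the sample option name. It shows the option name passed in place of its value, the corrected call, and a guard that rejects a non-integer threshold.

```php
<?php
// Added illustration, not MantisBT source. All demo_* functions and the config
// table are hypothetical stand-ins; the level values are sample values.
const REPORTER = 25;
const DEVELOPER = 55;

// Stand-in configuration store: option name => minimum access level.
$g_demo_config = array( 'update_bug_assign_threshold' => DEVELOPER );

function demo_config_get( string $p_option ) {
    global $g_demo_config;
    return $g_demo_config[$p_option];
}

// Loose check: compares the user's level with whatever it is handed.
function demo_has_level( int $p_user_level, $p_threshold ): bool {
    return $p_user_level >= $p_threshold;
}

// Guarded check: refuses a threshold that is not an integer level.
function demo_has_level_guarded( int $p_user_level, $p_threshold ): bool {
    if( !is_int( $p_threshold ) ) {
        throw new InvalidArgumentException(
            'threshold must be an integer level, got ' . gettype( $p_threshold ) );
    }
    return $p_user_level >= $p_threshold;
}

$t_option = 'update_bug_assign_threshold';

// Option name passed in place of its value (the mistake the commit describes).
// PHP < 8 converts the non-numeric string to 0, so every level passes.
// PHP >= 8 compares "25" and "55" with the name as strings, so every level fails.
var_dump( demo_has_level( REPORTER, $t_option ) );
var_dump( demo_has_level( DEVELOPER, $t_option ) );

// Option resolved first, so the comparison is integer against integer.
var_dump( demo_has_level( REPORTER, demo_config_get( $t_option ) ) );
var_dump( demo_has_level( DEVELOPER, demo_config_get( $t_option ) ) );

// The guard makes the mistake fail loudly on every PHP version.
try {
    demo_has_level_guarded( REPORTER, $t_option );
} catch( InvalidArgumentException $e ) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```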