View Issue Details

ID: 0022093
Project: mantisbt
Category: administration
View Status: public
Last Update: 2020-12-30 05:33
Reporter: Zazzarim
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.4
Target Version: 2.9.1
Fixed in Version: 2.9.1
Summary: 0022093: Reporter can't change status of a bug
Description

Reporters are not allowed to change the head of a bug note after submitting it.
In configuration I set $update_bug_threshold to DEVELOPER and above.
But now reporters can't change the status, e.g. from RESOLVED back to ASSIGNED. By workflow configuration it should be possible.
Now I set $update_bug_status_threshold to REPORTER and above. But this has no effect because bug_update.php line 154 uses access_ensure_bug_level( config_get( 'update_bug_threshold' ), $f_bug_id ); instead of access_ensure_bug_level( config_get( 'update_bug_status_threshold' ), $f_bug_id );
If I change this PHP file everything works fine for me.

Tags: No tags attached.

Relationships

related to 0016376 (closed, dregad): Not able to change status without having update issue rights
related to 0023719 (closed, vboctor): The reporter can not solve or close the issue
related to 0021393 (closed, vboctor): When disable "Update an issue", then "Assign to" become access denied
related to 0024512 (closed, atrol): Can't reopen resolved bug from another reporter
related to 0027806 (closed, dregad): Impossible to edit issues with PHP8

Activities

Zazzarim

2016-12-30 01:52

reporter  

Attachment: mantis_conf.jpg (703,248 bytes)

jascheri

2017-02-07 12:46

reporter   ~0055558

I am also having this issue with version 2.1.0

I would like to allow various roles to work within the workflow (assigning, changing status, etc.) but I do not want users below manager to be able to update an issue.

jascheri

2017-02-07 15:45

reporter   ~0055562

NOTE: The fix in the description worked for me too.

vboctor

2017-12-12 23:36

manager   ~0058382

PR: https://github.com/mantisbt/mantisbt/pull/1254

Related Changesets

MantisBT: master-2.9 bf1f02f7

2017-12-12 23:24:40

vboctor

Fix access checks for assign and change status

- Users should be able to assign issues even if they can’t update issues.
- Users should be able to change status even if they can’t update issues.

Fixes 0021393, 0022093
Affected Issues
0021393, 0022093, 0027806
mod - bug_update.php

MantisBT: master-2.24 65567e0d

2020-12-28 18:41:32

dregad

Properly check access level when updating issues

Commit bf1f02f71a85bd4e05cd2a627b3c25e79f96d5a0 (issues 0021393, 0022093)
introduced a bug in the access level check, as it passed the threshold
as a string to access_ensure_bug_level() instead of its actual value.

This seemed to work in PHP < 8.0, because string comparisons behaved
differently [[1]], but in reality there was no actual access check, as
the strings were evaluated to 0 (ANYBODY).

Adding the missing config_get() call to fix the access level check.

Fixes 0027806

[1]: https://www.php.net/releases/8.0/en.php#consistent-type-errors-for-internal-functions
Affected Issues
0021393, 0022093, 0027806
mod - bug_update.php
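
The failure mode described in the second changeset, shown as an added example that is not MantisBT's code. The function names, the configuration stand-in and the numeric access levels are assumptions, and the pre-PHP 8 coercion is modelled with an explicit cast so the script behaves the same on any PHP version.

```php
<?php
declare(strict_types=1);

// Access levels assumed for illustration; the page only states ANYBODY = 0.
const ANYBODY = 0;
const VIEWER = 10;
const REPORTER = 25;
const DEVELOPER = 55;

// Hypothetical stand-in for a configuration lookup (not MantisBT's config_get()).
function example_config_get(string $option): int {
    $config = [
        'update_bug_threshold'        => DEVELOPER,
        'update_bug_status_threshold' => REPORTER,
    ];
    return $config[$option];
}

// Models a loose comparison before PHP 8: a non-numeric string threshold
// is coerced to 0, which equals ANYBODY, so every caller passes.
function legacy_has_level(int $userLevel, $threshold): bool {
    return $userLevel >= (int) $threshold;
}

// Hardened variant: the threshold must already be an integer, so passing an
// option name instead of its value raises a TypeError instead of granting access.
function strict_has_level(int $userLevel, int $threshold): bool {
    return $userLevel >= $threshold;
}

$option = 'update_bug_status_threshold';

foreach (['viewer' => VIEWER, 'reporter' => REPORTER] as $role => $level) {
    // Buggy call shape: option name passed where its value was expected.
    $buggy = legacy_has_level($level, $option);
    // Fixed call shape: threshold resolved through the configuration lookup.
    $fixed = strict_has_level($level, example_config_get($option));
    printf("%-8s name-as-threshold=%s resolved-threshold=%s\n",
        $role, var_export($buggy, true), var_export($fixed, true));
}

try {
    // Same mistake against the typed signature: fails closed.
    strict_has_level(VIEWER, $option);
} catch (TypeError $e) {
    echo "strict check rejected a string threshold\n";
}
```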