View Issue Details

ID: 0024437
Project: mantisbt
Category: filters
View Status: public
Last Update: 2018-06-06 22:38
Reporter: intuity
Assigned To: community
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.13.1
Target Version: 2.15.0
Fixed in Version: 2.15.0
Summary: 0024437: Cannot save private filter if not allowed to save shared filter
Description

There is a bug in query_store.php where you cannot save a private filter if you do not have the privileges to save a shared filter (i.e. in my setup the minimum access level for saving filters is 'Developer' and the minimum access level to save shared filters is 'Manager'). The bug is on line 106 of query_store.php:

Original:

...
# ensure that we're not making this filter public if we're not allowed
if( !access_has_project_level( config_get( 'stored_query_create_shared_threshold' ) ) ) {
        access_denied();
}
...

I suggest that it should be corrected to:

...
# ensure that we're not making this filter public if we're not allowed
if( $f_is_public && !access_has_project_level( config_get( 'stored_query_create_shared_threshold' ) ) ) {
        access_denied();
}
...

Steps To Reproduce
  1. Set up shared filter saving as a higher ACL than saving a private filter
  2. Create an account with privileges only high enough to share a private filter
  3. Attempt to save a private filter

Tags: No tags attached.
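
The original and corrected checks from this report, modelled as a stand-alone PHP script and run over the access levels involved. This is an added example, not MantisBT code; the function names, constant names and level numbers are assumptions made for the illustration.

```php
<?php
// Stand-alone model of the access check in query_store.php (not MantisBT code).
// Level numbers are constructed for this example; only their order matters.
const REPORTER  = 25;
const DEVELOPER = 55;
const MANAGER   = 70;

// Thresholds as in the reporter's setup (constant names are hypothetical).
const SAVE_THRESHOLD        = DEVELOPER; // minimum level to save a filter
const SAVE_SHARED_THRESHOLD = MANAGER;   // minimum level to save a shared filter

// Original check: the shared threshold applies to every save.
function may_store_original( int $level, bool $is_public ): bool {
	if( $level < SAVE_THRESHOLD ) {
		return false;
	}
	return $level >= SAVE_SHARED_THRESHOLD; // $is_public is never consulted
}

// Corrected check: the shared threshold applies only when $is_public is set.
function may_store_fixed( int $level, bool $is_public ): bool {
	if( $level < SAVE_THRESHOLD ) {
		return false;
	}
	return !$is_public || $level >= SAVE_SHARED_THRESHOLD;
}

// Constructed cases: [description, level, is_public, expected decision].
$cases = [
	[ 'reporter saves private filter',  REPORTER,  false, false ],
	[ 'developer saves private filter', DEVELOPER, false, true  ],
	[ 'developer saves shared filter',  DEVELOPER, true,  false ],
	[ 'manager saves private filter',   MANAGER,   false, true  ],
	[ 'manager saves shared filter',    MANAGER,   true,  true  ],
];

foreach( $cases as [ $label, $level, $is_public, $expected ] ) {
	$before = may_store_original( $level, $is_public );
	$after  = may_store_fixed( $level, $is_public );
	printf( "%-33s original=%-5s fixed=%-5s %s\n",
		$label,
		$before ? 'allow' : 'deny',
		$after ? 'allow' : 'deny',
		$after === $expected ? 'ok' : 'MISMATCH' );
}
```

Only the "developer saves private filter" row differs between the two columns, which is the case the report describes; a developer saving a shared filter is denied by both versions.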

Activities

atrol

2018-05-16 09:48

developer   ~0059840

Thanks @intuity for reporting and providing the fix

PR https://github.com/mantisbt/mantisbt/pull/1350

Related Changesets

MantisBT: master b421ab2f

2018-05-16 09:42:54

atrol

Correct access checks when storing filters

Fixes 0024437
Affected Issues
0024437
mod - query_store.php