View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0021393 | mantisbt | administration | public | 2016-07-19 23:17 | 2020-12-30 05:33 |
Reporter | kerwinchen | Assigned To | vboctor | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.3.0 | ||||
Target Version | 2.9.1 | Fixed in Version | 2.9.1 | ||
Summary | 0021393: When disable "Update an issue", then "Assign to" become access denied | ||||
Description | I just want to hide "Edit" button. Role: Developer The config is work fine at ver 1.2.19 | ||||
Tags | mantishub | ||||
related to | 0022093 | closed | vboctor | Reporter can´t change status of a bug |
has duplicate | 0023201 | closed | atrol | unable to reassign without "update an issue" rigth |
has duplicate | 0023424 | closed | atrol | Workflow Threshold - can't allow assignment or change status without edit permission |
related to | 0024512 | closed | atrol | Can't reopen resolved bug from another reporter |
related to | 0027806 | closed | dregad | Impossible to edit issues with PHP8 |
For us this is also major, because we use MantisBT to manage AT bug communications with our supplier. And we don't want a developer to change the original content. Somehow this bug also has a relationship with 0022093. The fix described there (ver 2.7.0, bug_update.php, line 158), fixed also this issue. |
|
MantisBT: master-2.9 bf1f02f7 2017-12-12 18:24 Details Diff |
Fix access checks for assign and change status - Users should be able to assign issues even if they can’t update issues. - Users should be able to change status even if they can’t update issues. Fixes 0021393, 0022093 |
Affected Issues 0021393, 0022093, 0027806 |
|
mod - bug_update.php | Diff File | ||
MantisBT: master-2.24 65567e0d 2020-12-28 13:41 Details Diff |
Properly check access level when updating issues Commit bf1f02f71a85bd4e05cd2a627b3c25e79f96d5a0 (issues 0021393, 0022093) introduced a bug in the access level check, as it passed the threshold as a string to access_ensure_bug_level() instead of its actual value. This seemed to work in PHP < 8.0, because string comparisons behaved differently [[1]], but in reality there was no actual access check, as the strings were evaluated to 0 (ANYBODY). Adding the missing config_get() call to fix the access level check. Fixes 0027806 [1]: https://www.php.net/releases/8.0/en.php#consistent-type-errors-for-internal-functions |
Affected Issues 0021393, 0022093, 0027806 |
|
mod - bug_update.php | Diff File |