Improved get_status_option_list() function

Previous behavior to return all available values for the status enum when the workflow is not set for the given status, could potentially result in a security issue (letting the user bypass the workflow). The function now returns an empty array in this case, leaving it up to the caller to handle a possibly empty list. Simplified and optimized the test in the foreach loop. Do not add 'closed' status to the list if it is the current status. Added PHPdoc function header. Affects #11661, #14156
mantisbt · Apr 14, 2012 · 0630f85 · 0630f85
1 parent d453402
commit 0630f85
Showing 1 changed file with 17 additions and 9 deletions.
diff --git a/core/print_api.php b/core/print_api.php
@@ -776,10 +776,15 @@ function print_enum_string_option_list( $p_enum_name, $p_val = 0 ) {
 	}
 }
 
-# Select the proper enum values for status based on workflow
-# or the input parameter if workflows are not used
-# $p_enum_name : name of enumeration (eg: status)
-# $p_current_value : current value
+/*
+ * Returns a list of valid status options based on workflow
+ * @param int $p_user_auth User's access level
+ * @param int $p_current_value Current issue's status
+ * @param bool $p_show_current Add current status to return list
+ * @param bool $p_add_close Add 'closed' to return list
+ * @param int $p_project_id
+ * @return array
+ */
 function get_status_option_list( $p_user_auth = 0, $p_current_value = 0, $p_show_current = true, $p_add_close = false, $p_project_id = ALL_PROJECTS ) {
 	$t_config_var_value = config_get( 'status_enum_string', null, null, $p_project_id );
 	$t_enum_workflow = config_get( 'status_enum_workflow', null, null, $p_project_id );
@@ -793,15 +798,16 @@ function get_status_option_list( $p_user_auth = 0, $p_current_value = 0, $p_show
 			$t_enum_values = MantisEnum::getValues( $t_enum_workflow[$p_current_value] );
 		} else {
 			# workflow was not set for this status, this shouldn't happen
-			$t_enum_values = MantisEnum::getValues( $t_config_var_value );
+			# caller should be able to handle empty list
+			$t_enum_values = array();
 		}
 	}
-
 	$t_enum_list = array();
 
 	foreach ( $t_enum_values as $t_enum_value ) {
-		if ( ( access_compare_level( $p_user_auth, access_get_status_threshold( $t_enum_value, $p_project_id ) ) )
-				&& ( !(( false == $p_show_current ) && ( $p_current_value == $t_enum_value ) ) ) ) {
+		if (   ( $p_show_current || $p_current_value != $t_enum_value )
+			&& access_compare_level( $p_user_auth, access_get_status_threshold( $t_enum_value, $p_project_id ) )
+		) {
 			$t_enum_list[$t_enum_value] = get_enum_element( 'status', $t_enum_value );
 		}
 	}
@@ -812,7 +818,9 @@ function get_status_option_list( $p_user_auth = 0, $p_current_value = 0, $p_show
 
 	if ( $p_add_close && access_compare_level( $p_current_value, config_get( 'bug_resolved_status_threshold', null, null, $p_project_id ) ) ) {
 		$t_closed = config_get( 'bug_closed_status_threshold', null, null, $p_project_id );
-		$t_enum_list[$t_closed] = get_enum_element( 'status', $t_closed );
+		if( $p_show_current || $p_current_value != $t_closed ) {
+			$t_enum_list[$t_closed] = get_enum_element( 'status', $t_closed );
+		}
 	}
 
 	return $t_enum_list;