Prevent reporters from changing issue status to 'new'

Due to a missing access level check in html_button_bug_update(), in some
cases reporters had access to the 'Change Status To' button, which could
let them change an existing issue's status to 'new' (even if not their
own issue).

The code now checks that the user has at least 'update_bug_threshold'
permissions to display the button.

Fixes #15258
commit 53282ac6f5c8ebbc5e161d25cf1668243eec2dc4 1 parent 53844e3
@dregad dregad authored
Showing with 12 additions and 1 deletion.
  1. +12 −1 core/html_api.php
13 core/html_api.php
@@ -1441,11 +1441,22 @@ function html_button_bug_update( $p_bug_id ) {
function html_button_bug_change_status( $p_bug ) {
$t_current_access = access_get_project_level( $p_bug->project_id );
+ # User must have updater access to use the change status button
+ if( !access_has_bug_level( config_get( 'update_bug_threshold' ), $p_bug->id ) ) {
+ return;
+ }
+
$t_enum_list = get_status_option_list(
$t_current_access,
$p_bug->status,
false,
- bug_is_user_reporter( $p_bug->id, auth_get_current_user_id() ) && ( ON == config_get( 'allow_reporter_close' ) ),
+ # Add close if user is bug's reporter, still has rights to report issues
+ # (to prevent users downgraded to viewers from updating issues) and
+ # reporters are allowed to close their own issues
+ ( bug_is_user_reporter( $p_bug->id, auth_get_current_user_id() )
+ && access_has_bug_level( config_get( 'report_bug_threshold' ), $p_bug->id )
+ && ON == config_get( 'allow_reporter_close' )
+ ),
$p_bug->project_id );
if( count( $t_enum_list ) > 0 ) {
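Review bot: the new early return on 'update_bug_threshold' runs before the reporter-close condition is ever evaluated, so a reporter who holds 'report_bug_threshold' but not 'update_bug_threshold' will no longer see the button even when 'allow_reporter_close' is ON; the close-own-issue path added further down in this hunk becomes unreachable for exactly the users it is meant for. Consider computing the reporter-close boolean once before the guard and returning only when neither the updater check nor that boolean holds, then passing the same variable into get_status_option_list(). Separately, the commit message attributes the missing check to html_button_bug_update(), while the check is added in html_button_bug_change_status(); aligning the message with the changed function would make the history easier to audit.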