Prevent reporters from changing issue status to 'new'
Due to a missing access level check in html_button_bug_update(), in some
cases reporters had access to the 'Change Status To' button, which could
let them change an existing issue's status to 'new' (even if not their
own issue).

The code now checks that the user has at least 'update_bug_threshold'
permissions to display the button.

Fixes #15258
dregad committed Dec 6, 2012
1 parent 53844e3 commit 53282ac
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion core/html_api.php
Expand Up @@ -1441,11 +1441,22 @@ function html_button_bug_update( $p_bug_id ) {
function html_button_bug_change_status( $p_bug ) {
$t_current_access = access_get_project_level( $p_bug->project_id );

# User must have updater access to use the change status button
if( !access_has_bug_level( config_get( 'update_bug_threshold' ), $p_bug->id ) ) {
return;
}

$t_enum_list = get_status_option_list(
$t_current_access,
$p_bug->status,
false,
bug_is_user_reporter( $p_bug->id, auth_get_current_user_id() ) && ( ON == config_get( 'allow_reporter_close' ) ),
# Add close if user is bug's reporter, still has rights to report issues
# (to prevent users downgraded to viewers from updating issues) and
# reporters are allowed to close their own issues
( bug_is_user_reporter( $p_bug->id, auth_get_current_user_id() )
&& access_has_bug_level( config_get( 'report_bug_threshold' ), $p_bug->id )
&& ON == config_get( 'allow_reporter_close' )
),
$p_bug->project_id );

if( count( $t_enum_list ) > 0 ) {
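Review bot: the new early return on `update_bug_threshold` also gates the reporter-close path added further down in this hunk, so a reporter who is below the update threshold but satisfies `report_bug_threshold` with `allow_reporter_close` ON will no longer see the button at all, even for their own issue; please confirm that is intended, or move the threshold check so that the reporter-close case (`bug_is_user_reporter(...) && access_has_bug_level( config_get( 'report_bug_threshold' ), ... )`) is still offered. Minor: `bug_is_user_reporter( $p_bug->id, auth_get_current_user_id() )` and the two `access_has_bug_level()` calls could be evaluated once into local variables rather than repeated inside the argument list, and the comment explaining the close condition would read better placed before the call rather than between arguments.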