Prevent reporters from changing issue status to 'new'

Due to a missing access level check in html_button_bug_update(), in some
cases reporters had access to the 'Change Status To' button, which could
let them change an existing issue's status to 'new' (even if not their
own issue).

The code now checks that the user has at least 'update_bug_threshold'
permissions to display the button.

Fixes #15258
1 parent 53844e3 commit 53282ac6f5c8ebbc5e161d25cf1668243eec2dc4 @dregad dregad committed Dec 6, 2012
Showing with 12 additions and 1 deletion.
  1. +12 −1 core/html_api.php
@@ -1441,11 +1441,22 @@ function html_button_bug_update( $p_bug_id ) {
function html_button_bug_change_status( $p_bug ) {
$t_current_access = access_get_project_level( $p_bug->project_id );
+ # User must have updater access to use the change status button
+ if( !access_has_bug_level( config_get( 'update_bug_threshold' ), $p_bug->id ) ) {
+ return;
+ }
+
$t_enum_list = get_status_option_list(
$t_current_access,
$p_bug->status,
false,
- bug_is_user_reporter( $p_bug->id, auth_get_current_user_id() ) && ( ON == config_get( 'allow_reporter_close' ) ),
+ # Add close if user is bug's reporter, still has rights to report issues
+ # (to prevent users downgraded to viewers from updating issues) and
+ # reporters are allowed to close their own issues
+ ( bug_is_user_reporter( $p_bug->id, auth_get_current_user_id() )
+ && access_has_bug_level( config_get( 'report_bug_threshold' ), $p_bug->id )
+ && ON == config_get( 'allow_reporter_close' )
+ ),
$p_bug->project_id );
if( count( $t_enum_list ) > 0 ) {
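Review bot: the new early return on `update_bug_threshold` sits above the reporter-close logic, so a reporter who is below the update threshold can never reach the `allow_reporter_close` branch that the second part of this hunk carefully extends; for exactly the users that option targets, the 'Change Status To' button now never renders, and the `access_has_bug_level( config_get( 'report_bug_threshold' ), ... )` condition becomes dead code. Suggest gating on the combined condition instead, e.g. return early only when the user lacks updater access AND is not a reporter permitted to close their own issue. Separately, this change only hides the button; since the fix is for reporters being able to set 'new', confirm the server-side status update handler (not in this diff) enforces the same threshold, otherwise a crafted request bypasses the UI check.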