Please sign in to comment.
Fix #14016: delete_attachments_threshold is not checked
Roland Becker (MantisBT developer) reported the following security/access control bug: In a default installation delete_attachments_threshold is set to DEVELOPER but having access level >= update_bug_threshold is enough to delete attachments if form_security_validation is set to OFF. MantisBT was not checking the access level of the user requesting deletion of an attachment to an issue against $g_delete_attachments_threshold. The new access control logic for deleting an issue attachment is now: 1. Does the user have an access level of at least update_bug_threshold? 2. If the user is the owner of the file and $g_allow_delete_own_attachments=OFF, does this user have an access level of at least delete_attachments_threshold? 3. If the user is not the owner of the file, do they have an access level of at least delete_attachments_threshold? Also refer to issue #14015 for discussion on whether update_bug_threshold should be part of the access control logic. The relevant SOAP API call has also been updated.
- Loading branch information...
Showing with 21 additions and 0 deletions.