Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

Fix #14016: delete_attachments_threshold is not checked

Roland Becker (MantisBT developer) reported the following
security/access control bug:

In a default installation delete_attachments_threshold is set to
DEVELOPER but having access level >= update_bug_threshold is enough to
delete attachments if form_security_validation is set to OFF.

MantisBT was not checking the access level of the user requesting
deletion of an attachment to an issue against
$g_delete_attachments_threshold.

The new access control logic for deleting an issue attachment is now:
1. Does the user have an access level of at least update_bug_threshold?
2. If the user is the owner of the file and
$g_allow_delete_own_attachments=OFF, does this user have an access level
of at least delete_attachments_threshold?
3. If the user is not the owner of the file, do they have an access
level of at least delete_attachments_threshold?

Also refer to issue #14015 for discussion on whether
update_bug_threshold should be part of the access control logic.

The relevant SOAP API call has also been updated.
  • Loading branch information...
commit ceafe6f0c679411b81368052633a63dd3ca06d9c 1 parent 804f6ed
David Hicks authored
15  api/soap/mc_issue_attachment_api.php
@@ -64,12 +64,27 @@ function mc_issue_attachment_add( $p_username, $p_password, $p_issue_id, $p_name
64 64
  */
65 65
 function mc_issue_attachment_delete( $p_username, $p_password, $p_issue_attachment_id ) {
66 66
 	$t_user_id = mci_check_login( $p_username, $p_password );
  67
+
67 68
 	if( $t_user_id === false ) {
68 69
 		return mci_soap_fault_login_failed();
69 70
 	}
  71
+
70 72
 	$t_bug_id = file_get_field( $p_issue_attachment_id, 'bug_id' );
  73
+
  74
+	# Check access against update_bug_threshold
71 75
 	if( !access_has_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id, $t_user_id ) ) {
72 76
 		return mci_soap_fault_access_denied( $t_user_id );
73 77
 	}
  78
+
  79
+	$t_attachment_owner = file_get_field( $f_file_id, 'user_id' );
  80
+	$t_current_user_is_attachment_owner = $t_attachment_owner == $t_user_id;
  81
+	# Factor in allow_delete_own_attachments=ON|OFF
  82
+	if ( !$t_current_user_is_attachment_owner || ( $t_current_user_is_attachment_owner && !config_get( 'allow_delete_own_attachments' ) ) ) {
  83
+		# Check access against delete_attachments_threshold
  84
+		if ( !access_has_bug_level( config_get( 'delete_attachments_threshold' ), $t_bug_id, $t_user_id ) ) {
  85
+			return mci_soap_fault_access_denied( $t_user_id );
  86
+		}
  87
+	}
  88
+
74 89
 	return file_delete( $p_issue_attachment_id, 'bug' );
75 90
 }
6  bug_file_delete.php
@@ -44,6 +44,12 @@
44 44
 
45 45
 	access_ensure_bug_level( config_get( 'update_bug_threshold' ), $t_bug_id );
46 46
 
  47
+	$t_attachment_owner = file_get_field( $f_file_id, 'user_id' );
  48
+	$t_current_user_is_attachment_owner = $t_attachment_owner == auth_get_current_user_id();
  49
+	if ( !$t_current_user_is_attachment_owner || ( $t_current_user_is_attachment_owner && !config_get( 'allow_delete_own_attachments' ) ) ) {
  50
+		access_ensure_bug_level( config_get( 'delete_attachments_threshold'), $t_bug_id );
  51
+	}
  52
+
47 53
 	helper_ensure_confirmed( lang_get( 'delete_attachment_sure_msg' ), lang_get( 'delete_attachment_button' ) );
48 54
 
49 55
 	file_delete( $f_file_id, 'bug' );

0 notes on commit ceafe6f

Roland Becker

$f_file_id is not defined at this place.
Should be $p_issue_attachment_id

I fixed it with commit c931418

Please sign in to comment.
Something went wrong with that request. Please try again.