Fix #14340: Reporters can use SOAP to update bugnotes without permission

The access checks inside bugnote_update.php and
api/soap/mc_issue_api.php differed. Users were incorrectly allowed via
the SOAP interface to update the bugnotes of other users. Instead of
comparing the SOAP user's access level to $g_update_bugnote_threshold,
$g_add_bugnote_threshold was used.

This posed a problem because the default installed state of MantisBT is
to allow the REPORTER access level to submit bugs via the SOAP API. Thus
in the default installed state, any user who could submit a bug could
also update/modify the bugnotes of any other user.

Access checks within bugnote_update.php and api/soap/mc_issue_api.php
should now be equivalent.

Thanks to Roland Becker and Damien Regard (both MantisBT developers) for
finding and reporting this problem.
commit edc8142bb8ac0ac0df1a3824d78c15f4015d959e 1 parent 8e5faf8
David Hicks authored June 02, 2012

Showing 1 changed file with 48 additions and 35 deletions.

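--- a/api/soap/mc_issue_api.php
+++ b/api/soap/mc_issue_api.php
@@ -1058,51 +1058,64 @@ function mc_issue_note_delete( $p_username, $p_password, $p_issue_note_id ) {
  * @return true on success, false on failure
  */
 function mc_issue_note_update( $p_username, $p_password, $p_note ) {
-    $t_user_id = mci_check_login( $p_username, $p_password );
-    
-    if( $t_user_id === false ) {
-        return mci_soap_fault_login_failed();
-    }
+	$t_user_id = mci_check_login( $p_username, $p_password );
 
-    if ( !isset( $p_note['id'] ) || is_blank( $p_note['id'] ) ) {
-        return new soap_fault( 'Client', '', "Issue id must not be blank." );
-    }
-    
-    if ( !isset( $p_note['text'] ) || is_blank( $p_note['text'] ) ) {
-        return new soap_fault( 'Client', '', "Issue note text must not be blank." );
-    }
-    
-    $t_issue_note_id = $p_note['id'];
+	if ( $t_user_id === false ) {
+		return mci_soap_fault_login_failed();
+	}
+
+	if ( !isset( $p_note['id'] ) || is_blank( $p_note['id'] ) ) {
+		return new soap_fault( 'Client', '', "Issue id must not be blank." );
+	}
+
+	if ( !isset( $p_note['text'] ) || is_blank( $p_note['text'] ) ) {
+		return new soap_fault( 'Client', '', "Issue note text must not be blank." );
+	}
+
+	$t_issue_note_id = $p_note['id'];
+
+	if ( !bugnote_exists( $t_issue_note_id ) ) {
+		return new soap_fault( 'Server', '', "Issue note '$t_issue_note_id' does not exist." );
+	}
 
-    if( !bugnote_exists( $t_issue_note_id ) ) {
-        return new soap_fault( 'Server', '', "Issue note '$t_issue_note_id' does not exist." );
-    }
-    
 	$t_issue_id = bugnote_get_field( $t_issue_note_id, 'bug_id' );
-	
 	$t_project_id = bug_get_field( $t_issue_id, 'project_id' );
 
-    if( !mci_has_readwrite_access( $t_user_id, $t_project_id ) ) {
-        return mci_soap_fault_access_denied( $t_user_id );
-    }
+	if ( !mci_has_readwrite_access( $t_user_id, $t_project_id ) ) {
+		return mci_soap_fault_access_denied( $t_user_id );
+	}
 
-    if( !access_has_bug_level( config_get( 'add_bugnote_threshold' ), $t_issue_id, $t_user_id ) ) {
-        return mci_soap_fault_access_denied( $t_user_id, "You do not have access rights to add notes to this issue" );
-    }
+	$t_issue_author_id = bugnote_get_field( $t_issue_note_id, 'reporter_id' );
 
-    if( bug_is_readonly( $t_issue_id ) ) {
-        return mci_soap_fault_access_denied( $t_user_id, "Issue ' . $t_issue_id . ' is readonly" );
-    }
+	# Check if the user owns the bugnote and is allowed to update their own bugnotes
+	# regardless of the update_bugnote_threshold level.
+	$t_user_owns_the_bugnote = bugnote_is_user_reporter( $t_issue_note_id, $t_user_id );
+	$t_user_can_update_own_bugnote = config_get( 'bugnote_allow_user_edit_delete', null, $t_user_id, $t_project_id );
+	if ( $t_user_owns_the_bugnote && !$t_user_can_update_own_bugnote ) {
+		return mci_soap_fault_access_denied( $t_user_id );
+	}
 
-    if( isset( $p_note['view_state'] )) {
-        $t_view_state = $p_note['view_state'];
-        $t_view_state_id = mci_get_enum_id_from_objectref( 'view_state', $t_view_state );
-        bugnote_set_view_state( $t_issue_note_id, $t_view_state_id );
-    }
+	# Check if the user has an access level beyond update_bugnote_threshold for the
+	# project containing the bugnote to update.
+	$t_update_bugnote_threshold = config_get( 'update_bugnote_threshold', null, $t_user_id, $t_project_id );
+	if ( !$t_user_owns_the_bugnote && !access_has_bugnote_level( $t_update_bugnote_threshold, $t_user_id, $t_project_id ) ) {
+		return mci_soap_fault_access_denied( $t_user_id );
+	}
+
+	# Check if the bug is readonly
+	if ( bug_is_readonly( $t_issue_id ) ) {
+		return mci_soap_fault_access_denied( $t_user_id, "Issue ' . $t_issue_id . ' is readonly" );
+	}
+
+	if ( isset( $p_note['view_state'] ) ) {
+		$t_view_state = $p_note['view_state'];
+		$t_view_state_id = mci_get_enum_id_from_objectref( 'view_state', $t_view_state );
+		bugnote_set_view_state( $t_issue_note_id, $t_view_state_id );
+	}
 
-    bugnote_set_text( $t_issue_note_id, $p_note['text'] );
+	bugnote_set_text( $t_issue_note_id, $p_note['text'] );
 
-    return bugnote_date_update( $t_issue_note_id );
+	return bugnote_date_update( $t_issue_note_id );
 }
 
 /**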

0 notes on commit edc8142

Roland Becker

This line can be removed.
$t_issue_author_id is not used
