Fix #13140: Incorrect permissions check during bug reporting and cloning
Todd Whitesel reported an issue with incorrect permissions checks being
performed when cloning issues. The steps to reproduce this bug were
provided by Todd:

------
Fresh 1.2.5 install.

Create two users, a Developer and an Updater.
Create a private project.
(Actually create a couple more projects so you can see the project
selector.)
Add both users to the private project AS MANAGERS.
Login as Developer, select the private project, and create an issue.
Login as Updater, select All Projects, and attempt to clone that issue.
It fails with ACCESS DENIED error #13. Also note that your access level
was Manager while editing the cloned issue, but in the error screen your
access level is back to your global access of Updater.

As Updater, select the private project, create an issue. Then select All
Projects, and attempt to clone that issue. It succeeds, apparently
because you are cloning your own issue.

Create a public project and attach the private project as a subproject
of it. Retry the above cloning tests with the public parent project
instead of All Projects -- the results are the same whether you select
All Projects or the parent project.
------

The problem was that the current project (from the project selector
dropdown) was used as the basis for config_get calls, thus leading to
incorrect permissions and settings being used within bug_report.php. We
need to instead switch (temporarily) the current project to either the
master issue (when cloning) or the specified project_id (when creating a
new issue via bug_report_page.php).

Thanks again to Todd for the discovery and debugging of this problem, the
detailed bug report and initial patch (that has been extended to resolve
the second project_id issue from bug_report_page.php).

Conflicts:
	bug_report.php
davidhicks committed Sep 5, 2011
1 parent 7af2f47 commit b08e9c1
Showing 1 changed file with 22 additions and 1 deletion.
23 changes: 22 additions & 1 deletion bug_report.php
Expand Up @@ -80,6 +80,27 @@

form_security_validate( 'bug_report' );

$t_project_id = null;
$f_master_bug_id = gpc_get_int( 'm_id', 0 );
if ( $f_master_bug_id > 0 ) {
bug_ensure_exists( $f_master_bug_id );
if ( bug_is_readonly( $f_master_bug_id ) ) {
error_parameters( $f_master_bug_id );
trigger_error( ERROR_BUG_READ_ONLY_ACTION_DENIED, ERROR );
}
$t_master_bug = bug_get( $f_master_bug_id, true );
project_ensure_exists( $t_master_bug->project_id );
access_ensure_bug_level( config_get( 'update_bug_threshold', null, null, $t_master_bug->project_id ), $f_master_bug_id );
$t_project_id = $t_master_bug->project_id;
} else {
$f_project_id = gpc_get_int( 'project_id' );
project_ensure_exists( $f_project_id );
$t_project_id = $f_project_id;
}
if ( $t_project_id != helper_get_current_project() ) {
$g_project_override = $t_project_id;
}

access_ensure_project_level( config_get('report_bug_threshold' ) );

$t_bug_data = new BugData;
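Review bot: the clone branch silently discards whatever `project_id` the form submitted, because `$t_project_id` is taken from `$t_master_bug->project_id` and the form value is only read in the `else` branch; that is the intended fix, but a short comment next to `$t_project_id = $t_master_bug->project_id;` would stop a later reader from re-adding the form value. Note also that `$g_project_override` is only assigned when `$t_project_id != helper_get_current_project()` and is never cleared in this hunk, so it stays in effect for the rest of the request; the following `access_ensure_project_level( config_get('report_bug_threshold' ) );` depends on exactly that, which is worth stating in a comment since the override is what makes the threshold resolve against the target project rather than the project selector. Style nit: `config_get('report_bug_threshold' )` is missing the space after the opening parenthesis that the surrounding calls use (`config_get( 'update_bug_threshold', null, null, $t_master_bug->project_id )`).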
Expand Down Expand Up @@ -118,7 +139,7 @@
$f_copy_attachments_from_parent = gpc_get_bool( 'copy_attachments_from_parent', false);


$t_bug_data->project_id = gpc_get_int( 'project_id' );
$t_bug_data->project_id = $t_project_id;

$t_bug_data->reporter_id = auth_get_current_user_id();
