View Issue Details

ID: 0015305
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-10-06 22:55
Reporter: Sercrui
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: N/A
Status: acknowledged
Resolution: open
Product Version: 1.2.12
Summary: 0015305: Access control for copy, attach tag, add note
Description

There are currently no configuration options within Configuration > Workflow Thresholds to remove access to "copy", "attach tag" and "add note" functions as there are for "move" and others. This results in the ability to mass copy, add notes and add tags to all issues from the view issue page allowing reporters (in some cases anonymous) to mass copy tickets.

Tags: No tags attached.

Relationships

has duplicate 0023905 (closed, atrol, mantisbt): How to disable 'Copy' option in 'View Issues' and 'Clone'

Activities

dregad (developer) 2012-12-19 07:19 ~0034575

The 3 functions you mention, are controlled by existing thresholds:

copy = report_bug_threshold (which is possibly too permissive, and furthermore not consistent with the handling of the 'clone' button, see 0011290)

add tag = tag_attach_threshold

add note = add_bugnote_threshold

If I understand you correctly, you would like to have a threshold distinct from the "normal", single bug one, for each of the above-mentioned "mass update" functions.

Please confirm.

atrol (developer) 2012-12-19 07:45 ~0034577

"mass updates" are also possible by using the SOAP API and by automated HTTP requests.
Having a setting $g_allow_bulk_operation_threshold = UPDATER and to check it at "View Issues" page will not be enough to get this solved.
There can't be a real solution for it. If one of your reporters is a bad guy ...

Sercrui (reporter) 2012-12-19 21:35 ~0034587

If "Report an issue" in the workflow configuration panel corresponds to report_bug_threshold, then yes, I am asking for a separately configurable option for copy. I am not at all familiar with the inner workings of Mantis so I'm not 100% certain that's correct. I have found that one can remove the ability to post notes in the panel but it completely removes the ability to add a note over just the multiple option on view issues. I would assume it may be impractical to separate these. I have not found which option would correspond to tags.

We are currently using Mantis with anonymous reporting enabled for various reasons and would like to limit it to only the ability to report and add notes, which doesn't appear to be possible currently.

The potential for SOAP API abuse (it can be hidden or removed) and HTTP attacks (Mantis is one of many available targets) are of limited concern versus a button built into the software itself that can cause issues with only a few clicks. Our end users are much more likely to abuse the button than the API or to launch any kind of automated attack.

dregad (developer) 2012-12-20 03:48 ~0034589

"Report an issue" in the workflow configuration panel corresponds to report_bug_threshold

That's correct.

I would assume it may be impractical to separate these

Indeed, I don't think it would be a good idea.

I think the best approach would be, as atrol suggested, to have a threshold to control who is allowed to perform mass updates.

However, due to resource constraints in the dev team, please note that it is unlikely that this feature would make it into core any time soon.

atrol (developer) 2012-12-20 04:37 ~0034591

I have not found which option would correspond to tags.

You can't find it on the configuration page.
You have to add the following line to the file config_inc.php:

    $g_tag_attach_threshold = DEVELOPER;
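The thresholds named by dregad and atrol in this thread, collected into one config_inc.php fragment. This is an added example for readers of the issue, not text from the issue itself or a file shipped by MantisBT; the access-level constants (ANONYMOUS, REPORTER, UPDATER, DEVELOPER, ...) and the option names are MantisBT's own, while the anonymous-account setup and the chosen levels are assumptions made for illustration.

```php
<?php
// Added example, not part of this issue or of MantisBT's default config.
// Access-level constants (ANONYMOUS, VIEWER, REPORTER, UPDATER, DEVELOPER,
// MANAGER, ADMINISTRATOR) and ON/OFF are defined by MantisBT itself.

// Assumed deployment matching the reporter's setup: anonymous reporting on.
$g_allow_anonymous_login = ON;
$g_anonymous_account     = 'guest';   // assumed account name

// "Report Issue" in Configuration > Workflow Thresholds. Per dregad's note,
// the same threshold gates the "Copy" action on View Issues (including the
// mass copy), so it cannot be tightened for copy alone without also
// blocking ordinary reporting. REPORTER keeps anonymous reporting working.
$g_report_bug_threshold = REPORTER;

// "Add Note" in Workflow Thresholds. Gates both the single-issue note form
// and the mass "Add Note" action; there is no separate mass-update level.
$g_add_bugnote_threshold = REPORTER;

// Not exposed on the configuration page (atrol's note above), so it has to
// be set here. DEVELOPER removes "Attach Tag" from reporters and from the
// anonymous account.
$g_tag_attach_threshold = DEVELOPER;

// For comparison: "Move" has its own threshold and can be restricted
// independently of reporting, which is what the reporter asks for "copy".
$g_move_bug_threshold = DEVELOPER;
```

With these values a reporter (or the anonymous account) can still report, copy and add notes, singly or in bulk, because those actions share the REPORTER thresholds; only tagging is removed. That is the limitation the issue is about: the thresholds decide who may perform an action, not how many issues it may be applied to, and they apply to the web UI and the SOAP/HTTP handlers alike.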

markmachine (reporter) 2023-10-06 22:54 ~0068190

Last edited: 2023-10-06 22:55

I see that this is a really old request, but I have the same issue at the moment. I keep my MantisBT installation open for registration so users can report bugs, and I really dislike the fact that one can easily mass copy, copy at all or mass add notes to issues. I'm almost certain that this will be abused intentionally or unintentionally.

Since there is "Anti-Spam" available, I don't see the problem with "HTTP attacks" and SOAP might be disabled or should also implement a rate limit (not sure if that is already covered via "Anti-Spam"). So there should definitely be an option for a "copy" threshold (so e.g. reporter just can't copy at all), another one for bulk copy and bulk notes.
Thanks