View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0021095 | mantisbt | administration | public | 2016-06-12 17:51 | 2016-06-13 03:05 |
Reporter | cproensa | Assigned To | |||
Priority | normal | Severity | feature | Reproducibility | have not tried |
Status | new | Resolution | open | ||
Summary | 0021095: protected users should not allow project assignment changes | ||||
Description | In the same way that a protected user's global access level currently cannot be changed, it makes sense that its access level for any project it is assigned to cannot be modified either. | ||||
Tags | No tags attached. | ||||
I believe a protected user cannot be changed in any way. That includes its assignment to projects. How did you manage to do this? |
|
Seems not to work that way (at least in current 1.3). The "Protected" flag only blocks modifications of the "active" flag and the global access level. |
|
Actually: In case a modification is needed, first the protected field has to be modified, and then the fields would be editable. |
|
This would not be clean in terms of security. |
|
Don't know about you, but for me MantisBT 1.2.x and 1.3.x work the same in this respect. If I open any protected user on the Manage Users page, it only shows Username, Real Name, E-mail, Access Level, Enabled, Protected, Notify User. If I try to change any of them (except Protected), an error says I cannot change the user because he's protected. Everything else is not shown in case of protected users. |
|
I am guessing you mean "my account" page, for preferences? I think I am seeing the "protected" flag as also protected from changes made by administrators, which is somehow implied by the warnings you get from manage user page.
I am clearly seeing the project assignment form, and can change this configuration. |
|
I think that protecting a user should just serve to protect the user himself from changing a setting, e.g. anonymous users. At the moment, I don't see the advantage to restrict administrators. |
|
Of course, an administrator should be able to change a protected user. Some warning or first level protection should be convenient, especially when administration is shared with several team members. The project assignment is something that probably should be protected too. I haven't tested yet, but: |
|