View Issue Details

ID: 0021095
Project: mantisbt
Category: administration
View Status: public
Last Update: 2016-06-13 03:05
Reporter: cproensa
Assigned To:
Priority: normal
Severity: feature
Reproducibility: have not tried
Status: new
Resolution: open
Summary: 0021095: protected users should not allow project assignment changes
Description

In the same way that a protected user's global access level currently cannot be changed, it makes sense that its access level for any project it is assigned to cannot be modified either.

Tags: No tags attached.

Relationships

related to 0021092 (closed, SL-Gundam): Plugin - EmailReporting reporter user list does not show all reporter users

Activities

SL-Gundam (reporter), 2016-06-12 18:15, ~0053340

I believe a protected user cannot be changed in any way. That includes its assignment to projects.

How did you manage to do this?

cproensa (developer), 2016-06-12 18:22, ~0053342

> I believe a protected user cannot be changed in any way. That includes its assignment to projects.
> How did you manage to do this?

It seems not to work that way (at least in the current 1.3).

The "Protected" flag only blocks modifications of the "active" flag and the global access level.

cproensa (developer), 2016-06-12 18:31, ~0053343

Actually:
From a UI perspective, the user manage page for a protected user should have all those (no change allowed) fields disabled by default, as a read-only view.

In case a modification is needed, first the protected field has to be modified, and then the fields would be editable.

atrol (developer), 2016-06-12 19:43, ~0053346

> In case a modification is needed, first the protected field has to be modified, and then the fields would be editable.

This would not be clean in terms of security.
It would allow the user to access the "My View" page during the short period where the user is not set to protected.

SL-Gundam (reporter), 2016-06-12 19:52, ~0053347

Don't know about you, but for me MantisBT 1.2.x and 1.3.x work the same in this respect.

If I open any protected user on the Manage Users page, it only shows Username, Real Name, E-mail, Access Level, Enabled, Protected, Notify User. If I try to change any of them (except Protected), an error says I cannot change the user because he's protected. Everything else is not shown in case of protected users.

cproensa (developer), 2016-06-12 19:57, ~0053348

> It would allow the user to access the "My View" page during the short period where the user is not set to protected.

I am guessing you mean the "my account" page, for preferences?
That would be the case if I currently want to change the access level for a protected user.

I think I am seeing the "protected" flag as also protecting from changes made by administrators, which is somehow implied by the warnings you get from the manage user page.

> Everything else is not shown in case of protected users.

I am clearly seeing the project assignment form, and can change this configuration.

atrol (developer), 2016-06-13 02:46, ~0053354

> I am guessing you mean the "my account" page
Certainly right, I should not write comments when it's time to go to bed ...

> I am clearly seeing the project assignment form, and can change this configuration.
Same for me.
What I don't see any longer for protected accounts is the "Account Preferences" section.

I think that protecting a user should just serve to protect the user himself from changing a setting, e.g. anonymous users.

At the moment, I don't see the advantage to restrict administrators.
I see just the additional steps to remove/add protection if you want to change something.

cproensa (developer), 2016-06-13 03:05, ~0053355

> At the moment, I don't see the advantage to restrict administrators.
> I see just the additional steps to remove/add protection if you want to change something.

Of course, an administrator should be able to change a protected user. Some warning or first-level protection would be convenient, especially when administration is shared with several team members.

The project assignment is something that probably should be protected too.
I am thinking about protected users that are needed in some situations, like script agents, etc. These are not intended for use by a person, but need to be kept unmodified.
See related 0021092, where a generic reporter user can be configured in the Email Reporting plugin, and changing its project access level may break the email integration.

I haven't tested yet, but:
can a user who is not an administrator, e.g. a manager, change project access for another user, given the appropriate threshold configuration? That would be the worst scenario for this...
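The two points raised in this thread, that the protected flag currently guards only the enabled flag and the global access level (~0053342), and that project assignment of a protected account can be changed by whoever meets the threshold for managing project users (~0053355), can be shown side by side in a small self-contained script. This is an added illustration, not MantisBT's own code and not anything posted in the thread: the users, project assignments and actor are constructed in-memory stand-ins, and the function names are hypothetical, loosely modelled on MantisBT's API (user_is_protected, the project_user_threshold setting) only for readability.

```php
<?php
// Added illustration, not MantisBT code. The user/project tables below are
// constructed in-memory stand-ins, and the function names are hypothetical,
// loosely modelled on MantisBT's API (user_is_protected, project_user_threshold).
declare(strict_types=1);

const VIEWER        = 10;
const REPORTER      = 25;
const DEVELOPER     = 55;
const MANAGER       = 70;
const ADMINISTRATOR = 90;

// Constructed users. 'email_reporter' is a script/agent account marked protected,
// the kind of account the Email Reporting plugin would be configured to use.
$g_users = [
    1 => ['name' => 'admin',          'global_access' => ADMINISTRATOR, 'protected' => false],
    2 => ['name' => 'manager1',       'global_access' => MANAGER,       'protected' => false],
    3 => ['name' => 'email_reporter', 'global_access' => REPORTER,      'protected' => true],
];
// Constructed per-project access overrides: project_id => [user_id => level].
$g_project_access = [
    7 => [2 => MANAGER, 3 => REPORTER],
];
// Minimum access level needed to manage a project's user list. MantisBT's
// project_user_threshold setting plays this role; MANAGER is assumed here.
$g_project_user_threshold = MANAGER;

function user_is_protected(int $p_user_id): bool
{
    global $g_users;
    return $g_users[$p_user_id]['protected'];
}

// Effective level in a project: the project override if present, else the global level.
function user_access_level(int $p_user_id, int $p_project_id): int
{
    global $g_users, $g_project_access;
    return $g_project_access[$p_project_id][$p_user_id] ?? $g_users[$p_user_id]['global_access'];
}

function ensure_can_manage_project_users(int $p_actor_id, int $p_project_id): void
{
    global $g_project_user_threshold;
    if (user_access_level($p_actor_id, $p_project_id) < $g_project_user_threshold) {
        throw new RuntimeException('access denied: below project_user_threshold');
    }
}

// Behaviour the thread describes for 1.3: only the threshold guards the change,
// so the protected flag does not stop a manager from re-assigning the account.
function project_update_user_access_current(int $p_actor_id, int $p_project_id, int $p_user_id, int $p_level): void
{
    global $g_project_access;
    ensure_can_manage_project_users($p_actor_id, $p_project_id);
    $g_project_access[$p_project_id][$p_user_id] = $p_level;
}

// Behaviour the report asks for: refuse the change for protected accounts, the
// same way the global access level is already refused for them.
function project_update_user_access_proposed(int $p_actor_id, int $p_project_id, int $p_user_id, int $p_level): void
{
    global $g_project_access;
    ensure_can_manage_project_users($p_actor_id, $p_project_id);
    if (user_is_protected($p_user_id)) {
        throw new RuntimeException('ERROR_PROTECTED_ACCOUNT: project access of a protected user cannot be changed');
    }
    $g_project_access[$p_project_id][$p_user_id] = $p_level;
}

// Demo: manager1 (id 2) meets the threshold in project 7 and, with the current
// behaviour, silently downgrades the email reporter account (id 3) to VIEWER.
project_update_user_access_current(2, 7, 3, VIEWER);
printf("current:  email_reporter level in project 7 is now %d\n", user_access_level(3, 7));

// Reset and retry with the proposed guard: the change is refused and the level stays.
$g_project_access[7][3] = REPORTER;
try {
    project_update_user_access_proposed(2, 7, 3, VIEWER);
} catch (RuntimeException $e) {
    printf("proposed: %s\n", $e->getMessage());
}
printf("proposed: email_reporter level in project 7 is still %d\n", user_access_level(3, 7));
```

The guard is placed after the threshold check on purpose: a caller below the threshold is rejected for lack of rights before the protected status of the target account is consulted, so the error message does not reveal which accounts are protected to users who cannot manage project membership at all. Whether a non-administrator can reach this code path in a real deployment depends on the value of project_user_threshold, which is what the question above is about.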