View Issue Details

ID: 0027806
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2020-12-30 07:37
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.9.1
Target Version: 2.24.4
Fixed in Version: 2.24.4
Summary: 0027806: Impossible to edit issues with PHP8
Description

Incorrect access level check in bug_update.php prevents any user from updating an issue when running on PHP8.

In the switch statement at line 155, several calls to access_ensure_bug_level() are made, passing a threshold name as the $p_access_level parameter as a string instead of the actual threshold's value (i.e. the config_get() call was omitted).

This "worked" in PHP < 8.0, because string comparisons worked differently (https://www.php.net/releases/8.0/en.php#consistent-type-errors-for-internal-functions). In fact, it means there was no actual access check, as the strings were evaluated to 0 (ANYBODY).

Additional Information

Regression introduced by MantisBT master-2.9 bf1f02f7

Tags: PHP 8

Relationships

related to 0021393 (closed, vboctor): When disable "Update an issue", then "Assign to" become access denied
related to 0022093 (closed, vboctor): Reporter can´t change status of a bug
has duplicate 0027644 (closed, atrol): PHP 8: Access Denied on Bug Modification
has duplicate 0027751 (closed, atrol): Can't update any value, we got ACCESS DENIED

Activities

atrol

2020-12-28 13:24

developer   ~0064852

> In fact, it means there was no actual access check, as the strings were evaluated to 0 (ANYBODY)

Shame on me when approving the PR.
Seems I tested the original issues, which were resolved by the changes, but didn't have a real look at the code.

dregad

2020-12-28 18:46

developer   ~0064854

Last edited: 2020-12-29 03:07

> Shame on me when approving the PR.

Don't be hard on yourself, everyone makes mistakes...

Proposed fix in PR https://github.com/mantisbt/mantisbt/pull/1721

dregad

2020-12-28 18:51

developer   ~0064855

The proposed fix does address the bug preventing editing issues in PHP 8, but I did not fully test whether the individual access checks work as @vboctor originally intended them.

Any additional testing or feedback would be appreciated.

RealityRipple

2020-12-28 20:11

reporter   ~0064857

Looks good. Set all three possible values to REPORTER in config for a quick minute and was able to make changes with a dummy reporter account. Access went away when I deleted the config lines.

Related Changesets

MantisBT: master-2.9 bf1f02f7

2017-12-12 23:24:40

vboctor

Fix access checks for assign and change status

- Users should be able to assign issues even if they can’t update issues.
- Users should be able to change status even if they can’t update issues.

Fixes 0021393, 0022093
Affected Issues
0021393, 0022093, 0027806
mod - bug_update.php

MantisBT: master-2.24 65567e0d

2020-12-28 18:41:32

dregad

Properly check access level when updating issues

Commit bf1f02f71a85bd4e05cd2a627b3c25e79f96d5a0 (issues 0021393, 0022093)
introduced a bug in the access level check, as it passed the threshold
as a string to access_ensure_bug_level() instead of its actual value.

This seemed to work in PHP < 8.0, because string comparisons behaved
differently [1], but in reality there was no actual access check, as
the strings were evaluated to 0 (ANYBODY).

Adding the missing config_get() call to fix the access level check.

Fixes 0027806

[1]: https://www.php.net/releases/8.0/en.php#consistent-type-errors-for-internal-functions
Affected Issues
0021393, 0022093, 0027806
mod - bug_update.php
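
An added example, not MantisBT code: a stand-alone PHP script that reproduces the comparison described in this report (a threshold name passed where its value was expected) and shows a typed check that fails closed instead. The `demo_*` functions, the threshold name `update_bug_threshold` and the numeric levels are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: threshold name and numeric levels are assumptions.
const DEMO_CONFIG = ['update_bug_threshold' => 40];
const DEMO_USERS  = ['anybody' => 0, 'reporter' => 25, 'updater' => 40, 'manager' => 70];

// Hypothetical stand-in for config_get(): resolves a threshold name to its value.
function demo_config_get(string $name): int
{
    return DEMO_CONFIG[$name];
}

// Untyped check: compares the user's level with whatever it is handed.
// PHP < 8 casts a non-numeric string to 0, so every level passes.
// PHP 8 compares the number as a string instead, so no level passes this name.
function demo_loose_check($userLevel, $threshold): bool
{
    return $userLevel >= $threshold;
}

// Typed check: a threshold that is not an int raises TypeError, so a
// forgotten lookup fails closed on every PHP version.
function demo_typed_check(int $userLevel, int $threshold): bool
{
    return $userLevel >= $threshold;
}

// Runs one check and reports its outcome as a short label.
function demo_verdict(callable $check, int $level, $threshold): string
{
    try {
        return $check($level, $threshold) ? 'allow' : 'deny';
    } catch (TypeError $e) {
        return 'TypeError';
    }
}

$name = 'update_bug_threshold';
printf("PHP %s\n", PHP_VERSION);
foreach (DEMO_USERS as $user => $level) {
    printf(
        "%-8s level=%2d  name passed: %-5s  value passed: %-5s  typed, name passed: %s\n",
        $user,
        $level,
        demo_verdict('demo_loose_check', $level, $name),
        demo_verdict('demo_loose_check', $level, demo_config_get($name)),
        demo_verdict('demo_typed_check', $level, $name)
    );
}
```

Running the script under PHP 7 and PHP 8 side by side shows the "name passed" column flip from all-allow to all-deny, while the other two columns stay the same.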