View Issue Details

ID: 0022470
Project: mantisbt
Category: feature
View Status: public
Last Update: 2018-03-02 17:40
Reporter: Mr.Bricodage
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: new
Resolution: open
Product Version: 2.2.0
Summary: 0022470: Access Restriction to each custom action group option
Description

Custom action groups can be added according to https://www.mantisbt.org/wiki/doku.php/mantisbt:issue:7900

These additional action groups are available to any user that has rights to the project.

Some custom action groups should be displayed only to users with a minimal access level. A new action group option 'threshold_min' could be used.

Additional Information

New custom action group declaration:

$g_custom_group_actions = array(0=>
                array(  'action' => 'EXT_ADD_NOTE',  // you need to implement bug_actiongroup_<action_without_'EXT_'>_inc.php
                    'threshold_min' => $g_update_bug_threshold,
                    'label' => 'actiongroup_menu_add_note' // see strings_english.txt for this label
                    )
                );

The new option 'threshold_min' is handled in core/bug_group_action_api.php, row 303

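foreach( $t_custom_group_actions as $t_custom_group_action ) {
    # 'threshold_min' is optional: default to 0 so existing custom actions stay visible to everybody.
    $t_threshold_min = isset( $t_custom_group_action['threshold_min'] ) ? $t_custom_group_action['threshold_min'] : 0;
    if( access_has_project_level( $t_threshold_min, $t_project_id ) ) {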
        # use label if provided to get the localized text, otherwise fallback to action name.
        if( isset( $t_custom_group_action['label'] ) ) {
            $t_commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['label'] );
        } else {
            $t_commands[$t_custom_group_action['action']] = lang_get_defaulted( $t_custom_group_action['action'] );
        }
    }
}

Existing custom action groups are not impacted by the modification, because if 'threshold_min' is not defined, threshold_min is equal to 0 and everybody can view the option in the list.

Tags: No tags attached.

Activities

atrol

2017-03-05 15:38

developer   ~0055910

Last edited: 2017-03-05 15:39

Didn't have a deeper look, but doesn't this prevent just the display of the menu entry, so that you are still able to execute the custom functions using other ways?

BTW, the same applies to $g_main_menu_custom_options where there is already an option to set access level.

Mr.Bricodage

2017-03-06 05:10

reporter   ~0055917

> Didn't have a deeper look, but doesn't this prevent just the display of the menu entry, so that you are still able to execute the custom functions using other ways?

Yes, you're right.

My problem is that the custom actions page API lets the developer define access rights in the validate and process functions, but even if the user doesn't have rights to use the custom function, this custom function is displayed in the group action option list in bug_view_page, and the form in the custom action page is displayed too.
A user without access rights has to validate the custom action group form to be informed that he can't perform the action.

To avoid displaying actions that will be forbidden in the validate or process functions, the threshold_min option is a solution that doesn't break existing custom action groups. Of course, this option should be coherent with the validate and process function restrictions.

> BTW, the same applies to $g_main_menu_custom_options where there is already an option to set access level.

I didn't understand this note. Can you please confirm that $g_main_menu_custom_options is not a solution to the problem exposed above, because the restriction is in a group action list and not in the main menu?

atrol

2017-03-06 05:37

developer   ~0055918

Last edited: 2017-03-06 05:38

> Do you please confirm that $g_main_menu_custom_options is not a solution to the problem exposed above,

Right,
it was just a side note that we have a similar solution for the main menu.
It comes with the same security issue as your proposal:
You can hide the menu entries by setting a threshold, but you can still visit the page behind it without having appropriate access rights by entering the URL in browser.
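
The point raised in this thread, as an added example that is not part of the original issue and is not MantisBT code: the same 'threshold_min' value has to gate both the action list and the execution of the action, otherwise hiding the entry is only cosmetic. All function names and the integer access levels below are hypothetical, constructed for the illustration.

```php
<?php
// Added illustration, not MantisBT code: every name here is hypothetical and
// the access levels are constructed sample integers.
const VIEWER = 10, UPDATER = 40;

$g_actions = [
    ['action' => 'EXT_ADD_NOTE', 'threshold_min' => UPDATER],
    ['action' => 'EXT_LEGACY'], // no 'threshold_min': treated as 0
];

// Single source for the threshold, shared by display and execution.
function threshold_of(array $p_action): int {
    return $p_action['threshold_min'] ?? 0;
}

// Display path: the filter the proposal adds to the action list.
function visible_actions(array $p_actions, int $p_user_level): array {
    $t_visible = [];
    foreach ($p_actions as $t_action) {
        if ($p_user_level >= threshold_of($t_action)) {
            $t_visible[] = $t_action['action'];
        }
    }
    return $t_visible;
}

// Execution path: repeats the check, because the submitted action name comes
// from the request and is not limited to what the list displayed.
function run_action(array $p_actions, string $p_name, int $p_user_level): string {
    foreach ($p_actions as $t_action) {
        if ($t_action['action'] !== $p_name) {
            continue;
        }
        if ($p_user_level < threshold_of($t_action)) {
            return 'access denied';
        }
        return "executed $p_name";
    }
    return 'unknown action';
}

// A VIEWER is not offered EXT_ADD_NOTE, and submitting it anyway is refused.
echo implode(', ', visible_actions($g_actions, VIEWER)), "\n";
echo run_action($g_actions, 'EXT_ADD_NOTE', VIEWER), "\n";
echo run_action($g_actions, 'EXT_ADD_NOTE', UPDATER), "\n";
```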

Mr.Bricodage

2018-03-02 17:40

reporter   ~0059072

Do you want me to provide a PR for this feature?