
Creating new tasks security / #4459

Summary

open
Mar 23, 2007
Mar 23, 2007 / wyllyam
Apr 5, 2007 / pixtur
 

Anyone can create a task and save it into any status they want, even if they don't have access to edit the task.

4 Comments

wyllyam

Mar 23, 2007
Possible Fix
One thing we did to possibly fix this on our local copy was to decide that any and all new tasks created had to start and remain in New status until someone edited the task and changed the status.

We modified file "task_more.inc.php" line "542" to reflect "if(($s >= STATUS_NEW && $task->id!=0) || ($s == STATUS_NEW && $task->id==0)) {" from "if($s >= STATUS_NEW) {"

This allows people editing a task to see all status and anyone creating a task to only see NEW in the drop down.

wyllyam

Mar 23, 2007
my fix may have broken milestones
My fix may have broken my local copy for new milestones. I'm gonna research it some more.

wyllyam

Mar 23, 2007
fixed it
I changed line 542 to reflect "if(($s >= STATUS_NEW && ($task->is_milestone || (!$task->is_milestone && $task->id!=0))) || ($s == STATUS_NEW && $task->id==0)) {". This causes milestones to display all statuses and new tasks to only display the 'new' status.
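
The line-542 condition above only decides which statuses the form offers. As an added example (not part of the thread and not the project's own code), here is the same condition as a function, with a matching check on the submitted value for the case where the save path does not validate it. The helper names, the task objects and the numeric status values are assumptions made for illustration; only STATUS_NEW, $task->id, $task->is_milestone and the condition itself come from the comments.

```php
<?php
// Constructed status values; only the name STATUS_NEW and the ordering
// implied by "$s >= STATUS_NEW" come from the thread.
const STATUS_UPCOMING = 1;
const STATUS_NEW      = 2;
const STATUS_OPEN     = 3;
const STATUS_CLOSED   = 4;
const ALL_STATUSES    = [STATUS_UPCOMING, STATUS_NEW, STATUS_OPEN, STATUS_CLOSED];

// Hypothetical helper: applies the condition from the last comment to every
// status and returns the values the form would offer for this task.
function offered_statuses(object $task): array
{
    return array_values(array_filter(ALL_STATUSES, function (int $s) use ($task): bool {
        return ($s >= STATUS_NEW && ($task->is_milestone || (!$task->is_milestone && $task->id != 0)))
            || ($s == STATUS_NEW && $task->id == 0);
    }));
}

// Hypothetical submit-side check: reject a posted status that the form would
// not have offered, so the rule does not rest on the drop-down alone.
function check_submitted_status(object $task, int $submitted): int
{
    if (!in_array($submitted, offered_statuses($task), true)) {
        throw new InvalidArgumentException("status $submitted not allowed for this task");
    }
    return $submitted;
}

// Constructed sample tasks: id 0 means "not saved yet", as in the thread.
$new_task  = (object) ['id' => 0,  'is_milestone' => false];
$old_task  = (object) ['id' => 17, 'is_milestone' => false];
$milestone = (object) ['id' => 0,  'is_milestone' => true];

foreach (['new task' => $new_task, 'existing task' => $old_task, 'new milestone' => $milestone] as $label => $t) {
    echo $label, ': ', implode(',', offered_statuses($t)), "\n";
}

// A new task posted with a status other than STATUS_NEW is refused.
try {
    check_submitted_status($new_task, STATUS_CLOSED);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```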

pixtur

Apr 5, 2007
hmm. I don't get this...
What's the problem with creating a closed task? Do you really think this is a security hole?


 
