MantisBT - v3.5 Release (Development)
ID: 0001687 | Project: v3.5 Release (Development) | Category: [All Projects] General | View Status: public | Date Submitted: 2016-04-14 08:10 | Last Update: 2019-01-01 16:15
Summary: 0001687: Administrator can't edit task_log entries

Description: An administrator can't edit a task log entry of another coworker, even if the permissions are set correctly. I found this problem when using the timecard module, but the problem is located in the tasks module. So it also applies when using the task log edit function in task view.

Steps To Reproduce: Just try to edit a task log entry made by someone else. An error is thrown reporting a misleading unexpected character in JSON line 1 row 1.

Additional Information: I figured out that the problem is located in logs.class.php. In line 145 three parameters are set. The first two are ok, but the third is "tasks", which causes the problem. This should be "task_log" or "".

In BaseObject.class.php line 65 the _tbl_module is set, using the $module parameter (tasks in this case). This value is used in logs.class.php canEdit-function in line 339. But this is combined with the ID of the task log entry. So an SQL query for the permission check is built using the ID of the task log and the table tasks. This results in an empty result array and equals no granted permission. Therefore, an admin is not allowed to edit a task log entry if the permission option of the canEdit-function is required.

A solution is simple as stated above. Just remove the "tasks"-parameter and leave it empty or set "task_log". In both cases the correct table is later used for the query and a correct permission check result is achieved.

2016-04-14 23:04   
(Last edited: 2016-04-14 23:09)
Just some more thoughts about this problem.

The solution mentioned in the first post was to modify the constructor to

//Line 143 in logs.class.php
public function __construct()
{
    // third argument is the module name used for permission checks
    parent::__construct('task_log', 'task_log_id', 'task_log');
    // ensure changes to checkboxes are honoured
    $this->task_log_problem = (int) $this->task_log_problem;
}

It might be better to leave the constructor untouched and change the function executing the permission check to use the _tbl-property instead of _tbl_module like this.

//line 336 in logs.class.php
public function canEdit() {
    // creator and record creator may always edit; everyone else needs an
    // 'edit' grant looked up under the object's own table name
    if ($this->_AppUI->user_id == $this->task_log_creator ||
        $this->_AppUI->user_id == $this->task_log_record_creator ||
        $this->_perms->checkModuleItem($this->_tbl, 'edit', $this->{$this->_tbl_key})) {

        return true;
    }

    return false;
}

The second solution should be a better fix.
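
The mismatch described in this issue, reduced to a stand-alone sketch (an added example, not part of the original report and not the project's own code): the permission lookup is keyed on module name plus item ID, so passing the task log's ID under the name "tasks" finds no row and the administrator is denied, while the same lookup under "task_log" succeeds. `ToyTaskLog`, `ACL_ROWS`, the simplified `checkModuleItem` signature and all IDs are assumptions made for illustration.

```php
<?php
// Constructed ACL rows (hypothetical): [user_id, module, item_id, op].
// User 1 is the administrator; user 7 created task log entry 42 on task 5.
const ACL_ROWS = [
    [1, 'task_log', 42, 'edit'],
    [1, 'tasks',     5, 'edit'],
];

// Toy stand-in for the permission lookup: granted only when a row matches
// module AND item id, the way the issue describes the query being built.
function checkModuleItem(int $userId, string $module, string $op, int $itemId): bool
{
    foreach (ACL_ROWS as [$u, $m, $i, $o]) {
        if ($u === $userId && $m === $module && $i === $itemId && $o === $op) {
            return true;
        }
    }
    return false; // empty result set means "not granted"
}

class ToyTaskLog
{
    public $task_log_id = 42;
    public $task_log_creator = 7;
    protected $_tbl = 'task_log';
    protected $_tbl_key = 'task_log_id';
    protected $_tbl_module; // third constructor argument in the issue

    public function __construct(string $module)
    {
        $this->_tbl_module = $module;
    }

    // $useTable = false mirrors the reported check (_tbl_module),
    // $useTable = true mirrors the second proposal (_tbl).
    public function canEdit(int $userId, bool $useTable): bool
    {
        $namespace = $useTable ? $this->_tbl : $this->_tbl_module;
        return $userId === $this->task_log_creator
            || checkModuleItem($userId, $namespace, 'edit', $this->{$this->_tbl_key});
    }
}

$log = new ToyTaskLog('tasks');
var_dump($log->canEdit(1, false)); // admin, looked up as ('tasks', 42)
var_dump($log->canEdit(1, true));  // admin, looked up as ('task_log', 42)
var_dump($log->canEdit(7, false)); // creator, passes before the lookup
```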

Issue History
2016-04-14 08:10 | karstenmtr | New Issue
2016-04-14 23:04 | karstenmtr | Note Added: 0003766
2016-04-14 23:08 | karstenmtr | Note Edited: 0003766
2016-04-14 23:09 | karstenmtr | Note Edited: 0003766
2016-12-26 23:34 | caseydk | Project: v3.3 Release => v3.4 Release (Current)
2019-01-01 16:15 | caseydk | Project: v3.4 Release (Current) => v3.5 Release (Development)
2019-01-01 16:15 | caseydk | Category: Tasks => General