View Issue Details

ID: 0011981
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-08 00:33
Reporter: Sergiodf
Assigned To: dhx
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.1
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary: 0011981: Do not allow to send a reminder on a private issue to users under threshold
Description

If $g_reminder_receive_threshold is set to a lower user category than $g_private_bug_threshold, bug_reminder_page.php allows sending a reminder on a private issue to a user who cannot see it.

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

Sergiodf


2010-06-03 10:47

reporter  

11981.diff (956 bytes)
--- C:/mantis/mantisbt-1.2.1-official/bug_reminder_page.php	Fri Apr 23 14:28:34 2010
+++ C:/mantis/mantisbt-1.2.1-custom/bug_reminder_page.php	Thu Jun 03 11:31:46 2010
@@ -71,7 +71,13 @@
 		<select name="to[]" multiple="multiple" size="10">
 			<?php
 				$t_project_id = bug_get_field( $f_bug_id, 'project_id' );
-				$t_access_level = config_get( 'reminder_receive_threshold' );
+				$t_access_level = config_get('reminder_receive_threshold');
+				echo '<!-- '.$t_bug->view_state.' === '.VS_PRIVATE.' -->';
+				if($t_bug->view_state == VS_PRIVATE) {
+					$t_private_bug_threshold = config_get('private_bug_threshold');
+					echo '<!-- '.$t_access_level.' === '.$t_private_bug_threshold.' -->';
+					$t_access_level = ($t_access_level > $t_private_bug_threshold)?$t_access_level:$t_private_bug_threshold;
+				}
 				$t_selected_user_id = 0;
 				print_user_option_list( $t_selected_user_id, $t_project_id, $t_access_level );
 			?>
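Review bot: The two `echo '<!-- ... -->'` lines added inside the `<select>` write the issue's view state and the configured thresholds into the page source as HTML comments; they are debug output and should be removed before this is applied. `$t_bug` is read for `view_state` but is not assigned anywhere in the visible context, which fetches fields through `bug_get_field( $f_bug_id, ... )`, so either confirm it is set earlier in the file or use `bug_get_field( $f_bug_id, 'view_state' )`. The ternary reads more clearly as `max( $t_access_level, $t_private_bug_threshold )`, and the re-spaced `config_get('reminder_receive_threshold')` drops the `( ... )` spacing the unchanged lines use. The change only narrows the options rendered for `to[]`; the handler that receives the form is not part of this patch, so the same check is worth confirming there.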
Sergiodf


2010-06-03 10:51

reporter   ~0025682

Oops... I forgot to remove the "echo"es in the patch.

dhx


2010-06-23 00:30

reporter   ~0025953

Thanks Sergio, great catch! I've committed a fix ready for the next release.

grangeway


2013-04-05 17:57

reporter   ~0036471

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master 11fb95de

2010-06-23 04:23:21

dhx

Fix 0011981: Factor in view status when showing user monitor list

When a user attempts to send a reminder to users about an issue they're
presented with a list of users from which they can select. This
list of users is generated by determining the minimum access level
required to view the issue. However the view state of the issue was not
taken into consideration and thus if an issue had a private view state,
users without permission to view private issues would still be shown in
the user list.

Thanks to Sergio Del Franco for reporting this issue and providing a
patch.
mod - bug_reminder_page.php
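
The rule described in the issue and the changeset message, as an added example (not MantisBT code and not the committed fix): for a private issue the recipient threshold is raised to at least the private-issue threshold. The constants, config array, user list and function names are constructed for illustration, and the example goes one step beyond the page by re-applying the same threshold to submitted to[] values.

```php
<?php
// Added illustration, not MantisBT code. All values below are constructed.
const VS_PUBLIC = 10;
const VS_PRIVATE = 50;

// Hypothetical stand-in for the two config options named in the issue.
$g_config = [
	'reminder_receive_threshold' => 25,
	'private_bug_threshold'      => 55,
];

// Minimum access level a user needs to be offered as a reminder recipient.
function reminder_recipient_threshold( int $p_view_state, array $p_config ): int {
	$t_threshold = $p_config['reminder_receive_threshold'];
	if( $p_view_state === VS_PRIVATE ) {
		// A private issue is only offered to users who are allowed to view it.
		$t_threshold = max( $t_threshold, $p_config['private_bug_threshold'] );
	}
	return $t_threshold;
}

// Ids of the users (id => access level) that meet the threshold for this issue.
function eligible_recipients( array $p_users, int $p_view_state, array $p_config ): array {
	$t_threshold = reminder_recipient_threshold( $p_view_state, $p_config );
	$t_eligible = array_filter( $p_users, fn( int $p_level ) => $p_level >= $t_threshold );
	return array_keys( $t_eligible );
}

// Re-apply the rule to posted to[] values instead of trusting the rendered list.
function validate_submitted_recipients( array $p_submitted, array $p_users, int $p_view_state, array $p_config ): array {
	$t_allowed = eligible_recipients( $p_users, $p_view_state, $p_config );
	$t_ids = array_map( 'intval', $p_submitted );
	return array_values( array_intersect( $t_ids, $t_allowed ) );
}

// Constructed users: id => access level in the issue's project.
$t_users = [ 2 => 25, 3 => 55, 4 => 70 ];

print_r( eligible_recipients( $t_users, VS_PUBLIC, $g_config ) );
print_r( eligible_recipients( $t_users, VS_PRIVATE, $g_config ) );
print_r( validate_submitted_recipients( [ '2', '3' ], $t_users, VS_PRIVATE, $g_config ) );
```

With these constructed values, user 2 is listed for a public issue but not for a private one, and is dropped from a submission that names it on a private issue.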

Issue History

Date Modified Username Field Change
2010-06-03 10:45 Sergiodf New Issue
2010-06-03 10:47 Sergiodf File Added: 11981.diff
2010-06-03 10:51 Sergiodf Note Added: 0025682
2010-06-03 12:38 jreese Status new => acknowledged
2010-06-03 12:38 jreese Target Version => 1.2.2
2010-06-23 00:16 dhx Assigned To => dhx
2010-06-23 00:16 dhx Status acknowledged => assigned
2010-06-23 00:17 dhx Target Version 1.2.2 => 1.3.0-beta.1
2010-06-23 00:29 dhx Changeset attached => MantisBT master 11fb95de
2010-06-23 00:29 dhx Resolution open => fixed
2010-06-23 00:29 dhx Fixed in Version => 1.3.0-beta.1
2010-06-23 00:30 dhx Note Added: 0025953
2010-06-23 00:30 dhx Status assigned => resolved
2013-04-05 17:57 grangeway Status resolved => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036471
2013-04-05 18:07 grangeway Relationship added related to 0015721
2013-04-06 03:44 dregad Status acknowledged => resolved
2013-04-06 07:20 grangeway Status resolved => acknowledged
2013-04-06 09:26 dregad Tag Attached: 2.0.x check
2013-04-06 09:26 dregad Status acknowledged => resolved
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check
2014-11-07 12:51 vboctor Category bugtracker => security
2014-12-08 00:33 vboctor Status resolved => closed