View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0011981 | mantisbt | security | public | 2010-06-03 10:45 | 2014-12-08 00:33 |
Reporter | Sergiodf | Assigned To | dhx | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.1 | ||||
Target Version | 1.3.0-beta.1 | Fixed in Version | 1.3.0-beta.1 | ||
Summary | 0011981: Do not allow to send a reminder on a private issue to users under threshold | ||||
Description | If $g_reminder_receive_threshold is set to a lower user category than $g_private_bug_threshold, bug_reminder_page.php allows sending a reminder on a private issue to a user who cannot see it. | ||||
Tags | No tags attached. | ||||
Attached Files | 11981.diff (956 bytes)
--- C:/mantis/mantisbt-1.2.1-official/bug_reminder_page.php Fri Apr 23 14:28:34 2010 +++ C:/mantis/mantisbt-1.2.1-custom/bug_reminder_page.php Thu Jun 03 11:31:46 2010 @@ -71,7 +71,13 @@ <select name="to[]" multiple="multiple" size="10"> <?php $t_project_id = bug_get_field( $f_bug_id, 'project_id' ); - $t_access_level = config_get( 'reminder_receive_threshold' ); + $t_access_level = config_get('reminder_receive_threshold'); + echo '<!-- '.$t_bug->view_state.' === '.VS_PRIVATE.' -->'; + if($t_bug->view_state == VS_PRIVATE) { + $t_private_bug_threshold = config_get('private_bug_threshold'); + echo '<!-- '.$t_access_level.' === '.$t_private_bug_threshold.' -->'; + $t_access_level = ($t_access_level > $t_private_bug_threshold)?$t_access_level:$t_private_bug_threshold; + } $t_selected_user_id = 0; print_user_option_list( $t_selected_user_id, $t_project_id, $t_access_level ); ?> | ||||
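Review bot: the two `echo '<!-- ... -->'` lines added inside the `<select name="to[]">` block write the issue's view state and the configured `reminder_receive_threshold` and `private_bug_threshold` values into the page source as HTML comments; they are debugging output and should be dropped before this is merged. The threshold raise itself can be written as `$t_access_level = max( $t_access_level, $t_private_bug_threshold );`, which reads more clearly than the ternary. Either form assumes both config values are plain integers, so that is worth a comment or a guard. `$t_bug` is not set in the visible lines (the context line uses `bug_get_field( $f_bug_id, 'project_id' )`), so confirm it is loaded earlier in the file, and keep the `config_get( '...' )` spacing used by the line being replaced.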
Oops... I forgot to remove the "echo"es from the patch. |
|
Thanks Sergio, great catch! I've committed a fix ready for the next release. |
|
Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch |
|
MantisBT: master 11fb95de 2010-06-23 00:23 |
Fix 0011981: Factor in view status when showing user monitor list

When a user attempts to send a reminder to users about an issue, they're presented with a list of users from which they can select. This list of users is generated by determining the minimum access level required to view the issue. However, the view state of the issue was not taken into consideration and thus if an issue had a private view state, users without permission to view private issues would still be shown in the user list.

Thanks to Sergio Del Franco for reporting this issue and providing a patch. |
Affected Issues 0011981 |
|
mod - bug_reminder_page.php |