View Issue Details

ID: 0015770
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-02-07 18:24
Reporter: viktor.minko
Assigned To: dregad
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 1.2.16
Fixed in Version: 1.2.16
Summary: 0015770: When $g_limit_reporters = ON; it is still possible to change reporter
Description

When $g_limit_reporters = ON; and I open bug_update_page.php I see that the field "Report" is changeable and the select is filled with a list of all users in the system, so I'm able to change the reporter of the issue; as a result I will lose access to the issue if I change the reporter.

Additional Information

I guess some check of g_limit_reporters option should be made in bug_update_advanced_page.php around lines 207-235

Tags: No tags attached.

Activities

dregad

2013-04-21 04:38

developer   ~0036636

The purpose of $g_limit_reporter is only to restrict issues visibility to their reporters. It does not mean that an authorized person cannot change the reporter; even though it may be a silly thing to do in some cases, there are other situations where it does make sense to allow this, e.g. a developer reporting an issue on behalf of some user, then changing the reporter to be the user.

So, from my perspective the system works as designed. Let me know your thoughts.

viktor.minko

2013-04-22 16:53

reporter   ~0036643

Well, I thought that $g_limit_reporter allows fully separating reporters, so each of them doesn't know about the others and obviously can't do anything for another reporter, e.g. change reporters of their own issues. I'm OK if this possibility (changing the reporter of the issue) is allowed to admin, but not for reporters. I'm building a system where different clients can post their own tasks for executors, and I don't want clients to know about other clients, but now when I change an issue I can see the list of all clients when trying to change the reporter.

dregad

2013-04-23 04:13

developer   ~0036645

Last edited: 2013-04-23 04:24

If I understand properly, you gave reporters the ability to edit issues ?

EDIT: and you would like the selection list to behave like the one in View Issues (filter) ?

dregad

2013-04-23 04:54

developer   ~0036646

Try this and let me know how it goes

https://github.com/dregad/mantisbt/commits/fix-15770

dregad

2013-05-01 06:57

developer   ~0036755

Did you get a chance to test ?

Related Changesets

MantisBT: master-1.2.x 00b6e318

2013-04-23 00:38

dregad

Reporter not allowed changing Reporter when limit_reporters = ON

When reporters are limited to their own issues and allowed to update
issues, they are able to change the issue's reporter (and gain
visibility on existence of other reporters).

This commit fixes the problem by only displaying the current reporter's
name (i.e without the [edit] ajax) when $g_limit_reporters = ON and the
current user's access level is greater than REPORTER.

Fixes 0015770
Affected Issues
0015770
mod - bug_update_advanced_page.php

MantisBT: master f2e6550e

2013-04-23 00:38

dregad

Reporter not allowed changing Reporter when limit_reporters = ON

When reporters are limited to their own issues and allowed to update
issues, they are able to change the issue's reporter (and gain
visibility on existence of other reporters).

This commit fixes the problem by only displaying the current reporter's
name (i.e without the [edit] ajax) when $g_limit_reporters = ON and the
current user's access level is greater than REPORTER.

Fixes 0015770
Affected Issues
0015770
mod - bug_update_advanced_page.php
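
The restriction discussed in this issue, sketched as an added example (not MantisBT's code and not the code of the linked fix): one rule decides both whether the update page lists other users and whether a submitted reporter change is accepted. Re-applying the rule in the update handler goes beyond what the commit message describes. All function names and the numeric access levels are assumptions made for illustration, and the rule follows the commit title (a user at REPORTER level may not change the reporter).

```php
<?php
// Added example. All names are hypothetical; none of this is MantisBT's API.
const ON = 1;
const REPORTER = 25;    // constructed access-level values
const DEVELOPER = 55;

// With limit_reporters ON, a user at REPORTER level or below may not change the reporter.
function can_change_reporter(int $limit_reporters, int $access_level): bool {
    return !($limit_reporters === ON && $access_level <= REPORTER);
}

// Update page: emit the plain name, or the full user list only when allowed.
function reporter_field_html(array $bug, array $users, int $limit, int $level): string {
    if (!can_change_reporter($limit, $level)) {
        return htmlspecialchars($users[$bug['reporter_id']], ENT_QUOTES, 'UTF-8');
    }
    $html = '<select name="reporter_id">';
    foreach ($users as $id => $name) {
        $selected = ($id === $bug['reporter_id']) ? ' selected' : '';
        $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        $html .= sprintf('<option value="%d"%s>%s</option>', $id, $selected, $safe);
    }
    return $html . '</select>';
}

// Update handler: re-check the rule, because a field left off the page can still be posted.
function apply_reporter_update(array $bug, int $new_id, array $users, int $limit, int $level): array {
    if ($new_id === $bug['reporter_id']) {
        return $bug;    // reporter unchanged, nothing to authorize
    }
    if (!can_change_reporter($limit, $level)) {
        throw new RuntimeException('Access denied: reporter may not be changed');
    }
    if (!isset($users[$new_id])) {
        throw new InvalidArgumentException('Unknown user id');
    }
    $bug['reporter_id'] = $new_id;
    return $bug;
}

// Constructed sample data: two clients and one developer.
$users = [1 => 'client_a', 2 => 'client_b', 3 => 'dev'];
$bug = ['reporter_id' => 1];
echo reporter_field_html($bug, $users, ON, REPORTER), "\n";   // name only
echo reporter_field_html($bug, $users, ON, DEVELOPER), "\n";  // full select
try {
    apply_reporter_update($bug, 2, $users, ON, REPORTER);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```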