View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017744 | mantisbt | security | public | 2014-10-10 04:20 | 2014-12-05 18:33 |

Field | Value |
---|---|
Reporter | dregad |
Assigned To | dregad |
Priority | normal |
Severity | minor |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Product Version | 1.2.17 |
Target Version | 1.2.18 |
Fixed in Version | 1.2.18 |
Summary | 0017744: Attachments displayed in history despite user not authorised to view them |
Description | A user authorized to view issue history ($g_view_history_threshold) is able to see that an issue has attachments and discover the corresponding filenames even if their access level is lower than $g_view_attachments_threshold. |
Additional Information | This problem was originally reported by user ffuchs in 0017742:0041514 |
Tags | No tags attached. |

MantisBT: master-1.2.x 2c93b0df 2014-10-10 04:36 |
Hide attachments in history if user can't see them |
If user is not allowed to view attachments (i.e. their access level is lower than $g_view_attachments_threshold), then the history should not display information about attachments. Fixes 0017744 Backported from master (c2e2bf1c614afe2e3b0739c789f85413d4ef29cd) |
Affected Issues 0017744 |
mod - core/history_api.php |
MantisBT: master c2e2bf1c 2014-10-10 04:36 |
Hide attachments in history if user can't see them |
If user is not allowed to view attachments (i.e. their access level is lower than $g_view_attachments_threshold), then the history should not display information about attachments. Fixes 0017744 |
Affected Issues 0017744 |
mod - core/history_api.php |
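
The access check this issue describes, shown before and after as an added PHP example; it is not MantisBT's code or the content of the changesets above. Only the two threshold names come from the issue; the event-type constants, function names, threshold values and sample rows are hypothetical.

```php
<?php
// Added illustration, not MantisBT source. Only the two threshold names come
// from the issue; constants, functions and sample rows are hypothetical.
const EVT_FIELD_CHANGED = 'field_changed';
const EVT_FILE_ADDED    = 'file_added';
const EVT_FILE_DELETED  = 'file_deleted';

$g_view_history_threshold     = 10; // constructed values: higher number = more access
$g_view_attachments_threshold = 25;

// Before the fix: the history threshold alone gates the whole list, so
// attachment rows (and their filenames) reach users below the attachment threshold.
function history_visible_before(array $rows, int $level, array $cfg): array {
    return $level >= $cfg['view_history'] ? $rows : [];
}

// After the fix: attachment-related rows additionally require the attachment threshold.
function history_visible_after(array $rows, int $level, array $cfg): array {
    if ($level < $cfg['view_history']) {
        return [];
    }
    $can_view_files = $level >= $cfg['view_attachments'];
    return array_values(array_filter($rows, function (array $row) use ($can_view_files) {
        $is_file_event = in_array($row['type'], [EVT_FILE_ADDED, EVT_FILE_DELETED], true);
        return $can_view_files || !$is_file_event;
    }));
}

$cfg = ['view_history'     => $g_view_history_threshold,
        'view_attachments' => $g_view_attachments_threshold];

// Constructed sample history for one issue.
$rows = [
    ['type' => EVT_FIELD_CHANGED, 'detail' => 'status: new => assigned'],
    ['type' => EVT_FILE_ADDED,    'detail' => 'customer-contract.pdf'],
    ['type' => EVT_FILE_DELETED,  'detail' => 'customer-contract.pdf'],
];

// Compare what a user at each access level is shown by the two versions.
foreach ([10, 25] as $level) {
    printf("level %d: before=%d rows, after=%d rows\n", $level,
        count(history_visible_before($rows, $level, $cfg)),
        count(history_visible_after($rows, $level, $cfg)));
}
```

A regression test for this class of bug should enumerate every derived view of a protected object (history, notifications, exports) and assert that each one applies the object's own threshold.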