View Issue Details

IDProjectCategoryView StatusLast Update
0021894mantisbtsecuritypublic2016-11-27 00:45
Reportermcmo Assigned Toatrol  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version1.3.3 
Target Version1.3.4Fixed in Version1.3.4 
Summary0021894: Handlers(Assignees) are visible when editing an issue even if they are not visible when viewing it
Description

if the view_handler_threshold configuration value is set to hide the handlers to reporters, the handlers are visible when the reporters edit an issue.

Steps To Reproduce

0- set update_bug_threshold to reporter
1- set view_handler_threshold to a value above reporter
2- create an issue with the reporter
3- assign the issue as a manager
4- view the issue as the reporter: the handler is hidden
5- edit the issue as the reporter: the handler is visible

[EDIT dregad] added step 0 per atrol's note 0021894:0054549

TagsNo tags attached.
Attached Files

Activities

atrol

atrol

2016-11-20 07:52

developer   ~0054549

Last edited: 2016-11-20 08:00

Missing one step in "Steps To Reproduce"
0- set update_bug_threshold to reporter

Also reproducible in 1.3.x

Missing check for view_handler_threshold in bug_update_page.php

atrol

atrol

2016-11-24 06:14

developer   ~0054573

PR https://github.com/mantisbt/mantisbt/pull/957

mcmo

mcmo

2016-11-25 03:00

reporter   ~0054584

Hi
will that be fixed in version 2.0.0 as well?
thanks

dregad

dregad

2016-11-25 03:01

developer   ~0054585

In principle, all patches applied in 1.3 branch are merged in master branch as well, so yes.

Related Changesets

MantisBT: master-1.3.x c8c4aa25

2016-11-24 01:09

atrol


Details Diff
Check access rights to view handlers on bug update page

Fixes 0021894
Affected Issues
0021894
mod - bug_update_page.php Diff File