View Issue Details

ID: 0023492
Project: mantisbt
Category: email
View Status: public
Last Update: 2017-10-28 11:20
Reporter: nexor
Assigned To: atrol
Priority: urgent
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: duplicate
Product Version: 2.7.0
Summary: 0023492: Due to a race condition, email may be sent to reporter where it should not
Description

The check:
https://github.com/mantisbt/mantisbt/blob/master/core/email_api.php#L455

<pre>
    # exclude users who don't have at least viewer access to the bug,
    # or who can't see bugnotes if the last update included a bugnote
    if( !access_has_bug_level( config_get( 'view_bug_threshold', null, $t_id, $t_bug->project_id ), $p_bug_id, $t_id )
     || ( $t_bugnote_id !== 0 &&
            $t_bug_date == $t_bugnote_date && !access_has_bugnote_level( config_get( 'view_bug_threshold', null, $t_id, $t_bug->project_id ), $t_bugnote_id, $t_id ) )
    ) {
        log_event( LOG_EMAIL_RECIPIENT, 'Issue = #%d, drop @U%d (access level)', $p_bug_id, $t_id );
        continue;
    }
</pre>

Will fail if this is not true:
<pre>
$t_bug_date == $t_bugnote_date
</pre>

Timestamps are kept with one-second accuracy - the above check will fail if the second "jumps" between updating the timestamp of the note and that of the bug.
This does happen in the production environment - and the result is pretty serious: randomly an email is sent to a reporter when it should not be (e.g. when the note is private).

Steps To Reproduce

Very hard to reproduce manually as it will happen randomly.

Tags: No tags attached.

Relationships

duplicate of 0022898 (closed, dregad): Email for a new private bugnote was send to a non authorized reporter

Activities

There are no notes attached to this issue.
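
The failure described in the report can be shown deterministically by modelling the check with explicit timestamps. The following is an added example, not MantisBT code and not the project's fix; the function names, the `$triggered_by_note` flag, the note id and the sample timestamps are assumptions made for illustration.

```php
<?php
// Added illustration; all names below are hypothetical, not MantisBT APIs.

// Models the check quoted in the report: the bugnote access test is only
// evaluated when the bug and bugnote timestamps (whole seconds) are equal.
function drop_recipient_timestamp_check( bool $can_view_bug, bool $can_view_note,
        int $bugnote_id, int $bug_ts, int $note_ts ): bool {
    return !$can_view_bug
        || ( $bugnote_id !== 0 && $bug_ts == $note_ts && !$can_view_note );
}

// Assumed alternative: the caller states explicitly that the notification
// was triggered by a bugnote, so no timestamp comparison is involved.
function drop_recipient_explicit( bool $can_view_bug, bool $can_view_note,
        int $bugnote_id, bool $triggered_by_note ): bool {
    return !$can_view_bug
        || ( $triggered_by_note && $bugnote_id !== 0 && !$can_view_note );
}

// Constructed scenario: the recipient may view the bug but not the private
// note (id 42). Timestamps are constructed Unix times in whole seconds.
$cases = [
    'same second'       => [ 1509186000, 1509186000 ],
    // Assumed ordering: the bug row is stamped one second after the note.
    'second rolls over' => [ 1509186001, 1509186000 ],
];

foreach( $cases as $label => [ $bug_ts, $note_ts ] ) {
    $by_timestamp = drop_recipient_timestamp_check( true, false, 42, $bug_ts, $note_ts );
    $by_flag      = drop_recipient_explicit( true, false, 42, true );
    printf( "%-18s timestamp check drops: %-3s explicit flag drops: %s\n",
        $label,
        $by_timestamp ? 'yes' : 'no',
        $by_flag ? 'yes' : 'no' );
}
```

In the "second rolls over" case the timestamp-based check no longer drops the recipient, which is the condition under which the private note is mailed out; the explicit-flag variant gives the same answer in both cases.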