View Issue Details

ID: 0004899
Project: mantisbt
Category: filters
View Status: public
Last Update: 2005-05-31 11:23
Reporter: PATL
Assigned To: thraxisp
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 0.19.1
Fixed in Version: 1.0.0a3
Summary: 0004899: <b>[ Custom Fields ]</b> Display in "all projects"
Description

All users can see the "custom fields" in the "all projects" view.
It's the same thing if these custom fields are in a private project.

For example, the clients who have access to Mantis can see all "Custom fields"
in the "all projects" view. It's a little annoying.

Additional Information

Can I deactivate the "all projects" view only for any access?

Thx

Tags: No tags attached.

Activities

PATL

2004-11-23 09:00

reporter   ~0008415

Severity = major because clients can see all "custom fields"

grangeway

2004-11-23 17:11

reporter   ~0008417

I don't understand what you mean. Users can only see projects that they have
access to.

Can you explain a bit more about what you mean here?

Paul

PATL

2004-11-24 03:53

reporter   ~0008420

Users can only see projects that they have access to << Right
But if you select the "all projects" view (in the combo box), you see all custom fields in the filter.

PATL

2004-12-15 02:01

reporter   ~0008629

Any user can see a lot of information about all projects.
He can see, in the filter, Reporter, Category, Custom fields.
For example:
If user "X" is a reporter on project "A" and Mantis has 2 other projects "b" & "c", user "X" can see, in the "All projects" view, all categories of all projects, not just the categories for his project ("A"); same thing for the reporter field and custom fields. The rights don't "filter" the choices in the filter.

Is it clearer? Or should I try again to explain? :)

TomR

2005-01-12 10:22

reporter   ~0008971

Last edited: 2005-01-12 10:24

This is indeed a major problem for us. We used Mantis first only internally, but now we want to give our customers access to a few projects. However, it is very confusing that in the 'All Projects' view they see all our custom fields, and also from projects they do not have access to.

However, they do not have access to issues which they are not supposed to, but they can see all values (enumeration) for all the custom fields in the system.

Furthermore it is very confusing for them.

We have over 50 custom fields in our system, but only a few for the 'customer projects'.

grunes

2005-04-25 05:06

reporter   ~0009895

I have the same problem too.

grunes

2005-05-24 06:50

reporter   ~0010196

Here is my solution: (v1.0.0.a2)

file: ./core/custom_field_api.php

diff:

603c603,605
<

          $t_project_user_list_table      = config_get( 'mantis_project_user_list_table' );
          $t_user_id                      = auth_get_current_user_id();
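
Review bot: The current user's id is taken unconditionally on the added `$t_user_id = auth_get_current_user_id();` line, with no check of that user's access level, so every caller of this function gets a per-user list, including an administrator who should still see every field. Suggest branching on the access level before the per-user filter is applied.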

605,606c607,611
< $query = "SELECT id
< FROM $t_custom_field_table

                  $query =         &quot;SELECT cft.id
                                    FROM $t_custom_field_table as cft
                                    LEFT JOIN $t_custom_field_project_table as cfpt on cft.id = cfpt.field_id
                                    LEFT JOIN $t_project_user_list_table as pult on cfpt.project_id = pult.project_id
                                    WHERE pult.user_id = $t_user_id
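
Review bot: The `WHERE pult.user_id = $t_user_id` condition on the LEFT JOINed user-list table discards every row without a matching user-list entry, so a field is returned only when the user is explicitly listed on one of its projects, and a field linked to several of the user's projects comes back once per project. Suggest selecting `DISTINCT cft.id` and widening the condition to cover the other ways a user can reach a project. `$t_user_id` is also interpolated directly into the SQL string; casting it to an integer or binding it as a parameter would be safer.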

regards,
steffen

thraxisp

2005-05-24 08:43

reporter   ~0010201

The query needs to be modified to handle public projects.

grunes

2005-05-24 08:58

reporter   ~0010202

Yes, and you need an exception for the administrators! (I noticed that the custom field management uses the same query)

grunes

2005-05-24 10:49

reporter   ~0010205

Here is the SQL that handles public projects:

SELECT *
FROM mantis_custom_field_table as cft
LEFT JOIN mantis_custom_field_project_table as cfpt on cft.id = cfpt.field_id
LEFT JOIN mantis_project_user_list_table as pult on cfpt.project_id = pult.project_id
LEFT JOIN mantis_project_table as pt on cfpt.project_id = pt.id
WHERE pult.user_id = 1
OR pt.view_state = 10
GROUP BY cft.id
ORDER BY cft.name ASC

Please do the rest by yourself, I have no experience in the Mantis "permission architecture".
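
The access rule discussed in this thread (fields from projects the user is listed on, plus public projects, with an exception for administrators), shown as an added example that is not Mantis code or any commenter's patch. It runs against an in-memory SQLite database; the simplified table names, the sample rows, the value 50 for a private project and the `is_admin` flag are constructed for illustration, and `EXISTS` is used in place of the thread's `LEFT JOIN ... GROUP BY` so no duplicate rows arise.

```python
import sqlite3

# Constructed schema and rows: simplified stand-ins for the tables named in the thread.
SCHEMA = """
CREATE TABLE project(id INTEGER PRIMARY KEY, name TEXT, view_state INTEGER);
CREATE TABLE project_user_list(project_id INTEGER, user_id INTEGER);
CREATE TABLE custom_field(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE custom_field_project(field_id INTEGER, project_id INTEGER);
INSERT INTO project VALUES (1,'A',50),(2,'b',50),(3,'c',10);  -- 50 = private (assumed)
INSERT INTO project_user_list VALUES (1,7),(2,8);             -- user 7 on A, user 8 on b
INSERT INTO custom_field VALUES (1,'customer_ref'),(2,'internal_cost'),(3,'browser');
INSERT INTO custom_field_project VALUES (1,1),(2,2),(3,3);
"""
PUBLIC = 10  # view_state value used for public projects in the thread's SQL

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def fields_unfiltered(db):
    """Reported behaviour: every field name, regardless of project access."""
    return [r[0] for r in db.execute("SELECT name FROM custom_field ORDER BY name")]

def fields_member_only(db, user_id):
    """Shape of the first patch: only projects with an explicit user-list row."""
    sql = """SELECT DISTINCT cft.name FROM custom_field cft
             JOIN custom_field_project cfpt ON cft.id = cfpt.field_id
             JOIN project_user_list pult ON cfpt.project_id = pult.project_id
             WHERE pult.user_id = ? ORDER BY cft.name"""
    return [r[0] for r in db.execute(sql, (user_id,))]

def fields_visible(db, user_id, is_admin=False):
    """Listed projects plus public projects; administrators see everything."""
    if is_admin:
        return fields_unfiltered(db)
    sql = """SELECT DISTINCT cft.name FROM custom_field cft
             JOIN custom_field_project cfpt ON cft.id = cfpt.field_id
             JOIN project pt ON cfpt.project_id = pt.id
             WHERE pt.view_state = ?
                OR EXISTS (SELECT 1 FROM project_user_list pult
                           WHERE pult.project_id = pt.id AND pult.user_id = ?)
             ORDER BY cft.name"""
    return [r[0] for r in db.execute(sql, (PUBLIC, user_id))]
```
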

thraxisp

2005-05-24 14:11

reporter   ~0010207

Fixed in CVS.

core/custom_field_api.php -> 1.52