View Issue Details

ID: 0006233
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-01-25 16:36
Reporter: urkle
Assigned To: vboctor
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: won't fix
Product Version: 1.0.0rc1
Summary: 0006233: Ability to revoke access to a public project from a specific user
Description

There should be a "none" access level in the list so I can revoke ALL rights to a public project from a user in the system.

Tags: patch
Attached Files
Mantis_noaccess.diff (406 bytes)   
--- user_api.php.orig	2005-09-09 17:33:43.000000000 -0500
+++ user_api.php	2005-09-09 17:35:32.000000000 -0500
@@ -664,6 +664,7 @@
 					  LEFT JOIN $t_project_hierarchy_table ph
 					    ON ph.child_id = p.id
 					  WHERE $t_enabled_clause
+                                                u.access_level > 0 AND
 						( p.view_state='$t_public'
 						    OR (p.view_state='$t_private'
 							    AND
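Review bot: the new condition `u.access_level > 0 AND` tests the wrong table. `u` is the alias of the project_user_list table (the later noaccess.diff shows it joined with `ON p.id=u.project_id AND u.user_id=$c_user_id`), and it is LEFT JOINed, so for any user without an explicit row on a project `u.access_level` is NULL, `NULL > 0` is not true, and every such project, public ones included, drops out of the result for every user, not only those with a "none" level. The user's global level lives in the user table and needs its own join, or a check in PHP before the query is built. Separately, the added line is indented with spaces where the surrounding lines use tabs.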
noaccess.diff (923 bytes)   
--- user_api.php.orig	2005-09-27 14:19:43.000000000 -0500
+++ user_api.php	2005-09-27 14:27:13.000000000 -0500
@@ -652,6 +652,7 @@
 			$t_project_table			= config_get( 'mantis_project_table' );
 			$t_project_user_list_table	= config_get( 'mantis_project_user_list_table' );
 			$t_project_hierarchy_table	= config_get( 'mantis_project_hierarchy_table' );
+			$t_user_table			= config_get( 'mantis_user_table' );
 
 			$t_public	= VS_PUBLIC;
 			$t_private	= VS_PRIVATE;
@@ -663,8 +664,11 @@
 					    ON p.id=u.project_id AND u.user_id=$c_user_id
 					  LEFT JOIN $t_project_hierarchy_table ph
 					    ON ph.child_id = p.id
+					  JOIN $t_user_table ut
+					    ON ut.id = $c_user_id
 					  WHERE $t_enabled_clause
-						( p.view_state='$t_public'
+						( (p.view_state='$t_public'
+						   AND ut.access_level > 0)
 						    OR (p.view_state='$t_private'
 							    AND
 						        u.user_id='$c_user_id' )
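Review bot: the check now reads the global level from the user table and is scoped to the public branch, which matches what the issue asks for, but two points. First, the patch assumes a level 0 ("none") can be assigned to a user; ~0011359 describes that as a separate change to $g_access_levels_enum_string and $s_access_levels_enum_string, and this diff does not include it, so the two changes need to ship together. Second, `JOIN $t_user_table ut ON ut.id = $c_user_id` has no relation to `p` and simply attaches one constant row to every result row; looking up the user's global level in PHP once and skipping the query when it is 0 would be simpler and would also avoid the quoting inconsistency between `ut.id = $c_user_id` here and `u.user_id='$c_user_id'` two lines below.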

Activities

urkle (reporter) 2005-09-09 18:19 ~0011359

Adding 0:none, to the beginning of $g_access_levels_enum_string and $s_access_levels_enum_string adds the desired results.

urkle (reporter) 2005-09-09 18:22 ~0011360

OK, mostly the desired result. The user cannot switch to the project, report an issue to the project, or view any tickets for the project. BUT he can search tickets in the project and view their simple summary in view_issues.

urkle (reporter) 2005-09-09 18:37 ~0011361

I've attached a patch to core/user_api.php that implements an extra security check to assure that the user does not have "none" access on a project.

urkle (reporter) 2005-09-27 15:31 ~0011436

I've attached an updated patch that corrects some mislogic I had w/ the original query. This one works correctly now.
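As an added illustration, not the reporter's patch nor MantisBT code: the two WHERE clauses from Mantis_noaccess.diff and noaccess.diff run against constructed SQLite tables that mirror the three Mantis tables, with the project-hierarchy join left out and the VS_PUBLIC / VS_PRIVATE values assumed. It shows why the first version hid public projects from every user without an explicit project_user_list row (NULL > 0 is not true), while the second hides them only from users whose global access level is 0.

```python
import sqlite3

# Assumed numeric values for VS_PUBLIC / VS_PRIVATE; the patch names them but
# this page does not give their values.
VS_PUBLIC, VS_PRIVATE = 10, 50

SCHEMA = """
CREATE TABLE mantis_project_table (id INTEGER PRIMARY KEY, name TEXT, view_state INTEGER, enabled INTEGER);
CREATE TABLE mantis_project_user_list_table (project_id INTEGER, user_id INTEGER, access_level INTEGER);
CREATE TABLE mantis_user_table (id INTEGER PRIMARY KEY, username TEXT, access_level INTEGER);
"""

# Mantis_noaccess.diff: the level check is applied to the LEFT JOINed
# project_user_list alias 'u' (the project-hierarchy join is omitted here).
FIRST_PATCH_SQL = """
SELECT p.name FROM mantis_project_table p
  LEFT JOIN mantis_project_user_list_table u
    ON p.id = u.project_id AND u.user_id = :uid
 WHERE p.enabled = 1 AND u.access_level > 0 AND
       ( p.view_state = :pub OR (p.view_state = :priv AND u.user_id = :uid) )
"""

# noaccess.diff: the check reads the global level from the user table alias
# 'ut' and applies only to the public-project branch.
SECOND_PATCH_SQL = """
SELECT p.name FROM mantis_project_table p
  LEFT JOIN mantis_project_user_list_table u
    ON p.id = u.project_id AND u.user_id = :uid
  JOIN mantis_user_table ut ON ut.id = :uid
 WHERE p.enabled = 1 AND
       ( (p.view_state = :pub AND ut.access_level > 0)
         OR (p.view_state = :priv AND u.user_id = :uid) )
"""

def build_db():
    """Constructed data: alice has global level 25 and no per-project row, bob
    has global level 0 ('none'), carol is explicitly on the private project."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mantis_project_table VALUES (?,?,?,?)",
                     [(1, "pub", VS_PUBLIC, 1), (2, "priv", VS_PRIVATE, 1)])
    conn.executemany("INSERT INTO mantis_user_table VALUES (?,?,?)",
                     [(1, "alice", 25), (2, "bob", 0), (3, "carol", 25)])
    conn.execute("INSERT INTO mantis_project_user_list_table VALUES (?,?,?)", (2, 3, 25))
    return conn

def visible_projects(conn, user_id, sql):
    # Project names the given user would see under one of the two WHERE clauses.
    params = {"uid": user_id, "pub": VS_PUBLIC, "priv": VS_PRIVATE}
    return sorted(row[0] for row in conn.execute(sql, params))
```

With the first clause alice sees nothing and carol sees only the private project; with the second alice sees the public project, bob (level 0) sees nothing, and carol sees both.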

vboctor (manager) 2015-01-14 04:15 ~0042145

Public projects are by design available to everyone.