View Issue Details

ID: 0009885
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-22 08:21
Reporter: polzin
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0009885: Emails on relations are sent to people who cannot see the related issue
Description

Issue A is set to related to issue B. User U has the right to see A, but not B. If he is monitoring A, he receives a mail that the issue A is related to B. The summary of B and of other issues being related is disclosed, although it should be invisible to the user.

Tags: No tags attached.

Relationships

related to 0017669 (closed, vboctor): Reporters are able to assign issues
related to 0017925 (closed, dregad): Order of notes in email notifications seem to be based on user who triggered the action
related to 0017948 (closed, dregad): Number of notes in email notifications is incorrect

Activities

polzin (reporter), 2009-12-23 10:18, note ~0023971

Furthermore, any email notification lists all relationships, even those the user should not see!

jreese (reporter), 2009-12-23 10:59, note ~0023974

Targeting for 1.3 with the possibility of backporting as a bugfix.

polzin (reporter), 2009-12-23 12:06, note ~0023975

I would have hoped that you consider it also a security issue that should definitely be solved in 1.2.x, even if it does not block 1.2.0. Well, let's see...

grangeway (reporter), 2014-06-01 16:34, note ~0040692

Fixing this would require relationship_get_details having details of the current user (to use with access_has_bug_level).

I know I had some positive feedback from atrol when considering moving towards a "MantisContext" class to track this sort of stuff.

We probably need to decide on if we are going to move to that approach, before fixing this - otherwise it's a case of adding user_id, project_id all the way through the chains

grangeway (reporter), 2014-06-01 16:36, note ~0040693

Reminder sent to: atrol, dregad

Atrol/Damien: What are your thoughts on this?

atrol (developer), 2014-06-02 16:42, note ~0040723

IIRC the "MantisContext" class was some kind of more elegant method to set/save/restore/get values of a collection of global variables. But it would still be quite easy to use it the wrong way.
There is no big difference between calling a SetContext method and setting $g_project_override.

I prefer in a first step to have user_id and project_id at least for the low level functions as non optional parameters. Thus it's clear for a developer that he has to think about project and user when using such a function.

Introducing a new concept (which might break plugins) is probably nothing that should be done in 1.3.

vboctor (manager), 2014-10-25 01:14, note ~0041652

Here is a proposed fix.
https://github.com/mantisbt/mantisbt/pull/520

dregad (developer), 2014-11-03 05:43, note ~0041755

Are you planning to backport this to 1.2 ? I think we should, as it's a security-related bugfix.

vboctor (manager), 2014-11-04 23:07, note ~0041760

@dregad, I've ported the fix to master-1.2.x.

Related Changesets

MantisBT: master 0f030fd7 (2014-11-01 22:36, vboctor)

Relationship emails disclose related issue

This fix tackles the following scenarios:

- Users no longer get notified about relationships that they don't have access to.
- Users no longer see relationships listed in email notifications that they don't have access to.
- Users no longer see history events associated with relationships they don't have access to.
- Emails are constructed within the context of the target user not the logged in one.

Fixes 0009885

Affected Issues: 0009885
Modified files:
mod - core/email_api.php
mod - core/history_api.php
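The per-recipient construction that the changeset above describes, as an added example that is not MantisBT's own code: the relationship block of a notification is rendered for the recipient who will read the mail rather than for the user who triggered the action, and a new-relationship notification goes only to monitors who can view both issues. The issues, users, `RELATIONSHIPS` table and the `can_view()` stand-in for `access_has_bug_level()` are constructed assumptions.

```python
# Added example modelling the fix, not MantisBT code. Issues, users and the
# can_view() stand-in for access_has_bug_level() are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    id: int
    project: str
    summary: str


# Constructed sample data: issue 1 is public, issue 2 is in a private project.
ISSUES = {
    1: Issue(1, "public", "Login page times out"),
    2: Issue(2, "private", "Credentials stored in plaintext"),
}
RELATIONSHIPS = [(1, 2)]  # issue 1 is related to issue 2
ACCESS = {"admin": {"public", "private"}, "reporter": {"public"}}


def can_view(user: str, issue_id: int) -> bool:
    """Stand-in for access_has_bug_level(): project-level visibility only."""
    return ISSUES[issue_id].project in ACCESS.get(user, set())


def related_ids(issue_id: int) -> list:
    """Ids of issues related to issue_id, in either direction."""
    return [d if s == issue_id else s for s, d in RELATIONSHIPS if issue_id in (s, d)]


def relationship_lines(issue_id: int, viewer: str) -> list:
    """Relationship block of the mail, filtered to what the viewer may see."""
    return [f"related to {r}: {ISSUES[r].summary}"
            for r in related_ids(issue_id) if can_view(viewer, r)]


def build_email(issue_id: int, actor: str, recipient: str, fixed: bool) -> str:
    """Before the fix the block was rendered in the actor's context and reused
    for every recipient; after it, each recipient's own access is checked."""
    viewer = recipient if fixed else actor
    header = f"Issue {issue_id}: {ISSUES[issue_id].summary}"
    return "\n".join([header] + relationship_lines(issue_id, viewer))


def relationship_recipients(src: int, dst: int, monitors: list) -> list:
    """Notify a monitor about a new relationship only if both ends are visible."""
    return [u for u in monitors if can_view(u, src) and can_view(u, dst)]
```

With the leaky construction, a reporter monitoring issue 1 receives the private summary of issue 2 whenever an admin triggers the mail; with the fixed construction that line is dropped for the reporter and the admin still sees it.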

MantisBT: master-1.2.x b899651c (2014-11-04 18:04, vboctor)

Relationship emails disclose related issue

This fix tackles the following scenarios:

- Users no longer get notified about relationships that they don't have access to.
- Users no longer see relationships listed in email notifications that they don't have access to.
- Users no longer see history events associated with relationships they don't have access to.
- Emails are constructed within the context of the target user not the logged in one.

Fixes 0009885

Affected Issues: 0009885
Modified files:
mod - core/email_api.php
mod - core/history_api.php

MantisBT: master-1.2.x 76a1d203 (2014-11-04 18:04, vboctor)

Relationship emails disclose related issue

This fix tackles the following scenarios:

- Users no longer get notified about relationships that they don't have access to.
- Users no longer see relationships listed in email notifications that they don't have access to.
- Users no longer see history events associated with relationships they don't have access to.
- Emails are constructed within the context of the target user not the logged in one.

Fixes 0009885

Affected Issues: 0009885
Modified files:
mod - core/email_api.php
mod - core/history_api.php

MantisBT: master 3012159c (2014-11-15 11:38, vboctor)

Fix bug doesn't exist error in timeline feature

The error was caused by 0f030fd725b8139aa39e47365fe3433a2f12dda8 which checks that the user has access to issues referenced in issue history.

Issue 0009885

Affected Issues: 0009885
Modified files:
mod - core/history_api.php

MantisBT: master-1.2.x 5d1a57f8 (2014-11-15 11:38, vboctor)

Fix bug doesn't exist error in timeline feature

The error was caused by 0f030fd725b8139aa39e47365fe3433a2f12dda8 which checks that the user has access to issues referenced in issue history.

Issue 0009885

Conflicts:
core/history_api.php

Affected Issues: 0009885
Modified files:
mod - core/history_api.php