View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0009885 | mantisbt | security | public | 2008-11-24 16:42 | 2014-12-22 08:21 |

| Field | Value |
|---|---|
| Reporter | polzin |
| Assigned To | vboctor |
| Priority | normal |
| Severity | major |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Target Version | 1.2.18 |
| Fixed in Version | 1.2.18 |
| Summary | 0009885: Emails on relations are sent to people who cannot see the related issue |
| Description | Issue A is set to related to issue B. User U has the right to see A, but not B. If he is monitoring A, he receives a mail that issue A is related to B. The summary of B, and of the other related issues, is disclosed, although it should be invisible to the user. |
| Tags | No tags attached. |

Furthermore, any email notification lists all relationships, even those the user should not see!

Targeting for 1.3 with the possibility of backporting as a bugfix.

I would have hoped that you consider it also a security issue that should definitely be solved in 1.2.x, even if it does not block 1.2.0. Well, let's see...

Fixing this would require relationship_get_details having details of the current user (to use with access_has_bug_level). I know I had some positive feedback from atrol when considering moving towards a "MantisContext" class to track this sort of stuff. We probably need to decide on whether we are going to move to that approach before fixing this; otherwise it's a case of adding user_id and project_id all the way through the call chains.

Reminder sent to: atrol, dregad

Atrol/Damien: What are your thoughts on this?

IIRC the "MantisContext" class was some kind of more elegant method to set/save/restore/get values of a collection of global variables. But it would still be quite easy to use it the wrong way. I prefer, in a first step, to have user_id and project_id as non-optional parameters at least for the low-level functions. Thus it's clear to a developer that he has to think about project and user when using such a function. Introducing a new concept (which might break plugins) is probably not something that should be done in 1.3.

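An added illustration of the check discussed above (not part of the original issue thread, and not MantisBT code, which is PHP): a self-contained Python model in which the access check takes the user explicitly, as atrol proposes, and the notification is built per recipient rather than once in the acting user's context. It covers the four scenarios the fix lists (no notification about a relationship the recipient cannot see, no hidden relationships listed in the email body, hidden relationship history events dropped, email built in the recipient's context) and also treats a referenced issue that no longer exists as not visible, which is the "bug doesn't exist" failure the follow-up commit had to fix. The `Issue`/`Store` classes, the access ladder and the sample issues and users are all constructed for this example.

```python
"""Per-recipient access filtering for relationship notifications.

Added illustration, not MantisBT's code (MantisBT is PHP). It is a
self-contained model of the check discussed in the thread: the
recipient's own access decides which related issues a notification or
history entry may name, never the acting user's. Everything here
(Issue, Store, the access ladder, the sample data) is constructed.
"""
from dataclasses import dataclass, field

# Hypothetical access ladder, loosely modelled on viewer < reporter < developer.
VIEWER, REPORTER, DEVELOPER = 10, 25, 55


@dataclass
class Issue:
    bug_id: int
    project_id: int
    summary: str
    view_level: int                               # minimum level to see it
    related: list = field(default_factory=list)   # ids of related issues


@dataclass
class Store:
    issues: dict          # bug_id -> Issue
    user_levels: dict     # (user_id, project_id) -> access level

    def access_has_bug_level(self, required, bug_id, user_id):
        """Model of an access check that takes the user explicitly.
        An unknown (e.g. deleted) bug is treated as not visible instead
        of raising, which is the error the follow-up commit hit."""
        issue = self.issues.get(bug_id)
        if issue is None:
            return False
        return self.user_levels.get((user_id, issue.project_id), 0) >= required

    def can_view(self, bug_id, user_id):
        issue = self.issues.get(bug_id)
        return issue is not None and self.access_has_bug_level(
            issue.view_level, bug_id, user_id)


def relationship_lines(store, bug_id, user_id):
    """Relationship lines for an email, filtered by the given user's access."""
    return [f"related to {rid:07d}: {store.issues[rid].summary}"
            for rid in store.issues[bug_id].related
            if store.can_view(rid, user_id)]


def notify_leaky(store, bug_id, related_id, actor_id, monitors):
    """Pre-fix behaviour: one body built in the actor's context and sent
    to every monitor, whatever that monitor is allowed to see."""
    body = [f"{bug_id:07d} is now related to {related_id:07d}"]
    body += relationship_lines(store, bug_id, actor_id)   # actor's view, reused
    return {u: "\n".join(body) for u in monitors}


def notify_fixed(store, bug_id, related_id, monitors):
    """Post-fix behaviour: skip recipients who cannot see both issues, and
    build each body in the recipient's own context."""
    out = {}
    for u in monitors:
        if not (store.can_view(bug_id, u) and store.can_view(related_id, u)):
            continue
        body = [f"{bug_id:07d} is now related to {related_id:07d}"]
        body += relationship_lines(store, bug_id, u)
        out[u] = "\n".join(body)
    return out


def visible_history(store, events, user_id):
    """Drop relationship history events whose target the user may not see
    (including targets that no longer exist)."""
    return [e for e in events
            if e.get("type") != "relationship"
            or store.can_view(e["related_id"], user_id)]


def sample_store():
    """Constructed data: a public project (1) and a restricted one (2)."""
    issues = {
        100: Issue(100, 1, "Login page returns HTTP 500", VIEWER, [200, 201]),
        200: Issue(200, 2, "Customer X contract terms wrong", DEVELOPER),
        201: Issue(201, 2, "Typo in invoice footer", REPORTER),
    }
    levels = {
        (1, 1): VIEWER,                          # user 1: sees project 1 only
        (2, 1): DEVELOPER, (2, 2): DEVELOPER,    # user 2: the acting developer
        (3, 1): VIEWER, (3, 2): REPORTER,        # user 3: limited on project 2
    }
    return Store(issues, levels)


if __name__ == "__main__":
    s = sample_store()
    print(notify_leaky(s, 100, 200, actor_id=2, monitors=[1, 2, 3]))
    print(notify_fixed(s, 100, 200, monitors=[1, 2, 3]))
```

Running it shows the disclosure the reporter describes: `notify_leaky` mails user 1 (who can only see project 1) the summary of issue 200, while `notify_fixed` does not notify user 1 at all and gives user 3 a body that names 201 but not 200.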
Here is a proposed fix.

Are you planning to backport this to 1.2? I think we should, as it's a security-related bugfix.

@dregad, I've ported the fix to master-1.2.x.

MantisBT: master 0f030fd7 2014-11-01 22:36

Relationship emails disclose related issue

This fix tackles the following scenarios:
- Users no longer get notified about relationships that they don't have access to.
- Users no longer see relationships listed in email notifications that they don't have access to.
- Users no longer see history events associated with relationships they don't have access to.
- Emails are constructed within the context of the target user, not the logged-in one.

Fixes 0009885

Affected Issues: 0009885

mod - core/email_api.php
mod - core/history_api.php

MantisBT: master-1.2.x b899651c 2014-11-04 18:04

Relationship emails disclose related issue

This fix tackles the following scenarios:
- Users no longer get notified about relationships that they don't have access to.
- Users no longer see relationships listed in email notifications that they don't have access to.
- Users no longer see history events associated with relationships they don't have access to.
- Emails are constructed within the context of the target user, not the logged-in one.

Fixes 0009885

Affected Issues: 0009885

mod - core/email_api.php
mod - core/history_api.php

MantisBT: master-1.2.x 76a1d203 2014-11-04 18:04

Relationship emails disclose related issue

This fix tackles the following scenarios:
- Users no longer get notified about relationships that they don't have access to.
- Users no longer see relationships listed in email notifications that they don't have access to.
- Users no longer see history events associated with relationships they don't have access to.
- Emails are constructed within the context of the target user, not the logged-in one.

Fixes 0009885

Affected Issues: 0009885

mod - core/email_api.php
mod - core/history_api.php

MantisBT: master 3012159c 2014-11-15 11:38

Fix "bug doesn't exist" error in timeline feature

The error was caused by 0f030fd725b8139aa39e47365fe3433a2f12dda8, which checks that the user has access to issues referenced in issue history.

Issue 0009885

Affected Issues: 0009885

mod - core/history_api.php

MantisBT: master-1.2.x 5d1a57f8 2014-11-15 11:38

Fix "bug doesn't exist" error in timeline feature

The error was caused by 0f030fd725b8139aa39e47365fe3433a2f12dda8, which checks that the user has access to issues referenced in issue history.

Issue 0009885

Conflicts: core/history_api.php

Affected Issues: 0009885

mod - core/history_api.php