Hello all,
I have been having some security issues with the email notification in our company.
We're using Mantis version 1.2.11 right now, we have different external and internal projects.
All projects are set to private, so that only members of these projects are allowed to see those projects and the tickets within.
A normal workflow is that a customer creates an external ticket and, if it's something that can't be solved immediately or if it's a feature request that has to be implemented, we create a clone of that ticket and move that clone into one of our internal projects where developers work on the solution (sometimes it gets copied instead of cloned, and a relation is added later).
(Quick side note: it would be nice to have a "clone to" option, to clone a ticket into another project, like when you copy a ticket, but with the option to set relations right with it, like when you clone it.)
Anyway: it happens that some of our customers send us emails replying to items that were handled in internal tickets.
The first thing we found out was that when you re-assign a ticket to another handler, the users get informed about that change. The problem is that they are informed about ALL the changes that happened in the INTERNAL ticket up to that point, even if the user has NO access to the internal project.
That's a huge security issue, since they can see assessments and other things that they are not supposed to see.
To fix that we deactivated all notifications to creators of tickets about changes of the handler.
Shortly thereafter we had another issue, which has not yet been figured out. Another customer was complaining that he could not add comments to a ticket he got a notification about. The thing is that it was again an internal ticket that he is not supposed to see or get any notification about. He saw (once again) the entire history of what happened in the ticket. The last entry to be seen was a switch from assigned to feedback. I tried to reproduce that situation but was not able to; instead I found another issue. If you copy a ticket from an external project into an internal one (where the customer has no access), he will get notifications about everything that has happened up to this point if you add or remove a relationship to another ticket.
All of these things are a very big security problem in our company and I would like to find a solution for how to avoid that.
A user should under no circumstances get any notification about a ticket that is in a project he has no access to!
Can you help me to figure out how to solve that issue?
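As an added illustration (not Mantis's own code; the class and function names are hypothetical), a small Python model of the access gate the post asks for, applied to the clone scenario described above: the recipient list computed from the ticket alone is shown beside one filtered by project membership, so a customer carried along by a clone or copy never receives the internal history.

```python
from dataclasses import dataclass, field


@dataclass
class Project:
    name: str
    private: bool
    members: set


@dataclass
class Ticket:
    id: int
    project: Project
    reporter: str
    handler: str
    monitors: set = field(default_factory=set)
    history: list = field(default_factory=list)  # (actor, entry) pairs


def can_view(user: str, project: Project) -> bool:
    """Project-level access: private projects are visible to members only."""
    return (not project.private) or user in project.members


def candidate_recipients(ticket: Ticket) -> set:
    """Everyone attached to the ticket, regardless of project access; this is
    the behaviour the thread describes (reporter carried over by the clone)."""
    return {ticket.reporter, ticket.handler} | ticket.monitors


def gated_recipients(ticket: Ticket) -> set:
    """Drop every candidate who cannot view the ticket's *current* project."""
    return {u for u in candidate_recipients(ticket) if can_view(u, ticket.project)}


def render_notification(ticket: Ticket, user: str):
    """Mail body for `user`, or None when the gate blocks it. The body carries
    the full history, which is exactly the data that must not leak."""
    if user not in gated_recipients(ticket):
        return None
    lines = [f"[{ticket.project.name} #{ticket.id}] handler: {ticket.handler}"]
    lines += [f"{actor}: {entry}" for actor, entry in ticket.history]
    return "\n".join(lines)


# Constructed scenario: a customer's external ticket is cloned into a private
# internal project the customer is not a member of, then re-assigned.
external = Project("Support", private=True, members={"customer", "dev1", "dev2"})
internal = Project("Internal", private=True, members={"dev1", "dev2"})
original = Ticket(1, external, reporter="customer", handler="dev1",
                  history=[("customer", "Export fails on large files")])
clone = Ticket(2, internal, reporter="customer", handler="dev1",
               history=original.history + [("dev2", "Root cause: buffer sizing")])
clone.handler = "dev2"  # the re-assignment that triggered the mails

if __name__ == "__main__":
    print("without gate:", sorted(candidate_recipients(clone)))
    print("with gate:   ", sorted(gated_recipients(clone)))
    print(render_notification(clone, "customer"))  # None: nothing leaks
```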
Re: security issue with email notifications
I recommend updating to the latest stable version, 1.2.12, where this issue is fixed.
http://www.mantisbt.org/bugs/view.php?id=14704