View Issue Details

ID: 0011431
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2019-12-13 18:06
Reporter: rerbin
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: git trunk
Summary: 0011431: everyone can see the "private" issue which is reported by others
Description

Use an admin account to report an issue and make it private, then use another reporter account; you will find you can see the issue.

Tags: No tags attached.

Activities

dhx (reporter) 2010-01-25 00:33 ~0024235

Hmmm, unable to reproduce.

Try this private issue from this bug tracker:
http://www.mantisbt.org/bugs/view.php?id=11206

I can't see it when I log out and browse via the anonymous user.

Bugnote revisions also seem to be protected, although it doesn't show an error (it just shows a blank note):

http://www.mantisbt.org/bugs/bug_revision_view_page.php?bugnote_id=0024234#r542

rerbin (reporter) 2010-01-25 20:24 ~0024246

Use a developer account to report an issue and make it private to admin, then use another developer or manager account; you will find you can see the issue.

vboctor (manager) 2010-01-25 22:55 ~0024247

  • Administrators have access to do ALL MantisBT operations and hence they will be able to view private issues.

  • There is a configuration option for access level above which PRIVATE issues will be visible.

$g_private_bug_threshold = DEVELOPER;
$g_private_bugnote_threshold = DEVELOPER;

dhx (reporter) 2010-02-07 07:38 ~0024337
Last edited: 2019-12-03 07:21

rerbin: can you please confirm whether setting the options specified by vboctor above resolves this issue? You need to change those values from DEVELOPER to something higher so that other developers cannot see private issues/notes. The owner/creator of private issues/notes can always see their private issues/notes.

As per access_api.php inside access_has_bug_level(...):

    # If the bug is private and the user is not the reporter, then the
    #  the user must also have higher access than private_bug_threshold
    if( VS_PRIVATE == bug_get_field( $p_bug_id, 'view_state' ) && !bug_is_user_reporter( $p_bug_id, $p_user_id ) ) {
        $p_access_level = max( $p_access_level, config_get( 'private_bug_threshold' ) );
    }

EDIT (dregad) fix markdown

mantistestor (reporter) 2010-04-20 10:44 ~0025162
Last edited: 2010-04-20 10:58

If I set in config_defaults_inc.php
$g_private_bugnote_threshold = ADMINISTRATOR;
then I lose the option to mark a note as private in view.php for roles < ADMINISTRATOR.
Users with < ADMINISTRATOR should post their private messages; the ability to set a note as private should persist.
I tried to explain with the screenshots.
I'm using Mantis 1.2.0a3

mantistestor (reporter) 2010-04-20 10:48
File Added: adm.png (3,219 bytes)

mantistestor (reporter) 2010-04-20 10:48
File Added: dev.png (3,242 bytes)

dhx (reporter) 2010-04-21 08:10 ~0025181

I think I understand now... what you're saying is that we really need some more thresholds:

$g_bugnote_set_private_threshold - allows a user to set a bugnote as being private

$g_bugnote_unset_private_threshold - allows a user to unset a bugnote as being private

$g_bugnote_view_private_threshold - allows a user to view private bugnotes

Am I correct?

mantistestor (reporter) 2010-04-21 08:26 ~0025187
Last edited: 2010-04-23 08:04

Hmmm...
the function must give the ability to

  • allow a user to set a bugnote as being private, independent of his ability to see private notes

The problem now is: either a user can post private messages AND watch all other private messages, OR he cannot read other private messages, but then he also does not have the ability to post private messages.

Your thresholds would solve the problem if the thresholds are not dependent on each other.

Difficult to explain, not my language :)
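To make the threshold behaviour discussed in this thread concrete, both the access_api.php check quoted by dhx and the coupling between posting and viewing private notes raised by mantistestor (with dhx's proposed split thresholds), here is an added stand-alone Python model. It is not MantisBT code; the access-level and view_state numbers are MantisBT's default constants, while the users and bug are constructed sample data.

```python
# Added stand-alone model, not MantisBT's own code. Access-level and view_state
# values are MantisBT's default constants; users and bug below are constructed.
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
VS_PUBLIC, VS_PRIVATE = 10, 50


def access_has_bug_level(p_access_level, bug, user_id, user_level, private_bug_threshold):
    """Mirror of the check quoted from access_api.php: for a private bug the
    required level is raised to private_bug_threshold unless the user is the
    reporter, so the reporter always sees their own private issue."""
    if bug["view_state"] == VS_PRIVATE and bug["reporter_id"] != user_id:
        p_access_level = max(p_access_level, private_bug_threshold)
    return user_level >= p_access_level


def who_can_view(bug, users, private_bug_threshold, view_bug_threshold=VIEWER):
    """Names of the users who pass the check above for this bug."""
    return sorted(name for name, (uid, level) in users.items()
                  if access_has_bug_level(view_bug_threshold, bug, uid, level,
                                          private_bug_threshold))


def note_permissions(user_level, set_threshold, view_threshold):
    """One shared private_bugnote_threshold (as in 1.2) means set == view; the
    split thresholds dhx proposes let a user post a private note without being
    able to read other people's private notes."""
    return {"can_set_private": user_level >= set_threshold,
            "can_view_private": user_level >= view_threshold}


# Constructed sample: a private bug reported by alice, viewed by the others.
USERS = {"alice_reporter": (1, REPORTER), "bob_dev": (2, DEVELOPER),
         "carol_mgr": (3, MANAGER), "dave_admin": (4, ADMINISTRATOR)}
PRIVATE_BUG = {"id": 42, "view_state": VS_PRIVATE, "reporter_id": 1}

if __name__ == "__main__":
    # Default threshold (DEVELOPER): bob the developer sees alice's private bug.
    print(who_can_view(PRIVATE_BUG, USERS, DEVELOPER))
    # Raised to MANAGER: bob no longer sees it, alice still does as reporter.
    print(who_can_view(PRIVATE_BUG, USERS, MANAGER))
    # Shared threshold at ADMINISTRATOR removes bob's ability to post private notes too.
    print(note_permissions(DEVELOPER, ADMINISTRATOR, ADMINISTRATOR))
    print(note_permissions(DEVELOPER, DEVELOPER, ADMINISTRATOR))
```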

mantistestor (reporter) 2010-05-07 06:49 ~0025437

If you have the permission to post a private issue, then you see all other private issues too.

atrol (developer) 2013-04-27 18:51 ~0036717

Removed assignment. dhx will not contribute to this issue in near future.

dregad (developer) 2019-12-03 07:22 ~0063173

As explained, this can be achieved by customizing thresholds in config_inc.php

Issue History

Date Modified Username Field Change
2010-01-24 23:38 rerbin New Issue
2010-01-25 00:33 dhx Note Added: 0024235
2010-01-25 20:24 rerbin Note Added: 0024246
2010-01-25 22:55 vboctor Note Added: 0024247
2010-02-07 07:38 dhx Note Added: 0024337
2010-02-07 07:38 dhx Assigned To => dhx
2010-02-07 07:38 dhx Status new => feedback
2010-04-20 10:44 mantistestor Note Added: 0025162
2010-04-20 10:48 mantistestor File Added: adm.png
2010-04-20 10:48 mantistestor File Added: dev.png
2010-04-20 10:48 mantistestor Note Edited: 0025162 View Revisions
2010-04-20 10:58 mantistestor Note Edited: 0025162 View Revisions
2010-04-21 08:10 dhx Note Added: 0025181
2010-04-21 08:26 mantistestor Note Added: 0025187
2010-04-23 08:04 mantistestor Note Edited: 0025187 View Revisions
2010-05-07 06:49 mantistestor Note Added: 0025437
2013-04-27 18:51 atrol Note Added: 0036717
2013-04-27 18:51 atrol Assigned To dhx =>
2019-12-03 07:21 dregad Note Edited: 0024337 View Revisions
2019-12-03 07:22 dregad Assigned To => dregad
2019-12-03 07:22 dregad Status feedback => resolved
2019-12-03 07:22 dregad Resolution open => no change required
2019-12-03 07:22 dregad Note Added: 0063173
2019-12-13 18:06 atrol Status resolved => closed