View Issue Details

ID: 0016024
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-08 00:33
Reporter: Chewits
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary: 0016024: When user reports an issue, the unpermitted project can be selected
Description
  1. If you select the active project as 'All Projects' and then try to report an issue, you will be able to select a project you don't have permission to report to. As a result you get an "Access Denied." error in this case.
    I think that this list should be limited to projects you can actually submit an issue to. Also, the error message in this case should be more informative.

  2. Why shouldn't we use the Default project (if Active project == 'All projects' && Default project != 'All projects') when reporting issue?

Tags: No tags attached.

Activities

dregad (developer), 2013-06-07 03:32, note ~0037130

Thanks for the bug report.

> 1. If you select active project as 'All Projects' and then try to report an
> issue, you will be able to select project you don't have permission to report
> to it. As a result you get "Access Denied." error in this case.

I am not able to reproduce this on 1.2.15, with a reporter account, I only see projects I have access to.

Please confirm that you are not using customized code, and provide detailed steps to reproduce the issue.

> 2. Why shouldn't we use the Default project

That's an option indeed, could you kindly open a separate issue to cover this?

atrol (developer), 2013-06-07 03:38, note ~0037131

The problem is that you get also projects in the list where you are just VIEWER.

Chewits (reporter), 2013-06-07 05:55, note ~0037133

dregad, atrol:
I don't use customized code.
In my case the situation is as follows: I have several projects with changed report_bug_threshold (Manage->Manage Configuration->Workflow Thresholds->Report an issue-> uncheck 'Reporter'). Suppose, for example, one of these is called "Test Project". So I can browse issues in these projects but cannot report a new bug.
When I set active project as 'All Projects' (top right of pages) and then click on the link 'Report Issue' and then select 'Test Project' I'll get 'Access Denied.' error.

In my opinion, it's not the correct behavior. I should not see 'Test project' in that list.

dregad (developer), 2013-06-07 06:28, note ~0037134

@atrol

> The problem is that you get also projects in the list where you are just VIEWER.

You're confusing me. As viewer, you don't get the 'report issue' menu to begin with, so you should not even see login_select_proj_page.php... Am I missing something?

@Chewits

OK, I can reproduce the issue now.

> it's not the correct behavior. I should not see 'Test project' in that list.

Agreed.

atrol (developer), 2013-06-07 06:36, note ~0037135

Create a user which is
- REPORTER in private project A and
- VIEWER in private project B

-> You get the 'report issue' menu
-> You get projects A and B in the list

dregad (developer), 2013-06-07 09:57, note ~0037140 (last edited: 2013-06-07 09:58)

@atrol, OK; I get it now. It's the same problem actually.

My first thought was to not add the projects where the user can't report issues, but that was causing problems / confusion when using subprojects.

So I'm now working on a patch which sets the option to disabled instead. Will post a solution shortly.

dregad (developer), 2013-06-07 10:12, note ~0037141

Please test https://github.com/dregad/mantisbt/tree/fix-16024

Note that this branch also fixes 0016029 which is a bug I discovered while testing this.

Chewits (reporter), 2013-06-07 11:20, note ~0037144

Thanks a lot!

Please try this case:

  1. Select 'All Projects' (top right drop-down list) or any project you are permitted to report to
  2. Click 'Report Issue'
     (3. Select any available project) - not needed if you selected a particular project in the first step
  3. Select 'Test Project' (which you are not allowed to report to) in the top right drop-down select box
  4. You get the 'Access Denied.' error

atrol (developer), 2013-06-07 12:09, note ~0037146 (last edited: 2013-06-07 12:09)

Quite a lot of source code changed.
Severity is "minor" maybe even "feature"

I prefer to not fix this in master-1.2.x as I fear introducing regressions.

dregad (developer), 2013-06-07 18:26, note ~0037147

@atrol

Not sure what you qualify as "quite a lot", the changes are quite limited (excluding whitespace, 4 files changed, 60 insertions(+), 24 deletions(-)) and I think the risk of regression is quite low.

But anyway if you're not comfortable, I'm fine with holding this (and the other fixes 0016026 and 0016029 too) to 1.3.

@Chewits

The access denied case you describe in 0016024:0037144 is normal, expected and can't be avoided, without completely preventing selection of your 'Test Project' from other places in the system.
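The approach the thread settles on (keep non-reportable projects in the picker but render them disabled, so the subproject hierarchy stays intact, while the server still enforces report_bug_threshold on submission and answers "Access Denied." for a hand-crafted request), as a constructed model added here. This is not MantisBT's code: `Project`, `USER_ACCESS`, `project_option_list`, `render_options`, `handle_report_submission` and the sample projects are assumptions; only the access-level constant values are MantisBT's.

```python
from dataclasses import dataclass, field
from html import escape

# MantisBT access-level constants, values as defined in core/constant_inc.php.
VIEWER = 10
REPORTER = 25
DEVELOPER = 55


@dataclass
class Project:
    """Constructed stand-in for a MantisBT project (not the project's own class)."""
    id: int
    name: str
    # per-project value of the report_bug_threshold configuration option
    report_bug_threshold: int = REPORTER
    subprojects: list = field(default_factory=list)


# Constructed sample data: the user is REPORTER in most projects, but
#  - "Test Project" has report_bug_threshold raised to DEVELOPER (Chewits' case),
#  - "Project B" grants the user only VIEWER (atrol's case),
#  - "Parent Project" is not reportable while its child is (hierarchy stays visible).
PROJECTS = [
    Project(1, "Public Project"),
    Project(2, "Test Project", report_bug_threshold=DEVELOPER),
    Project(3, "Parent Project", report_bug_threshold=DEVELOPER,
            subprojects=[Project(4, "Child Project")]),
    Project(5, "Project B"),
]
# project id -> access level of the current user (hypothetical)
USER_ACCESS = {1: REPORTER, 2: REPORTER, 3: REPORTER, 4: REPORTER, 5: VIEWER}


def can_report(access, project):
    """Single access check, used both when rendering and when the form is submitted."""
    return access.get(project.id, 0) >= project.report_bug_threshold


def index_projects(projects, acc=None):
    """Flatten the project tree into {id: Project}."""
    acc = {} if acc is None else acc
    for p in projects:
        acc[p.id] = p
        index_projects(p.subprojects, acc)
    return acc


def project_option_list(access, projects, depth=0):
    """Walk the tree and return (id, depth, enabled) per visible project.

    Projects the user cannot report to are kept (so subprojects still appear
    under their parent) but flagged as not enabled.
    """
    out = []
    for p in projects:
        out.append((p.id, depth, can_report(access, p)))
        out.extend(project_option_list(access, p.subprojects, depth + 1))
    return out


def render_options(access, projects):
    """Render <option> elements, marking non-reportable projects disabled."""
    by_id = index_projects(projects)
    html = []
    for pid, depth, enabled in project_option_list(access, projects):
        label = ("&nbsp;" * 4 * depth) + escape(by_id[pid].name)
        attr = "" if enabled else " disabled"
        html.append(f'<option value="{pid}"{attr}>{label}</option>')
    return "\n".join(html)


class AccessDenied(Exception):
    pass


def handle_report_submission(access, projects, submitted_project_id):
    """Server side of the report form.

    The disabled attribute is only a browser hint; a hand-crafted POST can carry
    any project id, so the same threshold check runs again here and the user
    gets "Access Denied." exactly as described in the issue.
    """
    project = index_projects(projects).get(submitted_project_id)
    if project is None or not can_report(access, project):
        raise AccessDenied("Access Denied.")
    return project.id


def submission_is_denied(access, projects, submitted_project_id):
    """True when the server rejects the submitted project id."""
    try:
        handle_report_submission(access, projects, submitted_project_id)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    print(render_options(USER_ACCESS, PROJECTS))
    print("submit 2 denied:", submission_is_denied(USER_ACCESS, PROJECTS, 2))
```

The rendered list greys out "Test Project", "Parent Project" and "Project B" but still shows "Child Project" indented under its parent; submitting id 2 or 5 directly is refused by `handle_report_submission`, which is the check that actually protects the project, the disabled attribute only improves usability.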

Related Changesets

MantisBT: master cf773147 (dregad, 2013-06-07 05:28)

Add new helper API function check_disabled()

Prerequisite to fix issue 0016024

Affected Issues: 0016024
Files: mod - core/helper_api.php

MantisBT: master ef31cc7c (dregad, 2013-06-07 05:29)

Disable selection of projects in which user can't report issues

When the current project is 'All Projects' and user clicks on 'Report
Issue', login_select_proj_page.php presents them with a list of projects,
which includes those in which the user is not allowed to report issues.
If one of these projects is selected, an 'Access Denied' error occurs.

This commit makes the functionality more user-friendly by disabling
these projects in the list, so users can't select them.

To implement this, a new optional parameter was added to functions
print_project_option_list() and print_subproject_option_list().

Fixes 0016024

Conflicts:
core/print_api.php

Affected Issues: 0016024
Files: mod - core/print_api.php; mod - login_select_proj_page.php

MantisBT: master 6acca71c (dregad, 2013-06-07 11:28)

Add new helper API function check_disabled()

Prerequisite to fix issue 0016024

Affected Issues: 0016024
Files: mod - core/helper_api.php

MantisBT: master 6209c86d (dregad, 2013-06-07 11:29)

Disable selection of projects in which user can't report issues

When the current project is 'All Projects' and user clicks on 'Report
Issue', login_select_proj_page.php presents them with a list of projects,
which includes those in which the user is not allowed to report issues.
If one of these projects is selected, an 'Access Denied' error occurs.

This commit makes the functionality more user-friendly by disabling
these projects in the list, so users can't select them.

To implement this, a new optional parameter was added to functions
print_project_option_list() and print_subproject_option_list().

Fixes 0016024

Affected Issues: 0016024
Files: mod - core/print_api.php; mod - login_select_proj_page.php