View Issue Details

ID: 0019873
Project: mantisbt
Category: security
View Status: public
Last Update: 2016-08-15 09:02
Reporter: wkarl
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.19
Target Version: 1.2.20
Fixed in Version: 1.2.20
Summary0019873: CVE-2015-5059: documentation in private projects can be seen by every user
Description

While you can't see them on the proj_doc_page if you don't have access, the project documentation links follow a simple scheme:

https://<server>/file_download.php?file_id=1&type=doc

By trying different file_id numbers you can download every project documentation, even in projects that you don't have access to.

Steps To Reproduce

Upload project documentation files in one project and try to use their url with a different user without access.

Tags: No tags attached.

Relationships

has duplicate 0020109 (closed, dregad): CVE-2015-5059: documentation in private projects can be seen by every user

Activities

dregad (developer) 2015-06-23 06:11 ~0050963

Hello

I am not able to reproduce the behavior you describe on 1.2.19 (or 1.3.x).

When trying to open a file using the download URL without being logged in (anonymous user), or with a user having access level < $g_view_proj_doc_threshold, I'm getting the expected "Access Denied" error.

It's also worth mentioning that this feature is deprecated.

wkarl (reporter) 2015-06-23 08:56 ~0050964

Well OK, my wording "every user" is wrong. But "every user with access level < $g_view_proj_doc_threshold" can download other projects' documentation.

We have hundreds of different projects, all of them are private. $g_view_proj_doc_threshold is on its default, ANYBODY. And we would like to have anybody view their own project's documentation - but not other projects' documentation.

It seems so easy to achieve. The mantis_project_file_table has the field project_id; a simple query checking whether the user has access to this project seems to do the job...

dregad (developer) 2015-06-23 11:02 ~0050965

I see what you mean now, and indeed I can reproduce the problem.

That being said, ANYBODY means, well... anybody. If you want to restrict access to users who are members of the project, I believe setting

$g_view_proj_doc_threshold = VIEWER;

should do the trick. Let me know how it goes.

I guess you might argue that the system behavior with the default ANYBODY setting is counterintuitive... maybe we should change that to VIEWER.

wkarl (reporter) 2015-06-24 02:12 ~0050967

ANYBODY is pretty OK for me. We want viewers to be able to view the project documentation. But restricted to their own projects. Not anybody's projects.

Once again, our projects are all private and nobody should be able to download documentation of projects that they don't have access to on any other page.

You seem to aim at that too, because proj_doc_page.php shows only documentation of projects that you have access to. But you can GUESS the other projects' documentation links very easily if you know one link for your own project.

Would you like me to provide a patch?

dregad (developer) 2015-06-24 02:53 ~0050968

Thanks for proposing to provide a patch, but this is not needed at this time.

Could you please provide feedback on whether the system behaves as per your expectations when $g_view_proj_doc_threshold = VIEWER ?

wkarl (reporter) 2015-06-24 02:55 ~0050969

Oooooh,

access_compare_level returns TRUE because FALSE >= ANYBODY ...
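The enumeration described in the report (file_download.php?file_id=N&type=doc) and the root cause stated in note ~0050969 (FALSE >= ANYBODY), modeled as an added PHP example. This is not MantisBT's code: the access-level constant values are MantisBT's, but the model_* functions, the file/project/member tables and the user names are constructed stand-ins for the real access_*() API and database, assumed here only for illustration.

```php
<?php
// Added example (not MantisBT's own code): a minimal model of the project
// documentation download gate discussed in this issue. The constant values
// match MantisBT's access levels; everything else below is constructed.

const ANYBODY   = 0;
const VIEWER    = 10;
const REPORTER  = 25;
const DEVELOPER = 55;

// Constructed data: file_id => project_id (the project_id column of
// mantis_project_file_table mentioned in the report).
$g_project_files = array(
    1 => 100,   // doc in project 100
    2 => 100,
    3 => 200,   // doc in project 200
    4 => 300,   // doc in project 300
);

// Constructed data: project_id => array( user => access level ). All projects
// are private, so a user absent from a project's list is not a member.
$g_project_members = array(
    100 => array( 'alice' => VIEWER ),
    200 => array( 'bob'   => DEVELOPER ),
    300 => array( 'bob'   => REPORTER ),
);

// Stand-in for looking up a user's level in a private project: a non-member
// (including the anonymous user) has no level, which surfaces as false.
function model_get_project_level( $p_user, $p_project_id ) {
    global $g_project_members;
    if ( isset( $g_project_members[$p_project_id][$p_user] ) ) {
        return $g_project_members[$p_project_id][$p_user];
    }
    return false;
}

// Stand-in for the threshold comparison: passes when level >= threshold.
// With threshold ANYBODY (0), PHP evaluates false >= 0 as true, so a
// non-member passes; with VIEWER (10), false >= 10 is false.
function model_compare_level( $p_user_level, $p_threshold ) {
    return $p_user_level >= $p_threshold;
}

// Stand-in for the 'doc' branch of file_download.php: resolve the file's
// project, then compare the requester's level in that project to the threshold.
function model_can_download_doc( $p_user, $p_file_id, $p_threshold ) {
    global $g_project_files;
    if ( !isset( $g_project_files[$p_file_id] ) ) {
        return false;   // unknown file_id
    }
    $t_project_id = $g_project_files[$p_file_id];
    $t_level = model_get_project_level( $p_user, $t_project_id );
    return model_compare_level( $t_level, $p_threshold );
}

// Walk file_id=1..4 as 'alice' (member of project 100 only) under the old
// default (ANYBODY) and the default introduced by the fix (VIEWER).
$t_defaults = array(
    'ANYBODY (1.2.19 default)' => ANYBODY,
    'VIEWER (1.2.20 default)'  => VIEWER,
);
foreach ( $t_defaults as $t_label => $t_threshold ) {
    echo "view_proj_doc_threshold = $t_label\n";
    foreach ( array_keys( $g_project_files ) as $t_file_id ) {
        $t_ok = model_can_download_doc( 'alice', $t_file_id, $t_threshold );
        printf( "  file_id=%d project=%d -> %s\n",
            $t_file_id, $g_project_files[$t_file_id],
            $t_ok ? 'download' : 'Access Denied' );
    }
}
```

Running it shows alice downloading all four files under ANYBODY, including those in projects 200 and 300 she is not a member of, and only file_id 1 and 2 under VIEWER. The same comparison, applied in the real code path, is why setting $g_view_proj_doc_threshold = VIEWER in config_inc.php closes the hole on 1.2.19 without a code change.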

wkarl (reporter) 2015-06-24 03:02 ~0050971

Almost simultaneous feedback. Be right back.

wkarl (reporter) 2015-06-24 03:45 ~0050972

dregad, with $g_view_proj_doc_threshold = VIEWER everything works as we expect.

Please communicate internally that the config_defaults_inc.php value for $g_view_proj_doc_threshold poses a security hole. Maybe you should evaluate other places where ANYBODY is used.

Thank you for your assistance. Please close issue.

dregad (developer) 2015-06-24 04:41 ~0050973

Thanks for the feedback.

I'll patch the default value in config_defaults_inc.php and request a CVE ID to track the information disclosure issue.

dregad (developer) 2015-06-24 19:06 ~0050978

CVE request: http://article.gmane.org/gmane.comp.security.oss.general/17143

dregad (developer) 2015-06-25 03:11 ~0050979

CVE assignment: http://article.gmane.org/gmane.comp.security.oss.general/17146

Related Changesets

MantisBT: master-1.2.x f39cf525

2015-06-24 04:52

dregad

Change default threshold to view project doc to VIEWER

Previously it was ANYBODY, which would let any user download files from
any project including private ones, even when they are not part of the
team.

Backport from a4be76d6e5c4939545d84712c79d3f8f4a108c4f

Fixes 0019873
Affected Issues: 0019873
mod - config_defaults_inc.php

MantisBT: master a4be76d6

2015-06-24 04:52

dregad

Change default threshold to view project doc to VIEWER

Previously it was ANYBODY, which would let any user download files from
any project including private ones, even when they are not part of the
team.

Fixes 0019873
Affected Issues: 0019873, 0020109
mod - config_defaults_inc.php