View Issue Details

ID: 0023492
Project: mantisbt
Category: email
View Status: public
Last Update: 2017-10-28 11:20
Reporter: nexor
Assigned To: atrol
Priority: urgent
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: duplicate
Product Version: 2.7.0
Summary: 0023492: Due to condition race email may be sent to reporter where it should not
Description

The check:
https://github.com/mantisbt/mantisbt/blob/master/core/email_api.php#L455

<pre>
    # exclude users who don't have at least viewer access to the bug,
    # or who can't see bugnotes if the last update included a bugnote
    if( !access_has_bug_level( config_get( 'view_bug_threshold', null, $t_id, $t_bug->project_id ), $p_bug_id, $t_id )
     || ( $t_bugnote_id !== 0 &&
            $t_bug_date == $t_bugnote_date && !access_has_bugnote_level( config_get( 'view_bug_threshold', null, $t_id, $t_bug->project_id ), $t_bugnote_id, $t_id ) )
    ) {
        log_event( LOG_EMAIL_RECIPIENT, 'Issue = #%d, drop @U%d (access level)', $p_bug_id, $t_id );
        continue;
    }

</pre>

Will fail if this is not true:
<pre>
$t_bug_date == $t_bugnote_date
</pre>

Timestamps are kept with one-second accuracy - the above check will fail if the second "jumps" between updating the timestamp of the note and that of the bug.
This does happen in the production environment - and the result is pretty serious: randomly an email is sent to a reporter when it should not be (e.g. when the note is private).

Steps To Reproduce

Very hard to reproduce manually as it will happen randomly.

Tags: No tags attached.

Relationships

duplicate of | 0022898 | closed | dregad | Email for a new private bugnote was send to a non authorized reporter

Activities

There are no notes attached to this issue.
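
The timestamp-gated check described in this issue, reduced to self-contained PHP next to one possible hardening. This is an added example, not MantisBT code and not the project's fix; all function names, the note id, the write gaps and the timestamps are constructed for illustration.

```php
<?php
// Added illustration: function and variable names are hypothetical, not MantisBT's API.

// Same shape as the quoted check: the bugnote access test is only consulted
// when the bug and note timestamps match to the second.
function drop_timestamp_gated(bool $canViewBug, int $noteId, int $bugTs, int $noteTs, bool $canViewNote): bool {
    return !$canViewBug || ($noteId !== 0 && $bugTs == $noteTs && !$canViewNote);
}

// One possible hardening (an assumption, not the project's fix): the caller
// passes the id of the note that triggered the mail, so no timestamp
// comparison decides whether the access test runs.
function drop_explicit(bool $canViewBug, int $triggeringNoteId, bool $canViewNote): bool {
    return !$canViewBug || ($triggeringNoteId !== 0 && !$canViewNote);
}

// Count, over every millisecond offset within one second, how often a
// recipient who may see the bug but not the private note is still mailed.
// $gapMs is the constructed delay between the note write and the bug write.
function count_leaks(int $gapMs, callable $shouldDrop): int {
    $baseMs = 1508233920000; // constructed epoch milliseconds
    $leaks  = 0;
    for ($offset = 0; $offset < 1000; $offset++) {
        $noteTs = intdiv($baseMs + $offset, 1000);          // stored with 1 s resolution
        $bugTs  = intdiv($baseMs + $offset + $gapMs, 1000); // written $gapMs later
        if (!$shouldDrop($noteTs, $bugTs)) {
            $leaks++;
        }
    }
    return $leaks;
}

$noteId = 7; // constructed private note id
$gated = function (int $noteTs, int $bugTs) use ($noteId): bool {
    return drop_timestamp_gated(true, $noteId, $bugTs, $noteTs, false);
};
$explicit = function (int $noteTs, int $bugTs) use ($noteId): bool {
    return drop_explicit(true, $noteId, false);
};

foreach ([0, 5, 50] as $gapMs) {
    printf("gap %2d ms: timestamp-gated leaks %2d/1000, explicit leaks %d/1000\n",
        $gapMs, count_leaks($gapMs, $gated), count_leaks($gapMs, $explicit));
}
```

For the timestamp-gated form the leak count equals the write gap in milliseconds out of 1000 start offsets, which is why the failure looks random in production and is hard to trigger by hand.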

Issue History

Date Modified | Username | Field | Change
2017-10-17 09:52 | nexor | New Issue |
2017-10-17 10:04 | atrol | Assigned To | => atrol
2017-10-17 10:04 | atrol | Status | new => resolved
2017-10-17 10:04 | atrol | Resolution | open => duplicate
2017-10-17 10:04 | atrol | Relationship added | duplicate of 0022898
2017-10-28 11:20 | atrol | Status | resolved => closed