View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0024139 | mantisbt | ui | public | 2018-03-19 19:06 | 2018-06-06 00:39 |
Reporter | stainlessstill | Assigned To | atrol | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 2.12.0 | ||||
Target Version | 2.15.0 | Fixed in Version | 2.15.0 | ||
Summary | 0024139: $g_show_realname for making usernames private | ||||
Description | In version 2.12.0 $g_show_realname doesn't work as it used to in previous versions. | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
related to | 0024087 | closed | atrol | $g_show_realname problem on 2.12.0 |
related to | 0024069 | closed | vboctor | Show realname not working |
related to | 0024378 | closed | atrol | How can I change reporter_id to reporter's real name in Issue report page? |
related to | 0024432 | closed | atrol | Update-Blocker:User-ID instead of Realname 0024139 as due to security policy requirements which prohibit IDs in mails and masks |
related to | 0024436 | closed | atrol | Selecting users is not easy if show_realname is set to ON |
related to | 0024435 | closed | atrol | show_user_realname_threshold is not considered when sorting by reporter or handler |
If real names behaviour could be reverted (in config) to old-style handling and it conflicted with @mention or something, you could cut off automatically the whole @mention functionality and all the stuff that conflicts with it. Not everyone uses @mention. Supposedly. |
|||||||||||||||||||||||||||||||||||||||||||
Also some users (for example outsourced contractors) historically have usernames as their emails. So showing usernames all the time is inappropriate for our tasks. It would be quite reasonable for us to display real names by default while usernames as tooltips if it has to be so (or better not at all). For the projects that have no strict requirements for usernames this change ruins the ui and exposes what shouldn't be exposed. |
|||||||||||||||||||||||||||||||||||||||||||
There could be javascript solutions for @mentions using real names. For example suggestions may pop up triggered by @ sign. I understand that it supposedly entails big code changes and editor area rework. That's all for now. :) |
|||||||||||||||||||||||||||||||||||||||||||
I am not aware this was ever possible. |
|||||||||||||||||||||||||||||||||||||||||||
Real name speaks for itself than a username. With $g_show_realname we make usernames not that obvious as they are no that informative and inconvenient for comprehension. |
|||||||||||||||||||||||||||||||||||||||||||
It is common practice to always show usernames. For example:
Hiding usernames was not ever a goal and was always discoverable. |
|||||||||||||||||||||||||||||||||||||||||||
ok. When you know the rules, you follow them. We know that some web-stuff requires usernames. But here the rules has changed. And that changed the way the info is displayed in comparison to how it used to be. By making private I'm not speaking about hiding data rather than I'm speaking about exposing relevant data like real names. E-mails (some of our users has it as usernames) are irrelevant in this case while real names from profiles are relevant. For example, emails like usernames not only look ugly, they don't even work for comprehension and personalisation. |
|||||||||||||||||||||||||||||||||||||||||||
Proposal from 0024087:0059267 What about replacing
|
|||||||||||||||||||||||||||||||||||||||||||
"stainlessstill" +1 I have the same problem |
|||||||||||||||||||||||||||||||||||||||||||
If this format is displayed on the form instead of USERNAME, then I agree it. This will be solution the problem |
|||||||||||||||||||||||||||||||||||||||||||
If I get that right, that will solve the problem. If old mantisbt installations had an option to manage new username display rule, that would be a great lifesaver. Edit [dregad]: markdown |
|||||||||||||||||||||||||||||||||||||||||||
"stainlessstill" +1 I have the same problem We work with physical person and not virtual user. Then i modifed function prepare_user_name in prepare_api.php with using show_realname : cf JPG but, If it's possible to add an option to manage how we can show username that will be great. thanks |
|||||||||||||||||||||||||||||||||||||||||||
I just reverted back from 2.14.0 to our previously installed version 2.10.0, because we need the old behaviour which instantly shows the real names in all places and doesn't need an extra mouse-over to see it. Therefore: +1 for atrol's proposal, or for any other option which makes it possible to see real names in all places. |
|||||||||||||||||||||||||||||||||||||||||||
Dear jensberke +1 We are waiting for getting this old function back Thank you! |
|||||||||||||||||||||||||||||||||||||||||||
Dear mantisbt Team, I'm sorry to say this, but this is a showstopper or Blocker, please realize 0024139:0059327 immediately ! Best regards, Karl |
|||||||||||||||||||||||||||||||||||||||||||
$g_show_realname is a important functionality for me (and others). |
|||||||||||||||||||||||||||||||||||||||||||
Does this need a blocker ticket for 2.15, really? |
|||||||||||||||||||||||||||||||||||||||||||
@mahindra even if you go back, usernames are exposed to public, see my note 0024139:0059243
|
|||||||||||||||||||||||||||||||||||||||||||
Thank you for a the answer atrol. |
|||||||||||||||||||||||||||||||||||||||||||
Add a User to a Ticket should be made in an alternativ-way in sent reminder - when it's checken - the user will track the ticket only, without an reminder notice |
|||||||||||||||||||||||||||||||||||||||||||
In a closed mantis with private and child projects world |
|||||||||||||||||||||||||||||||||||||||||||
Wartepools and Leichen im Keller Pools für Verbesserungen - wie überall Status des and so on |
|||||||||||||||||||||||||||||||||||||||||||
2.11.1 was near perfekt in this Realname=ON sight |
|||||||||||||||||||||||||||||||||||||||||||
Great, if Managers could allow Reporters private notices to play an open project game |
|||||||||||||||||||||||||||||||||||||||||||
I mean reporters can see private notices only in their projects in 2.11.1 since the begin |
|||||||||||||||||||||||||||||||||||||||||||
If you parameter it as describet in config defaults |
|||||||||||||||||||||||||||||||||||||||||||
Thats all - ok the date settings and basics |
|||||||||||||||||||||||||||||||||||||||||||
Rest is managed in mantis via project and possibilities |
|||||||||||||||||||||||||||||||||||||||||||
+1 |
|||||||||||||||||||||||||||||||||||||||||||
Relateted to 0024435 , which will not be necessary |
|||||||||||||||||||||||||||||||||||||||||||
I try to summarize or rephrase what the problem is, what uses cases have to be considered, and why some people, like me, think this has to be of high priority and fixed soon. This ticket actually isn't only about privacy of usernames (as the summary suggests). There are two things two consider:
The requirements of a project which uses a Mantis installation determine if either only one or even both of these aspects have to be considered: if either only the username, only the real name or both must be displayed. As a result, I suggest to raise the priority of this ticket, target the fix for one of the next versions and change the summary into something like this: "Make display of real name and/or username configurable" As already said, the solution proposed by @atrol above (0024139:0059327) seems to address all this. |
|||||||||||||||||||||||||||||||||||||||||||
@jensberke thanks for the excellent summary. I agree with you and support the proposed approach. |
|||||||||||||||||||||||||||||||||||||||||||
Requiring the username to be private is a new feature request, as this was not possible in any earlier Mantis version.
Unfortunately not, see above Furthermore we have to consider that users are not forced to enter their real name. And there is 0024239 to consider, where we use always username in e-mail notifications starting from 2.13.2.
Until there is a complete idea what to do and someone willing to implement it, maybe my PR to fix 0024436 is an acceptable compromise at least for some users. |
|||||||||||||||||||||||||||||||||||||||||||
0024139:0059829 Thank you jensberke |
|||||||||||||||||||||||||||||||||||||||||||
I know. My summary was rather looking forward than backward. I should have written that Mantis installations may require the username or the real name to be private in the future.
Yes, for my requirements, fix 0024436 will suffice. |
|||||||||||||||||||||||||||||||||||||||||||
Scenario: If a person who wants you something bad comes into the possession of your User-ID (real name = OFF or Mantis >2.11.1), all this Person will have to do is to guess the password in order to take over your identity. $ g_allow_signup = OFF - is therefore mandatory for many Mantis. |
|||||||||||||||||||||||||||||||||||||||||||
0024139:0059830 thank you degrad. until we get this theme organized, we have to live on 2.11.1 with the following gap 0024186: [security] CVE-2018-1000162: XSS vulnerability in Parsedown library <<<The real solution to add users to a ticket is a drop down list like 0012557 >>> Similar to the filter selection for user You are moving in circle with 0024436, 0024435 and all the other IDs currently In order to see this topic you have to work in the corresponding representation - only user ID or only real name instead of user ID - then it is easy to understand |
|||||||||||||||||||||||||||||||||||||||||||
Please have a look at PR (not tested, just coded until now) https://github.com/mantisbt/mantisbt/pull/1351 @vboctor as you introduced the current behavior. What's your opinion on that? |
|||||||||||||||||||||||||||||||||||||||||||
Thanks for the support atrol If so That would be a good compromise right now in a closed company Mantis (eg service desk) ($ g_show_user_realname_threshold is only useful if realnames, = off
|
|||||||||||||||||||||||||||||||||||||||||||
yes to all, but it would be good if someone supports testing my PR. You can download the code from https://github.com/atrol/mantisbt/archive/username-realname-proposal.zip |
|||||||||||||||||||||||||||||||||||||||||||
Many thanks atrol! I looked at the trial version - the only thing is with the selection boxes, where the ID is still directly visible. It would be nice to hide the ID there. Everything else looks beautiful - including mails. Test was carried out with '#' - show users with their real name or not NICE TO HAVE PARAMETERS FOR - in the future - but I will take this compromise before, please When do we have that in 2.15 ??? - really cool!!!!! |
|||||||||||||||||||||||||||||||||||||||||||
This is the compromise.
Until now there is not any feedback from any other Mantis team member. |
|||||||||||||||||||||||||||||||||||||||||||
Thank you I think the compromise is OK for all. Maybe you will have a look to a listbox to add users in future release. |
|||||||||||||||||||||||||||||||||||||||||||
@atrol: I just tested https://github.com/mantisbt/mantisbt/pull/1351 too. It works and is OK for my requirements. Thanks a lot for providing this compromise. |
|||||||||||||||||||||||||||||||||||||||||||
Thanks @mahindra and @jensberke for testing. I documented the expected behavior to discuss https://github.com/mantisbt/mantisbt/pull/1351#issuecomment-391495880 Expected behavior after merging the PR
|
|||||||||||||||||||||||||||||||||||||||||||
Thanks again for the support and reasoning in https://github.com/mantisbt/mantisbt/pull/1351 The documentation fits the test results and is also an improvement for realname = off according to the documentation. Please be assured that both representational views (real name OFF and / or real name ON) have their justification - above based on the documentation of the compromise this is clearly shown. We wait for 2.15 and are still sticking to 2.11.1. until the representation of Realname ON is fixed. |
|||||||||||||||||||||||||||||||||||||||||||
@vboctor If realname is enabled, then the realname should be used as elsewhere in email notifications, csv export, and excel export. Thanks for this advice |
|||||||||||||||||||||||||||||||||||||||||||
@atrol Sorry - but we do need 0024139:0059929 nothing else covers the requirements! |
|||||||||||||||||||||||||||||||||||||||||||
it would be good, a few others would deal with a Relname Mantis once - and what advantages that offers in a version <= 2.11.1. |
|||||||||||||||||||||||||||||||||||||||||||
Resolved in 2.15.0 after merge of https://github.com/mantisbt/mantisbt/pull/1351 |
|||||||||||||||||||||||||||||||||||||||||||
This is a theme from the versatility of Mantis that makes it so good, on the other hand, to understand quite abstractly - especially if you do not need some function yourself. From an application point of view, I can only recommend user selection - where possible outside of the text (reminder, combo, etc.) to make and ask for display conversions - straight, when it comes to naming - straight to lead. Thank you very much again to atrol and the mantisbt-team! I will report if I get topics because of the better user-ID view, which is better hidden in ours, where possible. |
|||||||||||||||||||||||||||||||||||||||||||
MantisBT: master fe309505 2018-05-19 06:59 Details Diff |
Unifiy show_realname handling Issue 0024139 Issue 0024435 |
Affected Issues 0024139, 0024435 |
|
mod - core/classes/BugFilterQuery.class.php | Diff File | ||
MantisBT: master 97fff189 2018-05-23 04:32 Details Diff |
Correct documentation of function user_get_expanded_name_from_row Issue 0024139 |
Affected Issues 0024139 |
|
mod - core/user_api.php | Diff File |