View Issue Details

IDProjectCategoryView StatusLast Update
0024432mantisbtsecuritypublic2018-06-06 00:39
ReportermahindraAssigned Toatrol 
PriorityimmediateSeverityblockReproducibilityalways
Status closedResolutionfixed 
Product Version2.14.0 
Target Version2.15.0Fixed in Version2.15.0 
Summary0024432: Update-Blocker:User-ID instead of Realname 0024139 as due to security policy requirements which prohibit IDs in mails and masks
Description

Update-Blocker:User-ID instead of Realname 0024139 as due to security policy requirements which prohibit IDs in mails and masks

Since 2.12.0 $g_show_realname = ON; does not work as it used to be in previous versions, since 2003
We use realnames for not exposing usernames to public specifically in status mails as our security policy dictates.

One of the reasons for the use of mantisbt since 2003....

That's why we're current stuck with version 2.11.1. as well as others who have participated in tickets 0024069, 0024087 and 0024139 .

<b>Cause is 0004226 - from 2004-07-30 (!), which could be handled by a simple unique to the real name instead of a mask change to the user ID.</b>

In the name of the affected persons I ask for the fastest possible implementation of 0024139:0059327 to be able to perform the current Uprades to 2.14, 2.15, ...

<b>Or better - build it back like before 2.12 and make real names unique, simply! </b>

Thank you!

Additional Information

Feel free to change the category to upgrade

Ticket is related to

0024139
0024087
0024069
0024378
0023909
0004226
and so on

In the corporate environment, it is common practice to display real names instead of user IDs.
Mantisbt is not PHPBB
Setting an observer is also possible via the reminder function - please take look at 2.11.1 and

- show users with their real name or not

$ g_show_realname = ON;
$ g_differentiate_duplicates = OFF; # leave off for now
$ g_show_assigned_names = ON;

TagsNo tags attached.

Relationships

related to 0024139 closedatrol $g_show_realname for making usernames private 

Activities

atrol

atrol

2018-05-15 06:47

developer   ~0059794

and make real names unique

Real names are not unique.

mahindra

mahindra

2018-05-15 08:25

reporter   ~0059797

It doens't matter if real names are unique, but there are some old Tickets, which are not really important for the Major use case

atrol

atrol

2018-05-15 09:00

developer   ~0059800

As you are not asking for unique real names, do you are asking for something that is not covered in 0024432 ?

mahindra

mahindra

2018-05-15 09:13

reporter   ~0059801

Please build $g_show_realname = ON back like it was until <= 2.11.1 - the change in 2.12 is the blocker.

The non plus Ultra solution is your recommendation 0024139:0059327 until 0024139:0059327, the blocker must be made gone

atrol

atrol

2018-05-15 11:52

developer   ~0059806

Resolved as duplicate of 0024139 as tracking two issues for the same problem does not add value.

mahindra

mahindra

2018-05-15 13:11

reporter   ~0059807

Dear atrol,

I do not agree with setting this ID as resolved as duplicate of 0024139, because 0024139 is a minor bug - 0024432
describes an update blocker and asks for a return to the basic mantisbt function used until 2.11.1 in 2018 - even 0024139 is eventually implemented.
Users of the $ g_show_realname = ON function are actually blocked in 2.11.1 an are not able to perform their upgrades to> = 2.12, 2.14, and so on!

This ticket describes a structurally conceptual error in the implementation of loss of required functions in Display the Realname in masks and statusmails, while # 24139 describes a general improvement.

Best regards,
Karl!

atrol

atrol

2018-05-15 17:53

developer   ~0059812

@mahindra I don't understand what you want to tell.
The user who reported 0024139 requested to revert to the 2.11.1 behavior and you request the same.
Both of you requested that usernames are not exposed to public, but that was never the intention of $g_show_realname = ON, see also my comment 0024139:0059811

mahindra

mahindra

2018-05-16 06:04

reporter   ~0059833

Last edited: 2018-05-16 11:31

View 2 revisions

0024139:0059829 Thank you jensberke has written a summary

mahindra

mahindra

2018-05-19 00:26

reporter   ~0059849

https://mantisbt.org/bugs/view.php?id=24186.
[security] CVE-2018-1000162: XSS vulnerability in Parsedown library (dregad)
Resolved in 2.12.1

Please built the visibility of Realnames back like 2.11.1 or make a security version 2.11.1.1

mahindra

mahindra

2018-05-19 03:37

reporter   ~0059853

Last edited: 2018-05-19 04:10

View 4 revisions

Have a look at this the ID is visable with Realname=ON
This is like Realname off - and does not meet with usability or security guidlines if you have to do a mousover to see the realname while the user-ID is in front and visible



mahindra

mahindra

2018-05-19 03:50

reporter   ~0059854

Last edited: 2018-05-19 04:35

View 5 revisions

The reason for this misdirection is - how to add users monitoring a ticket:
<<<The real solution to add users to a ticket is a drop down list like 0012557 >>>
If Realname is on - it shows realnames like Mantis before 2.12 in every User field
If Realname is off - it Shows the User ID

Similar to the filter selection for user
Simple and clean
Please go in this direction and delete 0023375 go back to the previous solution in visualization Realnames up to version 2.11.1 this was clean and improve adding a user to a ticket with a drop-down list

You are moving in circle with 0024436, 0024435 and all the other IDs currently

In order to see this topic you have to work in the corresponding representation - only user ID or only real name instead of user ID - then it is easy to understand

0024436 on hold please, 0023375, 0024435, 0024378, 0024087

mahindra

mahindra

2018-05-22 03:09

reporter   ~0059910

Thanks again atrol
That's why mantis is the best bugtracker - the people behind the project and the opportunity to talk to each other.

When we get 0024139:0059859 in release 2.15, we have a solution, a compromise and a base for further development.

@vboctor please wave that through!

mahindra

mahindra

2018-05-25 16:31

reporter   ~0059956

https://mantisbt.org/bugs/view.php?id=24186.
[security] CVE-2018-1000162: XSS vulnerability in Parsedown library (dregad)
Resolved in 2.12.1

Please built the visibility of Realnames back like 2.11.1 or make a security version 2.11.1.1 we are sticking here until we see Realnames!
or
better do solution from @atrol 0024139:0059929 in next release 2.15, please!

The concept can be improved like 0024139:0059566, parallel to the releases, if needed or someone has time...

atrol

atrol

2018-05-30 10:40

developer   ~0059979

Resolved in 2.15.0 after merge of PR https://github.com/mantisbt/mantisbt/pull/1351

mahindra

mahindra

2018-05-31 01:21

reporter   ~0059982

Last edited: 2018-05-31 01:22

View 2 revisions

This is a theme from the versatility of Mantis that makes it so good, on the other hand, to understand quite abstractly - especially if you do not need some function yourself.

From an application point of view, I can only recommend user selection - where possible outside of the text (reminder, combo, etc.) to make and ask for display conversions - straight, when it comes to naming - straight to lead.

Thanks again - I will report if I get topics because of the better user-ID view, which is better hidden in ours, where possible.

Ticket can be closed. Thank you very much!

Related Changesets

MantisBT: master 85a2e55f

2018-05-19 11:57:40

atrol

Details Diff
Send usernames in e-mail notifications again based on show_realnames

This reverts the changes from 0024239 that have been needed as we
were no longer able to protect realnames by show_user_realname_threshold.

The change assumes that we agree, that show_realnames = ON allows
any user to see the realnames.

show_user_realname_threshold is just used on view user page
if show_realnames = OFF (behavior before version 2.12.0)

Issue 0024432
Affected Issues
0024432
mod - core/email_api.php Diff File

MantisBT: master 1b6ba0ff

2018-05-20 13:44:31

atrol

Details Diff
Send usernames in history of e-mail notifications based on show_realnames

This reverts the changes from 0024167 that have been needed as we
were no longer able to protect realnames by show_user_realname_threshold.

The change assumes that we agree, that show_realnames = ON allows
any user to see the realnames.

show_user_realname_threshold is just used on view user page
if show_realnames = OFF (behavior before version 2.12.0)

Issue 0024432
Affected Issues
0024432
mod - core/history_api.php Diff File

Issue History

Date Modified Username Field Change
2018-05-14 15:01 mahindra New Issue
2018-05-15 06:47 atrol Note Added: 0059794
2018-05-15 06:48 atrol Relationship added related to 0024139
2018-05-15 08:25 mahindra Note Added: 0059797
2018-05-15 09:00 atrol Status new => feedback
2018-05-15 09:00 atrol Note Added: 0059800
2018-05-15 09:13 mahindra Note Added: 0059801
2018-05-15 09:13 mahindra Status feedback => new
2018-05-15 11:52 atrol Assigned To => atrol
2018-05-15 11:52 atrol Status new => resolved
2018-05-15 11:52 atrol Resolution open => duplicate
2018-05-15 11:52 atrol Note Added: 0059806
2018-05-15 11:52 atrol Relationship replaced duplicate of 0024139
2018-05-15 13:11 mahindra Note Added: 0059807
2018-05-15 17:53 atrol Note Added: 0059812
2018-05-16 06:04 mahindra Note Added: 0059833
2018-05-16 11:31 mahindra Note Edited: 0059833 View Revisions
2018-05-19 00:26 mahindra Note Added: 0059849
2018-05-19 03:37 mahindra File Added: userid visible realname on.png
2018-05-19 03:37 mahindra File Added: userid visible realname on (2).png
2018-05-19 03:37 mahindra Note Added: 0059853
2018-05-19 03:47 mahindra Note Edited: 0059853 View Revisions
2018-05-19 03:48 mahindra Status resolved => feedback
2018-05-19 03:48 mahindra Resolution duplicate => reopened
2018-05-19 03:50 mahindra Note Added: 0059854
2018-05-19 03:50 mahindra Status feedback => assigned
2018-05-19 04:06 mahindra Note Edited: 0059854 View Revisions
2018-05-19 04:07 mahindra Note Edited: 0059854 View Revisions
2018-05-19 04:08 mahindra Note Edited: 0059854 View Revisions
2018-05-19 04:09 mahindra Note Edited: 0059853 View Revisions
2018-05-19 04:10 mahindra Note Edited: 0059853 View Revisions
2018-05-19 04:35 mahindra Note Edited: 0059854 View Revisions
2018-05-22 03:09 mahindra Note Added: 0059910
2018-05-25 16:31 mahindra Note Added: 0059956
2018-05-30 09:03 atrol Changeset attached => MantisBT master 85a2e55f
2018-05-30 09:03 atrol Changeset attached => MantisBT master 1b6ba0ff
2018-05-30 10:40 atrol Status assigned => resolved
2018-05-30 10:40 atrol Resolution reopened => fixed
2018-05-30 10:40 atrol Fixed in Version => 2.15.0
2018-05-30 10:40 atrol Note Added: 0059979
2018-05-30 10:41 atrol Target Version => 2.15.0
2018-05-30 10:42 atrol Relationship replaced related to 0024139
2018-05-31 01:21 mahindra Note Added: 0059982
2018-05-31 01:22 mahindra Note Edited: 0059982 View Revisions
2018-06-06 00:39 vboctor Status resolved => closed