View Issue Details

ID: 0026993
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-05-28 15:50
Reporter: polzin
Assigned To: (none)
Priority: high
Severity: major
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: 2.24.1
Summary: 0026993: bug_reminder_page inappropriately shows wrong view_status in some configurations
Description

What I have done:

  • config_inc: $g_bug_reminder_threshold = REPORTER;
  • config_inc: $g_default_reminder_view_status = VS_PRIVATE;
  • User with Access "Reporter"
  • bug_reminder_page.php

What expected:

  • No view_status printed

What seen:

  • Visibility: internal
  1. This is inappropriate, because user does not have the right to set or see view status
  2. The information is even wrong, because as the user does not have the right to set the view status, the final view status is "public", not "private"

This is not really a security risk, but a confusion about security, but only, if reporters may send reminders.

Additional Information

Fix:

Change in bug_reminder_page.php

```php
        # Only display view status checkbox/info if reminders are stored as bugnotes
        if( $t_store_reminders ) {
```

to

```php
        # Only display view status checkbox/info if reminders are stored as bugnotes
        # and there is a right to set the view status
        if( $t_store_reminders && access_has_bug_level( config_get( 'set_view_status_threshold' ), $f_bug_id ) ) {
```
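To make the reported mismatch concrete, the following is an added illustration (not MantisBT code and not from the reporter) that models the scenario above: a REPORTER-level user, the reporter's config_inc.php values, and MantisBT's default set_view_status_threshold of UPDATER. The `$config` array, `can_set_view_status()` and the other helpers are hypothetical stand-ins for config_get() and access_has_bug_level(); the fallback to public for users without the right follows the reporter's description.

```php
<?php
// Added illustration, not MantisBT code: shows the gap between the view status the
// reminder page *displays* and the status a stored reminder *actually* gets.
// Constants mirror MantisBT's access levels and view states (VS_PUBLIC = 10, VS_PRIVATE = 50).
const REPORTER   = 25;
const UPDATER    = 40;
const VS_PUBLIC  = 10;
const VS_PRIVATE = 50;

// Hypothetical stand-in for config_get(): the reporter's config_inc.php values
// plus MantisBT's default set_view_status_threshold (UPDATER).
$config = [
    'bug_reminder_threshold'       => REPORTER,
    'default_reminder_view_status' => VS_PRIVATE,
    'set_view_status_threshold'    => UPDATER,
    'store_reminders'              => true,
];

// Stand-in for access_has_bug_level(): a plain access-level comparison.
function can_set_view_status(int $user_level, array $config): bool {
    return $user_level >= $config['set_view_status_threshold'];
}

// View status the stored reminder ends up with (per the report): the configured
// default applies only when the user may set the view status, otherwise public.
function effective_view_status(int $user_level, array $config): int {
    return can_set_view_status($user_level, $config)
        ? $config['default_reminder_view_status']
        : VS_PUBLIC;
}

// Gate as reported (before the fix): status shown whenever reminders are stored.
function shows_view_status_before(int $user_level, array $config): bool {
    return $config['store_reminders'];
}

// Gate as proposed in the fix: additionally require the right to set the view status.
function shows_view_status_after(int $user_level, array $config): bool {
    return $config['store_reminders'] && can_set_view_status($user_level, $config);
}

$user = REPORTER;
printf("displayed before fix: %s\n", shows_view_status_before($user, $config) ? 'private (misleading)' : 'nothing');
printf("displayed after fix:  %s\n", shows_view_status_after($user, $config) ? 'private' : 'nothing');
printf("effective status:     %s\n", effective_view_status($user, $config) === VS_PUBLIC ? 'public' : 'private');
```

With the reported configuration the first line prints "private (misleading)" while the effective status is "public"; the fixed gate prints nothing for that user, which is the expected behaviour.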
Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified | Username | Field | Change
2020-05-28 15:50 | polzin | New Issue |