View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0028897||mantisbt||customization||public||2021-07-05 09:20||2021-07-23 02:13|
|Status||resolved||Resolution||no change required|
|Summary||0028897: Bug reporter can modify every posted note|
After upgrading to Mantis 2.25.1, our team has seen that our clients accounts (set to reporters) could actually modify every posted note on a reported bug, even notes posted by our developers. After noticing this, we checked with an older version of Mantis (1.2.15), and we observed the same phenomenon: when a reporter reports a bug, he or she seems to have the rights to modify all the notes belonging to that bug.
Is this a wanted behavior? And if so, what would be the best way to only allow a reporter to modify its own notes, and note everyone elses?
Our team feels like this should not be possible for a reporter to do so. It gives them more access rights than needed.
|Tags||No tags attached.|
Check your config for $g_update_bugnote_threshold - by default set to DEVELOPER, it sounds like you have it to REPORTER (or lower).
See also related $g_bugnote_user_edit_threshold, which relates to the users' own notes.
Thanks for these details.
Not that I know of.
And the problem is not reproducible on a fresh install, so it must be something specific to your instance.
Bug finally solved.