View Issue Details

ID: 0028897
Project: mantisbt
Category: customization
View Status: public
Last Update: 2021-07-23 02:13
Reporter: malomn
Assigned To: dregad
Status: resolved
Resolution: no change required
Product Version: 2.25.1
Summary: 0028897: Bug reporter can modify every posted note

After upgrading to Mantis 2.25.1, our team has seen that our clients' accounts (set to reporters) could actually modify every posted note on a reported bug, even notes posted by our developers. After noticing this, we checked with an older version of Mantis (1.2.15), and we observed the same phenomenon: when a reporter reports a bug, he or she seems to have the rights to modify all the notes belonging to that bug.

Is this a wanted behavior? And if so, what would be the best way to only allow a reporter to modify its own notes, and not everyone else's?

Our team feels like this should not be possible for a reporter to do so. It gives them more access rights than needed.

Tags: No tags attached.




2021-07-05 11:28

developer   ~0065675

Check your config for $g_update_bugnote_threshold - by default set to DEVELOPER, it sounds like you have it set to REPORTER (or lower).

See also related $g_bugnote_user_edit_threshold, which relates to the users' own notes.



2021-07-06 10:38

reporter   ~0065676

Thanks for these details.
$g_update_bugnote_threshold is indeed set to DEVELOPER, so the issue does not come from there.
$g_bugnote_user_edit_threshold is set to 25 (corresponding to REPORTER level if I'm not mistaken), which means that a reporter can modify its own notes, which is what we want.
I'll keep digging and I'll inform you if any progress is made.
Has this kind of issue been reported before?



2021-07-06 12:10

developer   ~0065677

> Has this kind of issue been reported before?

Not that I know of.

And the problem is not reproducible on a fresh install, so it must be something specific to your instance.



2021-07-07 10:05

reporter   ~0065679

Bug finally solved.
For some reason, we had in our database a line in mantis_config_table setting "update_bugnote_threshold" to 25.
Now that we've removed it, it works as intended and the value from config_default_inc.php is now taken into account by Mantis.
Thanks for your help!
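
An audit along the lines of the fix described in the last note, as an added example (not code from this thread or from MantisBT): it lists rows in mantis_config_table that set a threshold option below the level the config files intend. The column layout, the EXPECTED baseline and the sample rows are assumptions constructed for illustration, and an in-memory SQLite database stands in for the real one.

```python
import sqlite3

# MantisBT access levels (standard values; 25 = REPORTER as noted in the thread).
LEVELS = {10: "VIEWER", 25: "REPORTER", 40: "UPDATER", 55: "DEVELOPER",
          70: "MANAGER", 90: "ADMINISTRATOR"}

# Assumption: the values the administrators intend, as described in the thread.
EXPECTED = {"update_bugnote_threshold": 55, "bugnote_user_edit_threshold": 25}


def find_weakening_overrides(conn, expected):
    """Return database overrides that open a threshold to a lower access level."""
    rows = conn.execute(
        "SELECT config_id, project_id, user_id, value FROM mantis_config_table "
        "WHERE config_id LIKE '%threshold' ORDER BY config_id, project_id"
    ).fetchall()
    findings = []
    for config_id, project_id, user_id, value in rows:
        if config_id not in expected:
            continue
        try:
            stored = int(value)
        except ValueError:
            # Non-integer values (e.g. a serialized array) need manual review.
            findings.append((config_id, project_id, user_id, value, "review"))
            continue
        if stored < expected[config_id]:
            findings.append((config_id, project_id, user_id,
                             LEVELS.get(stored, str(stored)), "weaker"))
    return findings


def build_sample_db():
    """Constructed sample data standing in for a real MantisBT database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mantis_config_table (config_id TEXT, project_id INTEGER,"
                 " user_id INTEGER, access_reqd INTEGER, type INTEGER, value TEXT)")
    conn.executemany("INSERT INTO mantis_config_table VALUES (?,?,?,?,?,?)", [
        ("update_bugnote_threshold", 0, 0, 90, 1, "25"),     # modelled on the stray row
        ("bugnote_user_edit_threshold", 0, 0, 90, 1, "25"),  # equals the intended value
        ("database_version", 0, 0, 90, 1, "209"),            # unrelated setting
    ])
    return conn


if __name__ == "__main__":
    for finding in find_weakening_overrides(build_sample_db(), EXPECTED):
        print(finding)
```

Rows reported as "review" hold values that are not plain integers and have to be checked by hand.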