View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0028903 | mantisbt | authorization | public | 2021-07-09 08:56 | 2021-07-19 16:41 |
Reporter | JIMI3 | Assigned To | |
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open |
Product Version | 2.25.2 |
Summary | 0028903: default_bugnote_view_status not applied when set_view_status_threshold is above current user's Access Level |
Description | In our installation we have basically everything set to private and default_bugnote_view_status is set to VS_PRIVATE. The "View Status" checkbox is then not shown, but the added note is Public. I think that mantis should correctly apply the default_bugnote_view_status in this case. |
Steps To Reproduce | default_bugnote_view_status = VS_PRIVATE Add note to an issue - this note is public when by default it should be private. |
Additional Information | The Public status is due to the fact that the checkbox is not shown and the sent form data do not contain "private" parameter. line 49, bugnote_add.php
This view_state is then parsed in the IssueNoteAddCommand validate function and would be correctly parsed to the default view status if it was set to null in bugnote_add.php like this:
But when you do this you get ERROR ACCESS DENIED due to this condition in validate function:
I understand what this condition does but don't understand why. I think that having private notes by default and not permitting the users to change that should be doable by these two config values. So I feel like the set_view_status_threshold should either be documented differently or a new config value should be added for the aforementioned condition for setting threshold for the ability to add private notes and that the view_state should not fall back to VS_PUBLIC when by setting it to null it would get assigned correctly to default_bugnote_view_status. |
Tags | No tags attached. |
@vboctor you introduced this check and I am not sure if this is what you intended and if it's needed at all.

@JIMI3 I didn't try myself, but changing the code the following way should be safe and should change it the way you need it

If I disable the mentioned check like this:
The private status is then ignored when the command is processed and is overridden to public due to this piece of code in bugnote_api.php
This I have overridden like this for the time being:
Now it behaves imho correctly. But I still feel like this shouldn't be needed like I mentioned before. This second check from bugnote_api.php basically says that if you don't meet the threshold to set the view status when posting a bug note then you cannot post a private note even when notes are private by default. Why?
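
The view-status resolution discussed in this thread, modelled as a standalone PHP script. This is an added example, not MantisBT code or a patch from the thread: the two function names are hypothetical, and the numeric constant values and sample requests are constructed for illustration.

```php
<?php
// Illustrative model only, not MantisBT source. Constant and config names
// follow the thread; numeric values and function names are assumptions.
const VS_PUBLIC  = 10;
const VS_PRIVATE = 50;
const REPORTER   = 25;
const DEVELOPER  = 55;

// As described in the report: a missing "private" form field is read as
// public, so default_bugnote_view_status never applies.
function view_state_as_reported(array $form, array $cfg, int $userLevel): int
{
    return !empty($form['private']) ? VS_PRIVATE : VS_PUBLIC;
}

// What the reporter asks for: below the threshold the checkbox is never
// rendered, so the server ignores the field and applies the default.
function view_state_default_applied(array $form, array $cfg, int $userLevel): int
{
    if ($userLevel < $cfg['set_view_status_threshold']) {
        return $cfg['default_bugnote_view_status'];
    }
    // Checkbox was rendered; an unchecked box is simply absent from the POST.
    return !empty($form['private']) ? VS_PRIVATE : VS_PUBLIC;
}

$cfg = [
    'default_bugnote_view_status' => VS_PRIVATE,
    'set_view_status_threshold'   => DEVELOPER,
];

// Constructed sample requests: [user access level, submitted form fields].
$cases = [
    'reporter, checkbox hidden'  => [REPORTER,  []],
    'reporter, sends private=0'  => [REPORTER,  ['private' => '0']],
    'developer, box checked'     => [DEVELOPER, ['private' => 'on']],
    'developer, box unchecked'   => [DEVELOPER, []],
];

$name = [VS_PUBLIC => 'public', VS_PRIVATE => 'private'];
foreach ($cases as $label => [$level, $form]) {
    printf(
        "%-27s reported=%-8s default-applied=%s\n",
        $label,
        $name[view_state_as_reported($form, $cfg, $level)],
        $name[view_state_default_applied($form, $cfg, $level)]
    );
}
```

The first row is the case from the report: with the checkbox hidden, only the second function yields a private note.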