View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0028903||mantisbt||authorization||public||2021-07-09 08:56||2021-07-19 16:41|
|Summary||0028903: default_bugnote_view_status not applied when set_view_status_threshold is above current user's Access Level|
In our installation we have basically everything set to private and default_bugnote_view_status is set to VS_PRIVATE.
The "View Status" checkbox is then not shown, but the added note is Public.
I think that mantis should correctly apply the default_bugnote_view_status in this case.
|Steps To Reproduce|
default_bugnote_view_status = VS_PRIVATE
Add note to an issue - this note is public when by default it should be private.
The Public status is due to the fact that the checkbox is not shown and the sent form data do not contain the "private" parameter.
line 49, bugnote_add.php
This view_state is then parsed in the IssueNoteAddCommand validate function and would be correctly parsed to the default view status if it was set to null in bugnote_add.php like this:
But when you do this you get ERROR ACCESS DENIED due to this condition in validate function:
I understand what this condition does but don't understand why.
I think that having private notes by default and not permitting the users to change that should be doable by these two config values. So I feel like the set_view_status_threshold should either be documented differently or a new config value should be added for the aforementioned condition for setting threshold for the ability to add private notes and that the view_state should not fall back to VS_PUBLIC when by setting it to null it would get assigned correctly to default_bugnote_view_status.
|Tags||No tags attached.|
@vboctor you introduced this check and I am not sure if this is what you intended and if it's needed at all.
@JIMI3 I didn't try myself, but changing the code the following way should be safe and should change it the way you need it
If I disable the mentioned check like this:
The private status is then ignored when the command is processed and is overridden to public due to this piece of code in bugnote_api.php
This I have overridden like this for the time being:
Now it behaves imho correctly. But I still feel like this shouldn't be needed like I mentioned before. This second check from bugnote_api.php basically says that if you don't meet the threshold to set the view status when posting a bug note then you cannot post a private note even when notes are private by default. Why?
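Added example, not part of the issue thread and not MantisBT source code: a simplified model of the behaviour the report describes (a hidden checkbox leaves "private" out of the form data, so the note becomes public) next to the behaviour it asks for (the configured default applies to users below set_view_status_threshold). The function names, the numeric constant values and the sample access levels are assumptions made for this illustration.

```php
<?php
// Simplified model for illustration only; not MantisBT code.
// Constant values and function names are constructed for this example.
const VS_PUBLIC  = 10;
const VS_PRIVATE = 50;

// Reported behaviour: the checkbox is hidden for users below the threshold,
// so "private" is absent from the form data and the note ends up public.
function view_state_reported(array $form): int {
    return !empty($form['private']) ? VS_PRIVATE : VS_PUBLIC;
}

// Requested behaviour: only users at or above the threshold choose the
// view state; for everyone else the configured default is applied and
// whatever the client submitted is ignored.
function view_state_requested(array $form, int $userLevel, array $config): int {
    if ($userLevel < $config['set_view_status_threshold']) {
        return $config['default_bugnote_view_status'];
    }
    return !empty($form['private']) ? VS_PRIVATE : VS_PUBLIC;
}

// Constructed sample configuration and access levels.
$config = [
    'default_bugnote_view_status' => VS_PRIVATE,
    'set_view_status_threshold'   => 55,
];
$cases = [
    'below threshold, checkbox hidden'     => [[], 25],
    'below threshold, private=0 submitted' => [['private' => '0'], 25],
    'at threshold, box ticked'             => [['private' => '1'], 55],
    'at threshold, box unticked'           => [[], 55],
];
foreach ($cases as $label => [$form, $level]) {
    printf("%-38s reported=%d requested=%d\n", $label,
        view_state_reported($form), view_state_requested($form, $level, $config));
}
```

In the first two rows the two functions disagree: the reported path yields 10 (public) while the requested path keeps the note at 50 (private), which is the fail-closed result the reporter expects from the two config values.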