View Issue Details

ID: 0028903
Project: mantisbt
Category: authorization
View Status: public
Last Update: 2021-07-19 16:41
Reporter: JIMI3
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 2.25.2
Summary: 0028903: default_bugnote_view_status not applied when set_view_status_threshold is above current user's Access Level
Description

In our installation we have basically everything set to private and default_bugnote_view_status is set to VS_PRIVATE.
Due to this we have no need for the "View Status" checkbox in the "Add Note" form. To hide it we wanted to use the "set_view_status_threshold" so that we wouldn't have to mangle directly with the code.

The "View Status" checkbox is then not shown, but the added note is Public.

I think that mantis should correctly apply the default_bugnote_view_status in this case.

Steps To Reproduce

default_bugnote_view_status = VS_PRIVATE
set_view_status_threshold = NOBODY

Add note to an issue - this note is public when by default it should be private.

Additional Information

The Public status is due to the fact that the checkbox is not shown and the submitted form data do not contain a "private" parameter.
Then, when the IssueNoteAddCommand payload is constructed in bugnote_add.php, view_state is assigned as VS_PUBLIC.

line 49, bugnote_add.php

'view_state' => array(
    'id' => gpc_get_bool( 'private' ) ? VS_PRIVATE : VS_PUBLIC
),

This view_state is then parsed in the IssueNoteAddCommand validate function and would be correctly parsed to the default view status if it was set to null in bugnote_add.php like this:

'view_state' => gpc_isset('private') ? array('id' => gpc_get_bool( 'private' ) ? VS_PRIVATE : VS_PUBLIC) : null,

But when you do this you get ERROR_ACCESS_DENIED due to this condition in the validate function:

# Can reporter add private notes?
if( $this->private ) {
    if( !access_has_bug_level( config_get( 'set_view_status_threshold' ), $t_issue_id, $this->reporterId ) ) {
        throw new ClientException( "Reporter can't add private notes", ERROR_ACCESS_DENIED );
    }
}

I understand what this condition does but don't understand why.
"set_view_status_threshold" is documented in config_defaults_inc.php as:
"Threshold needed to set the view status while reporting a bug or a bug note."
Nothing about the inability to add private notes if you're not at or above this threshold.

I think that having private notes by default and not permitting the users to change that should be doable with these two config values. So I feel like the set_view_status_threshold should either be documented differently, or a new config value should be added for the aforementioned condition, setting the threshold for the ability to add private notes; and the view_state should not fall back to VS_PUBLIC when, by setting it to null, it would get assigned correctly to default_bugnote_view_status.

Tags: No tags attached.

Activities

atrol
2021-07-11 08:09
developer   ~0065686

@vboctor you introduced this check and I am not sure if this is what you intended and if it's needed at all.

@JIMI3 I didn't try myself, but changing the code the following way should be safe and should change it the way you need it.

# Can reporter add private notes?
if( $this->private && VS_PRIVATE != config_get( 'default_bugnote_view_status' )) {
    if( !access_has_bug_level( config_get( 'set_view_status_threshold' ), $t_issue_id, $this->reporterId ) ) {
        throw new ClientException( "Reporter can't add private notes", ERROR_ACCESS_DENIED );
    }
}
JIMI3
2021-07-19 16:32
reporter   ~0065697
Last edited: 2021-07-19 16:41

If I disable the mentioned check like this:

  if( $this->private && VS_PRIVATE != config_get( 'default_bugnote_view_status' )) {
    if( !access_has_bug_level( config_get( 'set_view_status_threshold' ), $t_issue_id, $this->reporterId ) ) {
      throw new ClientException( "Reporter can't add private notes", ERROR_ACCESS_DENIED );
    }
  }

The private status is then ignored when the command is processed and is overridden to public due to this piece of code in bugnote_api.php:

# Check for private bugnotes.
if( $p_private && access_has_bug_level( config_get( 'set_view_status_threshold' ), $p_bug_id, $p_user_id ) ) {
    $t_view_state = VS_PRIVATE;
} else {
    $t_view_state = VS_PUBLIC;
}

This I have overridden like this for the time being:

if( $p_private && (access_has_bug_level( config_get( 'set_view_status_threshold' ), $p_bug_id, $p_user_id ) || VS_PRIVATE == config_get( 'default_bugnote_view_status' ) )) {
    $t_view_state = VS_PRIVATE;
} else {
    $t_view_state = VS_PUBLIC;
}

Now it behaves imho correctly. But I still feel like this shouldn't be needed, like I mentioned before. This second check from bugnote_api.php basically says that if you don't meet the threshold to set the view status when posting a bug note then you cannot post a private note even when notes are private by default. Why?
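As an added example (not code from this report or from MantisBT), the following stand-alone PHP script models the three code paths the thread walks through (the bugnote_add.php payload, the IssueNoteAddCommand validate() check, and the bugnote_api.php check) under the reported configuration, so that each variant can be traced to its outcome: a note that silently ends up public, an access-denied error, or the intended private note. It assumes a boolean `$meets_threshold` in place of `access_has_bug_level()` against `set_view_status_threshold`, `RuntimeException` in place of `ClientException`, and a constructed form submission with no `private` field.

```php
<?php
// Added example, not MantisBT's own code: a stand-alone model of the three code
// paths this report walks through (the bugnote_add.php payload, the
// IssueNoteAddCommand validate() check, and the bugnote_api.php check), so the
// "private by default, checkbox hidden" configuration can be traced without a
// Mantis install. $meets_threshold stands in for access_has_bug_level() against
// set_view_status_threshold; RuntimeException stands in for ClientException.
const VS_PUBLIC  = 10;   // values as in MantisBT's constant_inc.php
const VS_PRIVATE = 50;

// bugnote_add.php: the original payload always carries a value; the proposed
// change sends null when the 'private' field was not in the submitted form.
function payload_view_state( array $form, bool $null_when_absent ): ?int {
    if ( $null_when_absent && !isset( $form['private'] ) ) {
        return null;
    }
    return !empty( $form['private'] ) ? VS_PRIVATE : VS_PUBLIC;
}

// validate() resolves null to default_bugnote_view_status, then both checks run.
function resolve_view_state( ?int $requested, int $default, bool $meets_threshold,
                             bool $validate_patched, bool $api_patched ): int {
    $private = ( $requested ?? $default ) === VS_PRIVATE;
    // IssueNoteAddCommand::validate(): "Can reporter add private notes?"
    if ( $private && !$meets_threshold && !( $validate_patched && VS_PRIVATE === $default ) ) {
        throw new RuntimeException( "Reporter can't add private notes" ); // ERROR_ACCESS_DENIED
    }
    // bugnote_api.php: "Check for private bugnotes." Anything not allowed becomes public.
    $allowed = $meets_threshold || ( $api_patched && VS_PRIVATE === $default );
    return ( $private && $allowed ) ? VS_PRIVATE : VS_PUBLIC;
}

// The report's configuration: default VS_PRIVATE, threshold NOBODY (never met),
// so the checkbox is hidden and this constructed form has no 'private' field.
$form  = array( 'bug_id' => 1, 'bugnote_text' => 'constructed sample note' );
$cases = array(
    'original code'               => array( false, false, false ),
    'null payload only'           => array( true,  false, false ),
    'null payload + validate fix' => array( true,  true,  false ),
    'null payload + both fixes'   => array( true,  true,  true ),
);
foreach ( $cases as $label => [ $null_payload, $validate_fix, $api_fix ] ) {
    try {
        $state  = resolve_view_state( payload_view_state( $form, $null_payload ),
                                      VS_PRIVATE, false, $validate_fix, $api_fix );
        $result = ( VS_PRIVATE === $state ) ? 'VS_PRIVATE' : 'VS_PUBLIC (confidential note exposed)';
    } catch ( RuntimeException $e ) {
        $result = 'ERROR_ACCESS_DENIED';
    }
    printf( "%-28s -> %s\n", $label, $result );
}
```

Only the last row yields VS_PRIVATE; the first and third rows show the fall-back-to-public behaviour the reporter describes, which is the confidentiality risk of this configuration rather than an access-control failure.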