View Issue Details

IDProjectCategoryView StatusLast Update
0011399mantisbtsecuritypublic2017-09-12 16:14
ReporterdhxAssigned To 
PrioritynormalSeverityminorReproducibilityN/A
Status newResolutionreopened 
Product Version1.2.0 
Target VersionFixed in Version 
Summary0011399: Deprecate $g_show_realname and use $g_show_user_realname_threshold instead
Description

There are two similar configuration options: $g_show_realname (either ON or OFF) and $g_show_user_realname_threshold (a threshold). Throughout the codebase these these options are used interchangeably which is wrong - because we should always be checking the access threshold against $g_show_user_realname_threshold.

Therefore I propose deprecation of the $g_show_realname option and replacement of all uses of this configuration option with a proper access check against $g_show_user_realname_threshold

This will help ensure that user real name's aren't exposed if the administrator sets configuration options as such.

TagsNo tags attached.

Relationships

related to 0008100 new Ability to change displayed names projectwise 
related to 0008583 closeddhx User Lists - Display Realname (yes:no) 
related to 0023339 confirmed User real name can't be fetched as Manager (or lower than Admin in general) 

Activities

dregad

dregad

2012-04-02 08:11

developer   ~0031588

I'm not sure; I think these settings actually control two different things.

  • $g_show_realname globally drives the use of Realname vs Username, anywhere in the application, e.g. Reporter, Assigned To, User selection lists...
    show_realname   OFF      ON
    Reporter        trep     Test Reporter
    Assigned To     tdev     Test Developer
    
  • $g_show_user_realname_threshold is only used in view_user_page.php, to determine if the current user is authorized to view the realname (if not, "Access Denied" is displayed instead).

One may want to use realnames everywhere (i.e. $g_show_realname = ON), in which case I agree with dhx that it would not make sense to set $g_show_user_realname_threshold to anything other than ANYBODY.

But if you want to work with usernames ($g_show_realname = OFF), it makes sense to be able to restrict who can see realnames.

sge

sge

2013-02-13 09:53

reporter   ~0035125

I've tried this solution on a working config, but I'm getting an Internal Server Error 500 as soon as I restart the webserver when I've implemented the following code:
$g_show_realname = ON;
or
$g_show_user_realname_threshold = ANYBODY;
What could be the reason?

dregad

dregad

2013-02-14 15:21

developer   ~0035151

@sge

I've tried this solution

What solution are you talking about ?

If you get an HTTP 500 error, you should look for further details in your system's logs.

In any case, unless I misunderstand, I don't think what you describe has anything to do with this issue's topic. Kindly open a separate issue if that's the case.

sge

sge

2013-02-15 01:52

reporter   ~0035162

There was a semicolon missing in the config nevermind.

dregad

dregad

2013-03-08 04:31

developer   ~0035412

Reminder sent to: grangeway

Based on my comment 0011399:0031588, I think your commit 5d6b1bb4 should be reverted as you're removing functionality by doing this, and therefore introducing a regression for instances using these configs in the manner I described.

grangeway

grangeway

2014-05-26 20:28

reporter   ~0040644

Reminder sent to: dregad

Damien: How good's your memory? In short, I guess we got to the point of needing to keep both variables that dhx proposed deprecating one of. I plan to have a look (And rethink at what these do over the next few days).

What i'm actually thinking about doing atm is the following:

a) keep both variables for reasons you described
b) Rename $g_show_realname to $g_use_realname
c) Change the new $g_use_realname to instead of being ON|OFF, to being a threshold value.

At first glance, i'd probably use the new value at work (i.e. I currently use username's so as not to show students firstnames - whereas i'd set staff to udpater or whatever, and then set use_realname to updater

Thoughts?

dregad

dregad

2014-05-27 03:23

developer   ~0040647

I don't really care about the implementation, as long as the existing functionality is maintained, i.e. we need be able to
a) work with realnames, with a threshold to determine who can see them (that's the setup I had at Merck)
b) enforce use of work usernames, while restricting who can see realnames (like on this tracker)

Issue History

Date Modified Username Field Change
2010-01-15 07:36 dhx New Issue
2010-01-15 07:37 dhx Status new => confirmed
2010-01-15 07:38 dhx Relationship added related to 0008100
2010-01-15 07:41 dhx Relationship added related to 0008583
2012-04-02 08:11 dregad Note Added: 0031588
2013-02-13 09:53 sge Note Added: 0035125
2013-02-14 15:21 dregad Note Added: 0035151
2013-02-15 01:52 sge Note Added: 0035162
2013-03-01 18:38 Changeset attached => MantisBT master-2.0.x 5d6b1bb4
2013-03-01 18:38 anonymous Status confirmed => resolved
2013-03-01 18:38 anonymous Resolution open => fixed
2013-03-01 19:09 dregad Status resolved => feedback
2013-03-01 19:09 dregad Resolution fixed => reopened
2013-03-08 04:31 dregad Note Added: 0035412
2013-03-13 06:18 jayavel Issue cloned: 0015630
2014-05-26 20:17 grangeway Assigned To => grangeway
2014-05-26 20:17 grangeway Status feedback => assigned
2014-05-26 20:28 grangeway Note Added: 0040644
2014-05-27 03:23 dregad Note Added: 0040647
2014-06-30 01:37 vboctor Severity major => minor
2014-11-07 16:59 atrol Assigned To grangeway =>
2014-11-07 16:59 atrol Status assigned => new
2014-12-08 02:10 atrol Target Version 1.3.0-beta.1 => 1.3.0-beta.2
2014-12-22 08:44 dregad Changeset removed MantisBT master-2.0.x 5d6b1bb4 =>
2015-03-15 19:59 dregad Target Version 1.3.0-beta.2 => 1.3.0-beta.3
2015-09-06 17:47 vboctoradmin Target Version 1.3.0-beta.3 => 1.3.0-rc.1
2015-12-06 02:55 vboctor Target Version 1.3.0-rc.1 => 1.3.0-rc.2
2016-06-12 02:37 atrol Target Version 1.3.0-rc.2 => 1.3.0
2016-07-10 07:57 atroladmin Target Version 1.3.0 => 1.3.1
2016-07-11 15:37 atrol Target Version 1.3.1 =>
2017-09-12 16:14 atrol Relationship added related to 0023339