View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0011431 | mantisbt | authentication | public | 2010-01-24 23:38 | 2019-12-13 18:06 |
Reporter | rerbin | Assigned To | dregad | ||
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | no change required | ||
Product Version | git trunk | ||||
Summary | 0011431: everyone can see the "private" issue which is reported by others | ||||
Description | Use an admin account to report an issue and make it private, then use another report account, you will find you can see the issue. | ||||
Tags | No tags attached. | ||||
Hmmm, unable to reproduce. Try this private issue from this bug tracker: I can't see it when I log out and browse via the anonymous user. Bugnote revisions also seem to be protected, although it doesn't show an error (it just shows a blank note): http://www.mantisbt.org/bugs/bug_revision_view_page.php?bugnote_id=0024234#r542 |
|
Use a developer account to report an issue and make it private to admin, then use another developer or manager account, you will find you can see the issue. |
|
$g_private_bug_threshold = DEVELOPER; |
|
rebin: can you please confirm if setting the options specified by vboctor above resolves this issue? You need to change those values from DEVELOPER to something higher so that other developers cannot see private issues/notes. The owner/creator of private issues/notes can always see their private issues/notes. As per access_api.php inside access_has_bug_level(...):
EDIT (dregad) fix markdown |
|
If I set in config_defaults_inc.php |
|
I think I understand now... what you're saying is that we really need some more thresholds:
- $g_bugnote_set_private_threshold - allows a user to set a bugnote as being private
- $g_bugnote_unset_private_threshold - allows a user to unset a bugnote as being private
- $g_bugnote_view_private_threshold - allows a user to view private bugnotes

Am I correct? |
|
hmmm...
The problem now is: either a user can post private messages AND watch all other private messages, OR he cannot read other private messages, but then he also does not have the ability to post private messages. Your thresholds would solve the problem if the thresholds are not addicted. Difficult to explain, not my language :) |
|
If you have the permission to post a private issue, then you see all other private issues too. |
|
Removed assignment. dhx will not contribute to this issue in near future. |
|
As explained, this can be achieved by customizing thresholds in config_inc.php |
|
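
The threshold behaviour discussed in this thread, modelled as a stand-alone PHP script (an added example, not MantisBT's own code and not written by any participant above). `can_view_private_issue()` and the sample users are hypothetical; the access-level values are MantisBT's standard constants, and the rule is the one stated in the notes: the reporter always sees their own private issue, everyone else needs a level at or above `$g_private_bug_threshold`.

```php
<?php
// Added illustration, not MantisBT source. Values match MantisBT's standard
// access-level constants; everything else here is constructed for the example.
const REPORTER      = 25;
const DEVELOPER     = 55;
const MANAGER       = 70;
const ADMINISTRATOR = 90;

/**
 * Hypothetical model of the visibility rule described in the thread.
 * Only private issues are modelled; project-level access is out of scope.
 */
function can_view_private_issue(array $issue, array $user, int $private_bug_threshold): bool
{
    // The reporter of a private issue can always see it.
    if ($issue['reporter'] === $user['name']) {
        return true;
    }
    // Everyone else needs an access level at or above the threshold.
    return $user['level'] >= $private_bug_threshold;
}

// Constructed sample data: a private issue reported by one developer.
$issue = ['id' => 1, 'reporter' => 'dev_a'];
$users = [
    ['name' => 'dev_a',      'level' => DEVELOPER],     // the reporter
    ['name' => 'dev_b',      'level' => DEVELOPER],     // a peer developer
    ['name' => 'reporter_c', 'level' => REPORTER],
    ['name' => 'manager_d',  'level' => MANAGER],
    ['name' => 'admin_e',    'level' => ADMINISTRATOR],
];

// Candidate values for $g_private_bug_threshold in config_inc.php.
$thresholds = ['DEVELOPER' => DEVELOPER, 'MANAGER' => MANAGER, 'ADMINISTRATOR' => ADMINISTRATOR];

foreach ($thresholds as $label => $threshold) {
    echo "\$g_private_bug_threshold = $label;\n";
    foreach ($users as $user) {
        $verdict = can_view_private_issue($issue, $user, $threshold) ? 'sees issue' : 'denied';
        printf("  %-11s %s\n", $user['name'], $verdict);
    }
}
```

With the threshold at DEVELOPER, `dev_b` sees `dev_a`'s private issue, which is the behaviour reported here; raising it to MANAGER or ADMINISTRATOR denies `dev_b` while `dev_a` keeps access to their own issue.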