View Issue Details

ID: 0011431
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2019-12-13 18:06
Reporter: rerbin
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: git trunk
Summary: 0011431: everyone can see the "private" issue reported by others
Description

Use an admin account to report an issue and make it private, then use another reporter account; you will find you can see the issue.

Tags: No tags attached.
Attached Files
adm.png (3,219 bytes)
dev.png (3,242 bytes)

Activities

dhx
2010-01-25 00:33
reporter   ~0024235

Hmmm, unable to reproduce.

Try this private issue from this bug tracker:
http://www.mantisbt.org/bugs/view.php?id=11206

I can't see it when I log out and browse via the anonymous user.

Bugnote revisions also seem to be protected, although it doesn't show an error (it just shows a blank note):

http://www.mantisbt.org/bugs/bug_revision_view_page.php?bugnote_id=0024234#r542

rerbin
2010-01-25 20:24
reporter   ~0024246

Use a developer account to report an issue and make it private to admin, then use another developer or manager account; you will find you can see the issue.

vboctor
2010-01-25 22:55
manager   ~0024247

  • Administrators have access to do ALL MantisBT operations and hence they will be able to view private issues.

  • There is a configuration option for the access level above which PRIVATE issues will be visible.

$g_private_bug_threshold = DEVELOPER;
$g_private_bugnote_threshold = DEVELOPER;

dhx
2010-02-07 07:38
reporter   ~0024337

Last edited: 2019-12-03 07:21

rerbin: can you please confirm whether setting the options specified by vboctor above resolves this issue? You need to change those values from DEVELOPER to something higher so that other developers cannot see private issues/notes. The owner/creator of private issues/notes can always see their private issues/notes.

As per access_api.php inside access_has_bug_level(...):

    # If the bug is private and the user is not the reporter, then
    # the user must also have higher access than private_bug_threshold
    if( VS_PRIVATE == bug_get_field( $p_bug_id, 'view_state' ) && !bug_is_user_reporter( $p_bug_id, $p_user_id ) ) {
        $p_access_level = max( $p_access_level, config_get( 'private_bug_threshold' ) );
    }

EDIT (dregad) fix markdown
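A small model of the access rule quoted above and of the threshold coupling raised later in this thread, as an added example (not MantisBT's own code); the access-level and view-state constants are taken from MantisBT's constant_inc.php, and the users and issue are constructed:

```python
# Model of the private-issue / private-bugnote visibility rule discussed above.
# Access levels and view states mirror MantisBT's constant_inc.php.
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
VS_PUBLIC, VS_PRIVATE = 10, 50

# Defaults equivalent to $g_private_bug_threshold / $g_private_bugnote_threshold
DEFAULTS = {"private_bug_threshold": DEVELOPER,
            "private_bugnote_threshold": DEVELOPER}


def access_has_bug_level(required, bug, user, config=DEFAULTS):
    """Same rule as the quoted access_api.php snippet: for a private bug the
    required level is raised to private_bug_threshold unless the user is
    the bug's reporter, who can always see their own issue."""
    if bug["view_state"] == VS_PRIVATE and bug["reporter_id"] != user["id"]:
        required = max(required, config["private_bug_threshold"])
    return user["access_level"] >= required


def can_view_bugnote(note, user, config=DEFAULTS):
    """A private note is visible to its author and to anyone at or above
    private_bugnote_threshold."""
    if note["view_state"] == VS_PRIVATE and note["reporter_id"] != user["id"]:
        return user["access_level"] >= config["private_bugnote_threshold"]
    return True


def can_set_bugnote_private(user, config=DEFAULTS):
    """The same threshold gates the 'private' checkbox on new notes, which is
    the coupling mantistestor describes: raising it also removes the option."""
    return user["access_level"] >= config["private_bugnote_threshold"]


def visibility_report(config=DEFAULTS):
    """Constructed scenario: developer alice files a private issue and three
    other users try to view it.  Returns {username: can_view}."""
    users = {"alice": {"id": 1, "access_level": DEVELOPER},   # reporter
             "bob":   {"id": 2, "access_level": DEVELOPER},
             "carol": {"id": 3, "access_level": MANAGER},
             "root":  {"id": 4, "access_level": ADMINISTRATOR}}
    bug = {"reporter_id": 1, "view_state": VS_PRIVATE}
    # VIEWER is MantisBT's default view_bug_threshold
    return {n: access_has_bug_level(VIEWER, bug, u, config) for n, u in users.items()}


if __name__ == "__main__":
    print(visibility_report())                      # bob (a developer) sees it
    raised = {**DEFAULTS, "private_bug_threshold": MANAGER}
    print(visibility_report(raised))                # bob no longer does
```

With the defaults every developer sees the private issue, which is the behaviour rerbin reported; raising private_bug_threshold to MANAGER hides it from bob while the reporter and higher roles keep access.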

mantistestor
2010-04-20 10:44
reporter   ~0025162

Last edited: 2010-04-20 10:58

If I set in config_defaults_inc.php
$g_private_bugnote_threshold = ADMINISTRATOR;
then I lose the option to mark a note as private in view.php for roles < ADMINISTRATOR.
Users with < ADMINISTRATOR should be able to post their private messages; the ability to set a note as private should remain.
I tried to explain with the screenshots.
I'm using Mantis 1.2.0a3.

dhx
2010-04-21 08:10
reporter   ~0025181

I think I understand now... what you're saying is that we really need some more thresholds:

$g_bugnote_set_private_threshold - allows a user to set a bugnote as being private

$g_bugnote_unset_private_threshold - allows a user to unset a bugnote as being private

$g_bugnote_view_private_threshold - allows a user to view private bugnotes

Am I correct?

mantistestor
2010-04-21 08:26
reporter   ~0025187

Last edited: 2010-04-23 08:04

Hmmm...
The function must give the ability to:

  • allow a user to set a bugnote as private, independent of his ability to see private notes

The problem now is: either a user can post private messages AND read all other private messages, OR he cannot read other private messages, but then he also does not have the ability to post private messages.

Your thresholds would solve the problem if the thresholds are not coupled to each other.

Difficult to explain, not my language :)

mantistestor
2010-05-07 06:49
reporter   ~0025437

If you have the permission to post a private issue, then you see all other private issues too.

atrol
2013-04-27 18:51
developer   ~0036717

Removed assignment. dhx will not contribute to this issue in near future.

dregad
2019-12-03 07:22
developer   ~0063173

As explained, this can be achieved by customizing the thresholds in config_inc.php.