View Issue Details

ID: 0016359
Project: mantisbt
Category: filters
View Status: public
Last Update: 2017-10-08 23:52
Reporter: tniemi
Assigned To: cproensa
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 2.7.0
Fixed in Version: 2.7.0
Summary: 0016359: Custom field filters does not take user access rights into account
Description

When "All Projects" is selected, the custom field filter shows all strings even if the user does not have access to that project.

Steps To Reproduce

Create three projects (project1, project2 and project3) with the same custom field.
Create a user who has access to project1 and project3 only.
Add issues to project1 and project2 and fill in data for the custom field.
Sign in as the logged-in user, select View Issues and open the specific custom field filter. It will show data from project2 as well, although the user does not have access.

Tags: No tags attached.

Relationships

child of 0023443 (closed, cproensa): Fixes related to custom fields on filters, columns and visibility

Activities

atrol

2013-09-04 15:26

developer   ~0037990

Updated "Steps To Reproduce" as you have to assign two projects to the reporter to be able to choose "All Projects"

Related Changesets

MantisBT: master 3476b161

2017-08-16 08:11:27

cproensa


Committer: dregad
Get accessible custom field values

Rewrite custom_field_distinct_values() to retrieve only those values
that are accessible by the user, according to either issue view
permission, or custom field definition for view access level.

Only values that are viewable by the user should be retrieved, so we
must account for:
- View issue permissions: if the issue is private or public.
- Project level permissions: if a private project is accessible
directly, or indirectly.
- Limit view issues for reporters: if the option is enabled.
- Custom field definition for viewing threshold

Viewable issues can be resolved by using a filter, which already
accounts for those restrictions. So here we only need to additionally
check for custom field view threshold on each project.

Fixes: 0016359
mod - core/custom_field_api.php
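
The restrictions listed in the changeset message above can be shown with a small model. This is an added example, not MantisBT code and not taken from the changeset: every name, access level and data value is hypothetical, every project is treated as private, and indirect (subproject) access is not modelled.

```python
# Added illustration: a simplified model, not MantisBT code; all names are hypothetical.
from dataclasses import dataclass

VIEWER, REPORTER, DEVELOPER = 10, 25, 55    # constructed access levels

@dataclass
class Issue:
    project: str
    reporter: str
    private: bool
    cf_value: str                  # value stored in the shared custom field

@dataclass
class Policy:
    membership: dict               # user -> {project: access level}
    private_issue_threshold: int   # level needed to see others' private issues
    cf_view_threshold: dict        # project -> level needed to view the field
    limit_reporters: bool = False  # reporters see only issues they reported

def can_view_issue(policy, user, issue):
    level = policy.membership.get(user, {}).get(issue.project)
    if level is None:              # project not accessible to this user
        return False
    if issue.reporter == user:
        return True
    if policy.limit_reporters and level <= REPORTER:
        return False
    return not issue.private or level >= policy.private_issue_threshold

def distinct_values_unchecked(issues):
    """Behaviour in the report: every stored value, regardless of the viewer."""
    return sorted({i.cf_value for i in issues})

def distinct_values_accessible(policy, user, issues):
    """Values from viewable issues in projects where the field is viewable."""
    values = set()
    for i in issues:
        if can_view_issue(policy, user, i):
            level = policy.membership[user][i.project]
            if level >= policy.cf_view_threshold.get(i.project, VIEWER):
                values.add(i.cf_value)
    return sorted(values)

# Constructed data following the steps to reproduce; "alice" and "bob" are made up.
POLICY = Policy({"alice": {"project1": REPORTER, "project3": REPORTER}}, DEVELOPER,
                {"project1": VIEWER, "project2": VIEWER, "project3": DEVELOPER})
ISSUES = [Issue("project1", "bob", False, "customer-A"),
          Issue("project1", "bob", True, "customer-B"),
          Issue("project2", "bob", False, "customer-C"),
          Issue("project3", "bob", False, "customer-D")]
```

For "alice" the checked function returns only customer-A: project2 is not accessible, the second project1 issue is private, and the field's view threshold in project3 is above her level.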

Issue History

Date Modified Username Field Change
2013-09-04 08:40 tniemi New Issue
2013-09-04 15:23 atrol Status new => confirmed
2013-09-04 15:26 atrol Note Added: 0037990
2013-09-04 15:26 atrol Steps to Reproduce Updated
2017-08-16 13:18 cproensa Assigned To => cproensa
2017-08-16 13:18 cproensa Status confirmed => assigned
2017-10-07 12:45 dregad Changeset attached => MantisBT master 3476b161
2017-10-07 12:45 cproensa Status assigned => resolved
2017-10-07 12:45 cproensa Resolution open => fixed
2017-10-07 12:45 cproensa Fixed in Version => 2.7.0
2017-10-07 13:34 atrol Target Version => 2.7.0
2017-10-08 11:49 cproensa Relationship added child of 0023443
2017-10-08 23:52 vboctor Status resolved => closed