View Issue Details

IDProjectCategoryView StatusLast Update
0022898mantisbtemailpublic2017-10-17 17:32
Reporterwally68Assigned To 
PrioritynormalSeverityminorReproducibilitysometimes
Status newResolutionopen 
Product Version2.2.1 
Target VersionFixed in Version 
Summary0022898: Email for a new private bugnote was send to a non authorized reporter
Description

We have found a strange problem with private bug-notes:
A reporter has received a private bug note from a developer while the reporter is not authorized to see any private notes or bugs.

After some code digging, we found this in core/email_api.php::email_collect_recipients, around line 461:

...
        # exclude users who don't have at least viewer access to the bug,
        # or who can't see bugnotes if the last update included a bugnote
        if( !access_has_bug_level( config_get( 'view_bug_threshold', null, $t_id, $t_bug->project_id ), $p_bug_id, $t_id )
         || ( $t_bugnote_id !== 0 &&
                $t_bug_date == $t_bugnote_date && !access_has_bugnote_level( config_get( 'view_bug_threshold', null, $t_id, $t_bug->project_id ), $t_bugnote_id, $t_id ) )
        ) {
            log_event( LOG_EMAIL_RECIPIENT, 'Issue = #%d, drop @U%d (access level)', $p_bug_id, $t_id );
            continue;
        }
...        

The recipient for a bugnote email is excluded if the bug date is equal to the bugnote date and the access level is wrong. You use the lastmod-timestamp from the bug and the bugnote to differ between a bug email and a bugnote email.

The timestamp for a bugnote is created by db_now() in core/bugnote_api.php::bugnote_add. The timestamp for the bug is created by db_now() in core/bug_api.php::bug_update_date. The function bug_update_date is called from bugnote_add.

In our opinion there is a potential gap to create two different timestamps for the bugnote and the bug especially on slow machines.

As a possible solution, function core/bug_api.php::bug_update_date may be extended with a default parameter $p_last_modified = 0 and the call from bugnote_add would set the timestamp from the bugnote as a parameter to bug_update_date.

kind regards
Andreas

TagsNo tags attached.

Relationships

has duplicate 0023492 closedatrol Due to condition race email may be sent to reporter where it should not 

Activities

wally68

wally68

2017-05-19 04:57

reporter   ~0056905

Instead of testing the bug timestamp against the bugnote timestamp in core/email_api.php::email_collect_recipients the function parameter $p_notify_type could be tested against 'bugnote' right?

Issue History

Date Modified Username Field Change
2017-05-18 06:51 wally68 New Issue
2017-05-19 04:57 wally68 Note Added: 0056905
2017-10-17 10:04 atrol Relationship added has duplicate 0023492