Anonymous can see private issues entered by other Anonymous
Hi,
Developers and higher access levels can see private issues. So if a registered reporter submits a private issue, this issue can be seen by the reporter and all developers and higher levels. No other reporter can see it. That is OK.
The problem is that if I allow anonymous users to submit issues then any private issue submitted by the anonymous can be seen by any other unregistered/unlogged user. It is quite logical because the anonymous is actually a special kind of registered user. But, on the other hand, it is an undesired feature.
Is it possible to prevent this?
Thanks for any advice.
Re: Anonymous can see private issues entered by other Anonym
You want anonymous users but at the same time you want to distinguish between anonymous users.
This can't work, as you would need some criteria to distinguish between them. After having such criteria, the users would be no longer anonymous.
Re: Anonymous can see private issues entered by other Anonym
I understand this and certainly the solution cannot be that we will distinguish between anonymous users.
As this problem concerns only private issues I propose not to allow anonymous users to see any private issues (as we cannot know which anonymous user submitted it).
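The visibility rule described in the first post and the restriction proposed in the post above, as a simplified model. This is an added example, not MantisBT source code and not part of any post; the account name, the `Session`/`Issue` types and the `deny_private_to_anonymous` flag are assumptions for illustration, while the numeric levels are MantisBT's default access level values.

```python
from dataclasses import dataclass

# MantisBT's default access level values.
VIEWER, REPORTER, UPDATER, DEVELOPER = 10, 25, 40, 55
PRIVATE_THRESHOLD = DEVELOPER     # level that may view any private issue
ANONYMOUS_ACCOUNT = "anonymous"   # assumed name of the shared account


@dataclass(frozen=True)
class Session:
    visitor: str        # the real person behind the browser
    account: str        # the account the tracker actually sees
    access_level: int


@dataclass(frozen=True)
class Issue:
    reporter_account: str
    private: bool


def can_view(session, issue, deny_private_to_anonymous=False):
    """Simplified private-issue visibility check (hypothetical model)."""
    if not issue.private:
        return True
    if session.access_level >= PRIVATE_THRESHOLD:
        return True
    if deny_private_to_anonymous and session.account == ANONYMOUS_ACCOUNT:
        # Proposed rule: being "the reporter" on a shared account proves nothing.
        return False
    # Reporters see their own private issues; the comparison is on the
    # account, so every visitor on the shared account counts as the reporter.
    return session.account == issue.reporter_account


def demo():
    alice = Session("alice", "alice", REPORTER)
    bob = Session("bob", "bob", REPORTER)
    dev = Session("dora", "dora", DEVELOPER)
    anon1 = Session("visitor-1", ANONYMOUS_ACCOUNT, REPORTER)
    anon2 = Session("visitor-2", ANONYMOUS_ACCOUNT, REPORTER)
    by_alice = Issue("alice", private=True)
    by_anon1 = Issue(ANONYMOUS_ACCOUNT, private=True)
    return {
        "registered_self": can_view(alice, by_alice),
        "registered_other": can_view(bob, by_alice),
        "developer": can_view(dev, by_anon1),
        "anon_other_current": can_view(anon2, by_anon1),
        "anon_other_proposed": can_view(anon2, by_anon1, True),
        "anon_self_proposed": can_view(anon1, by_anon1, True),
    }
```

With the proposed restriction the submitting visitor also loses sight of the issue, which is the trade-off of not being able to tell anonymous visitors apart.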
Re: Anonymous can see private issues entered by other Anonym
Radouch wrote: I propose not to allow anonymous users to see any private issues
This is the default setting if the access level of the anonymous user is reporter or updater.
Re: Anonymous can see private issues entered by other Anonym
Radouch wrote: I propose not to allow anonymous users to see any private issues
atrol wrote: This is the default setting if the access level of the anonymous user is reporter or updater.
That would be great but, unfortunately, it does not operate this way. See http://radouch1.cekuj.net/mantis/view.php?id=14
You should not be able to see this as this is a private issue.
You can try to enter your own private issue anonymously and everyone unlogged will see it.
Account anonym has global access level reader and is reporter for this particular project.
Re: Anonymous can see private issues entered by other Anonym
I am not able to reproduce the issue.
It seems you changed source code of Mantis.
Of course, this is no original Mantis as I am even not able to select any project on your system.
I get "404 Not Found" when trying to select a project (e.g. Fotoarchiv)
Re: Anonymous can see private issues entered by other Anonym
atrol wrote: I am not able to reproduce the issue. It seems you changed source code of Mantis. Of course, this is no original Mantis as I am even not able to select any project on your system. I get "404 Not Found" when trying to select a project (e.g. Fotoarchiv)
Well, unfortunately I am not able to reproduce your problem. I am trying it as anonymous users and can switch projects without any problem (Firefox and Chrome). It would be great if other users could test it.
I slightly changed the source code because I wanted to see which project is selected and which page I am on. So there is header for the project and page. It should not change anything concerning access levels.
On the other hand, I can make a fresh installation of pure Mantis and try to reproduce it there. I will provide the link to it soon I hope.
Re: Anonymous can see private issues entered by other Anonym
Might be caused by language settings. I assume your anonymous account has set language to "Auto", so I am using German settings when visiting your page.
BTW, Did you change setting $g_display_errors ?
Re: Anonymous can see private issues entered by other Anonym
atrol wrote: Might be caused by language settings. I assume your anonymous account has set language to "Auto", so I am using German settings when visiting your page.
I have changed the language of the anonymous to English and I have tested it works (I can switch between projects). Please test.
BTW, I cannot actually change language settings for the anonymous user. I had to change config file to prevent anonymous access, then change user's language and then change config back.
atrol wrote: BTW, Did you change setting $g_display_errors ?
No. I can certainly change it how is needed.
Re: Anonymous can see private issues entered by other Anonym
I tried it on my iPad (completely different device, different connection) and on my PC Firefox I added German as my first language. Still no problem. I am afraid I cannot do more to reproduce your bug.
As I said I plan to make fresh install of Mantis and reproduce my problem with anonymous private issues there.
Re: Anonymous can see private issues entered by other Anonym
Radouch wrote: Still no problem. I am afraid I cannot do more to reproduce your bug.
No worries, it's your bug
I get the error message on three different OS and three different browsers.
Do you use the system in an intranet and I have to go through a reverse proxy?
BTW, your tweaked CSS (loading fonts from google) causes CSP violations.
Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Open+Sans' because it violates the following Content Security Policy directive: "style-src 'self'".
Radouch wrote: As I said I plan to make fresh install of Mantis and reproduce my problem with anonymous private issues there.
Waiting for your results.
I just noticed that you didn't tell which version of Mantis you use. I see it's a 1.3.x, ensure that it is latest 1.3.2.