Anonymous can see private issues entered by other Anonymous

[Radouch]

Hi,

developers and higher access levels can see private issues. So if a registred reporter submitts a private issue, this issue can be seen by the reporter and all developers and higher levels. No other reporter can see it. That is OK.

The problem is that if I allow anonymous users to submit issues than any private issue submitted by the anonymous can be seen by any other unregistred/unlogged user. It is quite logical because the anonymous is actually a special kind of registred user. But, on the other hand, it is an undesired feature.

Is it possible to prevent this?

Thanks for any advice.

[atrol]

You want anonymous users but at the same time you want to distinguish between anonymous users.
This cant't work, as you would need some criteria to distinguish between them. After having such criteria , the users would be no longer anonymous.

[Radouch]

I understand this and certainly the solution cannot be that we will distinguish between anonymous users.

As this problems concerns only private issues I propose not to allow anonymous users to see any private issues (as we cannot know which anonymous user submitted it).

[atrol]

I propose not to allow anonymous users to see any private issues

This is the default setting if the access level of the anonymous user is reporter or updater.

[Radouch]

I propose not to allow anonymous users to see any private issues

This is the default setting if the access level of the anonymous user is reporter or updater.

That would be great but, unfortunatelly, it does not operate this way. See http://radouch1.cekuj.net/mantis/view.php?id=14
You should not be able to see this as this is a private issue.

You can try to enter your own private issue anonymously and everyone unlogged will see it.

Account anonym has global access lever reader and is reporter for this particular project.

[atrol]

I am not able to reproduce the issue.
It seems you changed source code of Mantis.
Of course, this is no original Mantis as I am even not able to select any project on your system.
I get "404 Not Found" when trying to select a project (e.g. Fotoarchiv)

[Radouch]

I am not able to reproduce the issue.
It seems you changed source code of Mantis.
Of course, this is no original Mantis as I am even not able to select any project on your system.
I get "404 Not Found" when trying to select a project (e.g. Fotoarchiv)

Well, unfortunatelly I am not able to reproduce your problem. I am trying it as anonymous users and can switch projects without any problem (Firefox and Chrome). It would be great if other users could test it.

I slightly changed the source code because I wanted to see which project is selected and which page I am on. So there is header for the project and page. It should not change anything concerning access levels.

On the other hand, I can make fresh installation of pure Mantis a try to reproduce it there. I will provide the link to it soon I hope.

[atrol]

Might be caused by language settings. I assume your anonymous account has set language to "Auto", so I am using German settings when visiting your page.

BTW, Did you change setting $g_display_errors ?

[Radouch]

Might be caused by language settings. I assume your anonymous account has set language to "Auto", so I am using German settings when visiting your page.

I have changed the language of the anonymous to English and I have tested it works (I can switch between projects). Please test.

BTW, I cannot actually change language settings for the anonymous user. I had to change config file to prevent anonymous access, then change user's language and then change config back.

BTW, Did you change setting $g_display_errors ?

No. I can certainly change it how is needed.

[atrol]

(I can switch between projects). Please test.

I can't. Still get "404 Not Found".

[Radouch]

I tried it on my iPad (completelly different device, different connection) and on my PC Firefox I added German as my first language. Still no problem. I am afraid I cannot do more to reproduce your bug.

As I said I plan to make fresh install of Mantis and reproduce my problem with anonymous private issues there.

[atrol]

Still no problem. I am afraid I cannot do more to reproduce your bug.

No worries, it's your bug
I get the error message on three different OS and three different browsers.
Do you use the system in an intranet and I have to go through a reverse proxy?

BTW, your tweaked CSS (loading fonts from google) causes CSP violations.

Code: Select all

Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Open+Sans' because it violates the following Content Security Policy directive: "style-src 'self'".

As I said I plan to make fresh install of Mantis and reproduce my problem with anonymous private issues there.

Waiting for your results.

I just noticed that you didn't tell which version of Mantis do you use. I see it's a 1.3.x, ensure that it is latest 1.3.2.