 |
What access level is your anonymous account set at? MantisBT does allow you to set the access level to "reporter" (or whatever else you like) although this is obviously not recommended. Usually you should only set the anonymous account to a "viewer" access level. Also please make sure you mark your anonymous account as "protected" so the account cannot be updated by non-administrators. |
 |
The access level of anonymous account is 'reporter'. The idea of using the anonymous account is to make it easier for users to report bugs, without having to register first an account. Obvious 'anonymous' needs to be reporter for this. If the anonymous account is only meant for viewing, a note about this in the documentation wouldn't be bad, to warn people about the issues I mentioned. The anonymous account is marked as protected. |
|
|
It isn't currently possible to set a threshold for who can edit bugnotes (it is just an on/off toggle). There is a threshold for deleting bugnotes however. It wouldn't be too hard to implement a bugnote editing threshold and create a new (default) access level called "anonymous" which is below the bugnote editing threshold. Public/private won't really work properly with anonymous accounts unless you don't mind the anonymous users losing read access to it right after posting. The whole purpose of being anonymous is that you shouldn't be able to tell different anonymous users apart. This means we can't work out which anonymous user posted a bug or bugnote that is marked as private. What we could do is provide password access to bugs so that anonymous users can use a password to access the private bug they've submitted? |
|
|
That public/private does not work properly with anonymous is not such a big problem I would say. Of course not nice, but in that case people should simply not use anonymous and register first. With password access you mean that somebody has to fill in a password when submitting a bug anonymous, which he can use to access it afterwards? Might be an option, but than it might get almost easier to fully register. One could simply add a warning behind the private option that access is lost immediately after posting, unless you register first. For the moment I've installed a cronjob that changes the user_id of posts made by anonymous to a second anonymous user. This works, but takes some time before it gets into effect. I suppose that an option to store the anonymous posts under different user_id than it uses to view will solve biggest part of the problem. That you indeed cannot edit your own stuff should be accepted (for that you can register). |
 |
AFAICT the problem here is that anonymous is mapped to a real user with a given set of privileges, corresponding to the chosen user's access level. I think that was a shortcut during development of the feature and if we decide it's a feature important enough we should rethink how that's handled. |
|
|
The more I think about it, the more I can understand why you may want more than one anonymous account at a time... ie, if you want to have different permissions for anonymous users from different IP ranges (internal vs external for example). Therefore I think it would be best to aim for Mantis to not have a single hardcoded anonymous account. |
|
|
Uhm, that starts to be cumbersome... so we should rely on the client's IP address to grant permissions? doesn't sound right |
 |
@Wim van Ravesteijn: This may not solve all your problems, but could be a temporary workaround. What I did for my project was to give anonymous user a Viewer profile, but then I granted Viewers the right to create reports (from Manage Config > Workflow Thresholds), but not to add/edit notes. I had to go for this as I was getting lots of spam notes otherwise (probably from bots), while I would like to keep the right for reporting for anonymous users. |
- Anonymous
