View Issue Details

ID: 0012191
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-02-02 11:35
Reporter: thobleone_oleco_net
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 1.1.8
Summary: 0012191: Private bugs can be assigned to users not allowed to view private bugs
Description

There is an inconsistency in the user assignment behaviour between the bug view page (view.php) and the bug update page (bug_update_page.php).

When trying to assign a bug whose view state is set to private to a user with an access level < private_bug_threshold, the view.php page throws an "access denied" error, which is correct at least (but lacks any explanation).

On the other hand, on the bug update page the "Assigned To" dropdown contains all project users and can be set to any of them. This way a user who is not able to view the bug can be assigned to it.

Steps To Reproduce

a) have a project with several users with access levels above and below private_bug_threshold (e.g. reporter account "REP" and developer account "DEV")
b) have any bug with its view state set to private that is reported by someone other than "REP" from step a)
c) confirm that user DEV can see the bug on the view all bugs page but user REP cannot
d) using the DEV account and the view.php page, assign REP to that issue; you'll get the access denied error message
e) now, using the DEV account and the bug update page, assign REP to that issue and set the status to assigned. It can be saved.
f) use the REP account. On the view_all_bug_page the private issue is not shown, and trying the issue id on the view.php?id=<issueid> page you get an access denied error

Additional Information

I'm not sure if the behaviour described is really a bug or can be called a feature of the bug_update_page. But at least, the operation sequence described above will create an inconsistency in our issue data.

I can think of several ways out of the situation:

  1. An issue with view state set to private is visible to any user above the private_bug_threshold, to the reporter of that issue AND to anyone assigned to the issue.

  2. In the bug update page, fill the user list only with the accounts that have the right to view that issue. This fix won't cover the situation where an account's access level is later changed by user management. And it eliminates the feature of assigning any "read the manual" or "do your configuration" issue to the reporters :)

Tags: No tags attached.

Activities

watergad

2010-07-23 12:23

reporter   ~0026125

And the similar issue is that you can add some users to the bug monitor list despite their access level.
They will receive email notification but they can't view issue by the URL.
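The visibility invariant behind the report above and the monitor-list comment, as an added executable model. This is example code written for this page, not MantisBT's own source: User, Bug, can_view_bug, update_handler_unchecked, assignable_users, assign_bug, add_monitor and inconsistent_bugs are assumed names, and only the access-level, view-state and private_bug_threshold values are taken from MantisBT. It models the unchecked bug_update_page path, the view.php-style check applied on the update path, the reporter's option 1 (assignee may view) and option 2 (filtered dropdown), and an audit that also catches the option 2 caveat of an access level lowered after assignment.

```python
"""Model of private-bug visibility versus assignment and monitoring.

Added example for this page, not MantisBT code. Class and function names are
illustrative; the numeric constants mirror MantisBT's access levels
(REPORTER=25, DEVELOPER=50) and view states (VS_PRIVATE=50), and
PRIVATE_BUG_THRESHOLD is set to DEVELOPER as in the report's scenario.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

REPORTER, DEVELOPER, MANAGER = 25, 50, 70   # MantisBT access levels
VS_PUBLIC, VS_PRIVATE = 10, 50               # MantisBT view states
PRIVATE_BUG_THRESHOLD = DEVELOPER            # config: private_bug_threshold


@dataclass
class User:
    name: str
    access_level: int


@dataclass
class Bug:
    id: int
    reporter: str                   # user name of the reporter
    view_state: int = VS_PUBLIC
    handler: Optional[str] = None   # user name of the assignee, if any
    monitors: Set[str] = field(default_factory=set)


class AccessDenied(Exception):
    """Raised where view.php would show 'access denied'."""


def can_view_bug(user: User, bug: Bug, handler_may_view: bool = False) -> bool:
    """Visibility rule from the report: a private bug is visible to users at or
    above private_bug_threshold and to its reporter. handler_may_view=True adds
    the report's option 1, so the assignee may see it as well."""
    if bug.view_state != VS_PRIVATE:
        return True
    if user.access_level >= PRIVATE_BUG_THRESHOLD or user.name == bug.reporter:
        return True
    return handler_may_view and bug.handler == user.name


def update_handler_unchecked(bug: Bug, assignee: User) -> None:
    """The bug_update_page path as reported: every project user is offered and
    the save performs no visibility check on the new handler (steps e and f)."""
    bug.handler = assignee.name


def assignable_users(project_users: List[User], bug: Bug) -> List[User]:
    """Option 2: offer only users who can already view the bug. This narrows the
    UI; the server-side check in assign_bug is what enforces the invariant,
    since a hand-crafted POST can still name any user id."""
    return [u for u in project_users if can_view_bug(u, bug)]


def assign_bug(bug: Bug, assignee: User, handler_may_view: bool = False) -> None:
    """Update path with the same check view.php applies. Under option 1 the
    assignment itself grants visibility, so no refusal is needed."""
    if not handler_may_view and not can_view_bug(assignee, bug):
        raise AccessDenied(f"{assignee.name} cannot view bug {bug.id}")
    bug.handler = assignee.name


def add_monitor(bug: Bug, user: User) -> None:
    """Same invariant for the monitor list: do not subscribe a user to
    notifications for a bug they cannot open."""
    if not can_view_bug(user, bug):
        raise AccessDenied(f"{user.name} cannot view bug {bug.id}")
    bug.monitors.add(user.name)


def inconsistent_bugs(bugs: List[Bug], users: Dict[str, User],
                      handler_may_view: bool = False) -> Dict[int, List[str]]:
    """Audit: bug id -> handler and monitor names that cannot view the bug.
    Finds rows created by the unchecked path and also the option 2 caveat,
    where a user's access level was lowered after the assignment."""
    result: Dict[int, List[str]] = {}
    for bug in bugs:
        names = ([bug.handler] if bug.handler else []) + sorted(bug.monitors)
        bad = [n for n in names if not can_view_bug(users[n], bug, handler_may_view)]
        if bad:
            result[bug.id] = bad
    return result
```

Running inconsistent_bugs over existing issue data is the practical check for the "inconsistency in our issue data" the report mentions: it lists every private bug whose handler or monitors would be denied on view.php, whichever of the two options is chosen going forward.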