I can confirm that report shows issues from "all projects", not only "all where user has access to". At least when user selects "all projects" or user has only one project assigned...

Quick solution: Change bugnote_api.php (Line 675+)

from:

if( ALL_PROJECTS != $c_project_id ) {
$t_project_where = " AND b.project_id = '$c_project_id' AND bn.bug_id = b.id ";
} else {
$t_project_where = '';
}

to:

if( ALL_PROJECTS != $c_project_id ) {
$t_project_where_ids = $c_project_id;
} else {
$t_project_where_ids = implode( ', ', user_get_accessible_projects( auth_get_current_user_id() ) );
}
if ( user_is_administrator( auth_get_current_user_id() ) ) {
$t_project_where = '';
}
else {
$t_project_where = " AND b.project_id in (" . $t_project_where_ids . ") AND bn.bug_id = b.id ";
}

Thanks Dominik. Ik can verify that the problem now is solved voor All Projects. However private issues are still shown when selecting the project ( which the user has access to, but not to the private issue ).

In this case I have to decide where to enforce access rules. It seems odd to count issues or bugnotes into a total when you do not have acces to the individual issue orr bugnote ( marked as private ).

Dominik: with your fix, Administrators can no longer view time tracking data for a specific project, it will always display data for all projects. It may also be worth considering the case of sub-projects.

TomR: I think you are correct that the Private bugs and notes should only be counted if user has access to them. However, I am afraid that properly handling that would be quite complex.

If you propose a patch I'll have a look at it.

May I suggest look into the time tracking plugin, which I don't think has any permission problems. As far as I know, the old time tracking within mantisbt is obsolete. https://github.com/mantisbt-plugins/timetracking