View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0019964||mantisbt||authentication||public||2015-07-23 07:53||2021-01-05 18:59|
|Summary||0019964: Wrong anonymous rights application|
Anonymous users have different rights depending on the way they 'login'
|Steps To Reproduce|
Setup Mantis for anonymous login.
This also affects on page contents: anonymous that has not truly logged in has no access to the bugs he should not have access to but he sees them in lists.
|Tags||No tags attached.|
I don't understand the problem at the moment.
There is a difference between anonymous visiting the bugtracker (web crawlers, users just viewing, ...) and beeing logged in as anonymous user.
We would not need the "Login Anonymously" link if there is no difference.
As a side note: We don't recommend to use another access level than VIEWER for the anonymous account.
In this case user should not be detected as 'anonymous' if he did not login as 'anonymous'
I believe the root cause for this is that when a page is browsed anonymously without prior login, the anonymous user's cookies are not actually set. This causes MantisBT API functions such as config_get() to return a generic value.
In this case, it returns whatever value is defined for $g_report_bug_threshold in config file instead of what might be defined in the database (global or project-specific).
EDIT: for the record, removed the "git trunk" product version as the issue likely exists since a very long time.
Reducing severity to minor since this is a corner case and we likely had this bug for a long time.
EDIT: please ignore me - I posted this note in the wrong issue...