View Issue Details

IDProjectCategoryView StatusLast Update
0021913mantisbttaggingpublic2017-10-08 23:52
Reportercproensa Assigned Tocproensa  
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionfixed 
Product Version1.3.3 
Target Version2.7.0Fixed in Version2.7.0 
Summary0021913: Unprivileged user can see related tags from private issues

The selection of related tags is comparing incorrectly for access level:

WHERE tag_id != $1 AND bug_id IN ( SELECT FROM mantis_bug_table b
LEFT JOIN mantis_project_user_list_table p
ON p.project_id=b.project_id AND p.user_id=$2 JOIN mantis_user_table u
ON$3 JOIN mantis_bug_tag_table t
WHERE ( p.access_level>b.view_state OR u.access_level>b.view_state )
AND t.tag_id=$4 )

The clause
WHERE ( p.access_level>b.view_state OR u.access_level>b.view_state )
is comparing to view_state which is not an access level.

TagsNo tags attached.


Related Changesets

MantisBT: master 8ab8e125

2017-08-14 17:46:43


Committer: dregad Details Diff
Fix query for related tags

Refactor the related tags function to use a filter search for the tag,
leaving the rd work for access and visibility checks to the filter api.

Previous query was not correct as it was comparing project access level
with bug view state. Also, it didn't account for view tags permissions
for each project.

Fixes: 0021913
Affected Issues
mod - core/tag_api.php Diff File

Issue History

Date Modified Username Field Change
2016-11-13 17:13 cproensa New Issue
2017-08-14 19:28 cproensa Note Added: 0057459
2017-08-15 11:18 cproensa Assigned To => cproensa
2017-08-15 11:18 cproensa Status new => assigned
2017-09-09 18:35 dregad Changeset attached => MantisBT master 8ab8e125
2017-09-09 18:35 cproensa Status assigned => resolved
2017-09-09 18:35 cproensa Resolution open => fixed
2017-09-09 18:35 cproensa Fixed in Version => 2.7.0
2017-09-09 18:38 dregad Target Version => 2.7.0
2017-10-08 11:35 cproensa Summary unprivileged user can see related tags from private issues => Unprivileged user can see related tags from private issues
2017-10-08 23:52 vboctor Status resolved => closed