View Issue Details

ID: 0022224
Project: mantisbt
Category: html
View Status: public
Last Update: 2019-03-19 04:36
Reporter: Mr.Bricodage
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Product Version: 2.0.0
Target Version:
Fixed in Version:
Summary: 0022224: Access Restrictions to "Print Reports", "CSV Export", "Excel Export" in view all bugs page
Description

The current Mantis version displays several options to export and print filtered bugs in the view all bugs page; the options are displayed on top of the bugs table.

These kinds of options should be displayed only to a restricted list of users based on user rights on each project, at least in my company.

I see two solutions to restrict access to these options:

  • define a configuration option to set the minimum access to see each option ($g_view_export_excel_button_threshold, $g_view_export_csv_button_threshold, $g_view_print_report_button_threshold) and use each threshold in the 'view_all_inc.php' file.
  • use a plugin to catch an event and hide these options if user has no right.

What is your opinion about these solutions?

I tried to implement the plugin but I didn't find any plugin that is used to "hide" or "delete" information displayed by Mantis, only plugins that add more information.

My goal is to implement the functionality according to your wishes (with a minimum of help if a plugin can be used) and post the implemented solution here or on GitHub.

Thanks for your help

Tags: No tags attached.

Relationships

related to 0025492 new Printing (print_all_bug_page) is a perf/security risk 

Activities

atrol

2017-01-20 02:16

developer   ~0055237

Are you aware that restricting access to those pages does not restrict users from getting the same information by using other ways?

E.g. you could get the information by using the SOAP API or by using scripts to access "View Issue Details" page of all issues.

cproensa

2017-01-20 03:38

developer   ~0055238

> Are you aware that restricting access to those pages does not restrict users from getting the same information by using other ways

Besides that... in similar situations, where you may want to alter some of the screen elements and there is no hook provided by core or plugin events, you may use JavaScript to selectively hide or delete those elements.

Mr.Bricodage

2017-01-23 05:33

reporter   ~0055261

> Are you aware that restricting access to those pages does not restrict users from getting the same information by using other ways

Yes, I am. My "rejected export access users" have no technical knowledge to use SOAP or scripts. And my goal is to hide "easy access" to unwanted export functions for non-technical users (REPORTER). If they find another way, their account deserves to be upgraded ;-)

Maybe CSV Export and Excel Export should become plugins? Because XML Import / Export is configurable:

public function config() {
    return array(
        "import_threshold" => ADMINISTRATOR,
        "export_threshold" => DEVELOPER,
    );
}

This is the behaviour that I need and imagine for Excel and CSV exports. I have no idea for Print Reports. Your thoughts?

> in similar situations, that you may want to alter some of the screen elements, where there is not a provided hook by core or plugin events, you may use javascript to selectively hide or delete those elements

Thanks for the tip. That will be my solution if nothing can be done in core or (new) plugins.

Regards

cproensa

2017-01-23 06:29

developer   ~0055264

Having a configurable threshold for users that can execute an export may be a convenient feature.
So, relating to atrol's comment:

> Are you aware that restricting access to those pages does not restrict users from getting the same information by using other ways?

A massive export can be a long-running process. Even if the same info can be accessed by the users, limiting the export execution could be used by some admin in some situations. For example: preventing server overload or DOS requests for small servers.

Mr.Bricodage

2017-02-05 13:47

reporter   ~0055494

@atrol: did you change your mind with cproensa's use case?

atrol

2017-02-05 14:00

developer   ~0055495

> @atrol: did you change your mind with cproensa's use case?

Change my mind? Isn't 0022224:0055237 true?

Mr.Bricodage

2017-02-05 14:14

reporter   ~0055496

> Change my mind? Isn't 0022224:0055237 true?

You're right, wrong formulation, my mistake and my apologies.

Are you in favor of adding this new configuration option?

atrol

2017-02-06 07:47

developer   ~0055504

I don't need it myself, but I see no reason why it should not be implemented.

The options should not just prevent the display of the buttons, but also the access to the pages.
E.g. you should not be able to open the link https://www.YourMantisbt.com/bugs/csv_export.php

So I would call the options
$g_export_excel_threshold, $g_export_csv_threshold, $g_print_report_threshold
instead of
$g_view_export_excel_button_threshold, $g_view_export_csv_button_threshold, $g_view_print_report_button_threshold

Not sure if 3 separate options are needed, maybe one is enough. Something like $g_export_issues_threshold
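
The point made in the note above (gate the export pages themselves, not only the buttons), as an added standalone PHP sketch that is not MantisBT code and not part of the thread. The function names are hypothetical, the access-level values mirror MantisBT's constants, and the option name is the one proposed in the note.

```php
<?php
// Standalone sketch (not MantisBT code): one threshold gates both the menu and the page.
// Access level values mirror MantisBT's constants; every function name is hypothetical.
const REPORTER = 25;
const DEVELOPER = 55;

// Option name proposed in this thread; the value is chosen for the example.
$g_export_issues_threshold = DEVELOPER;

function can_export( int $p_user_level, int $p_threshold ): bool {
    return $p_user_level >= $p_threshold;
}

// View layer: export links are rendered only for users at or above the threshold.
function render_export_links( int $p_user_level, int $p_threshold ): array {
    $t_links = array( 'view_all_bug_page.php' );
    if( can_export( $p_user_level, $p_threshold ) ) {
        $t_links[] = 'csv_export.php';
        $t_links[] = 'excel_xml_export.php';
    }
    return $t_links;
}

// Page layer: the export page repeats the same check before producing any output,
// so requesting the URL directly yields a 403 instead of the file.
function handle_csv_export( int $p_user_level, int $p_threshold, array $p_rows ): array {
    if( !can_export( $p_user_level, $p_threshold ) ) {
        return array( 'status' => 403, 'body' => 'Access Denied.' );
    }
    // Naive CSV join, sufficient for the constructed rows below.
    $t_lines = array_map( function( array $p_row ) {
        return implode( ',', $p_row );
    }, $p_rows );
    return array( 'status' => 200, 'body' => implode( "\n", $t_lines ) );
}

// Constructed sample data.
$t_rows = array( array( 'id', 'summary' ), array( '1', 'Sample issue' ) );

foreach( array( 'reporter' => REPORTER, 'developer' => DEVELOPER ) as $t_name => $t_level ) {
    $t_links = render_export_links( $t_level, $g_export_issues_threshold );
    $t_direct = handle_csv_export( $t_level, $g_export_issues_threshold, $t_rows );
    printf( "%-9s links=[%s] direct csv_export.php => HTTP %d\n",
        $t_name, implode( ', ', $t_links ), $t_direct['status'] );
}
```

If handle_csv_export() dropped its check, the reporter would still see no export links but would receive HTTP 200 when requesting the page directly.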

cproensa

2017-02-06 15:02

developer   ~0055512

> $g_print_report_threshold

I wasn't thinking of $g_print_report_threshold. I don't know if it falls in the same situation, if it can be easily used to output 1000s of issues at once.

> $g_export_excel_threshold, $g_export_csv_threshold

I would define only one export threshold.
We still keep separate pages and configs for csv and excel operations, but in the future I think we'll probably want to join them into one single export functionality.

Mr.Bricodage

2017-02-06 16:33

reporter   ~0055513

Thanks for your responses.

In hindsight, I'm not able to provide a good reason to hide "Print reports" option. I made the mistake to group print and export functions when I wrote the issue.

I'll provide ASAP a PR with one configuration variable '$g_export_issues_threshold' that will be used to check user rights for Export Excel and Export CSV functionalities (display menus and access to pages).

Mr.Bricodage

2017-02-07 17:43

reporter   ~0055569

PR: https://github.com/mantisbt/mantisbt/pull/1021

atrol

2017-02-08 03:27

developer   ~0055574

Last edited: 2018-09-07 06:07

> I don't know if it falls in the same situation, if it can be easily used to output 1000s of issues at once.

> In hindsight, I'm not able to provide a good reason to hide "Print reports" option.

"Print reports" can easily be used to export all issues.

Mr.Bricodage

2017-02-08 16:44

reporter   ~0055593

Last edited: 2018-09-07 06:01

> "Print reports" can easily be used to export all issues.

I agree. My contribution (overview in 0022224:0055513) is based on the last response from @cproensa:

> > $g_print_report_threshold
>
> I wasn't thinking in $g_print_report_threshold. I don't know if it falls in the same situation, if it can be easily used to output 1000s of issues at once.
>
> > $g_export_excel_threshold, $g_export_csv_threshold
>
> I would define only one export threshold.

Should I add a second threshold ($g_print_report_threshold?) for the "Print Reports" option? Or use the same threshold for the 3 options?

mak

2018-09-07 02:05

reporter   ~0060618

Has this issue been addressed?
I have the same requirement as described.

dregad

2018-09-07 06:08

developer   ~0060620

> Should I add a second threshold ($g_print_report_threshold ?) for "Print Reports" option ? Or use the same threshold for the 3 options?

In my opinion, a single threshold is sufficient.

Issue History

Date Modified Username Field Change
2017-01-19 17:47 Mr.Bricodage New Issue
2017-01-20 02:16 atrol Status new => feedback
2017-01-20 02:16 atrol Note Added: 0055237
2017-01-20 03:38 cproensa Note Added: 0055238
2017-01-23 05:33 Mr.Bricodage Note Added: 0055261
2017-01-23 05:33 Mr.Bricodage Status feedback => new
2017-01-23 06:29 cproensa Note Added: 0055264
2017-02-05 13:47 Mr.Bricodage Note Added: 0055494
2017-02-05 14:00 atrol Note Added: 0055495
2017-02-05 14:14 Mr.Bricodage Note Added: 0055496
2017-02-06 07:47 atrol Note Added: 0055504
2017-02-06 15:02 cproensa Note Added: 0055512
2017-02-06 16:33 Mr.Bricodage Note Added: 0055513
2017-02-07 17:43 Mr.Bricodage Note Added: 0055569
2017-02-08 03:27 atrol Note Added: 0055574
2017-02-08 16:44 Mr.Bricodage Note Added: 0055593
2018-09-07 02:05 mak Note Added: 0060618
2018-09-07 06:01 dregad Note Edited: 0055593
2018-09-07 06:07 dregad Note Edited: 0055574
2018-09-07 06:08 dregad Note Added: 0060620
2019-02-19 15:42 atrol Relationship added related to 0025492