View Issue Details

ID: 0024432
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-05-22 03:09
Reporter: mahindra
Assigned To: atrol
Priority: immediate
Severity: block
Reproducibility: always
Status: assigned
Resolution: reopened
Product Version: 2.14.0
Target Version:
Fixed in Version:
Summary: 0024432: Update-Blocker:User-ID instead of Realname 0024139 as due to security policy requirements which prohibit IDs in mails and masks
Description

Update-Blocker:User-ID instead of Realname 0024139 as due to security policy requirements which prohibit IDs in mails and masks

Since 2.12.0 $g_show_realname = ON; does not work as it used to be in previous versions, since 2003
We use realnames for not exposing usernames to public specifically in status mails as our security policy dictates.

One of the reasons for the use of mantisbt since 2003....

That's why we're currently stuck with version 2.11.1, as well as others who have participated in tickets 0024069, 0024087 and 0024139.

Cause is 0004226 - from 2004-07-30 (!), which could be handled by a simple unique to the real name instead of a mask change to the user ID.

In the name of the affected persons I ask for the fastest possible implementation of 0024139:0059327 to be able to perform the current Upgrades to 2.14, 2.15, ...

Or better - build it back like before 2.12 and make real names unique, simply!

Thank you!

Additional Information

Feel free to change the category to upgrade

Ticket is related to

0024139
0024087
0024069
0024378
0023909
0004226
and so on

In the corporate environment, it is common practice to display real names instead of user IDs.
Mantisbt is not PHPBB
Setting an observer is also possible via the reminder function - please take look at 2.11.1 and

- show users with their real name or not

$g_show_realname = ON;
$g_differentiate_duplicates = OFF; # leave off for now
$g_show_assigned_names = ON;

Tags: No tags attached.

Relationships

duplicate of 0024139 (assigned, atrol): $g_show_realname for making usernames private

Activities

atrol

2018-05-15 06:47

developer   ~0059794

and make real names unique

Real names are not unique.

mahindra

2018-05-15 08:25

reporter   ~0059797

It doesn't matter if real names are unique, but there are some old Tickets, which are not really important for the Major use case.

atrol

2018-05-15 09:00

developer   ~0059800

As you are not asking for unique real names, are you asking for something that is not covered in 0024432?

mahindra

2018-05-15 09:13

reporter   ~0059801

Please build $g_show_realname = ON back like it was until <= 2.11.1 - the change in 2.12 is the blocker.

The non plus Ultra solution is your recommendation 0024139:0059327 until 0024139:0059327, the blocker must be made gone

atrol

2018-05-15 11:52

developer   ~0059806

Resolved as duplicate of 0024139 as tracking two issues for the same problem does not add value.

mahindra

2018-05-15 13:11

reporter   ~0059807

Dear atrol,

I do not agree with setting this ID as resolved as duplicate of 0024139, because 0024139 is a minor bug - 0024432
describes an update blocker and asks for a return to the basic mantisbt function used until 2.11.1 in 2018 - even 0024139 is eventually implemented.
Users of the $g_show_realname = ON function are actually blocked in 2.11.1 and are not able to perform their upgrades to >= 2.12, 2.14, and so on!

This ticket describes a structurally conceptual error in the implementation of loss of required functions in Display the Realname in masks and statusmails, while #24139 describes a general improvement.

Best regards,
Karl!

atrol

2018-05-15 17:53

developer   ~0059812

@mahindra I don't understand what you want to tell.
The user who reported 0024139 requested to revert to the 2.11.1 behavior and you request the same.
Both of you requested that usernames are not exposed to public, but that was never the intention of $g_show_realname = ON, see also my comment 0024139:0059811

mahindra

2018-05-16 06:04

reporter   ~0059833

Last edited: 2018-05-16 11:31

0024139:0059829 Thank you jensberke has written a summary

mahindra

2018-05-19 00:26

reporter   ~0059849

https://mantisbt.org/bugs/view.php?id=24186.
[security] CVE-2018-1000162: XSS vulnerability in Parsedown library (dregad)
Resolved in 2.12.1

Please build the visibility of Realnames back like 2.11.1 or make a security version 2.11.1.1

mahindra

2018-05-19 03:37

reporter   ~0059853

Last edited: 2018-05-19 04:10

Have a look at this: the ID is visible with Realname=ON.
This is like Realname off - and does not meet with usability or security guidelines if you have to do a mouseover to see the realname while the user-ID is in front and visible.



mahindra

2018-05-19 03:50

reporter   ~0059854

Last edited: 2018-05-19 04:35

The reason for this misdirection is - how to add users monitoring a ticket:
<<<The real solution to add users to a ticket is a drop down list like 0012557 >>>
If Realname is on - it shows realnames like Mantis before 2.12 in every User field
If Realname is off - it Shows the User ID

Similar to the filter selection for user
Simple and clean
Please go in this direction and delete 0023375 go back to the previous solution in visualization Realnames up to version 2.11.1 this was clean and improve adding a user to a ticket with a drop-down list

You are moving in circle with 0024436, 0024435 and all the other IDs currently

In order to see this topic you have to work in the corresponding representation - only user ID or only real name instead of user ID - then it is easy to understand

0024436 on hold please, 0023375, 0024435, 0024378, 0024087

mahindra

2018-05-22 03:09

reporter   ~0059910

Thanks again atrol
That's why mantis is the best bugtracker - the people behind the project and the opportunity to talk to each other.

When we get 0024139:0059859 in release 2.15, we have a solution, a compromise and a base for further development.

@vboctor please wave that through!

Issue History

Date Modified Username Field Change
2018-05-14 15:01 mahindra New Issue
2018-05-15 06:47 atrol Note Added: 0059794
2018-05-15 06:48 atrol Relationship added related to 0024139
2018-05-15 08:25 mahindra Note Added: 0059797
2018-05-15 09:00 atrol Status new => feedback
2018-05-15 09:00 atrol Note Added: 0059800
2018-05-15 09:13 mahindra Note Added: 0059801
2018-05-15 09:13 mahindra Status feedback => new
2018-05-15 11:52 atrol Assigned To => atrol
2018-05-15 11:52 atrol Status new => resolved
2018-05-15 11:52 atrol Resolution open => duplicate
2018-05-15 11:52 atrol Note Added: 0059806
2018-05-15 11:52 atrol Relationship replaced duplicate of 0024139
2018-05-15 13:11 mahindra Note Added: 0059807
2018-05-15 17:53 atrol Note Added: 0059812
2018-05-16 06:04 mahindra Note Added: 0059833
2018-05-16 11:31 mahindra Note Edited: 0059833 View Revisions
2018-05-19 00:26 mahindra Note Added: 0059849
2018-05-19 03:37 mahindra File Added: userid visible realname on.png
2018-05-19 03:37 mahindra File Added: userid visible realname on (2).png
2018-05-19 03:37 mahindra Note Added: 0059853
2018-05-19 03:47 mahindra Note Edited: 0059853 View Revisions
2018-05-19 03:48 mahindra Status resolved => feedback
2018-05-19 03:48 mahindra Resolution duplicate => reopened
2018-05-19 03:50 mahindra Note Added: 0059854
2018-05-19 03:50 mahindra Status feedback => assigned
2018-05-19 04:06 mahindra Note Edited: 0059854 View Revisions
2018-05-19 04:07 mahindra Note Edited: 0059854 View Revisions
2018-05-19 04:08 mahindra Note Edited: 0059854 View Revisions
2018-05-19 04:09 mahindra Note Edited: 0059853 View Revisions
2018-05-19 04:10 mahindra Note Edited: 0059853 View Revisions
2018-05-19 04:35 mahindra Note Edited: 0059854 View Revisions
2018-05-22 03:09 mahindra Note Added: 0059910