View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0026631||mantisbt||security||public||2020-01-27 14:17||2020-02-21 06:41|
|Summary||0026631: file_get_visible_attachments shows private files that should be invisible to the user|
2.23.0 allows uploading private and public files; the visibility is stored on the attached bugnote. This is not taken into account in some core functions like file_get_visible_attachments. It is possibly not critical, because I don't know if a user can see the return values somewhere. print_bug_attachment_list uses this function, but the print function seems not to be called directly.
|Tags||No tags attached.|
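The check the description says is missing, filtering attachments by the view state of the bugnote they are attached to, as an added example that is not MantisBT code. Every function name, constant and array layout here is hypothetical; showing attachments that have no note and letting a note's reporter see their own private note are assumptions.

```php
<?php
// Added illustration, not MantisBT source. All names below are hypothetical.
const NOTE_PUBLIC  = 10;
const NOTE_PRIVATE = 50;

/**
 * Return only the attachments the given user may see.
 *
 * $attachments: list of ['id' => int, 'bugnote_id' => int|null]
 * $notes:       map of bugnote id => ['view_state' => int, 'reporter_id' => int]
 */
function filter_visible_attachments(array $attachments, array $notes,
                                    int $userId, bool $canViewPrivateNotes): array
{
    $visible = [];
    foreach ($attachments as $att) {
        $noteId = $att['bugnote_id'] ?? null;
        if ($noteId === null) {
            // Assumption: a file with no note has no note-level restriction.
            $visible[] = $att;
            continue;
        }
        if (!isset($notes[$noteId])) {
            continue; // linked note cannot be resolved: fail closed
        }
        $note = $notes[$noteId];
        $isPrivate = $note['view_state'] === NOTE_PRIVATE;
        // Assumption: the note's reporter may always see their own private note.
        if ($isPrivate && !$canViewPrivateNotes && $note['reporter_id'] !== $userId) {
            continue; // private note: hide its attachment from this user
        }
        $visible[] = $att;
    }
    return $visible;
}

// Constructed sample data.
$notes = [
    1 => ['view_state' => NOTE_PUBLIC,  'reporter_id' => 7],
    2 => ['view_state' => NOTE_PRIVATE, 'reporter_id' => 7],
];
$attachments = [
    ['id' => 101, 'bugnote_id' => 1],    // attached to a public note
    ['id' => 102, 'bugnote_id' => 2],    // attached to a private note
    ['id' => 103, 'bugnote_id' => null], // not attached to any note
    ['id' => 104, 'bugnote_id' => 99],   // note id that does not resolve
];
$shown = filter_visible_attachments($attachments, $notes, 5, false);
echo implode(',', array_column($shown, 'id')), PHP_EOL;
```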
As a response to 0022323:0063574 - fits better here:
Don't know what the intention of the developers is.
As reported in 0026627, it seems attachments are always treated as public, so they prevent uploading if the default note state is private.
If upgrading from an older version, attachments are not pinned to a note, and are also always publicly visible.
I think the situation is different:
|2020-01-27 14:17||polzin||New Issue|
|2020-02-04 12:12||ciwu||Note Added: 0063576|
|2020-02-04 12:31||polzin||Note Added: 0063578|
|2020-02-21 06:40||dregad||Relationship added||has duplicate 0026728|
|2020-02-21 06:40||dregad||Relationship added||related to 0022323|
|2020-02-21 06:41||dregad||Relationship added||related to 0009802|