View Issue Details

IDProjectCategoryView StatusLast Update
0030907mantisbtapi soappublic2023-10-31 16:32
Reportervboctor Assigned Tovboctor  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version2.25.6 
Target Version2.26.0Fixed in Version2.26.0 
Summary0030907: SOAP API mc_project_get_users doesn't enforce access check
Description

A user that can sign-in, but doesn't have access to a project, can list users in such project. The user should only be able to do so if they have VIEWER access to the project. Which is equivalent to what they see in reporters/developers drop downs in the filter box of View Issues page.

TagsNo tags attached.

Relationships

related to 0022791 closedvboctor Support retrieving users with specified access level to a project 

Activities