View Issue Details
Field | Value |
---|---|
ID | 0030907 |
Project | mantisbt |
Category | api soap |
View Status | public |
Date Submitted | 2022-08-20 22:21 |
Last Update | 2023-10-31 16:32 |
Reporter | vboctor |
Assigned To | vboctor |
Priority | normal |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Product Version | 2.25.6 |
Target Version | 2.26.0 |
Fixed in Version | 2.26.0 |
Summary | 0030907: SOAP API mc_project_get_users doesn't enforce access check |
Description | A user that can sign in, but doesn't have access to a project, can list users in such a project. The user should only be able to do so if they have VIEWER access to the project, which is equivalent to what they see in the reporters/developers drop-downs in the filter box of the View Issues page. |
Tags | No tags attached. |