View Issue Details

ID: 0003117
Project: mantisbt
Category: security
View Status: public
Last Update: 2004-11-06 06:51
Reporter: jowouters
Assigned To: bpfennig
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 0.18.2
Fixed in Version: 0.19.1
Summary: 0003117: Summary shows info about projects that are not assigned to this user
Description

In Summary, a user sees stats about all the projects, although (I suppose) he should only see stats about the projects he is assigned to.

Tags: No tags attached.

Relationships

has duplicate 0003510 closed vboctor access rights problem in the summary of "all projects"
has duplicate 0003761 closed vboctor summary page displays private projects to everyone
has duplicate 0004340 closed thraxisp [Summary page] a user can see all projects
has duplicate 0003650 closed vboctor Summery shows hidden information
has duplicate 0004174 closed vboctor Summary counts private projects in "All Projects"-View
has duplicate 0003989 closed Graphs show info for data outside of user's visibility
child of 0004297 closed vboctor Mantis 0.19.1 release

Activities

jowouters

2003-04-11 02:28

reporter   ~0004172

This only happens when you have "All Projects" selected.

Example: I'm a reporter at this site, but when I select "All projects" (which actually is just one (mantisbt), as far as I know); I can see the Summary for "mantisbt" and "mantisbt-dev"; while "mantisbt-dev" is none of my business.

I'd like to use the bugtracker for multiple clients, but they do not need to know which other projects I'm working on.

joachim

2003-08-23 02:45

reporter   ~0004560

Same thing with a fresh user who just signed-in (and has no projects at all, since there are only private ones). On the summary page he gets information he should not get.

ancpru

2003-10-27 05:41

reporter   ~0004683

I agree. I also see this as a quite serious problem.

vboctor

2004-05-02 21:25

manager   ~0005464

This needs to be fixed, and hence I marked it as confirmed. However, the quick fix at the moment is to raise the threshold needed to access the summary. In a lot of cases a normal reporter does not need to see the summary.

a_peter

2004-05-18 07:50

reporter   ~0005533

Hi All!

We had the same problem. A temporary solution was adding a global level check of whether the current user has developer rights or not.

But we still have the problem with the summary page...

greetings

core/print_api.php

    function print_project_option_list( $p_project_id = null, $p_include_all_projects = true ) {
        $t_project_ids = current_user_get_accessible_projects();
        // Only offer the "All Projects" entry to users with global DEVELOPER access.
        if ( $p_include_all_projects && access_has_global_level( DEVELOPER ) ) {
            // edited by sck 2003-12-15, added global level-check
            echo '<option value="' . ALL_PROJECTS . '"';
            check_selected( $p_project_id, ALL_PROJECTS );
            echo '>' . lang_get( 'all_projects' ) . '</option>';
        }
        // ... (the rest of the function is not included in this comment)
    }

bpfennig

2004-09-23 13:14

reporter   ~0007718

Summary shows only info about projects that are assigned to this user.
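
The scoping problem reported in this issue, as an added example that is not Mantis code: with "All Projects" selected, the summary has to be computed over the caller's accessible projects rather than over every project, and hiding the selector option does not change what is counted. The project data, user names and function names are constructed for illustration; accessible_project_ids() is a hypothetical stand-in for the current_user_get_accessible_projects() call quoted above.

```php
<?php
const ALL_PROJECTS = 0;
// Constructed sample data; not the Mantis schema.
$projects = [
    1 => ['name' => 'mantisbt',     'private' => false, 'members' => []],
    2 => ['name' => 'mantisbt-dev', 'private' => true,  'members' => ['dev1']],
];
$bugs = [
    ['project_id' => 1, 'status' => 'new'],
    ['project_id' => 1, 'status' => 'closed'],
    ['project_id' => 2, 'status' => 'new'],
];

// Hypothetical stand-in for current_user_get_accessible_projects():
// public projects plus private ones the user belongs to.
function accessible_project_ids(string $user, array $projects): array {
    return array_keys(array_filter($projects, function ($p) use ($user) {
        return !$p['private'] || in_array($user, $p['members'], true);
    }));
}

// Count bugs per status for the given project ids.
function count_by_status(array $project_ids, array $bugs): array {
    $counts = [];
    foreach ($bugs as $b) {
        if (in_array($b['project_id'], $project_ids, true)) {
            $counts[$b['status']] = ($counts[$b['status']] ?? 0) + 1;
        }
    }
    return $counts;
}

// Reported behaviour: ALL_PROJECTS expands to every project in the system.
function summary_unscoped(int $project_id, array $bugs, array $projects): array {
    $ids = $project_id === ALL_PROJECTS ? array_keys($projects) : [$project_id];
    return count_by_status($ids, $bugs);
}

// Scoped: any request, explicit project id included, is intersected with
// the caller's accessible projects before anything is counted.
function summary_scoped(string $user, int $project_id, array $bugs, array $projects): array {
    $allowed = accessible_project_ids($user, $projects);
    $ids = $project_id === ALL_PROJECTS ? $allowed : array_intersect([$project_id], $allowed);
    return count_by_status(array_values($ids), $bugs);
}

// 'reporter1' is a constructed user with no membership in the private project.
print_r(summary_unscoped(ALL_PROJECTS, $bugs, $projects));
print_r(summary_scoped('reporter1', ALL_PROJECTS, $bugs, $projects));
print_r(summary_scoped('reporter1', 2, $bugs, $projects));
```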