0003117: Summary shows info about projects that are not assigned to this user - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0003117	mantisbt	security	public	2003-04-09 15:32	2004-11-06 06:51

Reporter	jowouters	Assigned To	bpfennig
Priority	high	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	0.18.2
Fixed in Version	0.19.1

Summary	0003117: Summary shows info about projects that are not assigned to this user
Description	In Summary, a users sees stats about all the projects, although (I suppose) he should only see stats about the projects he is assigned to.
Tags	No tags attached.

has duplicate	0003510	closed	vboctor	access rights problem in the summary of "all projects"
has duplicate	0003761	closed	vboctor	summary page displays private projects to everyone
has duplicate	0004340	closed	thraxisp	[Summary page] a user can see all projects
has duplicate	0003650	closed	vboctor	Summery shows hidden information
has duplicate	0004174	closed	vboctor	Summary counts private projects in "All Projects"-View
has duplicate	0003989	closed		Graphs show info for data outside of user's visibility
child of	0004297	closed	vboctor	Mantis 0.19.1 release

jowouters 2003-04-11 02:28 reporter ~0004172	This only happens when you have "All Projects" selected. Example: I'm a reporter at this site, but when I select "All projects" (which actually is just one (mantisbt), as far as I know); I can see the Summary for "mantisbt" and "mantisbt-dev"; while "mantisbt-dev" is none of my bussiness. I'd like to use the bugtracker for multiple clients, but they do not need to know which other projects I'm working on.

joachim 2003-08-23 02:45 reporter ~0004560	Same thing with a fresh user who just signed-in (and has no projects at all, since there are only private ones). On the summary page he gets information he should not get.

ancpru 2003-10-27 05:41 reporter ~0004683	I agree. I also see this as a quite serious problem.

vboctor 2004-05-02 21:25 manager ~0005464	This needs to be fixed, and hence I marked it as confirmed. However, the quick fix at the moment is to higher the threshold needed to access the summary. In a lot of cases a normal reporter does not need to see the summary.

a_peter 2004-05-18 07:50 reporter ~0005533	Hi All! We had the same problem. A temporary solution was the adding of a global level check if the current user has developer rights or not. but we still have the problem with the summary page... greetings core/print_api.php function print_project_option_list( $p_project_id = null, $p_include_all_projects = true ) { $t_project_ids = current_user_get_accessible_projects(); if ( $p_include_all_projects && access_has_global_level(DEVELOPER) ) { // edited by sck 2003-12-15, added global level-check echo '<option value="' . ALL_PROJECTS . '"'; check_selected( $p_project_id, ALL_PROJECTS ); echo '>' . lang_get( 'all_projects' ) . '</option>'; }

bpfennig 2004-09-23 13:14 reporter ~0007718	Summary shows only info about projects that are assigned to this user.