View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003117 | mantisbt | security | public | 2003-04-09 15:32 | 2004-11-06 06:51 |
Reporter | jowouters | Assigned To | bpfennig |
Priority | high | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed |
Product Version | 0.18.2 |
Fixed in Version | 0.19.1 |
Summary | 0003117: Summary shows info about projects that are not assigned to this user |
Description | In Summary, a user sees stats about all the projects, although (I suppose) he should only see stats about the projects he is assigned to. |
Tags | No tags attached. |
has duplicate | 0003510 | closed | vboctor | access rights problem in the summary of "all projects" |
has duplicate | 0003761 | closed | vboctor | summary page displays private projects to everyone |
has duplicate | 0004340 | closed | thraxisp | <b>[Summary page]</b> a user can see all projects |
has duplicate | 0003650 | closed | vboctor | Summery shows hidden information |
has duplicate | 0004174 | closed | vboctor | Summary counts private projects in "All Projects"-View |
has duplicate | 0003989 | closed | Graphs show info for data outside of user's visibility | |
child of | 0004297 | closed | vboctor | Mantis 0.19.1 release |
This only happens when you have "All Projects" selected. Example: I'm a reporter at this site, but when I select "All projects" (which actually is just one (mantisbt), as far as I know), I can see the Summary for "mantisbt" and "mantisbt-dev", while "mantisbt-dev" is none of my business. I'd like to use the bugtracker for multiple clients, but they do not need to know which other projects I'm working on.

Same thing with a fresh user who just signed in (and has no projects at all, since there are only private ones). On the summary page he gets information he should not get.

I agree. I also see this as a quite serious problem.

This needs to be fixed, and hence I marked it as confirmed. However, the quick fix at the moment is to raise the threshold needed to access the summary. In a lot of cases a normal reporter does not need to see the summary.

Hi All! We had the same problem. A temporary solution was the adding of a global level check if the current user has developer rights or not. But we still have the problem with the summary page... Greetings

core/print_api.php
function print_project_option_list( $p_project_id = null, $p_include_all_projects = true ) {

Summary shows only info about projects that are assigned to this user.
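The access-control gap discussed in this issue, modelled as an added example (not MantisBT code, and not part of the original notes): an "All Projects" summary that aggregates over every project, beside one scoped to the projects the viewer may see. The schema, the function names and the rule "public projects plus explicitly assigned private projects" are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical,
# not MantisBT's real schema.
SCHEMA = """
CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT, private INTEGER);
CREATE TABLE project_user (project_id INTEGER, user_id INTEGER);
CREATE TABLE bug (id INTEGER PRIMARY KEY, project_id INTEGER, status TEXT);
INSERT INTO project VALUES (1, 'mantisbt', 0), (2, 'mantisbt-dev', 1), (3, 'client-x', 1);
INSERT INTO project_user VALUES (2, 10), (3, 11);
INSERT INTO bug VALUES (1, 1, 'new'), (2, 1, 'closed'), (3, 2, 'new'),
                       (4, 2, 'new'), (5, 3, 'assigned');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def accessible_projects(db, user_id):
    """Public projects plus private projects the user is explicitly assigned to."""
    rows = db.execute(
        "SELECT id FROM project WHERE private = 0 "
        "OR id IN (SELECT project_id FROM project_user WHERE user_id = ?)",
        (user_id,))
    return [r[0] for r in rows]

def summary_unscoped(db):
    """The reported behaviour: 'All Projects' aggregates over every project."""
    return dict(db.execute(
        "SELECT p.name, COUNT(*) FROM bug b JOIN project p ON p.id = b.project_id "
        "GROUP BY p.name"))

def summary_scoped(db, user_id):
    """'All Projects' means all projects this user is allowed to see."""
    ids = accessible_projects(db, user_id)
    if not ids:
        # A user with no visible project gets an empty summary; never fall
        # back to the unfiltered query, and never build an empty IN ().
        return {}
    marks = ",".join("?" * len(ids))
    return dict(db.execute(
        "SELECT p.name, COUNT(*) FROM bug b JOIN project p ON p.id = b.project_id "
        f"WHERE b.project_id IN ({marks}) GROUP BY p.name", ids))
```

The empty-list branch corresponds to the fresh user on a site with only private projects described in the notes above.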