View Issue Details

ID: 0036257
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2025-09-02 03:38
Reporter: pikachurus
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: confirmed
Resolution: open
Product Version: 2.26.4
Summary: 0036257: Deleted notes not showing in bug history
Description

Issue was transferred from public to private project (if it matters).

user1 (manager role in project) writes a comment (not a private one), then deletes it.

user2 (also manager role in project) received a notification (to e-mail and Telegram) with this comment.

user2, and even a user with the administrator role, can't see these records (created/deleted) in the bug history.

But user1 sees them.

Tags: No tags attached.

Relationships

has duplicate: 0036282 (resolved, atrol) I cannot see deleted notes

Activities

dregad

2025-08-11 09:19

developer   ~0070431

Last edited: 2025-08-11 09:20

In history API, when processing bugnote add/change/delete events, there is a check to ensure that the bugnote exists, and if not the event is not shown. This check is bypassed for the note's creator only, which explains the behavior.

In history_get_event_from_row() function:

        if( $t_user_id != $v_user_id ) {
            # bypass if user originated note
            if( ( $v_type == BUGNOTE_ADDED ) || ( $v_type == BUGNOTE_UPDATED ) || ( $v_type == BUGNOTE_DELETED ) ) {
                if( !bugnote_exists( $v_old_value ) ) {
                    continue;
                }

This was introduced in MantisBT master-1.3.x 19736210 (see 0021878); I'm not really sure if that behavior was intentional, maybe @vboctor who authored the change will care to comment.

atrol

2025-08-11 12:00

developer   ~0070432

@dregad I would keep it as it is.
After a note was deleted, we can't check any longer if it was private before.
Even users without private_bugnote_threshold would see it in the history.

dregad

2025-08-11 13:34

developer   ~0070434

Last edited: 2025-08-11 13:36

> After a note was deleted, we can't check any longer if it was private before.

That's true, but at the same time the note's content is gone so it does not really matter so much as there is no real information disclosure (just info about a note added then deleted, that user could not see before).

What I do find confusing, is that you can get a partial history. Consider the following scenario,

  1. user tdev creates a bugnote
  2. manager tmgr updates it
  3. admin tadm deletes it

This is what everyone sees at the end:

  • tdev: no update or delete
    11/08/2025 19:20    tdev    Note Added: 0070113
  • tmgr: no create or delete
    11/08/2025 19:21    tmgr    Note Edited: 0070113
  • tadm: no create or update
    11/08/2025 19:22    tadm    Note Deleted: 0070113

dregad

2025-08-11 13:39

developer   ~0070435

And for the record

> issue was transferred from public to private project (if it matters)

This makes no difference, the behavior is identical regardless of project / issue view state.

dregad

2025-08-12 03:34

developer   ~0070439

I believe we have the following options:

  1. let everyone see everything
  2. add a bypass for administrators so they see all activity
  3. let all users who acted on the deleted bugnote see related activity
  4. don't change anything (users only see their own activity on the deleted note)

Option 3 sounds nice, but maintaining proper sort order would be tricky due to the way the history array is built.

I would personally go for 1 for the sake of simplicity, but if you think it's important not to disclose that a (potentially private) note was created then deleted then I would at least recommend option 2 so admins can have a complete, unfiltered view.

pikachurus

2025-08-15 14:01

reporter   ~0070445

Last edited: 2025-08-15 14:02

Personally, I think that access to all events in the bugs history should be configured here

Screenshot_20250815_205737.png (36,319 bytes)

dregad

2025-08-16 06:29

developer   ~0070446

Last edited: 2025-08-16 08:02

I don't think this is worth adding another config option to store the necessary threshold.

pikachurus

2025-08-18 03:48

reporter   ~0070447

Not another option - in that one (View Issue History)

dregad

2025-08-19 06:00

developer   ~0070454

> Not another option - in that one (View Issue History)

$g_view_history_threshold controls the access to view history at a global level, but further visibility restrictions must apply on individual history items, based on context (e.g. a user may not be allowed to view private notes, or issues linked in a restricted project - and therefore should not see related history events).

What is happening here, is that since the note was deleted it is not possible to check its visibility status anymore since the database record no longer exists. Mantis currently takes the most conservative approach of only showing the event to the person that initiated it.

As mentioned before, this is a corner case that is not worth introducing a special config option to fix. We just need to decide on one of the options I outlined in 0036257:0070439.

vboctor

2025-08-25 13:13

manager   ~0070470

@dregad

> 1. let everyone see everything

That would be a privacy issue. Even the involvement of a user on an issue can be sensitive, even if the contents were deleted.

> 2. add a bypass for administrators so they see all activity

I'm OK with administrators seeing everything.

> 3. let all users who acted on the deleted bugnote see related activity

That is such a corner case. I don't think it is worth adding the complexity and runtime overhead. I suspect most of the time, such notes will be deleted shortly after creation - e.g. added to wrong issues. Otherwise, it is not the most common scenario to delete old notes.

> 4. don't change anything (users only see their own activity on the deleted note)

That's also fine by me.

In summary, I would go for 2 or 4.

pikachurus

2025-08-26 02:30

reporter   ~0070471

> add a bypass for administrators so they see all activity

I think a manager should also see all bug history of his project.

dregad

2025-08-26 08:53

developer   ~0070473

> a manager should also see all bug history of his project.

Makes sense. @vboctor OK with you?

vboctor

2025-08-26 10:18

manager   ~0070479

I think anyone who has access to view other users' private notes for the project, can see the history events of deleted notes. This will often cover DEVELOPERS, MANAGERS, and ADMINISTRATOR.

dregad

2025-08-26 12:14

developer   ~0070481

OK that makes even more sense :-)
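
Added example, not part of the thread and not MantisBT's own code: a self-contained PHP model of the deleted-note history check discussed above, replaying the tdev/tmgr/tadm scenario from ~0070434 under the current rule (originator only) and under the rule proposed in ~0070479 (viewers who could read other users' private notes). The function name `visible_history()`, the user `trep`, the access-level numbers and the threshold value are assumptions made for this illustration.

```php
<?php
// Added illustration, not MantisBT code. Event labels, access levels and the
// threshold below are stand-ins chosen for this example.
const NOTE_ADDED   = 'Note Added';
const NOTE_EDITED  = 'Note Edited';
const NOTE_DELETED = 'Note Deleted';
const PRIVATE_NOTE_THRESHOLD = 55; // assumed level needed to view others' private notes

// Constructed sample data: note 70113 is created, edited, then deleted.
$history = [
    ['user' => 'tdev', 'type' => NOTE_ADDED,   'note' => 70113],
    ['user' => 'tmgr', 'type' => NOTE_EDITED,  'note' => 70113],
    ['user' => 'tadm', 'type' => NOTE_DELETED, 'note' => 70113],
];
$existing_notes = [];  // the note row is gone after deletion
$levels = ['trep' => 25, 'tdev' => 55, 'tmgr' => 70, 'tadm' => 90];

/**
 * Return the history events $viewer may see.
 * $bypass_for_privileged = false models the current check (originator only);
 * true models the proposed rule (viewer could read others' private notes).
 */
function visible_history(array $history, array $existing_notes, array $levels,
                         string $viewer, bool $bypass_for_privileged): array {
    $visible = [];
    foreach ($history as $event) {
        $note_exists   = in_array($event['note'], $existing_notes, true);
        $is_originator = ($event['user'] === $viewer);
        $privileged    = $bypass_for_privileged
            && ($levels[$viewer] ?? 0) >= PRIVATE_NOTE_THRESHOLD;
        // A deleted note can no longer be checked for its private flag, so the
        // event is hidden unless the viewer originated it or is privileged.
        // (Notes that still exist would go through the normal private-note
        // check, which this model leaves out.)
        if (!$note_exists && !$is_originator && !$privileged) {
            continue;
        }
        $visible[] = $event['user'] . ': ' . $event['type'];
    }
    return $visible;
}

// Print what each viewer sees under both rules.
foreach (array_keys($levels) as $viewer) {
    foreach ([false, true] as $proposed) {
        $events = visible_history($history, $existing_notes, $levels, $viewer, $proposed);
        printf("%-5s %-8s %s\n", $viewer, $proposed ? 'proposed' : 'current',
            $events ? implode(' | ', $events) : '(nothing)');
    }
}
```

Under the current rule each of tdev, tmgr and tadm sees only their own event, which is the partial history described in ~0070434; under the proposed rule all three see the full sequence, while the constructed low-privilege user `trep` sees nothing in either case.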