0006959: "Reporter" Filter shows up all reporters.

ID	Project	Category	View Status	Date Submitted	Last Update
0006959	mantisbt	security	public	2006-04-19 18:06	2006-04-20 06:24

Reporter	jens_heitmann	Assigned To	vboctor
Priority	normal	Severity	tweak	Reproducibility	always
Status	closed	Resolution	duplicate
Product Version	1.0.2

Summary	0006959: "Reporter" Filter shows up all reporters.
Description	The reporter filter shows up every reporter registered in the bugtracker system. If a reporter has only access to a limited number of private projects/subprojects it will be best if only reporters visible that are working with the same project (also if "all projects" are selected). Any other reporter that is only assigned to other private projects should be hidden to such a reporter. In my opion this is a security issue, if you manage different indepent projects within one Mantis instance. Find my patch below. Hope this helps.
Additional Information	I've modified project_api.php (find it attached to this report) in the following way: function project_get_all_user_rows( $p_project_id = ALL_PROJECTS, $p_access_level = ANYBODY ) { .... .... $t_adm = ADMINISTRATOR; $t_users = array(); if( $c_project_id == ALL_PROJECTS ) { $t_user_id = auth_get_current_user_id(); $query = "SELECT u.id, u.username, u.realname, u.access_level FROM $t_user_table u, $t_project_user_list_table l WHERE u.enabled = $t_on AND u.access_level $t_global_access_clause AND l.user_id=u.id AND (l.project_id in (select project_id from $t_project_user_list_table where user_id = $t_user_id ))"; } else { $query = "SELECT id, username, realname, access_level FROM $t_user_table WHERE enabled = $t_on AND access_level $t_global_access_clause"; } $result = db_query( $query ); .... ..... } This works well in my configuration. I'm not sure yet, if the change interferes some other functionality.
Tags	No tags attached.

View Issue Details

Relationships

Activities