View Issue Details

ID: 0006960
Project: mantisbt
Category: security
View Status: public
Last Update: 2009-04-17 17:07
Reporter: jens_heitmann
Assigned To: 
Priority: normal
Severity: tweak
Reproducibility: always
Status: new
Resolution: open
Product Version: 1.0.2
Summary: 0006960: "Reporter" Filter shows up all reporters.
Description

The reporter filter shows up every reporter registered in the bugtracker system.

If a reporter only has access to a limited number of private projects/subprojects, it would be best if only those reporters are visible that work on the same project (also if "all projects" is selected). Any other reporter that is only assigned to other private projects should be hidden from such a reporter.

In my opinion this is a security issue, if you manage different independent projects within one Mantis instance.

Find my patch below.
Hope this helps.

Additional Information

I've modified project_api.php (find it attached to this report) in the following way:

function project_get_all_user_rows( $p_project_id = ALL_PROJECTS, $p_access_level = ANYBODY ) {
....
....
    $t_adm = ADMINISTRATOR;
    $t_users = array();

    # ALL_PROJECTS: list only users that share at least one project with the current user
    if( $c_project_id == ALL_PROJECTS ) {
        $t_user_id = auth_get_current_user_id();

        $query = "SELECT u.id, u.username, u.realname, u.access_level
                  FROM $t_user_table u, $t_project_user_list_table l
                  WHERE u.enabled = $t_on
                    AND u.access_level $t_global_access_clause
                    AND l.user_id=u.id
                    AND (l.project_id in (select project_id from
                        $t_project_user_list_table where user_id = $t_user_id ))";
    } else {
        # single project: unchanged query, every enabled user above the access threshold
        $query = "SELECT id, username, realname, access_level
                  FROM $t_user_table
                  WHERE enabled = $t_on
                    AND access_level $t_global_access_clause";
    }

    $result = db_query( $query );

....
.....
}

This works well in my configuration. I'm not sure yet if the change interferes with some other functionality.
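The behaviour this report describes, as an added example that is not MantisBT's own code: both ALL_PROJECTS queries (the original one and the reporter's patched join) are run against a small in-memory SQLite database so the difference is visible on data. Table and column names follow the report; the user and project rows, the access-level values and the `>= level` form of `$t_global_access_clause` are assumptions made for the example.

```python
"""Added example, not MantisBT code: compare the original and the patched
ALL_PROJECTS reporter query from bug 0006960 on a constructed SQLite database."""
import sqlite3

# Constructed access-level values for the example; only their ordering matters here.
REPORTER = 25
ADMINISTRATOR = 90
ENABLED = 1


def build_sample_db():
    """Create an in-memory database with the two tables the report's query uses.
    All rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mantis_user_table (
            id INTEGER PRIMARY KEY, username TEXT, realname TEXT,
            access_level INTEGER, enabled INTEGER);
        CREATE TABLE mantis_project_user_list_table (
            project_id INTEGER, user_id INTEGER);
    """)
    db.executemany("INSERT INTO mantis_user_table VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "Alice", REPORTER, ENABLED),
        (2, "bob", "Bob", REPORTER, ENABLED),
        (3, "carol", "Carol", REPORTER, ENABLED),        # only on an unrelated private project
        (4, "dave", "Dave", REPORTER, 0),                # disabled account
        (5, "root", "Site Admin", ADMINISTRATOR, ENABLED),
    ])
    db.executemany("INSERT INTO mantis_project_user_list_table VALUES (?, ?)", [
        (10, 1), (10, 2), (10, 4), (10, 5),   # project 10: alice, bob, dave, root
        (20, 1), (20, 5),                     # project 20: alice, root
        (30, 3),                              # project 30: carol alone
    ])
    return db


def reporters_original(db, min_level=REPORTER):
    """The unpatched ALL_PROJECTS query: every enabled user above the threshold,
    regardless of which projects the current user can see."""
    rows = db.execute("""
        SELECT id, username, realname, access_level
          FROM mantis_user_table
         WHERE enabled = ?
           AND access_level >= ?
         ORDER BY id""", (ENABLED, min_level)).fetchall()
    return [r[1] for r in rows]


def reporters_patched(db, current_user_id, min_level=REPORTER, distinct=False):
    """The report's patched query: only users who share a project with current_user_id.
    distinct=False is the join exactly as posted, which repeats a user once per
    shared project; distinct=True adds the DISTINCT that removes those repeats.
    The only spliced text is the constant keyword; all values are bound parameters."""
    select = "SELECT DISTINCT" if distinct else "SELECT"
    rows = db.execute(f"""
        {select} u.id, u.username, u.realname, u.access_level
          FROM mantis_user_table u, mantis_project_user_list_table l
         WHERE u.enabled = ?
           AND u.access_level >= ?
           AND l.user_id = u.id
           AND l.project_id IN (SELECT project_id
                                  FROM mantis_project_user_list_table
                                 WHERE user_id = ?)
         ORDER BY u.id""", (ENABLED, min_level, current_user_id)).fetchall()
    return [r[1] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("original (any user):       ", reporters_original(db))
    print("patched, as posted (alice):", reporters_patched(db, 1))
    print("patched with DISTINCT:     ", reporters_patched(db, 1, distinct=True))
    print("patched with DISTINCT (carol):", reporters_patched(db, 3, distinct=True))
```

Run as a script, the original query lists carol to alice even though they share no project, while the patched query hides her. The run also shows the side effect of the posted join: alice and root each share two projects with alice and so appear twice, which is why a deployment of this patch wants `SELECT DISTINCT` (or an equivalent grouping) in the ALL_PROJECTS branch.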

Tags: No tags attached.
Attached Files
project_api.php.tar.gz (5,091 bytes)

Relationships

has duplicate 0006959 closed (vboctor) "Reporter" Filter shows up all reporters.

Activities

jens_heitmann

2006-04-19 18:11

reporter   ~0012631

Sorry, this bug appears twice, because it reported an illegal file type (with the attached php). I've used the back button, as mentioned in the error message that appeared, and resent it with a proper (.tgz) file type. Now it is there as a duplicate (0006959). That's the next bug :-(

grangeway

2009-04-15 06:22

reporter   ~0021550

The addition of:

AND (l.project_id in (select project_id from
$t_project_user_list_table where user_id = $t_user_id ))";

for ALL_PROJECTS seems to be the only change. Codebase has changed a bit since the initial report. I'm just thinking if this makes sense to do - would need to test the subquery against mssql

jens_heitmann

2009-04-17 17:07

reporter   ~0021590

Last modification I've made for Mantis 1.1.6 in my installation:

< #
< if( $c_project_id == ALL_PROJECTS ) {
< $t_user_id = auth_get_current_user_id();
<
< $query = "SELECT u.id, u.username, u.realname, u.access_level
< FROM $t_user_table u, $t_project_user_list_table l
< WHERE u.enabled = $t_on
< AND u.access_level $t_global_access_clause
< AND u.access_level <> $t_adm
< AND l.user_id=u.id
< AND (l.project_id in (select project_id from
< $t_project_user_list_table where user_id = $t_user_id ))";
< } else {
< $query = "SELECT id, username, realname, access_level
< FROM $t_user_table
< WHERE enabled = $t_on
< AND access_level $t_global_access_clause
< AND access_level <> $t_adm";
< }
<
<
< # $query = "SELECT id, username, realname, access_level
< # FROM $t_user_table
< # WHERE enabled = $t_on
< # AND access_level $t_global_access_clause";
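Review bot: the ALL_PROJECTS branch (`FROM $t_user_table u, $t_project_user_list_table l ... AND l.user_id=u.id`) joins the user table against the project membership table without DISTINCT, so a user who shares more than one project with the current user is returned once per shared project; `SELECT DISTINCT u.id, u.username, u.realname, u.access_level` (or the equivalent GROUP BY) would keep the list to one row per user. Separately, the two `AND ... access_level <> $t_adm` lines drop administrators from the filter in both branches, which is a behaviour change beyond the visibility restriction the report asks for and should be stated as intentional or removed. The earlier comment's point stands as well: the `IN (select project_id ...)` subquery has only been exercised on the reporter's installation and still needs a run against the other supported database backends.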