View Issue Details
| Field | Value |
|---|---|
| ID | 0006960 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2006-04-19 18:06 |
| Last Update | 2009-04-17 17:07 |
| Reporter | jens_heitmann |
| Assigned To | |
| Priority | normal |
| Severity | tweak |
| Reproducibility | always |
| Status | new |
| Resolution | open |
| Product Version | 1.0.2 |
| Summary | 0006960: "Reporter" Filter shows up all reporters. |
| Description | The reporter filter shows up every reporter registered in the bugtracker system. If a reporter only has access to a limited number of private projects/subprojects, it would be best if only reporters working on the same project were visible (also if "all projects" is selected). Any other reporter that is only assigned to other private projects should be hidden from such a reporter. In my opinion this is a security issue if you manage different independent projects within one Mantis instance. Find my patch below. |
| Additional Information | I've modified project_api.php (find it attached to this report) in the following way: `function project_get_all_user_rows( $p_project_id = ALL_PROJECTS, $p_access_level = ANYBODY ) { ....` This works well in my configuration. I'm not sure yet if the change interferes with some other functionality. |
| Tags | No tags attached. |
| Attached Files | |
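As an added illustration of the visibility rule the description asks for (this is not the attached patch and not MantisBT's own code), the following Python models users' private-project memberships and compares the unfiltered reporter list with one restricted to users who share a project the viewer can see, for both a single selected project and the "all projects" case. All user names, project ids and the `ALL_PROJECTS` sentinel value are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sentinel: the filter value meaning "all projects" is selected.
ALL_PROJECTS = 0


@dataclass(frozen=True)
class User:
    name: str
    projects: frozenset  # ids of the private projects this user is assigned to


def reporter_filter_unfiltered(users):
    """Behaviour described in the report: every registered user is listed."""
    return sorted(u.name for u in users)


def reporter_filter(viewer, users, selected=ALL_PROJECTS):
    """Only users who share at least one project the viewer can see.

    With ALL_PROJECTS every project the viewer belongs to is in scope; with a
    single project, only that one, and only if the viewer belongs to it
    (otherwise the scope is empty and nobody is listed).
    """
    if selected == ALL_PROJECTS:
        scope = viewer.projects
    else:
        scope = viewer.projects & {selected}
    return sorted(u.name for u in users if u.projects & scope)


def leaked_names(viewer, users, selected=ALL_PROJECTS):
    """User names the unfiltered list reveals that the filtered list hides."""
    shown = set(reporter_filter(viewer, users, selected))
    return sorted(set(reporter_filter_unfiltered(users)) - shown)


# Constructed sample: three independent private projects in one instance.
USERS = [
    User("jens", frozenset({1})),
    User("alice", frozenset({1, 2})),
    User("bob", frozenset({2})),
    User("carol", frozenset({3})),
]

if __name__ == "__main__":
    viewer = USERS[0]  # jens only sees project 1
    print("unfiltered:", reporter_filter_unfiltered(USERS))
    print("filtered:  ", reporter_filter(viewer, USERS))
    print("leaked:    ", leaked_names(viewer, USERS))
```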
Sorry, this bug appears twice, because it reported an illegal file type (with the attached php). I've used the back button, as mentioned in the error message that appeared, and resent it with a proper (.tgz) file type. Now it is there as a duplicate (0006959). That's the next bug :-(
The addition of: AND (l.project_id in (select project_id from for ALL_PROJECTS seems to be the only change. Codebase has changed a bit since the initial report. I'm just thinking if this makes sense to do - would need to test the subquery against mssql
Last modification I've made for Mantis 1.1.6 in my installation: < #