View Issue Details

ID: 0007673
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-04-24 06:55
Reporter: cemper
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Platform: Linux
OS: Redhat
Product Version: 1.1.0a2
Summary0007673: Private Mode not as expected - need a "private" flag so that bugs are private to reporter/admin/handler
Description

Hi, I have been working the whole day and really love the mantis way of doing things... just deployed it for my company and we started working

However, I need a "private" flag so that a couple of bugs are private to reporter/admin/handler only.

So NOBODY should see them, except those 3 people.

The current implementation only lets me select whether certain "gods" can see ALL private issues - but that makes for an old-school hierarchical organisation, not the distributed development we run here.

Please let me know

  • if there's a way to do it right now in 1.1.0a2
  • if somebody's interested in implementing this and what the sponsor cost would be

thanks & best regards
Christoph C. Cemper

http://www.cemper.com

Tags: No tags attached.

Activities

elven (reporter), 2007-02-11 12:24, note ~0014027

I have a semi-working patch for this issue.

Not (yet) covered in this patch are the "external" access methods such as rss feeds, print views, other-format exports. I will do those if this is what you had in mind.
I haven't audited and tested it for security leaks. I will do that if it meets your approval.

It replaces the current private flag with the abovementioned functionality. If you need it as an extra option, that'll take a bit more work.

2007-02-11 12:25, file added: mantis7673_1.patch (5,110 bytes)
diff -Eruw mantis-1.1.0a2/bug_assign.php net.swordcoast.bugtrack/bug_assign.php
--- mantis-1.1.0a2/bug_assign.php	2005-06-15 00:00:32.000000000 +0200
+++ net.swordcoast.bugtrack/bug_assign.php	2007-02-11 14:18:37.063207500 +0100
@@ -43,7 +43,7 @@
 
 	if ( $f_handler_id != NO_USER ) {
 		# check that new handler has rights to handle the issue
-		access_ensure_bug_level( config_get( 'handle_bug_threshold' ), $f_bug_id, $f_handler_id );
+		# access_ensure_bug_level( config_get( 'handle_bug_threshold' ), $f_bug_id, $f_handler_id );
 
 		if ( $t_bug_sponsored ) {
 			if ( !access_has_bug_level( config_get( 'handle_sponsored_bugs_threshold' ), $f_bug_id, $f_handler_id ) ) {
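Review bot: commenting out `access_ensure_bug_level( config_get( 'handle_bug_threshold' ), $f_bug_id, $f_handler_id );` removes the only check that the chosen handler is allowed to handle issues, so bug_assign.php will now accept any user as handler regardless of handle_bug_threshold; the reporter rejects exactly this in ~0014032. If the line was disabled because the prospective handler cannot yet see the private bug, keep the ensure call and instead let the visibility check in access_api.php accept the user who is about to become handler.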
Only in net.swordcoast.bugtrack: config_inc.php
diff -Eruw mantis-1.1.0a2/core/access_api.php net.swordcoast.bugtrack/core/access_api.php
--- mantis-1.1.0a2/core/access_api.php	2005-05-12 18:04:09.000000000 +0200
+++ net.swordcoast.bugtrack/core/access_api.php	2007-02-11 14:06:03.744128000 +0100
@@ -326,11 +326,21 @@
 		  return false;
 		}
 
-		# If the bug is private and the user is not the reporter, then the
-		#  the user must also have higher access than private_bug_threshold
-		if ( VS_PRIVATE == bug_get_field( $p_bug_id, 'view_state' ) &&
-			 !bug_is_user_reporter( $p_bug_id, $p_user_id ) ) {
-			$p_access_level = max( $p_access_level, config_get( 'private_bug_threshold' ) );
+		# If the bug is private and the user
+		# * is not administrator AND
+		# * is not reporter AND
+		# * is not the currently assigned-to AND
+		# * private_bug_treshold should be lower or equal to the users' project access 
+		if ( VS_PRIVATE == bug_get_field( $p_bug_id, 'view_state' )) {
+			if  (
+				bug_is_user_handler( $p_bug_id, $p_user_id ) ||
+			 	bug_is_user_reporter( $p_bug_id, $p_user_id ) ||
+				user_is_administrator( $p_user_id )
+			 ) {
+				$p_access_level = VIEWER; // max( $p_access_level, config_get( 'private_bug_threshold' ) );
+			} else {
+				return false;
+			}
 		}
 
 		return access_has_project_level( $p_access_level, $t_project_id, $p_user_id );
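Review bot: two logic problems in the new private branch. First, `$p_access_level = VIEWER;` overwrites the level the caller asked for, so for the reporter, the handler or an administrator every access_has_bug_level() call on a private bug collapses to "has VIEWER on the project"; a reporter holding only REPORTER would then pass checks made with higher thresholds such as update or delete. Leave $p_access_level as passed and decide only visibility here. Second, private_bug_threshold is never consulted even though the comment's fourth bullet says it should be, so users at or above the threshold who are neither reporter, handler nor administrator now hit `return false`; that is the regression in ~0014039 where the issue vanishes for the admin once it is assigned back to the reporter. A shape that keeps the old behaviour and adds the new one: `if ( !bug_is_user_handler( $p_bug_id, $p_user_id ) && !bug_is_user_reporter( $p_bug_id, $p_user_id ) && !user_is_administrator( $p_user_id ) ) { $p_access_level = max( $p_access_level, config_get( 'private_bug_threshold' ) ); }`. Also "treshold" in the comment.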
diff -Eruw mantis-1.1.0a2/core/columns_api.php net.swordcoast.bugtrack/core/columns_api.php
--- mantis-1.1.0a2/core/columns_api.php	2006-11-11 08:38:00.000000000 +0100
+++ net.swordcoast.bugtrack/core/columns_api.php	2007-02-11 15:01:06.638546000 +0100
@@ -616,6 +616,10 @@
 				, lang_get( 'private' )
 				, lang_get( 'private' )
 			);
+			// Get users who have access to this bug
+			// and print them
+			// TODO
+			// printf("<sub>(Users: %s)</sub>", "");
 		}
 		echo '</td>';
 	}
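Review bot: this hunk adds only a TODO and a commented-out printf(), no behaviour. Either implement the "users who have access" list (and check that printing it does not itself disclose to other viewers who may see a private issue) or leave columns_api.php out of the patch.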
diff -Eruw mantis-1.1.0a2/core/filter_api.php net.swordcoast.bugtrack/core/filter_api.php
--- mantis-1.1.0a2/core/filter_api.php	2006-10-31 09:43:58.000000000 +0100
+++ net.swordcoast.bugtrack/core/filter_api.php	2007-02-11 14:37:53.103455500 +0100
@@ -180,26 +180,28 @@
 		}
 
 		# private bug selection
-		if ( !access_has_project_level( config_get( 'private_bug_threshold' ), $t_project_id, $t_user_id ) ) {
+		
+
+		# if ( !access_has_project_level( config_get( 'private_bug_threshold' ), $t_project_id, $t_user_id ) ) {
 			$t_public = VS_PUBLIC;
 			$t_private = VS_PRIVATE;
 			switch ( $t_filter['view_state'] ) {
 				case META_FILTER_ANY:
-					array_push( $t_where_clauses, "($t_bug_table.view_state='$t_public' OR $t_bug_table.reporter_id='$t_user_id')" );
+				array_push( $t_where_clauses, "($t_bug_table.view_state='$t_public' OR $t_bug_table.reporter_id='$t_user_id' OR $t_bug_table.handler_id='$t_user_id')" );
 					break;
 				case VS_PUBLIC:
 					array_push( $t_where_clauses, "($t_bug_table.view_state='$t_public')" );
 					break;
 				case VS_PRIVATE:
-					array_push( $t_where_clauses, "($t_bug_table.view_state='$t_private' AND $t_bug_table.reporter_id='$t_user_id')" );
+				array_push( $t_where_clauses, "($t_bug_table.view_state='$t_private' AND ($t_bug_table.reporter_id='$t_user_id' OR $t_bug_table.handler_id='$t_user_id')");
 					break;
 			}
-		} else {
-			$t_view_state = db_prepare_int( $t_filter['view_state'] );
-			if ( ( $t_filter['view_state'] !== META_FILTER_ANY ) && ( !is_blank( $t_filter['view_state'] ) ) ) {
-				array_push( $t_where_clauses, "($t_bug_table.view_state='$t_view_state')" );
-			}
-		}
+		#} else {
+		#	$t_view_state = db_prepare_int( $t_filter['view_state'] );
+		#	if ( ( $t_filter['view_state'] !== META_FILTER_ANY ) && ( !is_blank( $t_filter['view_state'] ) ) ) {
+		#		array_push( $t_where_clauses, "($t_bug_table.view_state='$t_view_state')" );
+		#	}
+		#}
 
 		# reporter
 		$t_any_found = false;
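Review bot: commenting out the `access_has_project_level( config_get( 'private_bug_threshold' ), ... )` branch makes the list query hide private issues from every user who is neither reporter nor handler, including users above the threshold and administrators, whom access_api.php still admits; the list and the per-bug check now disagree, and a manager's private issue drops out of View Issues as soon as it is reassigned (~0014039). Keep the else branch for users at or above the threshold and add the `handler_id='$t_user_id'` clause only in the below-threshold branch. Two smaller points: the two replaced array_push lines lost one level of indentation, and the rewritten clauses still interpolate $t_user_id straight into the SQL string, which was already the case before but is worth tightening while the lines are being touched.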
diff -Eruw mantis-1.1.0a2/core/html_api.php net.swordcoast.bugtrack/core/html_api.php
--- mantis-1.1.0a2/core/html_api.php	2006-12-08 07:28:42.000000000 +0100
+++ net.swordcoast.bugtrack/core/html_api.php	2007-02-11 13:08:52.625696500 +0100
@@ -294,9 +294,11 @@
 				$t_align = 'left';
 			}
 
+//			if ( is_page_name ('login_page') ) {
 			echo '<div align="', $t_align, '">';
 			echo '<a href="http://www.mantisbt.org" title="Free Web Based Bug Tracker"><img border="0" width="242" height="102" alt="Mantis Bugtracker" src="images/mantis_logo.gif" /></a>';
 			echo '</div>';
+//			}
 		}
 	}
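Review bot: the commented-out `is_page_name ('login_page')` guard around the logo is dead code unrelated to private issues; drop it from the patch, together with the local config_inc.php that shows up as "Only in net.swordcoast.bugtrack", so the change stays reviewable.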
cemper (reporter), 2007-02-11 17:27, note ~0014029

Hey, sounds good.

I'm a bit concerned that users might still be able to access requests and the info therein that wasn't made for them, so I require

  • RSS feeds
  • notification mails
  • views/prints

to be covered with this patch, after all the goal is to keep information away from some people with this setting.

and yes, please do the testing for sec.leaks as well

How does the payment work?
will this find its way into the normal releases or will I have to apply the patch or stick w/ the alpha version now?

thanks
christoph

elven (reporter), 2007-02-11 18:06, note ~0014030

I do not think it will be in the official mantis release; it'd break current private behaviour. I'm not a mantis developer and as such no authority on that matter. You'll have to do the patching for yourself and patches might break with future releases.
Alas, no plugin system.

I'll do all the above-mentioned in the course of this week (but not tomorrow) and test it thoroughly. You'll have it on Friday latest.

cemper (reporter), 2007-02-11 18:53, note ~0014031

Elven, I tried to apply your patch with

patch -p0 < patchfile

and got a couple of .rej outputs, which I assume means
that your changes didn't go into the file

My problem with this is that I need a working fix
and I'd need to hire you again to apply the changes when a new version
will be used.

thanks

cemper (reporter), 2007-02-11 18:59, note ~0014032

Hey,

why did you comment out the rights checking for handle bug threshold?
users will still need to have that priv,

not ack.

check that new handler has rights to handle the issue

access_ensure_bug_level( config_get( 'handle_bug_threshold' ),

cemper (reporter), 2007-02-11 19:01, note ~0014033

not sure if that was clear,
but when I wrote

So NOBODY should see them, except those 3 people

I meant nobody should be able to work on it,
so of course the assignee should be able to perform update

cemper (reporter), 2007-02-11 19:15, note ~0014035

hm - 2nd try I could patch my files here..
will do some testing and get back soon

thanks!
christoph

cemper (reporter), 2007-02-12 17:31, note ~0014039

I found a problem when testing

a private bug should STILL be seen by
admins (i.e. private threshold reached)

So USER A creates a priv bug, assigns it to Admin - Admin can work on it

  • Admin assigns it back to USER A => disappears for Admin

Please make sure this private threshold is taken care of as well
as in the previous handling

(the changes shall only affect people BELOW that threshold)
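The visibility rule the thread converges on (reporter, handler, administrator, or anyone at or above private_bug_threshold may see a private issue, and nobody gains extra rights from merely being allowed to see it), written out as an added example. This is editor-supplied code, not MantisBT's access_api.php and not elven's patch; the level constants mirror MantisBT's default access levels, while the $world array, the function names and the fixture users are assumptions made for the example. The demo replays the scenario from the note above: a private bug assigned to a handler below the threshold, then assigned back to its reporter, and checks who can still see it and what the reporter may do.

```php
<?php
// Added example (editor's code, not MantisBT's): private-issue visibility and
// access check as discussed in this thread. Constants follow MantisBT's default
// access levels; data layout and function names are assumptions for the demo.

const VIEWER        = 10;
const REPORTER      = 25;
const UPDATER       = 40;
const DEVELOPER     = 55;
const MANAGER       = 70;
const ADMINISTRATOR = 90;

const VS_PUBLIC  = 10;
const VS_PRIVATE = 50;

// Project access level of a user (0 = no access at all).
// Global administrators always count as ADMINISTRATOR.
function project_level(array $world, int $user_id): int {
    if (in_array($user_id, $world['global_admins'], true)) {
        return ADMINISTRATOR;
    }
    return $world['project_access'][$user_id] ?? 0;
}

// May $user_id see this bug at all?
function bug_is_visible(array $world, array $bug, int $user_id): bool {
    $level = project_level($world, $user_id);
    if ($level === 0) {
        return false;
    }
    if ($bug['view_state'] !== VS_PRIVATE) {
        return true;
    }
    // Private bug: the existing threshold rule is kept unchanged ...
    if ($level >= $world['config']['private_bug_threshold']) {
        return true;
    }
    // ... and the requested reporter / handler / administrator cases are added
    // for users below the threshold.
    return $user_id === $bug['reporter_id']
        || $user_id === $bug['handler_id']
        || $level === ADMINISTRATOR;
}

// Does $user_id hold at least $required on this bug? Visibility gates the
// check, but the level compared is still the user's own project level, so
// being allowed to see a private bug never raises what the user may do.
function access_has_bug_level(array $world, array $bug, int $user_id, int $required): bool {
    if (!bug_is_visible($world, $bug, $user_id)) {
        return false;
    }
    return project_level($world, $user_id) >= $required;
}

// Constructed fixture replaying note ~0014039: user 1 (REPORTER) files a
// private bug, user 3 (UPDATER) is below the threshold, user 4 (MANAGER) is
// above it, user 5 is a global administrator, user 2 is an unrelated DEVELOPER.
function run_demo(): array {
    $world = [
        'config'         => ['private_bug_threshold' => DEVELOPER],
        'project_access' => [1 => REPORTER, 2 => DEVELOPER, 3 => UPDATER, 4 => MANAGER],
        'global_admins'  => [5],
    ];
    $bug = ['view_state' => VS_PRIVATE, 'reporter_id' => 1, 'handler_id' => 3];

    $out = [];
    $out['handler below threshold sees bug?']   = bug_is_visible($world, $bug, 3);
    $out['manager sees bug?']                   = bug_is_visible($world, $bug, 4);
    $bug['handler_id'] = 1; // assigned back to the reporter
    $out['manager sees bug after reassign?']    = bug_is_visible($world, $bug, 4);
    $out['former handler sees bug?']            = bug_is_visible($world, $bug, 3);
    $out['global admin sees bug?']              = bug_is_visible($world, $bug, 5);
    $out['unrelated developer sees bug?']       = bug_is_visible($world, $bug, 2);
    $out['reporter may view?']                  = access_has_bug_level($world, $bug, 1, VIEWER);
    $out['reporter may update?']                = access_has_bug_level($world, $bug, 1, UPDATER);
    return $out;
}

foreach (run_demo() as $case => $result) {
    printf("%-40s %s\n", $case, $result ? 'yes' : 'no');
}
```

Run it with `php demo.php`. The two cases worth comparing against the attached patch are the manager after reassignment, who keeps the bug because the threshold rule is retained rather than replaced, and the reporter asking for UPDATER, who is refused because the requested level is compared against the real project level instead of being lowered to VIEWER.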

elven (reporter), 2007-02-18 04:40, note ~0014059

I'm rather tied up with work now. I will get back to you sometime next week, if that still works for you.

Issue History

Date Modified Username Field Change
2006-12-19 12:36 cemper New Issue
2006-12-19 12:36 cemper Sponsorship Added cemper: US$ 20
2006-12-19 12:36 cemper Sponsorship Total 0 => 20
2007-02-09 10:49 cemper Sponsorship Updated cemper: US$ 100
2007-02-09 10:49 cemper Sponsorship Total 20 => 100
2007-02-11 12:24 elven Note Added: 0014027
2007-02-11 12:25 elven File Added: mantis7673_1.patch
2007-02-11 17:27 cemper Note Added: 0014029
2007-02-11 18:06 elven Note Added: 0014030
2007-02-11 18:53 cemper Note Added: 0014031
2007-02-11 18:59 cemper Note Added: 0014032
2007-02-11 19:01 cemper Note Added: 0014033
2007-02-11 19:15 cemper Note Added: 0014035
2007-02-12 17:31 cemper Note Added: 0014039
2007-02-18 04:40 elven Note Added: 0014059
2017-01-18 10:51 atrol Severity major => feature
2017-01-18 10:51 atrol Description Updated