View Issue Details

ID: 0009745
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2009-06-26 12:03
Reporter: olegos
Assigned To: jreese
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0a2
Target Version: 1.2.0a3
Fixed in Version: 1.2.0a3
Summary: 0009745: Making bugnote private, access check is wrong
Description

I have:

$g_update_bugnote_threshold = MANAGER;
$g_private_bugnote_threshold = DEVELOPER; (default)

Because I don't want developers changing each other's notes, but do want any developer to be able to make any note private.

So now I (a developer) see the "Make Private" button on notes, but clicking on it gives "Access denied."

That's because bugnote_set_view_state.php checks 'update_bugnote_threshold'. I believe that's wrong and it should be checking 'private_bugnote_threshold' instead. Probably also need to check 'change_view_status_threshold', to match the checks in bugnote_view_inc.php for the "Make Private" button.

Tags: No tags attached.

Activities

olegos


2008-10-24 15:30

reporter   ~0019675

Couldn't even make my own note private. This should be explicitly allowed, regardless of other thresholds, I think.

giallu


2008-10-24 18:50

reporter   ~0019677

Your assumption about the meaning of $g_private_bugnote_threshold is not correct.

That parameter controls who can "view" a private bugnote, not who can make it private. Making it public or private is an "update", so that's controlled by $g_update_bugnote_threshold.

giallu


2008-10-24 18:52

reporter   ~0019678

and yes, editing your own bugnote should work (including making it private)

olegos


2008-10-24 19:32

reporter   ~0019679

In this case, there shouldn't be "Make Private" button on others' notes. The basic problem is that the check for displaying "Make Private" button, and the access check when the button is clicked, are different, right?

And I do wish there was a way to have a threshold for making notes private/public lower than editing.

jreese


2009-01-14 18:19

reporter   ~0020623

Targeting, for 1.2.0a3, a fix to only show the button when the user has update privileges to the bugnote.

jreese


2009-01-15 10:50

reporter   ~0020630

Fix committed to 1.2.x development tree.

olegos


2009-01-16 10:12

reporter   ~0020640

$t_can_edit in bugnote_view_inc.php line 163 should be $t_can_edit_note

jreese


2009-01-16 10:32

reporter   ~0020641

Yes, I found this shortly after the release. It is already committed to the repository.

olegos


2009-01-18 01:58

reporter   ~0020651

Hmm, in http://git.mantisbt.org/?p=mantisbt.git;a=log I see only one commit after the release, by Paul. In http://git.mantisbt.org/?p=mantisbt.git;a=tree the file is still wrong. In this tracker I don't see the "Make private" button on my notes (it says "Mantis 1.2.0a3 git snapshot 7f168ee" -- how do I find out what exactly this "snapshot 7f168ee" is, how does it relate to the log on the web?)

giallu


2009-01-18 04:33

reporter   ~0020652

It was there before the rebase of master that happened a few days ago. I guess it just needs to be re-committed (though it won't have the same SHA1).

Since you seem to be keen on following the development, I suggest you join the mantisbt-dev mailing list at https://lists.sourceforge.net/lists/listinfo/mantisbt-dev and keep this kind of discussion there.

Related Changesets

MantisBT: master a8539eb6

2009-01-14 19:16

jreese


Fix 0009745: Fix bugnote view state button and update process to use the same access levels.
Allow users to mark their own bugnotes as public/private.
Affected Issues
0009745
mod - bugnote_set_view_state.php
mod - bugnote_view_inc.php
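
The mismatch discussed in this issue, as an added PHP example that is not MantisBT source and not part of any comment above: the "Make Private" button and the request handler share one authorization predicate, with the note's author always allowed. Function names are hypothetical, the numeric access levels are illustrative, and the pre-fix button gate is an assumption simplified from the reporter's description.

```php
<?php
// Constructed model of the issue; not MantisBT source. Function names are hypothetical.
const DEVELOPER = 55; // illustrative numeric levels
const MANAGER   = 70;

// Thresholds as configured in the report.
$cfg = ['update_bugnote_threshold' => MANAGER, 'private_bugnote_threshold' => DEVELOPER];

// Single authorization predicate: the note's author, or anyone at the update threshold.
function can_set_view_state(array $user, array $note, array $cfg): bool {
    return $note['author_id'] === $user['id']
        || $user['level'] >= $cfg['update_bugnote_threshold'];
}

// View side: offer the button only when the request would be accepted.
function note_actions(array $user, array $note, array $cfg): array {
    return can_set_view_state($user, $note, $cfg) ? ['Make Private'] : [];
}

// Action side: re-check on the server with the same predicate; never trust the UI.
function set_view_state(array $user, array $note, bool $private, array $cfg): array {
    if (!can_set_view_state($user, $note, $cfg)) {
        throw new RuntimeException('Access denied.');
    }
    $note['private'] = $private;
    return $note;
}

// Pre-fix button gate, assumed from the report and simplified to one threshold.
function button_before_fix(array $user, array $cfg): bool {
    return $user['level'] >= $cfg['private_bugnote_threshold'];
}

// Constructed users and notes.
$users = [['id' => 1, 'level' => DEVELOPER], ['id' => 2, 'level' => MANAGER]];
$notes = [['id' => 10, 'author_id' => 1, 'private' => false],
          ['id' => 11, 'author_id' => 2, 'private' => false]];

foreach ($users as $u) {
    foreach ($notes as $n) {
        $shown = note_actions($u, $n, $cfg) !== [];
        try { set_view_state($u, $n, true, $cfg); $ok = true; }
        catch (RuntimeException $e) { $ok = false; }
        printf("user %d note %d: old button=%s new button=%s request=%s\n",
            $u['id'], $n['id'], var_export(button_before_fix($u, $cfg), true),
            var_export($shown, true), var_export($ok, true));
    }
}
```

In the output, a row where "old button" is true and "request" is false is the "Access denied." case from the report; "new button" and "request" agree on every row because both come from the same function.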