View Issue Details

ID: 0009827
Project: mantisbt
Category: security
View Status: public
Last Update: 2013-07-17 10:34
Reporter: olegos
Assigned To: grangeway
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0a2
Target Version: 1.2.0rc1
Fixed in Version: 1.2.0rc1
Summary0009827: Note link exposes other users, authors of private notes
Description

Related to issue 0009321. Maybe if a user doesn't have access to a certain note, he shouldn't see a link to it, with all its associated details.

In my system, I'm trying to limit each user's view to only his assigned project(s) (all projects are private, all users are globally Viewers). By inserting random issue notes, other user names that are otherwise inaccessible become visible. I use First_Last as the username for some of my users, and since sometimes links get inserted inadvertently, the result is that random other users sometimes get exposed.

Also, by linking to a private note it's possible to discover its author.

Tags: No tags attached.
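The description above boils down to one missing check: the text formatter turns every "~<id>" reference into a link carrying the note's author before asking whether the viewer may see that note, so pasting candidate ids enumerates usernames across projects and reveals who wrote private notes. The following Python is an added illustration, not MantisBT's code or its actual fix; the note store, the project membership table and the rendered "[~id by author]" markup are all constructed for the demo. It shows the leaky renderer beside a hardened one and replays the reporter's probe against both.

```python
import re
from dataclasses import dataclass

# Constructed sample data for the demo; this is not MantisBT's schema.
@dataclass(frozen=True)
class Note:
    note_id: int
    project: str
    author: str
    private: bool

# Hypothetical notes: two private projects, one private note in each.
NOTES = {
    101: Note(101, "alpha", "Alice_Smith", private=False),
    102: Note(102, "alpha", "Bob_Jones", private=True),
    201: Note(201, "beta", "Carol_White", private=False),
    202: Note(202, "beta", "Dan_Brown", private=True),
}

# Hypothetical membership: each user is only a viewer on their own project.
PROJECT_VIEWERS = {
    "alpha": {"Alice_Smith", "Bob_Jones"},
    "beta": {"Carol_White", "Dan_Brown"},
}

# Assumed link syntax: a "~" followed by the note id, as in the report.
NOTE_LINK_RE = re.compile(r"~(\d+)")


def can_view_note(viewer: str, note: Note) -> bool:
    """Viewer must belong to the note's project; a private note is
    visible only to its author (a deliberately simple policy)."""
    if viewer not in PROJECT_VIEWERS.get(note.project, set()):
        return False
    return (not note.private) or note.author == viewer


def _markup(note: Note) -> str:
    # Stand-in for a link whose title/tooltip names the note's author.
    return f"[~{note.note_id} by {note.author}]"


def render_leaky(text: str, viewer: str) -> str:
    """Reported behaviour: link and reveal the author for any existing
    note, with no access check on the viewer."""
    def sub(m: re.Match) -> str:
        note = NOTES.get(int(m.group(1)))
        return m.group(0) if note is None else _markup(note)
    return NOTE_LINK_RE.sub(sub, text)


def render_fixed(text: str, viewer: str) -> str:
    """Hardened: only link notes the viewer may see. Inaccessible and
    non-existent ids are both left as literal text, so the output does
    not even distinguish "no such note" from "not yours to see"."""
    def sub(m: re.Match) -> str:
        note = NOTES.get(int(m.group(1)))
        if note is None or not can_view_note(viewer, note):
            return m.group(0)
        return _markup(note)
    return NOTE_LINK_RE.sub(sub, text)


def enumerate_authors(renderer, viewer: str, id_range) -> set:
    """Replay the reporter's probe: submit every candidate id and
    collect whatever author names the renderer hands back."""
    found = set()
    for nid in id_range:
        m = re.search(r"by ([^\]]+)\]", renderer(f"~{nid}", viewer))
        if m:
            found.add(m.group(1))
    return found


if __name__ == "__main__":
    print("leaky:", sorted(enumerate_authors(render_leaky, "Alice_Smith", range(100, 300))))
    print("fixed:", sorted(enumerate_authors(render_fixed, "Alice_Smith", range(100, 300))))
```

The design point is in render_fixed: the access decision is made per note at render time, for the user actually viewing the page, and the fallback for a denied id is the untouched literal rather than a "missing note" marker. Rendering a distinct marker would turn the link syntax into an existence oracle, which is a smaller but still real leak.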

Activities

vboctor (manager), 2008-11-18 01:45, ~0019930

Agreed that this should be fixed and ported to 1.1.x (unless 1.2.x becomes the stable branch before then).

jreese (reporter), 2009-01-14 18:17, ~0020621

Targeting for future 1.2.x release.

grangeway (reporter), 2009-04-14 20:18, ~0021538

Hello,

I believe I've generated a fix for this in Git.

Please let me know if it doesn't/does work for you.

jreese: Can I leave you to review + backport if necessary?

Paul

jreese (reporter), 2009-04-15 08:47, ~0021553

IIRC, backporting is unnecessary, as the issue in question is a result of new code in 1.2.x.