Page 1 of 1

Attached files to private notes

Posted: Jun 30, 2019 6:14 am
by federico
Hello all.

The of mantis behaviour when trying to attach files to a private note is the following (for version 2.20.0)

- If the note is public:
You can mix text and files in the same notes, and both works well without dependencias

- If the note is private: I had to comment bugnote_add_inc.php line 149 to show the upload control, with the following result:
If you send text only => all works fine
If you try to send text and files => you get an application error
If you try to send only files => the operation is performed but the note becomes public and the file results exposed

Is there any workaround to remain the note and the attached files private.

Thank you in advance.

Re: Attached files to private notes

Posted: Jun 30, 2019 7:01 am
by atrol
Private attachments are not available in Mantis.

Furthemore attachments are not related to notes
federico wrote:
Jun 30, 2019 6:14 am
- If the note is private: I had to comment bugnote_add_inc.php line 149 to show the upload control, with the following result:
No good idea as you will encounter

Re: Attached files to private notes

Posted: Jul 01, 2019 12:10 am
by federico
Thanks atrol.

Does someone knows the reason? I have found this issue a week before the users should start to use mantisbt, and after 1000 working hours checking mantis requirements, configuring it for their needs, and developing a plugin to perform some custom transactions. Too late for me, so I need a solution, or my project with mantis definitively fails, with a very expensive waste of time, and and embarrassing loose of reputation. Both things are critical for many people (including me).

As I realized, it is an old known issue, and I can not figure out why it is not accomplished yet (because I check I am not the only one, and it is relatively strongly demanded), and reading your answer, seems there are not expectations to get it solved.

As well as the common sense does not give clues to explain this default behaviour, I've supposed it is a limitation by design, but I need to know why, to find an approach in order to avoid my work to be lost, and this is one of the more complex functions to trace I have found in mantis. So I really need help.

My objetive would be to make attachments scope and behaviour same as the note they are linked to (private attachment support), and I have a week to achieve.

I have not problems to make the effort, but I do not know if it is the the tip of a bigger iceberg already treated with no success by the mantis development team, and where is exactly the problem.

Any suggestions?

Thank you.

Re: Attached files to private notes

Posted: Jul 02, 2019 12:58 am
by federico
Finally it is an issue by design. The note attachments are added as a result of a timestamp comparison, without a real relationship between notes and attachments (as cproensa suggests at The approach I am evaluating is the following:

- mantis_project_file_table will act as a business entity as mantis_bugnote_text_table do.
- Create a table in the database called mantis_bugnote_file with two fields: bugnote_id, file_id
- IssueNoteAddCommand:
Modify the validation method to remove security consderations which avoids attachments and text to be added together, and include the simple rule
Modify the add method to insert into bugnote_file in the same file transaction, including the note text.
- bug_activity_api.php: retrieves bugnote attachments joining file and bugnote_file
- bug_note_view_inc.php: remove the attachment activity type (unuseful once the relationship bugnote_file is set). Everything is a bugnote, and a bug note can have or not a text and/or a collection of attachments. Then iterate throgh bugnotes and render the attachments for each case.

- dude: are attachments rendered in other places?

If it works, I will modify the delete attachment command to prevent orphan activities (neither text nor attachments), and the delete bugnote command because files are only used at this point and are not going to be useful in the future. In case someone decides to handle files in other places in the future (is the file_api who should take care of this).

Is there any known inconveniences (in addition to the complexity)?

If it works, how can I protect the fix of future mantis updates?


Re: Attached files to private notes

Posted: Jul 03, 2019 4:22 pm
by atrol
federico wrote:
Jul 02, 2019 12:58 am
If it works, how can I protect the fix of future mantis updates?
You have to reapply your changes after every upgrade.
This is not that much work if you use a seperate branch in Git for it (rebase your branch on top of new master branch)

It would be even better, if you submit a pull request, as it increases the chances of improvement eventually making it into MantisBT core. All contributions are welcome and greatly appreciated.
Send us a pull request on our Github repository
Please make sure that your submissions adhere to our Coding Guidelines ... guidelines

Re: Attached files to private notes

Posted: Jul 13, 2019 3:04 pm
by federico
Thank you.

I am almost finishing the job, and it seems to work by the moment. There are three or four more files to change, but I thing the approach is clean. I can not wait or follow processes because my customer thought it was working fine.

I would share the complete solution in order to its revision for implementation in next releases. I am creating a document with all changes I do. Consider this as a donation and do with it whatever you want (with the oportune mention). I do not know every functional detail of mantis, so I can not be sure if there are more views or reports using files. Please, could someone read the document with the changes and check if I am forggeting something important?

By the way, do you know where is the javascript to display/hide the file upload control when switch beteen public/private notes? It will not be necessary in the future, and now causes a nonsense behaviour, because files or text can be attached to a note indeed together, and the renderization follows the text pattern security.

Re: Attached files to private notes

Posted: Jul 24, 2019 3:17 am
by federico
I've just finished, thinking it is enaugh tested and seems to work fine.

The experience

As well as other parts of the program are clean, the code to manage file attachments is really a mess. The current attachment management implementation, mixes different patterns (OO vs !OO) in different levels of the architecture (technical and functional) which becomes an extra work to understand what it is happening with files in the version of mantis I am using (2.20.0), resulting in security issues patched by restricting the use of files, or other non consistent complex hard to understand printing strategies for files attached to bugs. This is what the fix really solves.

I would consider to modify the treatment of files, making a file as a global entity which can be linked with other entities as a part of its content (as already implemented for the text in bugnotes). The OO approach would be fine, and a ORM would help (I do not know if there is an equivalent of Hibernate or Ibatis for PHP). One file could be linked as a property to whatever other bussiness entity in the model.

It would be of interesting to consider evolving mantisbt to a new technical design which can re-use a big part of the existing code with a more consistant result with a more clear idea of the entities meaning.

I would also consider to implement a transactional model (OSIV could be a simple and efficient pattern to implement because mantis has a known loading sequence), to ensure ACID. Why not if all supported mantis databases are transactional?

In terms of security access level, the result is at least as secure as mantis, and this is not a part of my analysis.

Followed strategy

Performed actions includes: creation of a new database table; modified php files with new functions (named with the "fix" keyword ) to CRUD the new table records, or to complete the insert/update sequences for existing transactions; print api file, to open the attached files in a new window; js file to change the show/hide behaviour; and a new text resource creation to store the default text value for the note when note text is empty but has files, or when creating a new issue. All changes can be found searching the "NEW:" term in the code.

As well as I would like to create notes containg one text and/or a collection of files, I had to take some deccissions that forces structural changes: a note becomes into an entity which can contain text or attached files, instead of being a text container entity, and a separate collection of files also as a content.

- Database: {note_file} table created to store bugnote / file relationships
- File: IssueNoteAddCommand.php
- File: bug_activity_api.php
- File: bugnote_api.php
- File: bugnote_add.php
- File: bugnote_add_inc.php
- File: bugnote_view_inc.php
- File: file_api.php
- File: IssueAddCommand.php
- File: common.js
- File: print_api.php: to set the
- custom_strings.php (config)


I tried to follow the code guidelines, and I think it is almost achieved. I had my own good practices and conventions, and most of the mantis recomendations are not useful in other environments and are just a convention (celestial mechanics). I have not a PHP IDE to made things easy.

I am not a part of the mantis deveolopment team to follow all of its development requirements. I have to earn money every month, and I have not my business focused on mantis evolving, specially, if a lot of the guidelines are related to PHP limitations, and consume a lot of time with improductive things comparing with other environments. I would prefer to re-write the complete solution to a new environment, because we are talking about deep concepts involving structural changes, and there are more productive alternatives.

Alternatively, I can share my result to help the mantis team to solve a problem, but from the commitment of the mantis team, to solve what is a "by design" issue in a compatible way for future releases (not hard to achieve because I do not break the mantis standard behaviour), incorporating a real mantisbt flavor (errors and so on). I saw I am not the only one with this requirement, and my goal is only to forget all about future manteinance because it was a part of the mantis core.

Re: Attached files to private notes

Posted: Jul 24, 2019 6:08 am
by atrol
Sorry @federico I have hardly any time for Mantis at the moment, not even to read the details of your post.

It would be good if you look at and comment to
and also the related PR

It will certainly be better to have one single solution that comes with future Mantis versions instead of having two separate solutions.