View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007673 | mantisbt | security | public | 2006-12-19 12:36 | 2018-04-24 06:55 |
Reporter | cemper | Assigned To | | | |
Priority | normal | Severity | feature | Reproducibility | always |
Status | new | Resolution | open | | |
Platform | Linux | OS | Redhat | OS Version | 3 |
Product Version | 1.1.0a2 | | | | |
Summary | 0007673: Private Mode not as expected - need a "private" flag so that bugs are private to reporter/admin/handler | | | | |
Description | Hi, I have been working the whole day and really love the Mantis way of doing things... just deployed it for my company and we started working. However, I need a "private" flag for a couple of bugs that are private to reporter/admin/handler only, so NOBODY should see them except those 3 people. The current implementation only lets me select if certain "gods" can see ALL private issues, but that makes for an old-school hierarchical organisation, not a distributed development as we run here. Please let me know. Thanks & best regards | | | | |
Tags | No tags attached. | | | | |
Attached Files | mantis7673_1.patch (5,110 bytes) | | | | |
diff -Eruw mantis-1.1.0a2/bug_assign.php net.swordcoast.bugtrack/bug_assign.php --- mantis-1.1.0a2/bug_assign.php 2005-06-15 00:00:32.000000000 +0200 +++ net.swordcoast.bugtrack/bug_assign.php 2007-02-11 14:18:37.063207500 +0100 @@ -43,7 +43,7 @@ if ( $f_handler_id != NO_USER ) { # check that new handler has rights to handle the issue - access_ensure_bug_level( config_get( 'handle_bug_threshold' ), $f_bug_id, $f_handler_id ); + # access_ensure_bug_level( config_get( 'handle_bug_threshold' ), $f_bug_id, $f_handler_id ); if ( $t_bug_sponsored ) { if ( !access_has_bug_level( config_get( 'handle_sponsored_bugs_threshold' ), $f_bug_id, $f_handler_id ) ) { Only in net.swordcoast.bugtrack: config_inc.php diff -Eruw mantis-1.1.0a2/core/access_api.php net.swordcoast.bugtrack/core/access_api.php --- mantis-1.1.0a2/core/access_api.php 2005-05-12 18:04:09.000000000 +0200 +++ net.swordcoast.bugtrack/core/access_api.php 2007-02-11 14:06:03.744128000 +0100 
@@ -326,11 +326,21 @@ return false; } - # If the bug is private and the user is not the reporter, then the - # the user must also have higher access than private_bug_threshold - if ( VS_PRIVATE == bug_get_field( $p_bug_id, 'view_state' ) && - !bug_is_user_reporter( $p_bug_id, $p_user_id ) ) { - $p_access_level = max( $p_access_level, config_get( 'private_bug_threshold' ) ); + # If the bug is private and the user + # * is not administrator AND + # * is not reporter AND + # * is not the currently assigned-to AND + # * private_bug_treshold should be lower or equal to the users' project access + if ( VS_PRIVATE == bug_get_field( $p_bug_id, 'view_state' )) { + if ( + bug_is_user_handler( $p_bug_id, $p_user_id ) || + bug_is_user_reporter( $p_bug_id, $p_user_id ) || + user_is_administrator( $p_user_id ) + ) { + $p_access_level = VIEWER; // max( $p_access_level, config_get( 'private_bug_threshold' ) ); + } else { + return false; + } } return access_has_project_level( $p_access_level, $t_project_id, $p_user_id ); diff -Eruw mantis-1.1.0a2/core/columns_api.php net.swordcoast.bugtrack/core/columns_api.php --- mantis-1.1.0a2/core/columns_api.php 2006-11-11 08:38:00.000000000 +0100 +++ net.swordcoast.bugtrack/core/columns_api.php 2007-02-11 15:01:06.638546000 +0100 @@ -616,6 +616,10 @@ , lang_get( 'private' ) , lang_get( 'private' ) ); + // Get users who have access to this bug + // and print them + // TODO + // printf("<sub>(Users: %s)</sub>", ""); } echo '</td>'; } diff -Eruw mantis-1.1.0a2/core/filter_api.php net.swordcoast.bugtrack/core/filter_api.php --- mantis-1.1.0a2/core/filter_api.php 2006-10-31 09:43:58.000000000 +0100 +++ net.swordcoast.bugtrack/core/filter_api.php 2007-02-11 14:37:53.103455500 +0100 
@@ -180,26 +180,28 @@ } # private bug selection - if ( !access_has_project_level( config_get( 'private_bug_threshold' ), $t_project_id, $t_user_id ) ) { + + + # if ( !access_has_project_level( config_get( 'private_bug_threshold' ), $t_project_id, $t_user_id ) ) { $t_public = VS_PUBLIC; $t_private = VS_PRIVATE; switch ( $t_filter['view_state'] ) { case META_FILTER_ANY: - array_push( $t_where_clauses, "($t_bug_table.view_state='$t_public' OR $t_bug_table.reporter_id='$t_user_id')" ); + array_push( $t_where_clauses, "($t_bug_table.view_state='$t_public' OR $t_bug_table.reporter_id='$t_user_id' OR $t_bug_table.handler_id='$t_user_id')" ); break; case VS_PUBLIC: array_push( $t_where_clauses, "($t_bug_table.view_state='$t_public')" ); break; case VS_PRIVATE: - array_push( $t_where_clauses, "($t_bug_table.view_state='$t_private' AND $t_bug_table.reporter_id='$t_user_id')" ); + array_push( $t_where_clauses, "($t_bug_table.view_state='$t_private' AND ($t_bug_table.reporter_id='$t_user_id' OR $t_bug_table.handler_id='$t_user_id')"); break; } - } else { - $t_view_state = db_prepare_int( $t_filter['view_state'] ); - if ( ( $t_filter['view_state'] !== META_FILTER_ANY ) && ( !is_blank( $t_filter['view_state'] ) ) ) { - array_push( $t_where_clauses, "($t_bug_table.view_state='$t_view_state')" ); - } - } + #} else { + # $t_view_state = db_prepare_int( $t_filter['view_state'] ); + # if ( ( $t_filter['view_state'] !== META_FILTER_ANY ) && ( !is_blank( $t_filter['view_state'] ) ) ) { + # array_push( $t_where_clauses, "($t_bug_table.view_state='$t_view_state')" ); + # } + #} # reporter $t_any_found = false; diff -Eruw mantis-1.1.0a2/core/html_api.php net.swordcoast.bugtrack/core/html_api.php --- mantis-1.1.0a2/core/html_api.php 2006-12-08 07:28:42.000000000 +0100 +++ net.swordcoast.bugtrack/core/html_api.php 2007-02-11 13:08:52.625696500 +0100 
@@ -294,9 +294,11 @@ $t_align = 'left'; } +// if ( is_page_name ('login_page') ) { echo '<div align="', $t_align, '">'; echo '<a href="http://www.mantisbt.org" title="Free Web Based Bug Tracker"><img border="0" width="242" height="102" alt="Mantis Bugtracker" src="images/mantis_logo.gif" /></a>'; echo '</div>'; +// } } } | ||||
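Review bot: Commenting out `access_ensure_bug_level( config_get( 'handle_bug_threshold' ), $f_bug_id, $f_handler_id );` in the bug_assign.php hunk removes the only check that the new handler is allowed to handle the issue, so a bug can now be assigned to any user regardless of their project access level; keep the call, or replace it with a check that takes the private-bug rule into account, rather than dropping it. This matters more with this patch than before, because the access_api.php hunk grants the assigned handler visibility of a private bug, so an unchecked assignment becomes the way a private bug is exposed to someone below the threshold.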
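Review bot: `$p_access_level = VIEWER;` in the new access_api.php branch replaces the requested access level instead of raising it, so a caller asking whether a reporter, handler or administrator has, say, update-level access on a private bug now passes with only VIEWER level on the project; restore the commented-out `max( $p_access_level, config_get( 'private_bug_threshold' ) )` or leave `$p_access_level` untouched so the caller's threshold still applies. The new comment also says `private_bug_treshold` (typo: threshold) "should be lower or equal to the users' project access", but the code never reads `private_bug_threshold` at all, so users above that threshold who are not reporter, handler or administrator now hit `return false`; either add that check or reword the comment to say the threshold is intentionally ignored.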
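Review bot: The lines added after `lang_get( 'private' )` in the columns_api.php hunk are entirely commented-out TODO code (`// printf("<sub>(Users: %s)</sub>", "");`) and change nothing, so they should be removed from the patch or implemented; if the user list is implemented later, it must go through the usual output escaping before being echoed into the table cell.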
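Review bot: The new VS_PRIVATE clause in the filter_api.php hunk has unbalanced parentheses: `"($t_bug_table.view_state='$t_private' AND ($t_bug_table.reporter_id='$t_user_id' OR $t_bug_table.handler_id='$t_user_id')"` opens two groups and closes only one, which produces a SQL syntax error for any filter with view_state set to private; append the missing `)`. Separately, commenting out the `if ( !access_has_project_level( config_get( 'private_bug_threshold' ), $t_project_id, $t_user_id ) )` branch means the where clause is built from reporter_id/handler_id alone for every user, so administrators, who are granted access in the access_api.php hunk, and users above private_bug_threshold no longer see private bugs in listings; the list filter and access_api.php should implement the same rule.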
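Review bot: The commented-out `// if ( is_page_name ('login_page') ) {` wrapper around the logo output in the html_api.php hunk is unrelated to private-bug access and is dead code as submitted; drop it from this patch so the change set stays limited to the feature being requested.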
I have a semi-working patch for this issue. Not (yet) covered in this patch are the "external" access methods such as RSS feeds, print views and other-format exports. I will do those if this is what you had in mind. It replaces the current private flag with the above-mentioned functionality. If you need it as an extra option, that'll take a bit more work.

Hey, sounds good. I'm a bit concerned that users might still be able to access requests and the info therein that wasn't made for them, so I require
to be covered with this patch; after all, the goal is to keep information away from some people with this setting. And yes, please do the testing for sec. leaks as well. How does the payment work? Thanks

I do not think it will be in the official Mantis release; it'd break current private behaviour. I'm not a Mantis developer and as such no authority on that matter. You'll have to do the patching for yourself, and patches might break with future releases. I'll do all the above-mentioned in the course of this week (but not tomorrow) and test it thoroughly. You'll have it on Friday at the latest.

Elven, I tried to apply your patch with `patch -p0 < patchfile` and got a couple of .rej outputs, which I assume means
My problem with this is that I need a working fix. Thanks

Hey, why did you comment out the rights checking for handle bug threshold? Not ack.
`# check that new handler has rights to handle the issue`
`access_ensure_bug_level( config_get( 'handle_bug_threshold' ),`

Not sure if that was clear;
I meant nobody should be able to work on it,

Hm, 2nd try: I could patch my files here. Thanks!

I found a problem when testing: a private bug should STILL be seen by
So USER A creates a priv bug, assigns it to Admin; Admin can work on it.
Please make sure this private threshold is taken care of as well (the changes shall only affect people BELOW that threshold).

I'm rather tied up with work now. I will get back to you sometime next week, if that still works for you.