View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016359 | mantisbt | filters | public | 2013-09-04 08:40 | 2017-10-08 23:52 |
Reporter | tniemi | Assigned To | cproensa | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.15 | ||||
Target Version | 2.7.0 | Fixed in Version | 2.7.0 | ||
Summary | 0016359: Custom field filters does not take user access rights into account | ||||
Description | When All projects are selected, the custom field filter shows all strings even if user does not have access to that project. | ||||
Steps To Reproduce | Create three projects (project1, project2 and project3) with same custom field. | ||||
Tags | No tags attached. | ||||
MantisBT: master 3476b161 2017-08-16 04:11 Committer: dregad Details Diff |
Get accessible custom field values Rewrite custom_field_distinct_values() to retrieve only those values that are accessible by the user, according to either issue view permission, or custom field definition for view access level. Only values that are viewable by the user should be retrieved, so we must account for: - View issue permissions: if the issue is private or public. - Project level permissions: if a private project is accessible directly, or indirectly. - Limit view issues for reporters: if the option is enabled. - Custom field definition for viewing threshold Viewable issues can be resolved by using a filter, which already accounts for those restrictions. So here we only need to additionally check for custom field view threshold on each project. Fixes: 0016359 |
Affected Issues 0016359 |
|
mod - core/custom_field_api.php | Diff File |