View Issue Details

ID: 0016359
Project: mantisbt
Category: filters
View Status: public
Last Update: 2017-10-08 23:52
Reporter: tniemi
Assigned To: cproensa
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 2.7.0
Fixed in Version: 2.7.0
Summary: 0016359: Custom field filters does not take user access rights into account
Description

When "All Projects" is selected, the custom field filter shows all strings even if the user does not have access to that project.

Steps To Reproduce

Create three projects (project1, project2 and project3) with the same custom field.
Create a user who has access to project1 and project3 only.
Add issues to project1 and project2 and fill in data for the custom field.
Sign in as that user, select View Issues and open the specific custom field filter. It will show data from project2 as well, although the user does not have access.

Tags: No tags attached.

Relationships

child of 0023443 (closed, cproensa): Fixes related to custom fields on filters, columns and visibility

Activities

atrol

2013-09-04 15:26

developer   ~0037990

Updated "Steps To Reproduce" as you have to assign two projects to the reporter to be able to choose "All Projects"

Related Changesets

MantisBT: master 3476b161

2017-08-16 04:11

cproensa

Committer: dregad


Get accessible custom field values

Rewrite custom_field_distinct_values() to retrieve only those values
that are accessible by the user, according to either issue view
permission, or custom field definition for view access level.

Only values that are viewable by the user should be retrieved, so we
must account for:
- View issue permissions: if the issue is private or public.
- Project level permissions: if a private project is accessible
directly, or indirectly.
- Limit view issues for reporters: if the option is enabled.
- Custom field definition for viewing threshold

Viewable issues can be resolved by using a filter, which already
accounts for those restrictions. So here we only need to additionally
check for custom field view threshold on each project.

Fixes: 0016359
Affected Issues
0016359
mod - core/custom_field_api.php
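
The difference between the reported behaviour and the approach described in the commit message, as a simplified in-memory model added here; it is not MantisBT's code and does not use its API. The access levels, thresholds, user names, field values and the reading of "limit reporters" as "reporter level or below sees only own issues" are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Access levels and thresholds are constructed values for this model.
VIEWER, REPORTER, DEVELOPER = 10, 25, 55
PRIVATE_ISSUE_THRESHOLD = DEVELOPER   # level needed to see others' private issues
FIELD_VIEW_THRESHOLD = REPORTER       # level needed to view the custom field

@dataclass
class Issue:
    project: str
    reporter: str
    private: bool
    field_value: str

# Constructed sample data: alice can reach project1 and project3, not project2.
ACCESS = {"alice": {"project1": REPORTER, "project3": VIEWER}}
ISSUES = [
    Issue("project1", "alice", False, "alpha"),
    Issue("project1", "bob", False, "beta"),
    Issue("project1", "bob", True, "private-val"),
    Issue("project2", "bob", False, "hidden-p2"),
    Issue("project3", "bob", False, "gamma"),
]

def naive_distinct_values():
    """Reported behaviour: distinct values from every project, no access check."""
    return sorted({i.field_value for i in ISSUES})

def can_view_issue(user, issue, limit_reporters=False):
    level = ACCESS.get(user, {}).get(issue.project)
    if level is None:
        return False                      # project not accessible to this user
    if issue.reporter == user:
        return True                       # own issues stay visible
    if limit_reporters and level <= REPORTER:
        return False                      # reporters limited to their own issues
    return not issue.private or level >= PRIVATE_ISSUE_THRESHOLD

def accessible_distinct_values(user, limit_reporters=False):
    """Values from viewable issues, then the field view threshold per project."""
    values = set()
    for issue in ISSUES:
        if not can_view_issue(user, issue, limit_reporters):
            continue
        if ACCESS[user][issue.project] >= FIELD_VIEW_THRESHOLD:
            values.add(issue.field_value)
    return sorted(values)
```

In this model "gamma" is dropped even though its issue is viewable, because alice's level on project3 is below the field's view threshold; that is the per-project check the commit message says must be added on top of the issue filter.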