View Issue Details

ID: 0025935
Project: mantisbt
Category: attachments
View Status: public
Last Update: 2019-12-09 04:32
Reporter: sandyj
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.20.0
Target Version: 2.23.0
Fixed in Version: 2.23.0
Summary: 0025935: Warning for users when making public notes with attachments private
Description

Currently, there is no support for private attachments. Users are successfully blocked from adding attachments to private notes. However, if a user wishes to retrospectively make a public note with an attachment private, the note becomes private but the attachment remains public. This is particularly problematic as the attachment appears to the user to be private but is in fact not.

I understand that there are already issues 0022817 & 0009802 open to address support of private attachments but in the interim, there should be a warning to users that the attachment will become public since this has the potential to expose sensitive information.

Steps To Reproduce
  • create a public note with an attachment.
  • make note private
  • impersonate user without access to private notes
  • note is hidden but attachment is accessible.
Tags: No tags attached.

Relationships

related to 0022817 (closed, vboctor): "private bugnotes" as default setting prevents uploading further attachments
related to 0009802 (closed, vboctor): Support attachments associated with private notes

Activities