View Issue Details

IDProjectCategoryView StatusLast Update
0029454mantisbtemailpublic2023-12-04 16:44
ReporterZazzarim Assigned Toatrol  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Target Version2.26.0Fixed in Version2.26.0 
Summary0029454: monitor receives no mails if he is not project member
Description

In a private project i add someone to monitor this bug.
But unfortunatelly this user is not member of this project.
As a result he does not receive any emails related to this bug!
I would have expected that he gets the mails but can´t enter the bug because of "access denied".

$g_default_notify_flags = array(
'reporter' => ON,
'handler' => ON,
'monitor' => ON,
'bugnotes' => OFF,
'category' => OFF,
'explicit' => ON,
'threshold_min' => NOBODY,
'threshold_max' => NOBODY
);

TagsNo tags attached.

Relationships

related to 0033342 closeddregad cannot assign user to monitoring issues in public project (not assigned to him) 
related to 0033404 closedatrol Unable to grant user access to private issue by adding them as a monitoring user 

Activities

Zazzarim

Zazzarim

2022-01-05 09:19

reporter   ~0066143

If I add the user to the project he gets the mails. (role = viewer)

atrol

atrol

2022-01-05 14:48

developer   ~0066145

But unfortunatelly this user is not member of this project.

We should not allow that such users can be added to the list of monitoring users.
We might even think about removing users from existing lists, if users are no longer member of a project

As a result he does not receive any emails related to this bug!

IMO the right behavior that should not be changed.

I would have expected that he gets the mails but can´t enter the bug because of "access denied".

Users that are not allowed to view an issue should also not get mails that finally contain the same content that can be viewed on the issue page.

Zazzarim

Zazzarim

2022-01-05 15:04

reporter   ~0066146

Last edited: 2023-11-28 03:50

Hi Atrol,

We should not allow that such users can be added to the list of monitoring users.
We might even think about removing users from existing lists, if users are no longer member of a project

I agree that would be fine for me. But now the Reporter and Developer relay on that the monitored users are informed about the issue!
They can´t figure out a missing project participation.
As long as the monitor box is a text field and not drop down (and there is no verification), Mantis should send mails to if 'monitor' => ON. The user is informed and realise that he has a missing permission.
Or send a mail "you should be informed about bug xxx but you have insufficent permission" in mail api instead of not inform the explicit entered monitors.

Greeetings,

zazzarim

EDIT(dregad): replace BBcode by markdown for quote

atrol

atrol

2022-01-05 16:36

developer   ~0066147

Last edited: 2022-01-05 16:38

We should not allow that such users can be added to the list of monitoring users.

Implemented in PR https://github.com/mantisbt/mantisbt/pull/1789

Zazzarim

Zazzarim

2022-01-06 08:02

reporter   ~0066150

Hi Atrol,

thank you for the quick solution.
I´ve tested your implementation and it works.

zazza

mantis.jpg (80,211 bytes)   
mantis.jpg (80,211 bytes)   
atrol

atrol

2022-01-06 16:10

developer   ~0066152

Thanks @Zazzarim for the feedback.

Related Changesets

MantisBT: master 2278735a

2022-01-05 11:20

atrol


Details Diff
Correct access checks when adding monitoring users

Fixes 0029454
Affected Issues
0029454
mod - core/commands/MonitorAddCommand.php Diff File
mod - core/constant_inc.php Diff File
mod - lang/strings_english.txt Diff File