View Issue Details

IDProjectCategoryView StatusLast Update
0030907mantisbtapi soappublic2022-08-20 22:22
Reportervboctor Assigned Tovboctor  
Status assignedResolutionopen 
Product Version2.25.6 
Target Version2.26.0 
Summary0030907: SOAP API mc_project_get_users doesn't enforce access check

A user that can sign-in, but doesn't have access to a project, can list users in such project. The user should only be able to do so if they have VIEWER access to the project. Which is equivalent to what they see in reporters/developers drop downs in the filter box of View Issues page.

TagsNo tags attached.


related to 0022791 resolvedvboctor Support retrieving users with specified access level to a project