View Issue Details

ID: 0021913
Project: mantisbt
Category: tagging
View Status: public
Last Update: 2017-10-08 23:52
Reporter: cproensa
Assigned To: cproensa
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.3
Target Version: 2.7.0
Fixed in Version: 2.7.0
Summary: 0021913: Unprivileged user can see related tags from private issues
Description

The selection of related tags is comparing incorrectly for access level:

<pre>
WHERE tag_id != $1 AND bug_id IN ( SELECT b.id FROM mantis_bug_table b
LEFT JOIN mantis_project_user_list_table p
ON p.project_id=b.project_id AND p.user_id=$2 JOIN mantis_user_table u
ON u.id=$3 JOIN mantis_bug_tag_table t
ON t.bug_id=b.id
WHERE ( p.access_level>b.view_state OR u.access_level>b.view_state )
AND t.tag_id=$4 )
</pre>

The clause
WHERE ( p.access_level>b.view_state OR u.access_level>b.view_state )
is comparing to view_state which is not an access level.

Tags: No tags attached.
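
The mismatch described above, run on constructed data as an added example (not MantisBT code and not the committed fix). It assumes a site that raised its private-issue threshold to MANAGER; `CHECKED` is a simplified stand-in for a visibility check, not the filter API, and the table contents and the named parameters are made up for the illustration.

```python
import sqlite3

# Values from MantisBT's constant_inc.php; the threshold is a constructed site setting.
VS_PUBLIC, VS_PRIVATE = 10, 50
VIEWER, DEVELOPER, MANAGER = 10, 55, 70
PRIVATE_BUG_THRESHOLD = MANAGER  # assumption: raised above the default

JOINS = """SELECT b.id FROM mantis_bug_table b
LEFT JOIN mantis_project_user_list_table p
  ON p.project_id=b.project_id AND p.user_id=:uid
JOIN mantis_user_table u ON u.id=:uid
JOIN mantis_bug_tag_table t ON t.bug_id=b.id
WHERE t.tag_id=:tag AND """
# Condition quoted in the issue: an access level compared with a view state.
FLAWED = JOINS + "( p.access_level>b.view_state OR u.access_level>b.view_state )"
# Simplified stand-in for a visibility check (assumption, not the filter API):
# public bugs are visible, private bugs need the configured threshold.
CHECKED = JOINS + """( b.view_state=:public
  OR COALESCE(p.access_level, u.access_level)>=:threshold )"""

def make_db():
    """Constructed sample data: tag 1 is on a public and a private bug."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE mantis_user_table(id, access_level);
    CREATE TABLE mantis_project_user_list_table(project_id, user_id, access_level);
    CREATE TABLE mantis_bug_table(id, project_id, view_state);
    CREATE TABLE mantis_bug_tag_table(bug_id, tag_id);
    INSERT INTO mantis_user_table VALUES (1, 55), (2, 10); -- DEVELOPER, VIEWER
    INSERT INTO mantis_bug_table VALUES (100, 1, 10), (101, 1, 50); -- public, private
    INSERT INTO mantis_bug_tag_table VALUES (100, 1), (100, 2), (101, 1), (101, 3);
    """)
    return db

def related_tags(db, bug_subquery, uid, tag):
    """Tags that share a bug with `tag`, limited to bugs the subquery returns."""
    sql = ("SELECT DISTINCT tag_id FROM mantis_bug_tag_table WHERE tag_id != :tag "
           "AND bug_id IN (" + bug_subquery + ") ORDER BY tag_id")
    args = {"uid": uid, "tag": tag, "public": VS_PUBLIC,
            "threshold": PRIVATE_BUG_THRESHOLD}
    return [row[0] for row in db.execute(sql, args)]

if __name__ == "__main__":
    db = make_db()
    for uid, name in ((1, "developer"), (2, "viewer")):
        print(name, "flawed:", related_tags(db, FLAWED, uid, 1),
              "checked:", related_tags(db, CHECKED, uid, 1))
```

With this data the quoted condition returns tag 3, which exists only on the private bug, to the developer, and returns nothing to the viewer even for the public bug, because 10 > 10 is false.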

Related Changesets

MantisBT: master 8ab8e125

2017-08-14 13:46

cproensa

Committer: dregad


Fix query for related tags

Refactor the related tags function to use a filter search for the tag,
leaving the hard work for access and visibility checks to the filter api.

Previous query was not correct as it was comparing project access level
with bug view state. Also, it didn't account for view tags permissions
for each project.

Fixes: 0021913
Affected Issues
0021913
mod - core/tag_api.php