View Issue Details

ID: 0030907
Project: mantisbt
Category: api soap
View Status: public
Last Update: 2023-10-31 16:32
Reporter: vboctor
Assigned To: vboctor
Status: closed
Resolution: fixed
Product Version: 2.25.6
Target Version: 2.26.0
Fixed in Version: 2.26.0
Summary: 0030907: SOAP API mc_project_get_users doesn't enforce access check

A user that can sign in, but doesn't have access to a project, can list users in such project. The user should only be able to do so if they have VIEWER access to the project, which is equivalent to what they see in the reporters/developers dropdowns in the filter box of the View Issues page.

Tags: No tags attached.


Related to: 0022791 (closed, vboctor) Support retrieving users with specified access level to a project
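
The access rule described in this issue, as an added example that is not MantisBT source code: a simplified, self-contained PHP model of a project user listing that refuses callers without VIEWER access to the project. The function names, the data layout and the sample users are hypothetical; the access-level names and values follow MantisBT's defaults, and the rule for private projects is a simplifying assumption.

```php
<?php
// Added illustration, not MantisBT source. Function names and data layout are
// hypothetical; the level names and values follow MantisBT's defaults.
const VIEWER = 10;
const REPORTER = 25;
const DEVELOPER = 55;
const ADMINISTRATOR = 90;

// Constructed sample data: project 1 is private, with explicit per-user grants.
$projects = [1 => ['name' => 'internal', 'public' => false]];
$globalLevel = ['alice' => DEVELOPER, 'bob' => REPORTER, 'carol' => REPORTER];
$projectLevel = [1 => ['alice' => DEVELOPER, 'bob' => VIEWER]];

// Effective access of $user in $projectId: an explicit project grant wins,
// then the global level for public projects or administrators, otherwise none.
function effective_level(string $user, int $projectId): int {
    global $projects, $globalLevel, $projectLevel;
    if (isset($projectLevel[$projectId][$user])) {
        return $projectLevel[$projectId][$user];
    }
    $global = $globalLevel[$user] ?? 0;
    if ($projects[$projectId]['public'] || $global >= ADMINISTRATOR) {
        return $global;
    }
    return 0;
}

// List users holding at least $minLevel in the project, but only for callers
// that themselves have VIEWER access to that project.
function project_get_users(string $caller, int $projectId, int $minLevel): array {
    global $projects, $globalLevel;
    // This is the check the issue reports as missing: being signed in is not enough.
    if (!isset($projects[$projectId]) || effective_level($caller, $projectId) < VIEWER) {
        throw new RuntimeException('Access denied');
    }
    return array_values(array_filter(array_keys($globalLevel),
        fn($u) => effective_level($u, $projectId) >= $minLevel));
}

// bob holds VIEWER on the private project, so the listing is allowed.
print_r(project_get_users('bob', 1, REPORTER));

// carol can sign in but has no access to project 1, so the call is refused.
try {
    project_get_users('carol', 1, VIEWER);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```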