View Issue Details

ID: 0020690
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2023-10-15 04:43
Reporter: cproensa
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.0-rc.2
Target Version: 2.24.4
Fixed in Version: 2.24.4
Summary: 0020690: inconsistent UI for view bugnote revision
Description

Currently, when a bugnote has been modified, a link with access to "view revisions" is shown:

  • in the bug note box
  • in the history line

However, if clicked through, only users with "private_bugnote_threshold" access can view those revisions.

Some inconsistencies:

  • The action is presented even if the user can't view the actual revisions
  • "private_bugnote_threshold" is a hardcoded access level that may not fit with the actual desired behaviour.
Tags: No tags attached.

Relationships

related to 0027370 (closed, dregad): CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
related to 0020675 (new): It would be nice if you could hide revisions in history below a certain user level
related to 0032980 (closed): Information leakage: summary on bug revision note

Activities

dregad (developer), 2016-03-12 01:45, note ~0052756

So if I understand correctly, you're saying we should have a specific config threshold driving who can view revisions?

cproensa (developer), 2016-03-12 06:04, note ~0052760

> you're saying we should have a specific config threshold driving who can view revisions?

Not necessarily.
"private_bugnote_threshold" makes sense, as an older revision of a bug note can be thought of as a text that is made private. This is fine to avoid having more config options.

My point is:
If the user can't see the revisions, don't show the action to go to the revision view page.

Another point is:
Seeing bug note revisions is limited by some permission level, but it seems that bug summary revisions are not.

dregad (developer), 2020-12-05 21:14, note ~0064750

I think that creating a new config is the only way to make this consistent, because relying on private_bugnote_threshold does not really make sense for bug-level revisions.

dregad (developer), 2020-12-06 08:11, note ~0064755

Design decision: users can always see the revisions for issues and bugnotes they reported, regardless of the new config's value (i.e. this setting currently does not allow revisions to be entirely "turned off").

Related Changesets

MantisBT: master c9a8aca2 (dregad, 2020-12-06 02:27)

New config $g_bug_revision_view_threshold

Access level required to view bug history revisions. Note that users
can always see the revisions for issues and bugnotes they reported,
regardless of the new config's value.

Two new Access API functions, access_can_view_bug_revisions() and
access_can_view_bugnote_revisions(), can be used to check whether user
has required access level.

Fixes 0020690
Affected Issues: 0020690
mod - config_defaults_inc.php
mod - core/access_api.php
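As an added illustration of the access rule this changeset describes (example code, not MantisBT's own implementation; the function names, the access-level constants and the page URL are constructed placeholders modelled on the names in the commit message), the following PHP shows one shared check with the reporter exception, reused both by the link rendering and by the revision page so that the UI and the server-side enforcement cannot drift apart:

```php
<?php
// Added illustration, not MantisBT's code. Access levels are constructed
// integers in the style of MantisBT's config; all names are placeholders.
const VIEWER    = 10;
const DEVELOPER = 50;

// Stand-in for the new $g_bug_revision_view_threshold config value.
$t_revision_view_threshold = DEVELOPER;

// One shared decision used by both the link rendering and the revision page,
// so the UI and the enforcement cannot disagree. Reporters always see the
// revisions of their own items, regardless of the threshold.
function can_view_revisions( int $p_user_id, int $p_user_access,
                             int $p_reporter_id, int $p_threshold ): bool {
	if( $p_user_id === $p_reporter_id ) {
		return true;
	}
	return $p_user_access >= $p_threshold;
}

// Before: link rendered for everyone; only the target page checked a
// hardcoded private_bugnote_threshold, so users saw an action they could not use.
function render_link_before( int $p_bugnote_id ): string {
	return '<a href="revision_view_page.php?id=' . $p_bugnote_id . '">View Revisions</a>';
}

// After: the link is emitted only when the shared check passes.
function render_link_after( int $p_bugnote_id, int $p_user_id, int $p_user_access,
                            int $p_reporter_id, int $p_threshold ): string {
	if( !can_view_revisions( $p_user_id, $p_user_access, $p_reporter_id, $p_threshold ) ) {
		return '';
	}
	return '<a href="revision_view_page.php?id=' . $p_bugnote_id . '">View Revisions</a>';
}

// The revision page must run the same check server-side: hiding the link
// is a usability fix, the page guard is the actual access control.
function revision_page_guard( int $p_user_id, int $p_user_access,
                              int $p_reporter_id, int $p_threshold ): void {
	if( !can_view_revisions( $p_user_id, $p_user_access, $p_reporter_id, $p_threshold ) ) {
		http_response_code( 403 );
		exit( 'Access denied' );
	}
}

// Constructed sample: user 7 (VIEWER) did not report bugnote 42 (reporter 3),
// so the link is hidden; user 3 sees it despite being below the threshold.
echo render_link_after( 42, 7, VIEWER, 3, $t_revision_view_threshold ) === '' ? "user 7: hidden\n" : "user 7: shown\n";
echo render_link_after( 42, 3, VIEWER, 3, $t_revision_view_threshold ) === '' ? "user 3: hidden\n" : "user 3: shown\n";
```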

MantisBT: master 57e9b01a (dregad, 2020-12-06 02:59)

Hide 'View Revisions' if user has no access

Do not display the 'View Revisions' link to the user if they are not
allowed to see it, both when displaying bugnotes and in bug history.

Added $p_bug_id parameter to history_localize_item() function, it is
needed to call access_can_view_revisions().

Adapted mci_issue_get_history() and email_format_bug_message() to use
the new function signature.

Fixes 0020690
Affected Issues: 0020690
mod - api/soap/mc_issue_api.php
mod - bugnote_view_inc.php
mod - core/email_api.php
mod - core/history_api.php

MantisBT: master e6365041 (dregad, 2020-12-14 07:38)

Documentation for bug revisions

Added new $g_bug_revision_view_threshold config to Admin Guide's
Bug History section, as well as $g_bug_revision_drop_threshold which
was previously not documented.

Issue 0020690
Affected Issues: 0020690
mod - config_defaults_inc.php
mod - docbook/Admin_Guide/en-US/config/bughistory.xml