View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0016359 | mantisbt | filters | public | 2013-09-04 08:40 | 2017-10-08 23:52 |

| Priority | Severity | Reproducibility | Target Version | Fixed in Version |
|---|---|---|---|---|
| normal | minor | have not tried | 2.7.0 | 2.7.0 |

Summary: 0016359: Custom field filters does not take user access rights into account
When All projects are selected, the custom field filter shows all strings even if the user does not have access to that project.
Steps To Reproduce
Create three projects (project1, project2 and project3) with same custom field.
Tags: No tags attached.
MantisBT: master 3476b161
Committer: dregad
Get accessible custom field values

Rewrite custom_field_distinct_values() to retrieve only those values
that are accessible by the user, according to either issue view
permission, or custom field definition for view access level.

Only values that are viewable by the user should be retrieved, so we
must account for:
- View issue permissions: if the issue is private or public.
- Project level permissions: if a private project is accessible
  directly, or indirectly.
- Limit view issues for reporters: if the option is enabled.
- Custom field definition for viewing threshold

Viewable issues can be resolved by using a filter, which already
accounts for those restrictions. So here we only need to additionally
check for custom field view threshold on each project.
mod - core/custom_field_api.php
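
The access rules listed in the commit message can be modelled as a single scoped query. This is an added example, not MantisBT's code: the tables, columns, access levels, `PRIVATE_THRESHOLD` and the `own_issues_only` flag are assumptions made for illustration, and project access is modelled only through membership rows.

```python
import sqlite3

# Simplified model (assumption): names are illustrative, not MantisBT's schema.
SCHEMA = """
CREATE TABLE bug(id INTEGER PRIMARY KEY, project_id INT, private INT, reporter_id INT);
CREATE TABLE membership(user_id INT, project_id INT, access_level INT);
CREATE TABLE custom_field(id INTEGER PRIMARY KEY, view_threshold INT);
CREATE TABLE cf_value(field_id INT, bug_id INT, value TEXT);
"""
# Constructed sample data: user 7 belongs to projects 1 and 2 only; user 8 to all three.
DATA = """
INSERT INTO bug VALUES (10,1,0,7),(11,2,0,8),(12,3,0,8),(13,1,1,8),(14,1,0,8);
INSERT INTO membership VALUES (7,1,55),(7,2,10),(8,1,90),(8,2,90),(8,3,90);
INSERT INTO custom_field VALUES (1,25);
INSERT INTO cf_value VALUES (1,10,'alpha'),(1,11,'beta'),(1,12,'gamma'),(1,13,'delta'),(1,14,'epsilon');
"""
PRIVATE_THRESHOLD = 70  # assumed level required to view other users' private issues

def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + DATA)
    return db

def distinct_values_unscoped(db, field_id):
    """Behaviour reported in the issue: every stored value, whoever is asking."""
    sql = "SELECT DISTINCT value FROM cf_value WHERE field_id = ? ORDER BY value"
    return [row[0] for row in db.execute(sql, (field_id,))]

def distinct_values_for_user(db, field_id, user_id, own_issues_only=False):
    """Values taken only from issues the user may view, in projects where the
    user's access level meets the field's view threshold."""
    sql = """
    SELECT DISTINCT v.value
      FROM cf_value v
      JOIN bug b          ON b.id = v.bug_id
      JOIN membership m   ON m.project_id = b.project_id AND m.user_id = :uid
      JOIN custom_field f ON f.id = v.field_id
     WHERE v.field_id = :fid
       AND m.access_level >= f.view_threshold            -- field view threshold per project
       AND (b.private = 0 OR b.reporter_id = :uid
            OR m.access_level >= :priv)                  -- private issue visibility
       AND (:own = 0 OR b.reporter_id = :uid)            -- limit reporters to own issues
     ORDER BY v.value"""
    args = {"uid": user_id, "fid": field_id, "priv": PRIVATE_THRESHOLD, "own": int(own_issues_only)}
    return [row[0] for row in db.execute(sql, args)]
```

For user 7 the scoped query drops the value from the project with no membership, the value from the project where the user is below the field's view threshold, and the value stored on another user's private issue.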